In the News: Global cybercrime prosecution a patchwork of alliances (CSO Online)

Quoted in the CSO Online article Global cybercrime prosecution a patchwork of alliances by Maria Korolov:

Not all security experts are quite that optimistic, however.

“From what I’ve seen, personally, there are a lot of good efforts,” said David Venable, vice president of cybersecurity at Masergy Communications.

Venable previously worked for the NSA for several years. Now, at Masergy, he helps companies with international cybercrime investigations.

He said that it can be difficult to go after the smaller fish because the global cybercrime law enforcement processes aren’t well developed yet.

“And as long as there are any countries that aren’t cooperating, hackers around the world will use that country’s infrastructure to launch attacks,” he added.

Could your BYOD system be a threat to your business?

Originally published by Beta News.

Nowadays, practically everyone is connected to the Internet at home, in the office and on the move. This has introduced fantastic opportunities for businesses and employees to operate smarter. Bring Your Own Device (BYOD), the practice of letting employees work in the office or remotely on devices they own rather than company-issued ones, has been around for a while now and makes the most of this ‘personal device era’. It is convenient for employees to use their own devices, it reduces the burden on IT administration and it saves capital expenditure for the business. But could BYOD end up being the company’s biggest threat?

Employees now have the opportunity to use their own personal devices for work purposes. The thinking is that employees are already familiar with their own devices and already have them on hand at all times. BYOD is generally a good thing, but it is not without its challenges and concerns; as with any new development, the risks need to be evaluated. In theory, though, team members will be more productive and happier at work with a BYOD scheme in place.

Some pressing concerns

The areas of highest concern within the enterprise are: data leakage and loss, unauthorized access to company data and systems, downloading unsafe apps or content and malware.

BYOD has been around for a while, but there is still no universal set of guidelines for employers and employees to work to. There are, however, some best practices that security experts recommend.

My personal view is that the most pressing concerns with BYOD are network stability and security. Keeping your company’s private and sensitive data secure is one of your IT department’s biggest responsibilities, and BYOD adds a new dimension to this ongoing struggle. As the workforce becomes more reliant on mobile devices, the channels for data leakage and the exposure to threats multiply, leaving the IT department with an even greater burden: securing mobile devices it does not own.

The Crowd Research Partners BYOD & Mobile Security 2016 Spotlight Report found that 72 percent of respondents are concerned with data leakage and loss, 56 percent with unauthorized access to company data and systems, 52 percent with users downloading unsafe apps or content and 52 percent with malware.

Mobile phones and tablets are often the weakest link in an organization’s security and are prone to attack. They also need regular patching, and in a BYOD scheme the responsibility for applying updates falls on the employee. That puts the onus on organizations to implement policies and procedures that help employees keep their devices secure.

Because employees carry their devices all the time, those devices also have access to the employer’s network and sensitive data all the time. A lost or stolen device is therefore a live threat, and any malicious program hiding on a personal device has the same reach into your company’s network and data as the employee does. All it takes is one infected device to compromise the integrity of your network and data. With BYOD, CIOs have less control over the mobile devices used in their organization, which ultimately leaves them more exposed to attack.

The Crowd Research Partners report also raised the threat of employees downloading mobile apps, and I agree with this. Employees use these apps while connected to external Wi-Fi hotspots that lack the correct security protocols, which creates serious security holes that attackers can exploit.

Coupled with the fact that your employees might not have anti-virus protection or an up-to-date firewall on their mobile devices, this leaves them more vulnerable to attack. To stop an infection from spreading, there should be a gatekeeper between the device and the corporate network, such as a VPN gateway, which authenticates the device and ensures that traffic between the mobile device and your IT network is encrypted and permitted by policy.

What can you do?

You must create a strategy for BYOD with a business case and a goal statement. As technology continues to advance and change the way we live and work, building a smart, flexible mobile strategy will allow companies to explore innovative ways to empower their workforce and drive greater productivity.

In addition, you must secure devices and apps by implementing a mobile device management (MDM) solution, or container-focused management tools, which will greatly help your organization manage and secure the devices. The policies applied to the devices, or within managed containers, should be defined by the risk assessment.

You can also complement end-user and administrative security with more extensive network segmentation: creating multiple virtual routing and forwarding (VRF) and virtual switching instance (VSI) environments on the same physical infrastructure allows separate VLANs for trusted and untrusted traffic. This way, a BYOD smartphone can be contained in a VRF reserved for user-owned devices, and any malware that reaches it can be kept away from the most trusted environment, which is reserved for corporate-issued systems.

Here are steps you can take to ensure that information security won’t be needlessly impaired by the use of employees’ devices:

  • Make sure users register their devices with your IT security professionals
  • Require employees use PINs, passwords or patterns for data access
  • Require device-level encryption on handsets
  • Set company guidelines, user policies and provide training
  • Create enterprise-wide BYOD policies

Getting clever about BYOD

Making BYOD a success requires organizations to detect malicious activity, such as advanced persistent threats (APTs), that enters the corporate environment courtesy of user-owned smartphones and tablets. Network behavioral analysis and machine learning solutions that monitor network activity and adapt to changing threat conditions are a wise investment in support of BYOD initiatives.

With data loss, unauthorized access and malware just some of the concerns around BYOD, you must make sure all devices are registered, device-level encryption is enabled and user policies are established. Educating employees on how to protect their devices, and ensuring devices are configured in line with security policies, ensures that at least the basic security precautions are adopted.

One thing is for sure: There’s no time to waste getting more done. Citing BYOD as a driver of innovation, as well as device and service cost savings, Gartner has predicted that by next year, half of all businesses will require workers to use a personal device for work.

Cybersecurity In 2017: When Moore’s Law Attacks

Originally published by Channel Partners.

We all know that the traditional defenses your customers have deployed to prevent cyberattacks – including firewalls, antivirus software and intrusion-detection systems – are being outpaced. The proof is undeniable: Just in the past few months, we’ve seen dozens of organizations hit by catastrophic cyberattacks. In many cases, such as the U.S. Democratic National Committee and Yahoo, which lost personal data on a billion accounts, the affected organizations were for months unaware they had been compromised.

Why is it seemingly so easy for everyone from state-sponsored actors to lone script kiddies to waltz through costly defenses? Mainly because the tools used by cybercriminals today are measurably better and cheaper than what was available even a couple of years ago. Unconstrained by any central authority, legal regulations or budget limits, cybercriminals can double the effectiveness of their tools for half the money every few months, much as Moore’s Law increases chip performance while driving down the cost of producing semiconductors.

That reality is driving many cyber-defense professionals to rethink the way they protect customers, and their own organizations. The tactics currently used by the majority of corporate IT teams just aren’t working. During my tenure at the National Security Agency and in my current role as VP of cybersecurity at Masergy, my view has been that every organization needs a well-defined security process that is standardized and repeatable.

Of course, standardization and repeatability have always been core to how solutions providers operate, and that familiarity can help convince customers that have been hesitant to outsource security. The fact is, the amount of time, money and effort needed by internal IT teams to maintain their current cyber defenses often precludes CISOs from stepping back and developing comprehensive corporate cybersecurity strategy — let alone brief the CEO and board of directors on security strategy and tactics.

It’s a vicious cycle that seems impossible to break: Cyber criminals know it’s hard for a CISO to make changes. But unless CISOs get motivated to take the steps needed to change, attackers can exploit weakness.

As an adviser with insight into the business, you’re in a position to help. Here are the four critical steps to align security strategies with business priorities, and in the process get much-needed support – and spending authority – from corporate board members.

1. Understand High-Priority Security Gaps

Help customer CISOs concentrate their efforts appropriately by identifying the biggest business risks to their particular companies. Consider common indicators of security threats that the organization may not be well equipped to address. Can you help identify outdated security assumptions or poorly implemented capabilities that are due for an update? In a world where the working assumption should be that every business is already compromised, what is the critical data that must be protected?

2. Determine 3- to 5-Year Goals

Every business will evolve in that timeframe in terms of growth, globalization, workforce and likely everything else. Partners can help customers understand how technological and other changes will impact their risk profiles.

You don’t need to start from scratch. Leverage the NIST Cybersecurity Framework, the ISO 27000 series and the 20 CIS Critical Security Controls, each in context. Start with the CIS Controls to help customers fulfil short-term security demands and defend against the highest-impact threats. Move up to midterm goals by drawing on ISO 27000 controls; you’ll have a head start, as about 44 percent of them map to the CIS Controls. For the long term, work toward the NIST framework.

3. Track Security Status

I’ve developed a security maturity model based on the industry-standard Capability Maturity Model (CMM). It measures five levels of progress across five areas of security: Policy, Technology, Human Factors, Risk and Vulnerability Management, and Support.

Level 1 identifies security as an individual effort. Level 2 represents repeatable efforts, and Level 3 indicates processes that are institutionalized across the organization. Level 4 represents managed functions, where you’re looking for areas to do continuous process improvements. Optimization is the focus at Level 5, where you’re looking to subtly tweak an already smooth-running environment.

To determine a customer’s status, grade each of the five areas (policy, technology, human factors, risk and vulnerability management, and support). Score an area at zero points if it is at Level 1, rising to 20 points at Level 5, for a total score of 0 to 100. Download a copy of the same worksheet I use to measure current CMM metrics, with guidance on determining the level for each area. View the video of a workshop I gave at Black Hat USA 2016 to learn more about this security model.

4. Share Security Progress with Business Leaders

Translate your security-infused language to something that makes sense to customer business leaders and boards. Give them the visuals about security status. Make sure your language conveys that your sole aim is to provide information to make decisions based on understanding the risks that security gaps present to business performance, funding and shareholder value.

Security integration shouldn’t be a DIY effort for partners, either. Leverage external expertise to help with gap analysis, risk assessment, consolidated views of a customer’s security posture and even managing your SOC. Outside specialists can be your best friend in this challenging effort.

In the News: The future of conflict is in cyberspace (The Sunday Times of London)

Quoted in the Sunday Times article The future of conflict is in cyberspace by Davey Winder:

The US Cyber Command response was to launch attacks against cyber communication channels and drone-strikes against human targets in Syria thought to be linked with the group. It’s now known that the Cyber Caliphate was a false-flag operation run by APT 28, a Russian state-sponsored hacking group.

“Once an organisation’s techniques and fingerprint are known, it’s relatively trivial for other organisations to emulate it,” says David Venable, former US National Security Agency intelligence officer and now vice president of cyber security at Masergy. It’s a huge danger, Mr Venable insists, as “the use of this information to impact the foreign policies of other states is extremely likely, especially with regards to states with sophisticated cyber operations”.

In the News: Blackhat EU: Breaking Big Data (SC Magazine)

SC Magazine recently did a feature on Dave’s Blackhat EU Briefing: Breaking Big Data.

Former intelligence officer David Venable gave a crowd at Blackhat EU 2016 a rundown of what big data, and bad data, in the private sector could mean for your privacy.

David Venable spent time as an employee of the National Security Agency

“Privacy as we know it is dead”, said David Venable of Masergy Communications, as he began his talk, Breaking Big Data: Evading Analysis of the Metadata of Your Life at BlackHat Europe 2016.

In the News: Anti-ultrasound tech aims to foil the dog-whistle marketeers (The Register)

Featured in The Register article, Anti-ultrasound tech aims to foil the dog-whistle marketeers by John Leyden:

On a similar theme, former NSA analyst David Venable, now vice president of Masergy, gave a presentation on the advertising industry’s use of the Big Data technologies pioneered by intelligence agencies and governments.

Venable outlined techniques to prevent selected activities from being associated with someone’s true persona, with a focus on making the true persona blend in with the masses. Going off the grid need not be the answer, and in any case might make someone stand out more, Venable told El Reg.

“Bad data can lead to bad decisions,” he said. “Biased algorithms reflect the biases of creators, which is why you might want to avoid them.”

Venable’s idea is to rethink operational security principles, which normally involve staying under the radar of government agencies and the police, to avoid motor insurance providers and credit reference agencies. “It’s about choosing what information you reveal and mindfulness,” he said.

Part of this involves thinking about the apps installed on a smartphone, as well as more subtle defences such as keeping a phone in another room in case an app is recording audio. Venable does not, however, advocate keeping smartphones in the refrigerator before taking meetings, as per Edward Snowden.

In the News: The Rise and Rise of Ransomware (SC Magazine)

Quoted in the SC Magazine article The Rise and Rise of Ransomware by Davey Winder:

It’s an attractive threat sector for many reasons. Number one, persistent attacks can be avoided. “Ransomware that encrypts all the data and destroys local backups before asking for a lump sum payout,” Dave Venable, VP of cyber security at Masergy told SC, “lets hackers avoid the higher costs and labour of maintaining the infrastructure of persistent attacks.”

How to deal with the insider threat

Originally published in IT Security Thing.

While the entire threat landscape is changing dramatically, with more sophisticated adversaries, nation-state and state-sponsored actors and rapidly evolving attack surfaces, one of the few things that hasn’t changed is that the insider threat remains one of the most insidious threats, if not the most insidious, in almost any environment.

That’s not FUD (fear, uncertainty and doubt) either, just look at the negative impact that Edward Snowden’s leak of thousands of files from the National Security Agency (NSA) has had on the US intelligence apparatus.

According to A Preliminary Model of Insider Theft of Intellectual Property, a paper published by Carnegie Mellon University, 75% of insider IP theft cases were committed by employees. Some 65% had already accepted a new job elsewhere, while 35% stole to gain an immediate advantage at a new job, and in 25% of cases the stolen information was given to a foreign government or company.

Today, external attacks are almost constant and less damaging (with the exception of high-profile attacks and near-total breaches, such as those against Sony and Ashley Madison). By contrast, insider attacks are more rare, but typically far more damaging.

It gets worse every day

As Willie Sutton, the infamous American bank robber said, when asked why he robbed banks, “That’s where the money is.” The insider threat is getting worse because that’s where the valuable information is, but there’s an additional component here – that’s also where the weakest controls are.

We lock down the external perimeter; as an industry, we have become better at that over the years. However, as long as there is valuable information, someone is willing to get access through a third party’s network connection, as in the Target breach, where the attackers came in via an HVAC contractor’s credentials; to recruit an unscrupulous employee; or, in some of the worst cases, to take a job at a company in order to steal its information.

One of the most common mechanisms used to gain unauthorised access to systems from within is not a technical one; it’s asking a friend. In fact, according to the Carnegie Mellon University paper, 19% of intellectual property theft cases involved colluding with another insider.

Insider threat detection and prevention

In the case of deliberate collusion, not much can be done. However, good security awareness training is invaluable in preventing social engineering attacks, where one employee tricks another into providing sensitive information.

Another common avenue is improper sharing permissions on drives, folders and documents. Finally, and this seems to be rarer, there is the use of technical exploitation techniques against internal systems.

The problem, from what I’m seeing in the field, is the majority of organisations are overlooking the insider threat. Very few organisations are actively posturing against, or frankly even considering, insider threats.

But insider attacks can be detected, and avoided, by focusing security efforts not only on protecting the perimeter but on the internal network too. Behavioural analysis of internal network traffic is one of the best defences against an ‘Edward Snowden-style’ insider attack. Users typically behave in consistent ways. When that behaviour changes, it usually means something.

For example, according to Wired, Snowden spent a great deal of time scouring the NSA’s classified internal network for documents and downloading them to his workstation, memory sticks and CDs, a dramatic shift from the typical behaviour of someone in his role. This would have been easy to detect with behavioural analysis.
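As an added example, not code from the original articles or from Masergy, here is the kind of baseline-and-deviation check that the “Getting clever about BYOD” section and the paragraph above are describing, run over constructed file-retrieval logs. The log format (day, user, share, bytes), the share names and the thresholds are assumptions. It builds each user’s own history of daily volume, scores a new day with a modified z-score (median and MAD, which one huge day in the history cannot skew), and separately reports shares the user has never touched before; a day with fewer than seven prior days of history is skipped rather than scored against nothing.

```python
"""Baseline-and-deviation check over per-user file retrieval logs.

Added example, not code from the original articles or from Masergy. The
log format (day, user, share, bytes), the share names and the thresholds
are assumptions made for the demonstration; every log line is constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed log: one line per (day, user, share) with bytes retrieved.
# analyst01 pulls ~11 MB a day for eight days, then 2.3 GB from two shares
# never touched before; analyst02 has a busy but ordinary ninth day.
SAMPLE_LOG = """\
2013-05-01 analyst01 team_docs 11200000
2013-05-02 analyst01 team_docs 9800000
2013-05-03 analyst01 ops_reports 12500000
2013-05-04 analyst01 team_docs 10400000
2013-05-05 analyst01 team_docs 13100000
2013-05-06 analyst01 ops_reports 9100000
2013-05-07 analyst01 team_docs 11900000
2013-05-08 analyst01 ops_reports 10700000
2013-05-09 analyst01 team_docs 12000000
2013-05-09 analyst01 sigint_archive 1400000000
2013-05-09 analyst01 legal_hold 900000000
2013-05-01 analyst02 team_docs 30000000
2013-05-02 analyst02 team_docs 28000000
2013-05-03 analyst02 team_docs 34000000
2013-05-04 analyst02 team_docs 29500000
2013-05-05 analyst02 team_docs 31000000
2013-05-06 analyst02 team_docs 27000000
2013-05-07 analyst02 team_docs 33000000
2013-05-08 analyst02 team_docs 30500000
2013-05-09 analyst02 team_docs 41000000
"""


def parse_log(text):
    """Return {user: {day: {share: bytes}}} from 'day user share bytes' lines."""
    per_user = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, share, nbytes = line.split()
        by_share = per_user[user][day]
        by_share[share] = by_share.get(share, 0) + int(nbytes)
    return per_user


def robust_z(value, history):
    """Modified z-score: 0.6745 * (x - median) / MAD.

    Median and MAD are used instead of mean and standard deviation so one
    extreme day already in the history cannot inflate the scale and hide
    the next one. A MAD of zero (a perfectly flat history) falls back to
    10% of the median so a flat baseline does not divide by zero.
    """
    med = median(history)
    mad = median(abs(h - med) for h in history)
    scale = mad if mad > 0 else max(0.1 * med, 1.0)
    return 0.6745 * (value - med) / scale


def find_anomalies(text, threshold=6.0, min_history=7):
    """Flag user-days whose volume departs from that user's own prior days,
    and user-days on which shares never seen for that user were accessed.

    Days with fewer than min_history prior days are not scored: with no
    baseline, every share is "new" and every volume is "unusual".
    """
    findings = []
    for user, days in parse_log(text).items():
        history, seen_shares = [], set()
        for day in sorted(days):
            total = sum(days[day].values())
            new_shares = sorted(set(days[day]) - seen_shares)
            if len(history) >= min_history:
                z = robust_z(total, history)
                reasons = []
                if z >= threshold:
                    reasons.append("volume_spike")
                if new_shares:
                    reasons.append("new_shares")
                if reasons:
                    findings.append({"user": user, "day": day, "bytes": total,
                                     "z": round(z, 1), "reasons": reasons,
                                     "new_shares": new_shares})
            history.append(total)
            seen_shares.update(days[day])
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(finding)
```

Run as-is, the only finding is analyst01 on 2013-05-09: a modified z-score in the thousands plus two never-before-seen shares. analyst02’s 41 MB day scores about 4.8 against a baseline of roughly 30 MB and is left alone at the default threshold of 6; lowering the threshold to 4 flags it too, which is the tuning trade-off an analyst makes against their own false-positive budget.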

Security technology isn’t just for the external threats

Data loss prevention (DLP), which typically scans outbound data for known sensitive information, can also help, although it is not a replacement for good physical security: it would not have prevented Snowden or Chelsea Manning from walking out with secrets burned onto CDs labelled, say, “Lady Gaga.”
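To make the “scans outbound data for known sensitive information” concrete, here is an added example of the two checks a DLP gateway typically performs; it is not the article’s code or any vendor’s. The first is pattern matching on formats a policy forbids (a classification marking; a card number, validated with the Luhn check so arbitrary 16-digit order numbers are not held). The second is document fingerprinting: a registered document is hashed in overlapping six-word windows, so a paragraph pasted into an email is recognised even when the whole file is never attached. The patterns, the registered document and the outbound messages are all constructed for the demonstration, and the limitation from the paragraph above holds here too: the scanner only sees the channel it sits on.

```python
"""Outbound-content checks of the kind a DLP gateway performs.

Added example, not the article's or any vendor's code. The patterns, the
"known sensitive" document and the outbound messages are constructed for
the demonstration. It inspects only the channel it sits on: data burned to
a CD and carried out of the building never passes through it.
"""
import hashlib
import re

# Classification markings that policy says must never leave the organisation.
MARKING_RE = re.compile(r"\b(TOP SECRET|SECRET|CONFIDENTIAL)(//[A-Z]+)?\b")
# 16 digits with optional space/dash separators; validated with Luhn below
# so other 16-digit identifiers (order numbers, IMEIs) do not trip it.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){15}\b")

# Constructed document already registered as sensitive with the DLP system.
KNOWN_DOC = (
    "Project Nightjar quarterly plan. Vendor pricing for the Q3 handset "
    "refresh is fixed at 412 dollars per unit. The supplier contract renews "
    "on the first of October and may not be disclosed outside the finance team."
)


def luhn_valid(digits):
    """Luhn check over a digit string (payment card numbers carry a check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def shingles(text, k=6):
    """SHA-256 fingerprints of every k-word window of normalised text.

    Matching on windows rather than whole files means a pasted paragraph
    from a registered document is still recognised.
    """
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}


def scan_outbound(message, fingerprints, min_matches=2):
    """Return the sorted list of reasons an outbound message would be held.

    min_matches > 1 keeps a single six-word phrase that happens to occur
    in a registered document from holding unrelated mail.
    """
    reasons = set()
    if MARKING_RE.search(message):
        reasons.add("classification_marking")
    for m in CARD_RE.finditer(message):
        if luhn_valid(re.sub(r"[ -]", "", m.group(0))):
            reasons.add("card_number")
    if len(shingles(message) & fingerprints) >= min_matches:
        reasons.add("known_document")
    return sorted(reasons)


# Constructed outbound messages.
MESSAGES = [
    "Hi all, lunch at noon?",
    "FYI the supplier contract renews on the first of October and may not "
    "be disclosed outside the finance team",
    "card 4111 1111 1111 1111 exp 12/19",
    "order id 1234 5678 9012 3456",
    "Marking: CONFIDENTIAL//FINANCE - see attached",
]

if __name__ == "__main__":
    known = shingles(KNOWN_DOC)
    for msg in MESSAGES:
        print(scan_outbound(msg, known) or ["clean"], "<-", msg)
```

The second and third messages are held (fingerprint match and valid card number respectively), the fifth is held for its marking, and the fourth passes because 1234 5678 9012 3456 fails the Luhn check even though it looks like a card number.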

None of these, however, will detect or prevent the most dangerous insider threat: an employee taking sensitive information they were legitimately entrusted with in order to do their job. This is far less preventable with technology and requires insight into employees’ changing behaviour and attitudes.

In order to best protect an organisation from insider threat, CIOs and CISOs need to approach these attacks differently, compared to external attacks. First and foremost, they need to stop treating the internal network like it’s a safe or trusted zone. It’s not. BYOD environments realise this, but the more important lesson here is that non-BYOD networks aren’t safe either.

Regular internal vulnerability assessments and penetration testing are key to finding and remediating internal weaknesses. Remediation is the key. I can’t even tell you how many internal assessments we’ve performed to check a compliance box that it was done, but the results were never acted upon.

Adding behavioural intrusion detection system (IDS) sensors on the internal network will improve the situation drastically, as will regular evaluation of access rights and sharing permissions.
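The “regular evaluation of access rights and sharing permissions” recommended here, and the improper sharing permissions named earlier as a common avenue, are easiest to act on when the review is a repeatable script rather than a spreadsheet. The following is an added example, not the article’s code or any product’s, of such a review run over a constructed share inventory and a constructed directory export. The record format, the principal names, the classification labels and the three policy rules (no broad groups on sensitive shares, no access for departed or unresolvable principals, write access only from the owning department) are all assumptions; how you export the ACLs from your file servers is product-specific and not shown.

```python
"""Access-rights review over an exported share inventory.

Added example, not the article's or any product's code. The inventory
format, principal names, classification labels and policy rules are
assumptions for the demonstration; every record below is constructed.
"""

BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
SENSITIVE_LABELS = {"Confidential", "Restricted"}

# Constructed directory export: employment status and department per user.
USERS = {
    "alice": {"status": "active", "dept": "finance"},
    "bob": {"status": "active", "dept": "engineering"},
    "carol": {"status": "departed", "dept": "finance"},
    "dave": {"status": "active", "dept": "sales"},
}

# Constructed share inventory: classification, owning department and the
# effective grants (principal -> highest right) as exported from the server.
# The raw SID stands for an account deleted from the directory but never
# removed from the ACL.
SHARES = [
    {"path": r"\\fs01\finance\forecasts", "classification": "Confidential",
     "owner_dept": "finance",
     "grants": {"alice": "modify", "carol": "read", "Domain Users": "read"}},
    {"path": r"\\fs01\eng\src", "classification": "Restricted",
     "owner_dept": "engineering",
     "grants": {"bob": "modify", "dave": "modify",
                "S-1-5-21-1004336348-1177238915-682003330-1105": "read"}},
    {"path": r"\\fs01\public\templates", "classification": "Public",
     "owner_dept": "it", "grants": {"Everyone": "read"}},
]


def review_share(share, users):
    """Return (severity, principal, reason) tuples for one share.

    Rules applied per grant:
      1. broad groups may not appear on sensitive shares at all;
      2. a principal missing from the directory is an orphaned or unresolved SID;
      3. departed users must hold no access;
      4. write access should come from the owning department.
    """
    findings = []
    sensitive = share["classification"] in SENSITIVE_LABELS
    for principal, right in share["grants"].items():
        if principal in BROAD_PRINCIPALS:
            if sensitive:
                findings.append(("high", principal, "broad group on sensitive share"))
            continue
        user = users.get(principal)
        if user is None:
            findings.append(("medium", principal, "principal not in directory (orphaned SID)"))
        elif user["status"] != "active":
            findings.append(("high", principal, "departed user still granted access"))
        elif right == "modify" and user["dept"] != share["owner_dept"]:
            findings.append(("medium", principal, "write access from outside owning department"))
    return findings


def review_all(shares, users):
    """Map share path -> findings, omitting shares with nothing to report."""
    report = {}
    for share in shares:
        findings = review_share(share, users)
        if findings:
            report[share["path"]] = findings
    return report


if __name__ == "__main__":
    for path, findings in review_all(SHARES, USERS).items():
        print(path)
        for severity, principal, reason in findings:
            print(f"  [{severity}] {principal}: {reason}")
```

On the constructed data the finance share yields two high findings (a departed user and Domain Users on a Confidential share), the engineering share two medium ones (a sales user with write access and an orphaned SID), and the public share, where Everyone having read is the intended state, yields none. Diffing successive runs of the report is what turns this from a one-off assessment into the regular evaluation the paragraph calls for.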

The theft of IP due to insider threats can be far more damaging than an external attack. A disgruntled employee is both hard to spot, and even harder to stop if they are determined to steal or maliciously use sensitive company information. But with the right technologies, controls and processes in place, it will be far easier to detect and stop insider threats than if none of the above were in place.