Is Cybersecurity an Inside Job?

October 16, 2013 By
While security clearance and authentication processes are essential to physical and other security, the physical DC Navy Yard breach by Aaron Alexis and the state secret breaches by Edward Snowden illustrate some disturbing weaknesses in personnel validation and authentication. These clearance breaches were very different in nature, but together they show the range of ways in which a person's deliberate action can subvert basic security measures.

Neither top secret clearance, sophisticated authentication nor the most advanced encrypted information systems can necessarily stop an intended breach action. These security procedures are not designed to detect real-time actions and anomalous business processes from authorized personnel. These practices are just the "moat around the castle" approach upon which most current cybersecurity technologies are based. Current national security breaches clearly show we need to do more.


The Enemy Within

The highest percent of breaches occur inside an organization. When a criminal wants something specific he or she will choose the path of least resistance to obtain it. Cybercriminals don’t do this by breaking complex security algorithms. They normally do it by gaining access as a trusted insider, using and manipulating secured and authorized software and hardware to which they have access.

Corporate espionage has utilized this methodology for years and now entire countries are using software exploits to gain access to state secrets in this new cyberwar. Authenticated access is not the issue. The unknown enemy already has access. We need to quit focusing so much on allowing and disallowing access and instead watch the business system process tools and how people are using them.

As our organizational systems grow larger and our business process and control systems become more complex and connected, we begin to lose track of what we are doing, let alone securing what we are doing. We currently run business processes using layers of software, hardware and people, all trying to achieve a certain departmental or subsystem task. Whether software, machine or human -- the actions of these process components are seldom if ever combined in a single understandable view of the entire process. Without a total system action view, the breach of a single process action can greatly affect other connected process actions and potentially take down the whole system.

These process actions are the Achilles heel of cybersecurity and they cannot be defended by hardening physical, network or system information process security. We need to direct our attention more toward action viewing technologies vs. encrypted authorized actions. We need to assume the enemy is already in and needs to be watched.


What We Don’t See Can Hurt Us

While many people are very concerned about technical snooping capabilities, the fact is that we need better snooping capabilities in areas such as critical infrastructure, industrial control systems, intellectual property and national defense. We have created massive intelligence process capabilities through computer software, hardware and networks and have done a pretty good job securing the transport and storage of information, but little in securing system processes. When we interconnect multiple actions to multiple processes without detection capabilities, we leave a wide open opportunity for breaches. Physical security in background checks, biometric authentication, RFID location-based services and network encryption all have value, but they alone will not stop an authenticated breach. We are not even looking in the right place.

The recent national security breaches were recognized at the action output level after the breach action already occurred. These breaches demonstrate two very important requirements in security that we must be concerned with. One is that we need to add intelligence to physical, human and machine actions that view and even predict a physical breach like a person breaking barricades. We can’t just go back to the old days and think that getting rid of all this digital smart stuff will improve security. It won’t. These intelligent and connected technologies can greatly help both physical and digital security if properly implemented. There are a multitude of technologies that can give intelligence to our physical world.

The second important requirement is the timing of when a process action breach occurs versus when a process breach can be observed and blocked. This is where new technologies such as anomaly detection can be used to recognize, audit and block these process actions at the real-time data input level, when seconds matter. The technologies exist and are called anomaly detection. Companies such as IBM and Decision Zone have so much belief in these technologies that they have both patented their solutions. When things aren't working properly, as demonstrated by the scale and magnitude of the cyber breaches we see today, we need to do something different, and there are some security companies that are realizing this. So the big question is how much? The answer may surprise you.


Cost Justifying Security Through Anomaly Detection Process Efficiencies

One of the biggest concerns in security services is the initial cost of deploying these technologies, the continued cost of using them and how these costs can be justified. Even improvements in first-level authentication and IT security are not yet considered a cost of doing business, although these opinions are changing. There are ROI calculators that are now at least trying to put a number on the cost of potential security breaches, and attempts to reduce insurance policy premiums when cybersecurity defensive plans can be demonstrated.

Security is only the anomaly detection of an incorrect process action. Viewing the process actions more accurately through anomaly detection can also improve the total process; security is really only a byproduct of detecting anomalous actions that are not part of the process. People are not buying security because they can't justify the cost. Both the public and private sectors can gain efficiencies through the use of anomaly detection, resulting in service savings or profit that would justify the cost of security. The process efficiencies gained through anomaly detection technologies can absorb the cost of security while improving process actions.



Problems occur in business processes when someone or some technology does something wrong, whether intentionally, by mistake or as part of a targeted attack. We can only achieve true security when multiple actions and processes can be detected simultaneously and in real time. New technologies are offering these capabilities at a time when we are rapidly connecting humans to intelligent machines whose capabilities are so large that we are having trouble even viewing these processes.

We need to start recognizing that authentication of a person, no matter how accurate the techniques used, is only the first level of cybersecurity. True security can only be achieved by combining prevention and detection technologies at the real-time business or process input action level. Most security breaches occur quickly and are themselves an input process action. Using technology that can focus on these input actions is where we need to focus our efforts.

True cybersecurity will be obtained when we can effectively view, audit, correct and block organizational process actions. If you could have a technology that does this, then why not?  


Are Black Hats and White Hats Really Grey Hats?

Image by Pedro Nunes
August 8, 2013 By
I advise security companies that have demonstrated cybersecurity technologies far superior to those generally offered today. So why aren't we using them? The reasons have little to do with technology and a lot to do with people. Hackers sell security exploits daily on the open market while regulatory organizations take two years or more to write security regulations. Recent DEFCON and Black Hat conventions in Las Vegas clearly demonstrated that offense is far out in front of defense. So are we really trying to secure cyber? The answer is "yes and no" and there are good reasons for both. Let's take a look at the two hats we wear while trying to find the balance.

Those Pesky Humans
There are a lot of serious mathematicians and scientists in cybersecurity. They develop rather complex systematic approaches to security solutions that do not like intermittent variables. You know -- people. Everything looks great until people enter into the digital process logic, then it all changes. 

Securing machine-to-machine actions is relatively simple. You have a software logic map that does what it is supposed to do (although we don't often audit them in security) and the machine action responds to the given audited logic commands. These process actions are often relatively simple and repetitious, so they can be secured to assure that no changes have been made in the information system process.

The problem occurs when we start adding layers of software logic with access to hundreds of machines and thousands of devices, and then add the human variable into the mix. Now it gets messy, and the best mathematical algorithm in the world won't fix this one. This is when you need a good process detection technology that can watch and audit both human and machine actions. These technologies exist, and they are the same ones people have lately grown a little sensitive about on personal privacy grounds.

Personal privacy aside, we must understand that in critical process applications these same technologies actually need improvement if we are to obtain superior defensive cybersecurity. There is a big difference between personal privacy and information privacy in the workplace, and also in which technologies should be used for those purposes.

Old Security Standards Methods Won’t Work
Remember when things were easier? A standards group put a thousand eyes on a problem, leveraged corporate and government money and made things the way everyone agreed they should be. Everyone got something and everyone was happy. But then the hackers showed up and made a mess of things by finding vulnerabilities only days after the security standards were released.  

For the first time since 2005, the U.S. National Institute of Standards and Technology (NIST) has revised federal cybersecurity standards. What took so long? Because writing regulations takes 24–36 months. Meanwhile new technologies hit the marketplace, including a supercomputer that can be purchased for $100. This means that new security regulations are already outdated by the time they are implemented. When you have massive standards and compliance bureaucracies on one side and an independent hacker with no rules or regulations on the other, guess who is going to be able to respond more quickly? The game has changed and so must the methods of approving and deploying cybersecurity technologies. 

Cybersecurity is different from most other technologies. The more people that know about the technology, the more vulnerable you become. Creating a bunch of college courses in cybersecurity offers the potential for lots more hackers. If it comes down to the ethics of being a white hat or black hat, the first priority today is 'where can I get a job and how much are you paying?' Government officials have learned this and are today playing catch-up by even hiring the black hats when needed.

There is no easy answer to these cybersecurity problems, but there is a clear understanding that fixing the problems won't be accomplished with standards, compliance and mandates. This process has proven very expensive and has offered little in the way of strong, defensive cybersecurity measures. Just trying to keep up with vulnerabilities has been hard enough and frankly, the exploit offense technologies are currently beating the security prevention and detection defense technologies every which way. The game has changed and we need a way to get game-changing technologies to the forefront of cybersecurity quickly. That won't happen by belaboring bureaucracies that just are not fast enough or smart enough to react to the rapidly changing world of cybersecurity.

Expensive Band-Aid Security
We will continue to have cyberbreaches by continuing to rely on Band-Aids to "fix" vulnerabilities we find in our software. These intentional and unintentional back doors are problematic in both old and new software. Intentional back doors are often put in software for simple maintenance and upgrades. These known vulnerabilities need to be continually monitored if we are to ever achieve any acceptable level of cybersecurity. We also have the secret back doors put there through collaboration by government agencies and the private-sector that have recently received some attention.
The biggest problem is the unintentional back doors introduced by rushing products out without proper security audits, or simply by writing bad code. Whether it's intentional or unintentional, it's all the same to a hacker. It's a way in, and today's hackers can find these vulnerabilities so quickly with exploit software that security patches are at best just playing catch-up.

To make matters worse, there is an increasing and disturbing trend in finding and correcting security vulnerabilities. A recent article in the New York Times, “Nations Buying as Hackers Sell Flaws in Computer Code”, disclosed an open market on zero-day security flaws offering hundreds of thousands of dollars to hackers. Once discovered, these flaws can be immediately leveraged by hackers and taken advantage of through the sale of the information or threatened use in a cyberattack. The use of the information in zero-day exploits can be leveraged by both hackers and governments at will before anyone else knows the vulnerability exists. This is today's dangerous back-and-forth exploit game. 

Whether intentional or not, these security flaws have added up over the years and are continually being discovered. As the saying goes, "pay me now or pay me later."  We are now paying for years of software vulnerabilities and need to use defensive technologies to counter-attack these exploits as discussed in an earlier article, rather than just continue paying ransom for potential offensive hits.

Privileged Information and Trust
We seem to be having a little problem understanding what privileged information is and what it is not. Privileged information is that which should be protected from disclosure by single individuals, or from sharing metadata between government agencies and thousands of companies. Abuse of this kind can deprive the originator(s) from their rightful compensation of years of work, intellectual property or nation-state security. We do not properly protect privileged information and its rightful ownership. Cybertheft of intellectual property is reaching a trillion dollars in just the U.S., so there must be a change in the way information is stored and secured by both the public and private sectors. These changes may even be seen in a loss of trust and business by some of the largest data center providers in the world.

Still to be seen -- with the recent disclosure of government surveillance programs such as PRISM -- is how U.S. cloud service hosting centers and the technology companies that support them will be affected. The Cloud Security Alliance revealed some disturbing results in its July 2013 survey. The survey asked how the recent disclosure of programs such as PRISM affects attitudes about using public cloud providers as well as any other broadly available Internet services. The results clearly demonstrated a decline in trust of U.S. cloud hosting services among foreign respondents. For example, 56 percent were less likely to use U.S. cloud service providers. This concern goes much deeper, with major software and hardware suppliers also being questioned and potentially taking a hit.

One thing is certain: U.S. data centers and the technologies they provide will be under a lot of scrutiny in the future and have a lot of trust to regain and validate. A happy medium may be found in new private cloud services or even a return to private enterprise networks. Either way, the status quo is no longer acceptable and trust must be regained.

We live in an age where the technology marketplace has trumped security needs for decades and we are now paying the price. We are currently releasing millions of connected products and services with little concern for security while hackers easily find vulnerabilities and readily sell exploit capabilities. Our security approval processes have become a hindrance in releasing timely defensive cybersecurity capabilities that are hacked by the time the standards are released. Those responsible for the use of security technologies and the information these technologies provide require a high level of ethical responsibility and in turn require checks and balances of personal oversight.

Security only works when you are all in and all on the same page. The other choice is all-out cyberwar, which is a lot more devastating than most people realize. From secret state espionage to abuses in political power, cyberwar could devastate any country. It would be to everyone's advantage to find a middle ground and quit pretending we are all perfect. We are not. If you have been in the security business long enough, you probably have to admit your hat isn't white or black. It's really kind of grey.


Column: Cyber Attacks the Reality, the Reason and the Resolution Part 3

The smart phone may be the go-to personal control device that will multiply security access privileges under a single authentication. Photo from Shutterstock

June 19, 2013 By

We are connecting digital intelligence to our homes, businesses, critical infrastructure and national defense at such staggering rates that we had to come up with methods of collecting "big data." Individuals now have the ability to access terabytes of information, millions of apps and thousands of devices that have the potential of activating critical processes at the touch of a screen. Security has been a continual afterthought even in areas as sensitive as our power grid. Even when security is responsibly deployed, breaches still happen, disclosing the weaknesses of current security solutions. There is no one-size-fits-all in cyber solutions. Instead, the best of the pieces are assembled to achieve the best possible security. Here are some good pieces of the security puzzle that when put together, offer resolution to the big problems faced today in cyberattacks.

Securing the End Points

Whether you want to secure your private conversations or a corporate database, you must first have a way to authenticate the human or machine initiating action. Sadly, this needs a lot of work. Fortunately, there is a lot of available technology to choose from.

With the password being just about dead, companies are reaching for other ways to effectively authenticate and validate this all-important initial process: access. From biometric human authentication to encrypted nano-sensors offering machine location-based identifiers, we have the technologies to securely authenticate the start of just about anything. With the computing power and popularity of BYOD, the smart phone may be the go-to personal control device that will multiply security access privileges under a single authentication. We are now just beginning to deploy apps and chip sets supporting these authentication capabilities.

When we communicate to a machine, the security beginning and end point is not a port or cable connected to some device. The points are often very complex microchips with coded processes within themselves. These trusted computer chips like BYOD devices can become part of the solution in cybersecurity -- and part of the problem.

Don Thompson, CEO of MerlinCryption, explains the potential threat of microchip foul play in cybersecurity. "Embedding malicious code or 'back doors' into microchips is a growing trend in espionage," says Thompson. "The rogue chip conspiratorially communicates critical intelligence back to its criminal host. It is paramount to procure only tamper-proof USA-made chips to be used in developing the circuit board, then reinforce the device with robust encryption. End-point encryption, coupled with multi-factor authentication thwarts attacks against data."

Securing Data in Motion

The most common solution for moving secured information over the Internet is the Virtual Private Network (VPN). A VPN extends a private network across public networks like the Internet by establishing a virtual point-to-point connection through the use of dedicated connections or encryption. These techniques add security to the information flow but are expensive and still have security vulnerabilities. Realizing these costs and the security concerns with VPNs, a team at STTarx developed a method of truly protecting data-at-rest and data-in-motion and also masking transmissions. Their networks are stealthy and impenetrable and messaging is immune to illicit decryption. This technique offers an economical and secure method of passing data through the Internet.

Curt Massey, the CEO of STTarx Shield, explains this unique process. "We never accepted the common wisdom that networks must always be vulnerable or that messaging must rely on increasingly complex and cumbersome encryption algorithms that would eventually be broken. We used a fundamentally different approach to solving both issues. Every pen tester for a period of years has walked away scratching their heads due to complete failure to either penetrate our networks or even capture our traffic. Those to whom we have given sample STTarx traffic have been completely unsuccessful in decrypting it. We enable other solutions to focus on protecting the internal network."

Securing the Process

Today we connect multiple levels of people, applications, software, hardware and networks to our enterprise, control systems and cloud computing. There are so many layers that we are beginning to lose control of what the business process and software logic action is supposed to be doing, even though it is secured and authenticated. This is why recent exploit attacks have been directed without detection toward system process software, not just networks and databases. We need a method of real-time viewing, auditing and even blocking multiple simultaneous process actions. Rajeev Bhargava, CEO of Decision-Zone, found this same problem when trying to debug software programs, which led him to the unique use of graphical anomaly detection as a new method of intrusion detection security. This is how he explains it.

"The conventional view of security is primarily aimed at securing an organization’s assets, including facilities, goods, IT infrastructure and information silos. However, the characteristics of the threat environment organizations are exposed to are changing. Whereas in the past solitary intruders sought entry into an organization's network and facilities and created minor damage; nowadays these attacks originate from highly organized groups and are aimed at obtaining services or money by disrupting or diverting the victim’s normal business operations. Sometimes this is an authorized and authenticated insider.

"Processes, by nature, consist of a number of tasks performed by different individuals, usually within different departments," said Bhargava, "making them vulnerable to mistakes, misunderstandings, miscommunications and abuse. A business process consists of a set of logically interrelated tasks, intended to generate an output beneficial to the organization. A process aims to create higher-value output from lower-value input, at a cost that is lower than the increase in value of the generated product. These processes have extreme value to a company and often are the reason they have a competitive edge. These process inputs are the same place where security breaches can be identified, audited and potentially blocked. Decision-Zone has built the ultimate process security application for validating/tracking these input actions against the business process logic assuring both process productivity and process security."
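The process-level check described above, and in the "Cost Justifying Security" section of the first column (validating each authenticated user's input action against the business process logic rather than only checking who the user is), as an added Python example that is not code from the column's author, IBM or Decision-Zone. The order-handling process, its roles, the separation-of-duties pairs and the log format are all constructed assumptions:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed process model (an assumption, not any vendor's model): for each
# order, which task may follow the last accepted task. None = not yet started.
ALLOWED_NEXT: Dict[Optional[str], Set[str]] = {
    None: {"create_order"},
    "create_order": {"approve_order"},
    "approve_order": {"ship_order"},
    "ship_order": {"issue_invoice"},
    "issue_invoice": {"record_payment"},
    "record_payment": set(),
}

# Roles allowed to perform each task: the access-control part that passes.
TASK_ROLES: Dict[str, Set[str]] = {
    "create_order": {"sales"},
    "approve_order": {"manager"},
    "ship_order": {"warehouse"},
    "issue_invoice": {"finance"},
    "record_payment": {"finance"},
}

# Separation of duties: one user must not do both tasks on the same order,
# even when the role permits each task on its own.
SOD_PAIRS: Set[Tuple[str, str]] = {
    ("create_order", "approve_order"),
    ("issue_invoice", "record_payment"),
}


@dataclass(frozen=True)
class Event:
    ts: int
    user: str
    role: str
    order: str
    task: str


@dataclass(frozen=True)
class Anomaly:
    event: Event
    reason: str


class ProcessMonitor:
    """Streaming check: every submitted action is validated against the
    process model before it is applied. A non-conforming action is blocked
    (not applied to the order's state) and reported as an Anomaly."""

    def __init__(self) -> None:
        self.last_task: Dict[str, Optional[str]] = {}
        self.done_by: Dict[str, Dict[str, str]] = {}

    def submit(self, ev: Event) -> Optional[Anomaly]:
        reason = self._violation(ev)
        if reason is not None:
            return Anomaly(ev, reason)
        self.last_task[ev.order] = ev.task
        self.done_by.setdefault(ev.order, {})[ev.task] = ev.user
        return None

    def _violation(self, ev: Event) -> Optional[str]:
        if ev.task not in TASK_ROLES:
            return f"unknown task {ev.task!r}"
        if ev.role not in TASK_ROLES[ev.task]:
            return f"role {ev.role!r} may not perform {ev.task!r}"
        last = self.last_task.get(ev.order)
        if ev.task not in ALLOWED_NEXT[last]:
            return f"out of sequence: {ev.task!r} after {last!r}"
        prior = self.done_by.get(ev.order, {})
        for first, second in SOD_PAIRS:
            if ev.task == second and prior.get(first) == ev.user:
                return f"separation of duties: {ev.user!r} did {first!r} and {second!r}"
        return None


def parse_log(text: str) -> List[Event]:
    """Parse constructed 'ts user role order task' lines."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, order, task = line.split()
        events.append(Event(int(ts), user, role, order, task))
    return events


def detect_anomalies(log_text: str) -> List[Anomaly]:
    monitor = ProcessMonitor()
    return [a for a in map(monitor.submit, parse_log(log_text)) if a is not None]


# Constructed sample log. Every user is authenticated and holds a real role,
# so access control alone raises nothing; lines 5, 7, 8 and 9 are anomalous
# at the process level (self-approval, self-payment, skipped steps).
SAMPLE_LOG = """
1 alice sales ORD-1 create_order
2 bob manager ORD-1 approve_order
3 carol warehouse ORD-1 ship_order
4 dave finance ORD-1 issue_invoice
5 dave finance ORD-1 record_payment
6 alice sales ORD-2 create_order
7 alice sales ORD-2 approve_order
8 erin warehouse ORD-3 ship_order
9 carol warehouse ORD-2 ship_order
"""

if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_LOG):
        print(f"t={a.event.ts} {a.event.user}/{a.event.order}: {a.reason}")
```

Because blocked actions are never applied, line 9 is still flagged: the approval on line 7 was refused, so ORD-2 has no approval to ship against.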


Disclosures of cybersecurity breaches are constant. The damage done, money lost and intellectual property stolen is staggering. State-sponsored attacks have been validated, banks robbed, intellectual property stolen, even attacks on your personal privacy. Studies have clearly stated the certainty that you have been breached or will be breached. The companies researched and quoted above have clearly stated their cases, have tested their capabilities and together can offer resolutions to specifically address these security issues.

Knowing the reality and reasons behind cyberattacks, it’s time to stop talking and start offering resolution to these serious problems. In the last few weeks, with no uncertainty, we have recognized the immediate need for cybersecurity solutions from our personal privacy to national defense. There is no "it won’t happen to me" anymore. There is no more sticking our heads in the sand. We must immediately deploy prevention and detection technologies to our critical processes or frankly, we could lose it all.  


Column: Cyber Attacks -- the Reality, the Reason and the Resolution. Part 2

Computer Hacking Increase

June 7, 2013 By
Today, as in the beginning days of the Internet, people hack for power and money -- and for one other reason: simply because they can.

Early on, there were black hats and white hats; they were just much more reserved and secretive than today's headline-capturing hackers. The difference today is that there are massive amounts of information, intellectual property and money moving back and forth on information systems. Successful hacking attempts disclosed in just the last few weeks have demonstrated how millions of dollars in cash and trillions in state secrets can be stolen, comparable to the amounts taken in past wars. With the seriousness of cyber war now upon us, let's look in more depth at the reasons.

Reason No. 1: Power

With personal portable storage capabilities in terabytes and global Internet access available to all, organizations such as the National Security Agency (NSA) got interested in gaining power and control over technologies that could access these information systems. This led to years of control of encryption algorithms, software back doors, wireless spectrum and increased control over the Internet.
The NSA's information gathering is now refined in a secretive unit known as Tailored Access Operations. TAO identifies, monitors, infiltrates and gathers intelligence on computer systems being used by entities hostile to the United States. The unit uses automated hacking software to harvest approximately 2 petabytes of data per hour, which is largely processed automatically. With this much technological power must come responsible restraint. The U.S. Department of Defense calls the use of offensive exploit hacking "computer network exploitation," but emphasized that it doesn’t target technology, trade or financial secrets.

There is, however, a thin line here: exploitation hacking technologies can quickly turn cybersecurity defense into cyber war offense. The first big example of cyber offense was the use of very sophisticated exploit malware called Stuxnet, which was used to attack the control system of an Iranian nuclear plant. Recently a state-sponsored attack was disclosed in a Defense Science Board study, as reported by The Washington Post. More than two dozen top U.S. weapons systems -- including the Patriot missile defense program, the V-22 Osprey, the Black Hawk helicopter and the Navy's new Littoral Combat Ship -- were compromised by a Chinese cyber espionage attack. This use of computer network exploitation is a clear example of just how powerful these cyber technologies are -- and how defenseless we are in stopping them.

In the past, as today, standards, compliance mandates and even secret government programs try to keep the potential use or abuse of both defensive and offensive information system security technologies in check. Big corporate and government involvement in these security technologies coordinated timely distribution of adequate security technologies while still controlling sophisticated methods of cracking security if needed. Today there is software that can find security back doors in minutes, and new exploit tools can be downloaded daily, making control of information security solutions much more difficult. We have reached a point in cybersecurity where we must focus on solutions that cannot be manipulated.  We can't continue to think we can deploy cyber technologies that have hidden access or can develop exploit systems fast enough to stay ahead of a world of knowledgeable hackers. The true power in cybersecurity is just what it says it is: security. Nations that focus on financing defensive technologies will prove to have the real power in this cyber game.

Reason No. 2: Money

Cybercrime is now believed to be the No. 1 form of crime, exceeding even illegal drug trade. Some figures within the last year give an idea of how much money we are talking about -- commercial and government projections count trillions of dollars lost in global intellectual property, with recent bank robberies of $45 million in cash.

Attacks on the Pentagon by China clearly show how financially devastating the cost of these attacks can be. The cost of the F-35 Joint Strike Fighter, for example -- the most expensive weapons system ever built -- is estimated at $1.4 trillion. This is the largest single dollar-value theft of intellectual property and could take generations of taxes to recover.  And this is just what is out in the open. Corporations have paid ransoms to keep their intellectual property, and some have even purchased stolen intellectual property. The stealing of IP has become so great that it is beginning to affect the backing of venture capital in start-up companies. Why pay for seed money for R&D if it can just be stolen? The protection of intellectual property and the dollar loss behind it has reached a threshold that demands immediate attention.
There are also legal beneficiaries of these cyberattacks, such as the people who sell security software, hardware and services. These companies clearly see new business on the horizon, such as smartphones, and are enjoying significant increases in profit. There are acquisitions and mergers of cybersecurity companies being made to strategically capture these profits. From penetration testing to consulting, things are pretty good for people in the cybersecurity business. Even hackers can make an honest buck. Experienced cybersecurity jobs now start at $100,000 per year for entry-level positions. Good hackers can just about write their own paycheck, and are offered jobs in U.S. government organizations such as Homeland Security, Department of Defense, NSA and even DARPA. Exploit hackers are now paid as speakers at national conventions as they demonstrate their new hacking capabilities to an applauding audience.

Yes, there is money to be made in cybersecurity -- but there are also costs.

Reason No. 3: Because I Can

In the early days of the Internet, I worked for suppliers of fiber-optic networks and Internet services, and I shared information with the FBI on child pornography, money laundering, credit card theft and personal identification theft. This business has exploded to a multibillion dollar business, as seen by a recent Secret Service bust of a $6 billion money laundering scheme. In the past, the bad guys quickly found out who the best hackers were and offered them big bucks -- and sometimes threats -- to assure support of their organized crime endeavors. Back then, I was caught between the black hats and white hats, and found one reason that they both hacked: simply because they could.

Sometimes hackers honestly can't stop themselves from so easily hacking information systems -- it's like leaving your house doors wide open, leaving for a year and wondering if someone will take something. In hacking, "the easy stuff first" still prevails, while the use of cybersecurity exploit technologies is just making things a lot easier. If we are to keep up, we must improve and move more quickly to stop targeted attacks. If you make it too easy, the likelihood of hackers attacking you is much greater, just because they can.

So if we have cybersecurity protection, then why are hackers hacking? Because they can. Secret back doors are even now affecting industrial control systems all over the world. Encryption algorithms classified for specific use and restricted transport have been stolen from encryption key repositories, and then used to access sensitive information held by organizations such as government contractors. Virus protection companies have known limitations in stopping malware while they charge people to remove the ones they missed. Sadly, the legacy cybersecurity technologies being used today don't work very well -- and the hackers know it. Even new analytic technologies are showing their weaknesses, requiring human intervention in analyzing the big data that is now overpowering current IT staff and systems. Why can hackers hack? Because we are using security technologies that have the appearance of security, but are not truly secure.

Conclusion: Offense vs. Defense

The trends and focus of obtaining new cyber offensive exploitation technologies vs. cybersecurity defensive technologies are troubling.

As a cybersecurity advisor and expert, I know of intrusion detection technologies that have been reviewed and tested at the highest levels and could, in fact, stop cyberattacks. When truly securing things, you sometimes have to give up capabilities like backdoor snooping or digital audit trails so accurate that no court would challenge the evidence -- things some aren't willing to part with. Our problem in the world today is that we have to resurrect things like honesty and moral character or, at a minimum, "trust but verify." If we expect our homes, or neighborhoods, cities, country and workplaces to be secure, then we must show ourselves deserving while still monitoring for adversarial attacks.

We are adding cost to everything because we can't seem to curtail everyone stealing from everyone. Yes, we can use the same technology to aggressively retaliate against those who attack us, but this is a slippery slope that can lead to complete moral and economic disaster -- even war.

So what's the difference between today's hacking and the deterring technologies that can stop it? Not much. Do you think we can survive without putting in a working cybersecurity defense? Do you want to know what the outcome is if we don't?

Read the first part in this three-part series here. The last article will cover the resolution of cyberattacks and the available technologies that can correct it.


Column: Cyber Attacks -- the Reality, the Reason and the Resolution. Part 1

May 24, 2013 By

The amount of press on cyberattacks is increasing every day even though the media covers only a small portion of what actually is happening. From banks to intellectual property to near declarations of war, these continued attacks have the ability to cause widespread destruction and need to be taken seriously. These cyberbreaches have reached critical mass and are so big that they could change a nation’s economic status in minutes.

In this three-part series, researched facts will assure you that if you own a computer, are a government employee or run a business, you have been cyber-compromised. This is not the bad news though. The bad news is that things are getting much worse, according to statistics.

Vulnerabilities are Real and Increasing

We are reaching alarming thresholds in volume and vulnerabilities as they relate to cyberattacks on the Internet, private enterprise and industrial control systems. As our usage of and dependency on these information systems have increased, so have the attacks on those systems. Panda Security’s anti-malware laboratory published its latest Quarterly Report, analyzing IT security events and incidents from January through March 2013. In the first quarter of 2013 alone, more than six and a half million new malware samples were created. Trojans set a new record, causing nearly 80 percent of all computer infections worldwide. Recently the largest denial of service attack ever to hit the Internet targeted the websites of major banks, slowing down and even stopping transactions. It is clear that the technologies we use to protect our information technology networks have reached scalability and capability limits.

Even private enterprise information systems are not safe from these security shortcomings. A recent Dell SonicWALL customer survey found that 68 percent of all corporate employees cannot identify fraudulent attacks on the corporate network. The CEB, a member-based advisory service formerly known as the Corporate Executive Board, compiled some practical concerns in cybersecurity over several years. A recent survey of 165,000 employees showed 93 percent of workers knowingly violate policies designed to prevent data breaches. These are staggering numbers underlining the potential vulnerability of corporate intellectual property or even a government’s state secrets.

Current Security Technologies Not Enough

Even if security precautions are taken, the billions of dollars that businesses are spending on security technologies have limited effect. A recent RSA conference expert security panel admitted that it's time to prepare for a post-crypto world. Recent breaches have validated these concerns. More than 50 million users of the daily deals site LivingSocial were asked to reset their passwords after hackers attacked the company's servers and potentially made off with personal data. The cyberattack resulted in unauthorized access to customer data on their servers, including names, email addresses, dates of birth and encrypted passwords. Combining these breaches of encrypted information with problems of key mismanagement, key theft and unencrypted chip sets, it is clear that current key encryption technologies, storage and transport methodologies must be changed.

Intrusion Detection System (IDS) security fares no better, with experts stating that it may be time to dump anti-virus as endpoint protection. One of the biggest problems we have in cybersecurity, as stated earlier, is our increasing inability to even see malicious file attacks. For example, when Google analyzed the performance of four anti-virus engines in a recent research paper on new reputation-based techniques to stop malicious downloads, the company found that the best scanner caught at most 25 percent of malicious files from the Internet. Combining all four engines only resulted in 40 percent of the malicious files being detected.

The AV-TEST Institute registers over 200,000 new malicious programs every day, with 1,000 new attacks directed towards Android smartphones daily. These attacks are not only increasing in volume, they are getting nastier -- some can morph, hide and activate at a later time upon request. With no end of malicious attacks in sight, it is clear current intrusion detection systems must also find new ways to detect and block malware.

Is the Perfect Crime Reaching a Trillion Dollars?

Without a shot fired or hostage taken, one of the largest global bank robberies took $45 million in cash from hundreds of ATM machines around the world. This is the new signature of cybercrime: fast, easy and no one gets hurt. Sadly, even these heists can be considered chump change when it comes to the most expensive robbery, intellectual property (IP) theft. Estimated at a trillion dollars by McAfee executives, it is clear that IP theft is where the most damage can be done. If the perfect crime is one that goes completely undetected, then corporate cybercrime is a prime example. Corporations and governments are being breached daily, and as seen by previous studies, the victims are often completely unaware that their corporate information assets are being stolen.

Cybercriminals anonymously target a corporation's confidential information then leave without a trace, using or selling the information for economic gain. A dollar in IP theft is not just a dollar, as it can be multiplied many times over when invested return generates recurring revenues and paychecks that in turn produce more money and jobs over decades. Sadly, these most valuable IP assets are the ones that are being targeted and successfully attacked with one disturbing difference. You can see and measure a bank robbery loss in dollars. IP is just duplicated, leaving little trace of the theft. These types of breaches are found years later in products produced in factories or the development of adversarial defense systems. For every dollar in IP theft, thousands of dollars can be lost.

Criminals don't even have to work very hard. Now these efforts are targeted toward browsers, operating systems and applications that are easily exploited via employee endpoints. This is a far simpler path into the corporate network than directly attacking networks. Unpatched "zero-day" vulnerabilities allow cybercriminals to secretly install malware on employee endpoint devices and essentially gain the same level of access to the corporate network, applications and data that employees have. And it doesn't cost much. The new endpoint BYOD smartphone and some readily available exploit software and hardware are the new hacking capability that could absolutely devastate a corporate, government or critical infrastructure control system.

Exploit Tools, Offense or Defense?

One of the most disturbing developments in cyberwar has been the development and use of exploit tools that effectively assist hackers. With little regulation and few if any laws on the books, these tools are being sold globally. They target vulnerabilities in software and network devices like smartphones or even complete control systems operating critical infrastructure applications like the power grid. These exploit programs can be built by anyone, and once demonstrated, can then be offered not only to the company whose product was compromised but also to the highest bidder desiring the exploit tool.

Whether black hat or white, there is no doubt that the cyberattack game is on and it needs to be taken seriously. If these attacks are not taken seriously, there will be a lot of money and property lost, and potentially loss of life. We need to divert money currently focused on offensive cyberexploits and start directing it towards defensive cyberprotection.


Column: Google Cybersecurity, Hack or Help?

April 22, 2013 By Larry Karisny
Google has a perfect opportunity to be a leader in cybersecurity.
From the company's Android OS, to the purchase of Motorola and the new gigabit fiber optic network to be built in Austin, Texas, to its recent hiring of Peiter "Mudge" Zatko from the Defense Advanced Research Projects Agency (DARPA), this combination of Google intellectual property -- with the Telecom intellectual property all over Austin, Texas -- could be a perfect meeting of money and minds in creating a secure smart city.

When it comes to intelligent traffic systems sending avoidance collision warnings and keeping the power grid operating -- and everything in between -- it’s time for corporate citizens to step up to the plate and responsibly address urban cyber security. If Google plans on being the financial beneficiary of billions of devices, running millions of apps on a new gigabit fiber optic network, then it also needs to take on the upfront responsibility and expense in securing these networks, devices and apps.
And right now, the Android OS and the many apps that run on it could not be further from secure.

The New Enterprise Security Threat

From hacking to hijacking enterprise networks to apps that steal apps, the Android has become a hackers' OS and device of choice. In fact, just to make it a little easier for everyone, even network exploit kits are now available, as is a top 10 list for hackers and penetration testers. This stuff isn't funny, though. Using tools like this to breach an enterprise network means a lot of different things to many people. It is not about the enterprise -- it is the intellectual property that is kept in an enterprise. My recent interview with professional cybersecurity investigator Tom Quilty made it clear that intellectual property, and even state secrets, may be vulnerable sitting in an enterprise network server.

Taking this one step further, if the enterprise is a control system on an aircraft, then could an Android device be used to, let's say remotely access the controls of an airplane?
Such a situation was actually demonstrated at a presentation given at the Hack in the Box security conference in Amsterdam by Hugo Teso, a security consultant at n.runs in Germany, and is still being debated. To put final emphasis on the seriousness of Android smartphones in the enterprise, the recent popularity of bring your own device (BYOD) is flooding these devices into every enterprise and control system, and already overburdened enterprise managers are sending out the security warnings. Even the Army wants to use smartphones, but has shown recent security concerns in using the devices. We need to understand the smartphone is not just a phone -- it is a PC or even a personal enterprise network device with a lot of power and capabilities.

Current Mobile Security Suites Not Enough

How is Google's Android addressing these security issues today? With another app, of course. So now we have bundled smartphone security solutions reused from old PC security solutions -- that really needed some significant improvement in the first place.
For instance, let’s look at the 2013 Best Mobile Security Software Comparisons and Review. The review refers to a list of security features with new smartphone security marketing features such as "real-time protection," "phone app scanners" and "locate and track" lost phones.

If you know how viruses and malware are detected, then you understand there are thousands of new ones found every day that are first stored and analyzed, then potentially blocked. This kind of security process defies the ability to call this feature "real time." And some also say it may be time to dump anti-virus as endpoint protection.
Scan-and-detect phone app features are no different from scanning a download on your PC. With 1 million available apps for Android, a security app that makes sure these apps are doing only what they are supposed to be doing is needed.
As for the locate & track lost phone feature, is it my phone being tracked or is it me? I don't even see the word firewall or encryption in the list of security protection and feature listings for any of the mobile security software companies. I also don't see any apps that secure other apps. There are a lot of concerns with these, the first of which starts in mobile smartphone security. Ultimately, however, at least there's a recognition that these devices will increasingly become our next cybersecurity problem.

Why Are We not Secure?

Cybersecurity problems are just becoming recognized and are getting worse for two reasons.
Neither the Internet nor software was built with security in mind, so we've been trying to put Band-Aids on it since its inception. The Internet was made for global collaboration, not user authentication. Software was designed to do something, not validate what it is doing.
In fact, a recent survey by Dell SonicWALL stated that 68 percent of all businesses reported that employees cannot identify fraudulent attacks on the corporate network. A recent survey of 165,000 employees showed 93 percent of workers knowingly violate policies designed to prevent data breaches. This is not a good start when we're attempting to interconnect our cities' critical infrastructure while adding intelligence and applications to our mobile networks at alarming rates.

We need new security architectures if we expect to effectively address these problems. These new local networks will need to support local Internet applications serving our smart communities for years to come. The applications they will run are projected to be larger in use than today's entire existing Internet -- and legacy security solutions will not be able to address the magnitude of these new security requirements.

Public-Private Secured Networks Are Needed

So how can we deploy new security architectures?
A good start would be to slice and dice our networks so we can offer priority, authenticated secure access to public safety, transportation and critical infrastructure. I work with companies that have the ability to cloak authenticated data using multiple encryption algorithms that can change in milliseconds. This would allow multi-agency, multi-network authentication that could securely share a single network infrastructure supporting both the public and private sector. This is a good start, but it needed to be done yesterday. Still, authentication and network security alone will not stop breaches carried out by authenticated humans, nor secure the billions of software and business process application events that increasingly run on the network.

Anomaly Detection Needed at the Data Input Level

To prepare and protect from the massive growth in social media, mobile applications, BYOD and multimedia files flowing through municipal control systems and enterprise networks, an entirely new technology is needed. Advanced technology such as secure anomaly event detection, audit and blocking at the data input level is required. This available technology has proven effective in not only securing at the application software level (where we increasingly find today’s breaches), but it also can audit and economically refine business process events offering tremendous efficiency savings.
In anomaly detection, security just becomes a byproduct of its capabilities. The key is we need to start understanding networks, devices, application software and business process event security in totality if we are to achieve maximum security. We are being attacked from all of these levels at staggering rates, and deploying these security technologies must be done now before we move on to building additional network and application intelligence in our critical city infrastructures.
Not addressing security was a major factor in slowing down the smart grid. We should not repeat the same mistake.

Perfect Place, Perfect Timing

Google's recent network -- and acquisitions and hires -- in Austin, Texas, is an opportunity to do security right the first time. The days of bolt-on security are gone. We need to deploy new cybersecurity architectures upfront. We have been trying to figure out how to properly design and secure municipal networks for the last decade. Our critical infrastructure, transportation and safety will depend on these networks and network applications for many years to come.

Just as Google boasts tech smarts, so too does Austin. And there are security experts waiting to help with solutions in hand. This new gigabit network could be more than just blazing fast -- it could be used as a learning tool to make our local networks rock solid secure.

So let me end with a call out to Mudge in his new job. I have the perfect project for your new position with Google/Motorola Mobility's Advanced Technology & Projects, whose mission is to "deliver breakthrough innovations to the company's product line on seemingly impossible short time frames." It is a security project with a company called Google.

Larry Karisny is the director of, a cyber security expert, advisor, consultant, writer and industry speaker focusing on security solutions for mobility, the smart grid and municipal critical infrastructure.


Common Sense Cybersecurity

January 9, 2013 By
I am now on my 27th article focusing on critical infrastructure security starting back in May of 2010, so I thought it time for a little New Year review.

I wrote and interviewed from the perspective of actually being in the business as a recognized cybersecurity expert, advisor and speaker. Digital Communities' publishing of my articles has allowed me to disclose the problems we face and work with the best in the business, which I want to share with you.
This cybersecurity summary contains comments and quotes from past articles, combining the real problems we face with expert opinions on how we are to rapidly obtain true cybersecurity for our critical infrastructure.


The Problem with Securing the Internet is the Internet

We start with one big problem. Internet architecture was never made for security. One of my earliest articles quoted the father of the Internet, Vint Cerf, as saying, "One of the things incumbent on all of us is to introduce strong authentication into the fabric of the smart grid. We did not do that with the Internet." The Internet was built as one big open collaboration messaging system using a series of numbers (IP addresses) as identifiers. Great for sharing information when there were a few hundred Internet users -- as in the early days -- but not the architecture you want to use with today's volume of Internet transactions. Even under this design, there were some admirable efforts toward security, but it has become kind of like putting a finger in the dam -- and the dam is ready to break. The biggest wake-up call hit us after 9/11 when we started to review the security of our critical infrastructure and took an in-depth look at upgrading our power grid to smart networked technologies. The security vulnerabilities were shocking, and connecting them to the open Internet using legacy security technologies is not an option. It is broken and we need to fix it.


Targeted Cyber Attacks are not Hype, They are Real


I have been accused in my past articles of hyping the problems of smart-grid security. As I have attended conferences and closed-door meetings, what I have found is just the opposite. Frankly, many cyber breaches have not been disclosed due to business reasons or national security concerns. This stuff happening now is not some cute virus that might take your family pictures. Speaking at a panel at the RSA Security Conference in San Francisco in 2010, I quoted Matthew Carpenter, senior security analyst of InGuardians, as saying, "The cost factor here is what's turned on its head. We lose control of our grid, that's far worse than a botnet taking over my home PC." Cybersecurity in critical infrastructure is a whole new ballgame with the potential of unimaginable devastation.

In a later article, Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, calculated the value of smart-grid security compared to the expense of a power-grid security breach. He compared it to plunging into the Dark Ages with the first few days being essentially inconsequential from an economic standpoint. "As you approach the fifth day, however, things change quickly. There is a precipitous drop in economic activity, and by the seventh day, the economy is at 30 percent capacity. This was quite startling… emphasizing the importance of not underestimating the consequences of a prolonged failure in the grid."


Cyber War has Started


Early on, I was reprimanded for calling this Cyber War because a real declaration of war needs to be approved by Congress. Call it what you want. It is real and occurring, and has the potential of stealing billions and killing millions. Leon Panetta earlier warned the Senate by stating, “The next Pearl Harbor we confront could very well be a cyber attack that cripples our grid, our security systems, our financial systems, our governmental systems. ... If you shut down our power grid.”
If targeted cybersecurity breaches are not war, then they certainly are the perfect weapons. Minimal collateral damage while being able to specifically target what you want to take down. You can't beat that as an offensive weapon or even as a retaliatory attack method. The super viruses Stuxnet and Flame proved this, although the capability of morphing them and throwing them back at an adversary is a bit concerning. The fact of the matter is that the first shot has been fired and retaliatory responses are occurring. Sounds a lot like war to me.


Stimulus Grants Vs Stimulus Smart Grid Grants


I followed both the broadband stimulus grants and the smart grid grants. The interesting byproduct of both grants was the realization of the terrible problem we have in securing the network systems and business processes that control our critical infrastructure. Viewing our power grid was like seeing a relative you haven't seen in 50 years, finding that they're exactly the same as they were 50 years ago, and then giving them an iPad as a gift. This is the same thing that happened when hundreds of companies started to deluge power companies with their high technology solutions that could be used to upgrade the power grid. Culture shock? They didn't even share the same industry acronyms.

So what did they do with all the smart grid money? They put an intelligent device (smart meter) in millions of homes with little or no concern for the security of the end user or of the grid network, which in most cases was non-existent. So have we gotten smart about security? In most cases no, and sadly, from smart grid suppliers to the power companies they serve, what I have witnessed is a lot of people either sticking their heads in the sand or passing the security hot potato from device to chip set to software company, with no one accepting responsibility for this serious security issue. So how did industry and government work on correcting this security nightmare? Compliance, standards, certifications and mandates.


Compliance, Standards, Certifications and Mandates will not Produce Cybersecurity


I have so many quotes on why compliance doesn't mean you are secure that I am not sure where to start. Bob Lockhart, Pike Research; Patrick C. Miller, president and CEO of EnergySec; and Eric Gunther, CTO and co-founder of EnerNex, have all clearly stated to me that compliance does not mean our systems are secure. At a recent ICS Cybersecurity conference, host Joe Weiss, CEO of Applied Control Solutions and the 12-year conference coordinator and expert in the cybersecurity of industrial control systems, discussed the pros and cons of these well-intended oversight organizations. In his conference discussions, he recognized the value of these organizations, but also referred to a government release document that specifically disclosed the most vulnerable areas in the power grid. This is what happens when you get 1,000 eyes on things and with hundreds of meetings often requiring public disclosure.

I attended the UTC Telecom 2012 cybersecurity conference, where keynote speaker Mark Weatherford, deputy undersecretary for cybersecurity for the National Protection and Programs Directorate (NPPD) at the Department of Homeland Security, asked who felt competent in their knowledge of cybersecurity. One or two hands went up out of the more than 500 in the audience. Weatherford responded by saying we need to prepare our work force and find talent "to prepare the next generation for cybersecurity. Gaps in talent mean gaps in security." The issues of cybersecurity are clearly a public/private issue requiring absolute cooperation from both sectors if we are to achieve national security.

We even run into the problem of how to secure the intellectual property of cybersecurity itself. In a recent interview, DC patent attorney Ted Wood, who leads the Parks IP Law Grid Industry Group, stated, "The tendency to rely only on trade secret protection for all cybersecurity and encryption innovations may be too risky. So wherever possible, companies should protect their key intellectual property by filing for patents early in the development process." He went on to say that Washington already recognizes the urgent need for effective cybersecurity. "But we must more efficiently harness American ingenuity to address the challenges we are facing in defending our critical infrastructure, especially the power grid, from cyber threats."


The Problems with Today's Security Solutions


To understand how cybersecurity works today, you need to know two security disciplines: Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS). One of the best definitions I found was IDS vs. IPS Explained. Both systems are plagued with problems that require new security architectures. No more Band-Aids. We need serious change in both architectures. First let's look at IPS.

The biggest problem with IPS is that they use encryption keys that are stored and managed. Remember what Vint Cerf said about authentication. The Internet was an open architecture never really designed for authentication. Secondly, stored keys have been mismanaged for a long time and can get lost -- even stolen, right out of RSA -- and can also be observed on networks. The recent theft of RSA keys even put Department of Defense contractors like Lockheed Martin in jeopardy from targeted nation-state attacks. The problem with current security architectures is that they are doomed to failure due to designs offering, at best, patches rather than real security.

Current IDS solutions watch data and then raise alerts about potential intrusions using historical database information. In the real-time world of data streaming, this historical approach is not adequate. Even worse is when an authorized individual takes an improper action in the business process. Current IDS solutions would in most cases consider this an acceptable data input. If intrusion detection is to be accurate, it must watch both data and human process actions. Current IDS solutions are adding limited coverage of these human actions in what they call white boarding, but even these approaches are limited, expensive and based on historical data, which may be too late.
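The two passages above (anomaly event detection at the business-process level, and an IDS that watches human process actions rather than only data) describe a detector that judges each action of an already-authenticated user as it happens. The following is an added example written for this column, not code from any product mentioned in it: a small streaming detector over constructed workflow events that flags a role violation, a separation-of-duties violation, an out-of-order or repeated step, and a burst of activity, the moment each event arrives. All workflow names, roles, users and log lines are constructed for illustration.

```python
"""Real-time anomaly detection over business-process events (added example).

Each event is an action taken by an authenticated user inside a workflow.
The detector does not ask "is this user allowed in?" (they already are); it
asks whether this action makes sense for this user, this transaction and this
moment, and raises an alert immediately when it does not.

All workflows, roles, users and log lines are constructed for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Hypothetical workflow: steps must occur in this order, once each, per txn.
WORKFLOW_STEPS = ["request", "approve", "release"]

# Hypothetical role model: which roles may perform which step.
ROLE_ALLOWS = {
    "clerk": {"request"},
    "manager": {"approve"},
    "treasury": {"release"},
}

# Step pairs that must be performed by different people (separation of duties).
SEPARATE_DUTIES = {("request", "approve"), ("approve", "release")}

# Rate baseline: more than this many actions per user in the window is odd.
RATE_LIMIT = 4
RATE_WINDOW_SECONDS = 60


@dataclass
class Detector:
    roles: dict                     # user -> role
    # txn_id -> list of (step, user) already seen for that transaction
    history: dict = field(default_factory=lambda: defaultdict(list))
    # user -> timestamps of recent actions (sliding window)
    recent: dict = field(default_factory=lambda: defaultdict(deque))

    def check(self, ts: int, user: str, txn: str, step: str) -> list:
        """Evaluate one event; return a list of alert strings (empty if normal)."""
        alerts = []
        role = self.roles.get(user)
        if role is None or step not in ROLE_ALLOWS.get(role, set()):
            alerts.append(f"{user} ({role}) not permitted to '{step}' on {txn}")

        seen = self.history[txn]
        done = [s for s, _ in seen]
        expected = next((s for s in WORKFLOW_STEPS if s not in done), None)
        if step in done:
            alerts.append(f"{txn}: '{step}' repeated")
        elif step != expected:
            alerts.append(f"{txn}: got '{step}', expected '{expected}'")

        for prev_step, prev_user in seen:
            if (prev_step, step) in SEPARATE_DUTIES and prev_user == user:
                alerts.append(f"{txn}: {user} did both '{prev_step}' and '{step}'")

        window = self.recent[user]
        window.append(ts)
        while window and ts - window[0] > RATE_WINDOW_SECONDS:
            window.popleft()
        if len(window) > RATE_LIMIT:
            alerts.append(f"{user}: {len(window)} actions in {RATE_WINDOW_SECONDS}s")

        # Record the event whether or not it alerted, so later checks see it.
        seen.append((step, user))
        return alerts


def parse_event(line: str):
    """Parse a constructed log line 'ts user txn step' into a tuple."""
    ts, user, txn, step = line.split()
    return int(ts), user, txn, step


def run(lines, roles):
    """Feed log lines through the detector in order; return (line, alerts) pairs."""
    det = Detector(roles=roles)
    findings = []
    for line in lines:
        alerts = det.check(*parse_event(line))
        if alerts:
            findings.append((line, alerts))
    return findings


# Constructed sample: every actor here is an authenticated, authorized user.
SAMPLE_ROLES = {"alice": "clerk", "bob": "manager", "carol": "treasury"}
SAMPLE_LOG = [
    "100 alice T1 request",   # normal
    "110 bob   T1 approve",   # normal
    "120 carol T1 release",   # normal: T1 completes cleanly
    "130 bob   T2 request",   # manager acting as clerk: role anomaly
    "131 bob   T2 approve",   # approves his own request: separation-of-duties anomaly
    "132 bob   T3 approve",   # approve with no request: out-of-order step
    "133 bob   T3 approve",   # repeated step, and 5th action within 60s: rate anomaly
]

if __name__ == "__main__":
    for line, alerts in run(SAMPLE_LOG, SAMPLE_ROLES):
        print(line)
        for alert in alerts:
            print("   ALERT:", alert)
```

Every event is evaluated against state built from the events before it, so the alert is raised on the offending action itself rather than found later in a historical database.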

In a recent Government Technology magazine year-end review, A Summary of The Top 2013 Cybersecurity Predictions, Michigan CSO Dan Lohrmann surfed the Net looking for the top blogs and articles that both recap online security trends from the past year, as well as offer new cybersecurity predictions for the coming year. The vendor responses seem to be a litany of expected breaches.
My concern is the lack of response as to solutions that will effectively deter these attacks. Actually, if these solutions were working properly, who would even care about these attacks? We need simple, impenetrable security that can, in real time, lock out and detect cyberattacks. We cannot effectively do it using current security architectures.


No more trick fixes


It is no secret that today's security technologies are made with back doors. This has been done intentionally for years in both the public and private sectors. There are practical reasons, like that time you forgot your password and had to tell which dog you liked best or try to remember the spelling of your mother's maiden name to gain access. Back doors are also sometimes inserted purposely by the developer for debugging reasons. There are national security mandates and industry requirements that are put in, all trying to find that perfect balance between security and getting in when they need to. It's a tough balance, but we need to start somewhere, and I think machine-to-machine (M2M) applications in critical infrastructure are a good start.

The problem with back doors in security is that today's software and even physical chip set acid baths can detect them. The magnitude and concern for these security back doors is so great that DARPA has designed software to find and fix these security hatches. The master of back doors in security -- the NSA -- is ready to release Perfect Citizen, which was designed to detect cyber assaults on things like power grids, nuclear plants and other critical infrastructure. With hundreds of smartphone apps and new Internet-of-Things devices creating new M2M applications every day, we can't start fast enough to at least target where impenetrable and complete security solutions must be deployed.


Real People, Real Cybersecurity Solutions


As a security consultant and advisor, I have been able to review lots of cybersecurity designs. When searching for the best solutions, I tried to keep my eyes open for new approaches rather than just putting patches on the same old stuff. The general criterion was to find an impenetrable prevention security solution that also offered real-time detection and prediction capabilities, and that would be inexpensive, easy to manage and easy to deploy. To avoid the faulty designs of the past, I found I needed some changes in the approach to cybersecurity. The result of my search was meeting some pretty smart people who used a combination of complexity and common sense in developing their new security architectures. Here are the pieces of the puzzle.

I earlier discussed the problems with encryption keys: their exposure on the network, theft and mismanagement. This is a big problem with current solutions, and one that is just waiting to cause more problems. A start to correcting these problems was discussed in my earlier interview, Cybersecurity and 'Smart Encryption', with Prem Sobel, who solved the encryption key problem by creating what he called "a random data generator that generates-destroys-recreates keys and passwords on demand." It's kind of like giving your keys to the whole neighborhood to use, then changing the locks in milliseconds while you are asking for the keys back so you can reuse them. Try opening that door. A little common sense with a lot of math, and Sobel's solution has stunned the world of cryptography. He continued by saying that his security solutions “were pen-tested by the best -- including some noted hackers in Ukraine and Russia.”
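To make the "generate, use, destroy" idea concrete, here is an added illustration written for this article; it is not Sobel's code and makes no claim about how his generator works. It assumes two parties already share a long-term root secret (constructed here as a byte string). Every message is authenticated with a key derived from that root plus a message counter, the derived key is dropped as soon as the message is tagged or checked, and the receiver refuses counters it has already seen. The point it demonstrates is the one the interview makes: a key observed on the network for one message is worthless for any other message.

```python
"""Added illustration of on-demand, single-use message keys (not Prem Sobel's code).

Assumption: sender and receiver share `root_secret` out of band. Each message gets
its own key derived from the root and the message counter; that key exists only
for the duration of one send() or verify() call and is then discarded.
"""
import hashlib
import hmac


def derive_message_key(root_secret: bytes, counter: int) -> bytes:
    """Derive the one-time key for message number `counter` (HMAC-SHA256 used as a KDF)."""
    info = b"per-message-key|" + counter.to_bytes(8, "big")
    return hmac.new(root_secret, info, hashlib.sha256).digest()


def _tag(key: bytes, counter: int, payload: bytes) -> bytes:
    """Authentication tag over (counter, payload) under a per-message key."""
    return hmac.new(key, counter.to_bytes(8, "big") + payload, hashlib.sha256).digest()


class Sender:
    def __init__(self, root_secret: bytes) -> None:
        self._root = root_secret
        self._counter = 0

    def send(self, payload: bytes) -> tuple[int, bytes, bytes]:
        """Return (counter, payload, tag). The per-message key dies when this call returns."""
        self._counter += 1
        key = derive_message_key(self._root, self._counter)
        return self._counter, payload, _tag(key, self._counter, payload)


class Receiver:
    def __init__(self, root_secret: bytes) -> None:
        self._root = root_secret
        self._last_seen = 0

    def verify(self, counter: int, payload: bytes, tag: bytes) -> bool:
        """Accept only a strictly newer counter (replay protection) carrying a valid tag."""
        if counter <= self._last_seen:
            return False
        key = derive_message_key(self._root, counter)   # recreated on demand ...
        ok = hmac.compare_digest(_tag(key, counter, payload), tag)
        del key                                          # ... and destroyed again
        if ok:
            self._last_seen = counter
        return ok


def tag_with_old_key(old_key: bytes, counter: int, payload: bytes) -> bytes:
    """Tag a later message with a key captured from an earlier one.

    Exists only to show, in the checks below, that such a tag is rejected: the
    captured key was valid for exactly one counter value.
    """
    return _tag(old_key, counter, payload)


if __name__ == "__main__":
    root = b"constructed-root-secret"          # constructed sample value
    sender, receiver = Sender(root), Receiver(root)
    c, p, t = sender.send(b"open valve 3")
    print("fresh message accepted:", receiver.verify(c, p, t))
    print("replay accepted:", receiver.verify(c, p, t))
    leaked = derive_message_key(root, c)
    print("old key accepted for message 3:",
          Receiver(root).verify(3, b"x", tag_with_old_key(leaked, 3, b"x")))
```

The counter doubles as the "ask for the keys back" step from the analogy: once the receiver has moved past a counter value, nothing authenticated under that value is accepted again, so a captured key has nothing left to open.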

In another recent interview article, Cybersecurity in Today's World, Curt Massey added another critical piece to security, offering the ultimate in common-sense security. His company’s premise: “You can’t attack what you can’t see … or touch.” So Massey's people made their security solution invisible to hackers, and invited an eclectic and diverse group of highly skilled pentesters and outright hackers to give it their best efforts to penetrate it. One shadowy hacker’s response was quite telling: “I don’t have time for fake targets, plug wire into Internet.” The "fake target" was a series of live servers sending a data-rich stream into the "wild" Internet and back; unauthorized hackers just can’t see or affect a network thus protected. Massey added that "most of humanity seems to believe that hacking will always be with us; popular culture, movies, books -- all just accept that we will forever be afflicted with it. We refused to accept that premise."

The final piece of the puzzle was to find a real-time IDS solution that detects both human and machine security breaches simultaneously and in real time. This tough but necessary requirement for achieving cybersecurity led me to Toronto, where I found inventor and security pioneer Rajeev Bhargava.

Bhargava took a completely different look at cyber-security. In my interview article with him, A New Way of Detecting Cybersecurity Attacks, he discussed his patented invention of using anomaly detection for real-time viewing and securing business process actions not just data. "We need to stop looking at zeros and ones and recognize that a digitally enhanced action is just an extension of a human action, and they must be viewed simultaneously if we are to achieve true security," he said. "With our solution, a single event (live data element) can be checked for anomaly instantly and acted upon.... with current IDS solutions, the context is not the business process but rather the IT analyst or mathematicians who generate the rules, patterns and algorithms."
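The distinction Bhargava draws is between rules written by an analyst about packets and checks derived from the business process itself. The following added example, written for this article and not Bhargava's patented system, shows what judging "a single event (live data element)" against process context looks like. It assumes a constructed purchase-order workflow (create, approve, pay) with a role for each step, and feeds it a constructed event stream in which a person's click and a machine-initiated job are scored the same way, at the moment each arrives.

```python
"""Added example (not Rajeev Bhargava's code): per-event anomaly checks against a
business process rather than against network-level signatures.

Assumed workflow (constructed): a purchase order goes new -> created -> approved
-> paid. Every event is judged instantly from process context only: the order's
current state, who performed earlier steps, the role allowed for this step, and
whether a human or a machine initiated the action.
"""
from dataclasses import dataclass, field

# (current state, action) -> (next state, role allowed to perform the action)
TRANSITIONS = {
    ("new", "create"): ("created", "requester"),
    ("created", "approve"): ("approved", "manager"),
    ("approved", "pay"): ("paid", "treasury"),
}


@dataclass
class Order:
    state: str = "new"
    actors: dict = field(default_factory=dict)   # step name -> user who performed it


@dataclass
class Event:
    order_id: str
    user: str
    role: str
    action: str
    source: str   # "ui" when a person acted, "batch-job" when a machine did


class ProcessMonitor:
    def __init__(self) -> None:
        self.orders: dict[str, Order] = {}

    def check(self, ev: Event) -> list[str]:
        """Return the anomaly reasons for this one event; an empty list means normal."""
        order = self.orders.setdefault(ev.order_id, Order())
        reasons: list[str] = []
        nxt = TRANSITIONS.get((order.state, ev.action))
        if nxt is None:
            reasons.append(f"{ev.action!r} not valid from state {order.state!r}")
            return reasons                      # an invalid step never advances the order
        new_state, needed_role = nxt
        if ev.role != needed_role:
            reasons.append(f"role {ev.role!r} may not {ev.action!r}")
        # separation of duties: the approver must not be the requester
        if ev.action == "approve" and order.actors.get("create") == ev.user:
            reasons.append("approver is also requester")
        # in this process a payment is released by a person, never by a batch job
        if ev.action == "pay" and ev.source != "ui":
            reasons.append(f"payment initiated by {ev.source!r}")
        if not reasons:                         # only a clean event moves the process on
            order.state = new_state
            order.actors[ev.action] = ev.user
        return reasons


def run(events: list[Event]) -> list[tuple[str, list[str]]]:
    """Score a stream of events one at a time, as they would arrive live."""
    monitor = ProcessMonitor()
    return [(ev.order_id, monitor.check(ev)) for ev in events]


# Constructed sample stream: one clean order, one self-approval, one machine payment.
SAMPLE_EVENTS = [
    Event("PO-1", "alice", "requester", "create", "ui"),
    Event("PO-1", "bob", "manager", "approve", "ui"),
    Event("PO-1", "carol", "treasury", "pay", "ui"),
    Event("PO-2", "alice", "requester", "create", "ui"),
    Event("PO-2", "alice", "manager", "approve", "ui"),      # same person, both steps
    Event("PO-3", "erin", "requester", "create", "ui"),
    Event("PO-3", "bob", "manager", "approve", "ui"),
    Event("PO-3", "svc-payments", "treasury", "pay", "batch-job"),
]

if __name__ == "__main__":
    for order_id, reasons in run(SAMPLE_EVENTS):
        print(order_id, "OK" if not reasons else "ANOMALY: " + "; ".join(reasons))
```

Nothing here inspects bytes on the wire; every check is a statement about the process ("who may do what, after what, and by what means"), which is why the same monitor flags the insider who approves their own order and the job that pays out without a human in the loop.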

There is not a security publication I have read that is not predicting an increase in cybersecurity attacks this year. Legacy security solutions are showing that they were never meant to scale to the volume of interactions occurring in today's information age. These older security solutions are becoming too complex and too expensive, can’t scale and are too difficult to manage. We must think in terms of new security architectures if we are to rapidly achieve the cybersecurity we need today, especially in the protection of our critical infrastructure. It may not be as hard as you think, and it is immediately available to people who are willing to listen to new approaches from very smart people who have just added a little common sense to security.

Larry Karisny is the director of Project, a smart-grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.