Wednesday, August 5, 2015

Olds, AB - Fastest Home Internet in Canada!

According to this CBC story small towns are getting faster Internet service before the big cities. I'll leave you to read their reasoning. I want to pick up on the Olds story, because a project that I worked on helped make it possible.

The synopsis: Olds, AB chose to build fibre infrastructure within their town, enabling them to provide gigabit Internet service to end-users, including home users. A key driver for doing this was to keep businesses from leaving for better connected locations. You can read this story from 2013 for more info.

What I want to point out is that Olds would never have had the capacity to do this without the Alberta SuperNet. SuperNet is the broadband fibre network that brings Internet connectivity to Olds. No business would have built this link to the community, and without it the speed at which you can connect within Olds would be throttled at the pipe out to the world at large.

Regardless of your personal politics, the Alberta Government did a good thing with the SuperNet. And I am proud to have been a part of that project. My role was small (I helped the public libraries design and implement their connections to the SuperNet) but it takes a lot of people making small contributions to make something like this a reality.

Kudos to Olds. Kudos to the decision makers who had the foresight to make the Alberta SuperNet a reality. And kudos to everyone still working to make sure that the power of this new resource is available to everyone in Alberta.

Also, this shows that sometimes we need public bodies to create the infrastructure we need for the 21st Century. If we left this job to commercial enterprises, they would not build it. Why not? Because it's not cost-effective. That's why, even in large cities, we don't have better service. It's also why I'm pro-Net Neutrality. We don't see every electricity producer putting up power lines to carry their power to their customers - it's too expensive to build the infrastructure - yet as consumers we can choose who supplies the power. It is going to have to be the same for Internet. There are a few distributors who build the delivery infrastructure and we get to choose the provider of the actual service. The distributors should have no right to decide which traffic is delivered first, just as the power distributor has no right to decide that solar generated power gets delivered faster than wind generated power.

In summary: SuperNet - good. Net-Neutrality - I'm in favour.

Have a great Wednesday.

Wednesday, July 29, 2015

We're not prioritizing security activities properly...or are we?


Dark Reading and Black Hat conducted a survey of Black Hat 2015 attendees in June 2015. Their executive summary has some interesting findings. They report that there are significant discrepancies between the priorities of security professionals and the resource allocations. They also report that "Many security professionals feel that the perception of current threats - both in the media and among their managers and supervisors - is different from their own" (p. 5).  While you should take a look at the full report, here are the top 5 responses for the security pros' greatest concerns, time consuming incidents, and budget consuming incidents.


Greatest concerns:

  • sophisticated, targeted attacks
  • phishing, social network exploits, other social engineering
  • accidental data leaks by end users not following policy
  • polymorphic malware that evades signature-based defenses
  • espionage/surveillance by foreign governments or competitors

Consumes time:

  • vulnerabilities introduced by own app dev team
  • vulnerabilities introduced through purchased apps/systems
  • phishing, social network exploits, other social engineering
  • internal mistakes or external attacks affecting industry or regulatory compliance
  • accidental data leaks by end users not following policy

Consumes budget:

  • accidental data leaks by end users not following policy
  • sophisticated, targeted attacks
  • internal mistakes or external attacks affecting industry or regulatory compliance
  • vulnerabilities introduced through purchased apps/systems
  • phishing, social network exploits, other social engineering


Let's talk about one problem with this survey - the respondents are all 'security professionals' and they're all Black Hat attendees. This would suggest that they are, for the most part, more technical people. These are the people doing the job of computer security within organizations. That's great. They are needed. I used to be one of them. But they have a completely different view of the problem than a business manager would. So, I'm not surprised that they feel that management doesn't 'get it' - that their perceptions of the problem are wrong. However, these security pros' perceptions of the problem are also wrong.

Wait, no, that's not it. The professional in charge of maintaining secure and functioning information systems has a different problem to solve than the professional in charge of managing a company/business. So, since they have different problems to solve, their perceptions of how to solve them are going to be different. Management thinks in terms of risk management - what are the risks to the organization and what do we have to do to get those risks within acceptable parameters. Security folks think in terms of risk to their specific piece of the business and are trying to minimize it - no data lost, no hackers in our network, no (little) down-time, etc. They definitely understand the problem (threat to the systems) better at a technical level than anyone who gets their information from the popular media. But they don't necessarily understand the bigger bundle of concerns that management is dealing with.

So, what are Management's greatest concerns? This survey hasn't captured that. There are some built-in assumptions. If a concern is 'sophisticated, targeted attacks' I ask you why? What is it about that threat that makes it a big business concern? When you, as this security professional, can explain to the manager why she should care about this thing and what you can do about it, then you may get the resources you need to counter it. If you're spending all your time dealing with vulnerabilities introduced by your own app development, then quantify that so you can explain how much this particular problem costs the business. And align your concerns with the business concerns. In short, learn to speak in business language, and become part of the risk management team and process. And use that to get better alignment of priorities and resources.

Thoughts?

Monday, July 20, 2015

Employees as weak link

Yesterday, Krebs on Security posted this story about the Ashley Madison hack. OK, this is a problem for the company and comes with all the standard issues of data loss. But here's something else to think about.

Firstly, if you didn't know, Ashley Madison is an online cheating site. That means account holders at AM likely do not want it widely known that they use it. Unlike other data breaches where the fear is ID theft and financial fraud - activities for which AM could simply offer ID theft protection services like everyone else - this is a case where the compromised information could be used to blackmail individuals. Ask yourself:

  • Do you have privileged users who are AM account holders? Two-factor authentication isn't going to help you protect privileged accounts if the user herself is compromised.
  • Is your CEO an AM account holder? What would exposure of this fact do to your company? What would he do to keep the information quiet? Are there other high-profile employees that could be AM users?

Even if you perform security checks before you hire people, you need to remember to keep monitoring them. Circumstances change, and an employee who was fine last year may have run into financial difficulties or engaged in activities that have compromised her previously secure standing. These changes have an impact on your organization, regardless of how much security awareness training you provide.

The next questions - How will you know if one of your people has been compromised? What will you do if it turns out they have been? What HR policies are in place to support your choice of action?

Cybersecurity is not just an IT thing. It never really was, even though we shoved the responsibility into the IT department. Cybersecurity is a corporate risk management thing and it touches on every aspect of the business. HR and IT are just the first two that spring to my mind, but clearly finance, production, and operations may all be impacted by any information breach - even if it's not at your company.

Note: Edited to correct spelling mistakes on Aug. 5/15.

Monday, July 13, 2015

US Federal Cybersecurity Sprint: Maybe you should do one, too.

In early June, the US Federal Government announced they would be undertaking a 30-day Cybersecurity Sprint. The goals of the program included:

  • scanning systems for indications of malicious activity
  • patching critical vulnerabilities without delay
  • reviewing and improving policies regarding privileged users
  • accelerating multi-factor authentication implementation, especially for privileged users.

For anyone who's been working in cybersecurity for any length of time, these 4 items seem like baby steps. They are activities that a/ should have been implemented a long time ago and b/ take time, money and commitment to carry out. I suspect the problem in the past has been item b - there has been no commitment by top decision makers and, thus, there has been no money to make it happen. That is why this sprint has been such good news (once I ignore the fact that it's 2015 and it's only now happening...I started in this field in 1999 and had rather hoped we'd be in better shape by now). So yay, US Federal Government.


Preliminary results have been discussed stating that:

  • Federal civilian agencies have increased multi-factor authentication use for privileged users by 20 percent within the first 10 days of the Sprint. Several agencies have increased multi-factor authentication use for privileged users to 100 percent.
  • DHS has scanned over 40,000 systems for critical vulnerabilities and it is increasing those numbers every day. Federal agencies are patching vulnerabilities as they are identified.

The fact sheet also notes that there are several activities that remain ongoing, as we would expect. Cybersecurity is not an end-point, it is a process of continual improvement.

Now, here's the skeptic in me commenting.

  • "...increased multi-factor authentication...by 20 percent..." So, if 10 privileged users used to have multi-factor authentication, a 20% increase means that there are now 12 privileged users. If you want me to applaud you, you're going to have to tell me what that increase represents as a percentage of all the privileged users. And if some agencies have increased to 100%, great for them, but where did they start from? Did they just remove privileged users (which could be OK; maybe they had too many privileged accounts to begin with)?
  • "...scanned over 40,000 systems..." And that represents what percentage of systems? Are we talking end-nodes (user workstations and PCs) only? What about telecommunications equipment, servers, smartphones, etc.? I suspect they still have a *very* long way to go.

In short, provide real data. I know my statistics and I know how to make numbers look impressive when really they're just 'meh.'
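To make the point about "real data" concrete, here is an added example (my own illustration, not code from the original post or from the federal fact sheet) that reports the sprint metrics the way the skeptic asks for: multi-factor coverage as a fraction of all privileged accounts, side by side with the raw-count "percent increase", plus scan coverage broken out per system type. The account and system inventories are constructed sample data, and the field names (`privileged`, `mfa_enabled`, `kind`, `scanned`) are assumptions for this illustration, not a real directory or asset-management schema.

```python
"""Sprint metrics: coverage fractions instead of raw-count percent increases.

Added example; the inventory below is constructed sample data and the
field names are assumptions, not any real directory or asset schema.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool
    mfa_enabled: bool


@dataclass(frozen=True)
class System:
    hostname: str
    kind: str      # e.g. "workstation", "server", "network", "mobile"
    scanned: bool


def mfa_coverage(accounts):
    """Return (privileged_total, privileged_with_mfa, coverage_fraction).

    Coverage is measured against *all* privileged accounts, which is the
    denominator the post asks for. An empty privileged set counts as 1.0.
    """
    privileged = [a for a in accounts if a.privileged]
    protected = [a for a in privileged if a.mfa_enabled]
    fraction = len(protected) / len(privileged) if privileged else 1.0
    return len(privileged), len(protected), fraction


def relative_increase_pct(before, after):
    """Percent change in a raw count: the kind of figure a fact sheet quotes."""
    if before <= 0:
        raise ValueError("a relative increase needs a non-zero baseline")
    return (after - before) / before * 100.0


def scan_coverage(systems):
    """Return ({kind: fraction_scanned}, overall_fraction_scanned)."""
    total = Counter(s.kind for s in systems)
    scanned = Counter(s.kind for s in systems if s.scanned)
    per_kind = {kind: scanned[kind] / total[kind] for kind in total}
    overall = sum(scanned.values()) / len(systems) if systems else 1.0
    return per_kind, overall


def make_accounts(privileged_total, privileged_with_mfa, unprivileged=200):
    """Constructed inventory: the first N privileged accounts have MFA."""
    accounts = [Account(f"admin{i}", True, i < privileged_with_mfa)
                for i in range(privileged_total)]
    accounts += [Account(f"user{i}", False, False) for i in range(unprivileged)]
    return accounts


# Constructed scenarios mirroring the post: 10 -> 12 protected admins out of
# 50, and an agency that reaches "100%" by pruning its privileged accounts.
BEFORE = make_accounts(privileged_total=50, privileged_with_mfa=10)
AFTER = make_accounts(privileged_total=50, privileged_with_mfa=12)
PRUNED = make_accounts(privileged_total=12, privileged_with_mfa=12)

# Constructed asset list: every workstation scanned, almost nothing else.
SYSTEMS = (
    [System(f"ws{i}", "workstation", True) for i in range(40)]
    + [System(f"srv{i}", "server", i < 2) for i in range(10)]
    + [System(f"rtr{i}", "network", False) for i in range(5)]
    + [System(f"phone{i}", "mobile", False) for i in range(20)]
)


def sprint_report(before, after, systems):
    """Assemble both the headline number and the figures that qualify it."""
    _, protected_before, cov_before = mfa_coverage(before)
    total_after, protected_after, cov_after = mfa_coverage(after)
    per_kind, overall = scan_coverage(systems)
    return {
        "headline_mfa_increase_pct": relative_increase_pct(protected_before,
                                                          protected_after),
        "privileged_accounts": total_after,
        "mfa_coverage_before": cov_before,
        "mfa_coverage_after": cov_after,
        "systems_scanned": sum(1 for s in systems if s.scanned),
        "scan_coverage_overall": overall,
        "scan_coverage_by_kind": per_kind,
    }


if __name__ == "__main__":
    for key, value in sprint_report(BEFORE, AFTER, SYSTEMS).items():
        print(f"{key}: {value}")
```

Run as written, the headline figure is a 20% increase, but coverage only moves from 20% to 24% of privileged accounts, and 42 scanned systems is 56% of the inventory with servers, network gear and phones barely touched. The same function also shows how the `PRUNED` scenario reports 100% coverage: not because more accounts were protected, but because the denominator shrank.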

As government agencies continue to look closely at their systems, we can expect them to find evidence of additional leaks or breaches - that means we're going to hear more about lost data and it's going to make everyone angry, especially those who learn they had personally identifiable information exposed. I'm really sorry, but at the same time, I think it's a good thing. We need to be honest about the scope of the problem before we can start fixing things. And that means that those of you in industry need to be honest about the scope of the problem in your organization(s), too.

So, what is your organization doing to improve its cybersecurity processes? Did you take the opportunity to run your own Cybersecurity Sprint? I would suggest that the activity would be helpful in any organization, regardless of how well you believe you are managing this aspect of your business. For those with strong processes and procedures in place, it's a chance to measure their effectiveness. And for those with little cybersecurity infrastructure, it's a chance to learn from the federal initiative and get your house in order, hopefully before you have a significant breach.