Saturday, August 24, 2013

Are We Ready for Systemic Infections?

I'm NSA'd out. My daily morning reads includes RSS feeds from TechDirt, Foreign Policy, SlashDot, ARS Technica, and a couple of others, who have all been covering NSA all day every day. Bottom line is this.. right or wrong, whatever your opinion, cyber infections are systemic --at every level of computing. I've been asked a few times what I think about the NSA issues, but I have only two thoughts.. first, I worked for this smart guy that used to say "assume noble intent"... and I do. Noble intent.. good idea, bad execution? Perhaps. That's yet to be sorted out by others. The second thing I'll say is that cyber exploitation is completely and totally systemic... we've lost our lost privacy in cyberspace... the bell's been run and can't be un-rung. We live now in an untrusted environment that includes cyberspace. Better get used to it. It isn't going to get any better...  


When I go through TSA, I almost always ask them (as they are returning my ID and boarding pass) "What's my name? Where do I live" (it's WAY fun to see the expressions of pure horror on their faces when they have no idea who's ID they just checked!)... I was reminded of this when one of our guys posted a blog on our Wapack Labs site that he authored while sitting in Logan waiting for his flight to some remote location where he'll be spending the weekend shooting a LOT of guns. Matt is a personal safety guy and a gun enthusiast; a far cry from when I met him years ago when we worked together at Cisco. Matt talks a lot about personal safety, giving out information, and the idea that we are giving our personal information to perfect strangers in an airport, losing your identity online, and simply doing business on wireless networks that nobody knows are safe to actually do business on. He also talks about the fact that TSA doesn't bat an eye when you carry two Level III+ body armor plates through the checkpoint. In reading his blog, of course my mind was racing.. it always does, but think about this…

We spend a TON of money on physical security at the airport to protect from physical threats to airplanes resulting from humans carrying nail clippers onboard. We're forced to give our personal information to perfect strangers. Our bags get inspected and x-rayed, we walk through metal detectors (and worse) to ensure we have no metal objects or bombs in or on our body. When we get through security, guys with dogs are often times walking around... plenty of guns (except mine!) are holstered hot, and once we do get on the airplane, there's probably an air marshall onboard.

But with all of this physical security in place, are we really more protected?

We spend a ton of money on physical threats that might occur that day, but only a fraction of that money on cyber events that will occur that day.

With all the money spent on physical security, how well do we protect those very same planes from attacks --from inception of the idea through final delivery and flight?

Are we thinking about the systemic risk thats we face as security professionals? Are we ready if (when) it happens?

So I wanted to run a test. I ran a simple Google query for "Aviation Supply Chain". Google yields (as you might expect) quite the haul, but one company in particular stood out... a supply chain company who (according to their website) was founded in 2000, is owned by a consortium of the large airlines in the world, and sells through EDI and online. The site talks about its ability to do EDI with the companies, and apparently is an exchange of parts, services, and supplies for an enormous number of suppliers and most of the OEMs.

Here's what surprises me (it probably shouldn't come as a surprise), but the CEO is an MIT grad, the CIO is a PhD, and the VP for product management is a software guy. Something's missing. Where’s the CISO?

This is a company who built a supply chain business helping airplanes get off the ground and fly to maximum profit. They offer brokered repair services, parts, even some manufacturing, yet there's no CISO to be seen, nor anyone with security experience. As surprising to me is knowing that the supply chain industry is probably the weak link in the development of any major product --including airplanes, and looking at their conference agenda for 2012, and their upcoming 2014 (2013 isn't posted for some reason), there's a ton of information about production, supply chain management, efficiency, etc., but not even one mention of protecting data in this critical infrastructure supply chain to the aviation industry.

So here I sit, preparing my slides for the upcoming Nordic Security Conference in Iceland next week. My topic? "Seven Common Processes that companies use to protect themselves from advanced threats - How great companies survive (thrive) in today’s threat landscape” and then I shift gears back over to do some cursory research for my blog I find this supply chain exchange company (did I mention they were built and owned by the major carriers) doesn't have a CISO mentioned in their leadership page, doesn't mention security at all in their web page, and their annual conference includes a volleyball tournament, but no mention of how companies will keep components and airborne networks safe from hackers onboard with pineapples, or protect the internet-attached CVS repositories where the chips are built before they're loaded into cockpit gear, mess with schematics for the autopilot, or even more simply, protect from reroute and confusion in the ordering process by gaining EDI access at an unsuspecting mom and pop shop who happens to manufacture critical components (yes, small companies make important stuff for big companies all the time!).

This aviation question is a great example, but one of many; it seems to be a question asked in other industries as well. It seems there are others...

  • There was a great talk given at DEFCON about hacking the CAN in cars.. the CAN is the local controller area network that networks all of the sensors and computers in your car.
  • We spoke with a security intelligence organization last week who told me see beaconing from smart devices in operating rooms --coincidently, I had the same conversation with a tech-savvy cardiologist just a few weeks earlier!
  • Dozens of companies are in the news weekly --many manufacturing high end technologies. Can we assume that the machines that hold the code that's getting burned into chips destined for printers, copiers, medical devices, heck our refrigerators, won't phone home when turned on?
  • CBS News reported on an overseas networking company building espionage capabilities into our networking gear.. the same gear our infrastructure is built on.

Supply chain and interconnectedness is important... REALLY important. In fact, it's critical. So how do we get the word out to all of these companies? Many of them small (like to our aviation supply chain company) must focus on sales and productivity. Security? It costs money. But these guys are the backbone of our economy!!  I'll ask the question again...


With so much riding on data availability, integrity and confidentiality; with the government writing DFARs mods on nearly a daily basis requiring companies to prove information security (and report cyber events to them when they occur); when a guy stands in front of a crowd and talks about hacking cars through their onboard networks, and you can’t swing a dead cat without hitting someone who’s threatening our privacy, the CISO becomes a major competitive differentiator.  

The CISO should be out front. "We have one, and he's (she's) brilliant!" "Yes, we care about our customers, and we've hired the very best."


I know this is a long blog. I'll keep this short. We had great week.

  • Our first Federal Agency joined Beadwindow (our private | public portal) this week. I’ve known these guys for a while. In fact, I used to use them to fact-check my DC3 team when we were just starting out! Welcome!
  • We had two meetings with prospective members and brought one more private company (the CISO of a security company) into Beadwindow.
  • Even with the team working nights supporting TIAD (our Threat Intelligence and Analysis Database) training overseas, we managed to continue developing cool tech, the portal is busier than ever, and now, heading into post-summer, the phones are starting to ring again! I was starting to feel a bit like Rip Van Winkle.. time to wake up, old man!
  • Fusion Report this week but we're building out our linguist team --we got our first Romanian speaker onboard, a new Russian linguist and just posted three new priority intelligence reports (PIRs). PIRs are short pieces that we find interesting, and that offer fast turnaround analysis for instant situational awareness when something looks important.

    • Defcon Talk on Car Hjacking - I LOVED this talk btw!
    • Androit Malware
    • Ministry of State Security's new Lhasa office

Our members will be reading these as we speak. You could be too. Call us.
Have a great week!