Saturday, March 15, 2014

Red Sky Weekly: Rising from the ashes

I just read the Business Week piece on Target. The thing that strikes me is this... most companies still don't understand (information) security. I realize that's a pretty broad statement. Let me explain.

On the physical side of security, my bet is, Target has eyes on every customer that walks through the door. Even if not watching live, every customer and every action is probably recorded. There are probably algorithms that set off alarms when predetermined events take place. My bet is also, should one of those alarms go off, some discreet investigator would hit the floor, following the suspected thief, and probably stop them. If something more serious happened -- bombing, armed robbery, kidnapping -- the alarms go off and so do the gloves -- predetermined, preplanned, rehearsed escalations.

My point is this. Many, many companies have yet to realize that the risk models of physical security apply as well to information security. Target's organic physical security team is probably staffed on pre-determined models of various threats to big box retail. But the information security side apparently was not, even though the probability of being accessed, and successfully compromised, on any given day is nearing (if it has not already hit) 100%. The only question is, how bad is the breach? What were the attacker's motives? Was the hacker a kid stealing a pack of gum by the checkout counter? Or was the hacker set on stealing millions of credit card numbers, pulling off one of the largest heists in the news today on one of the most market-critical days of the year?

I haven't been to Target since before Black Friday. I buy my Fruit of the Looms elsewhere. I'm betting I'm not the only one. Why?

It's confidence.

When RSA was broken into, my (then) boss and I had many discussions on how it might play out. He thought customers would run screaming from RSA. My position was that RSA would probably have a temporary setback, but find a way to recover. Although I have no empirical evidence, my guess is, and seemingly others in my circles believe, RSA is probably more secure today than it was three years ago. And with all other factors being equal (price, competitors, market choices, substitutes for RSA tokens, etc.), the idea is that the business that is RSA is probably stronger today than others in its class because they've lived (and survived) their oh sh*t moment.

Survival becomes a real competitive differentiator, and Target today has exactly this same opportunity. 

BT BT

We're hosting our next threat day this week. There's a lot going on this week, so we're expecting a smaller crowd than usual, but that's fine. We're hosting the National Security Fellows from the Kennedy School on the 18th with our threat day on Wednesday. We will, as always, run a conference bridge and record the sessions. It's going to be small, but this should be a good one. 

In Red Sky Alliance this week we posted products on the Nuclear exploit kit, a new phishing campaign, and, at a member's request, one of our interns' first fusion report: First sighted in early June 2013, H-Worm is an obfuscated VBScript employed in both mass malware and targeted attacks on the energy, government, telecommunications, and manufacturing industries. The source code is widely available on Arabic hacking forums. The report describes the attack details and provides information on the H-Worm malware family.

In Wapack Labs, we've had some pretty amazing results with Allagash. Allagash gives us the ability to query via web interface, or to load samples taken from requester networks -- netflow data, various logs, registry key exports, system inventories, etc. -- and diagnose happenings in a network very quickly. Our largest sample to date was nearly 4Tb and took us a little longer, but we're beefing up hardware as we speak, to be able to handle these larger diagnostic requests. Interested in Allagash? Sign on to our Constant Contact list. We'll keep you informed. Interested in a diagnostic run? Drop us a note.

It's been a long two weeks on the road, so I'm going to keep this short. 

For those of you traveling to Boston this week, we look forward to seeing you!

Until next week,
Have a great weekend!
Jeff