Category Archives: Security

Attorneys and Law Firms Beware and Implement Good Cyber Security Practices

If you are an attorney you need to heed the warnings: lock down and protect client data. This is not a scare tactic, but good advice in light of recent events. In 2010 at least seven law firms in Canada were hacked, allegedly by Chinese hackers seeking to derail a $40 billion deal with an Australian mining company and to steal valuable client data resident at the law firms; and just this year the Puckett law firm was hacked by the Anonymous hacker group because the firm represents one of the Marine sergeants accused in the Haditha, Iraq killings. Some members of Anonymous were upset that the sergeant was getting a pretty good deal while Bradley Manning, the private who leaked secrets to WikiLeaks, was facing life in prison. Imagine realizing that your law firm has been hacked and wondering what this is going to do to your reputation, and what, if any, ethics or disciplinary action may result. These are the types of stories that make the headlines.

Let’s face it, if your client’s network and/or data is secure, smart hackers will look for the soft target and see if they can get what they are looking for by going through you.  “As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it’s a much, much easier quarry.” (Mary Galligan, head of cyber in the New York City office of the FBI).  As a profession, we have moved far beyond being able to claim ignorance when it comes to cyber security.

An Aug. 2011 ABA formal opinion suggested that attorneys discuss with clients the fact that email may not be very secure.  Ensure clients are comfortable sending sensitive client info via email.  Some local bar associations have taken it a step further and stated that ethics require attorneys to use a secure email service.  I agree.  In fact, I would do two things:

1) Include in your engagement letter a statement that email is not secure and that clients should either agree to use a secure service or sign a statement indicating their desire to continue to use email despite the security concerns; and

2) Incorporate into the firm's security policy a plan that outlines how client data will be protected, and ensure everyone in the firm has read and is following it.

Cyber security does not need to be a mystery. Many free and easy-to-use tools exist that will help you keep your practice more secure. For instance, your email service may support secure or encrypted email. If it doesn't, there are many good options, such as Hushmail. It is free, like Hotmail, and allows you to password protect emails using a question and answer format. Just send your client a text or call them on the phone and tell them the password/answer. This will significantly lower the risk of loss or theft of data and potentially reduce or eliminate your liability if an incident does occur. It will also be a deterrent to your client if he/she decides to share your confidential communications with a third party, thus destroying attorney-client confidentiality: he/she will have to provide the password to that person or at least take extra steps to forward the message. This is just one of many free tools that you can use to significantly lower the risk of a cyber-incident and reduce your liability if data is lost or stolen. Will these tools make you 100% secure? Not even close, but if the big guys like Citibank, JP Morgan, Google, the Pentagon, RSA, Visa, and a slew of others cannot prevent getting hacked, neither can you. What you can do is pull yourself out of the low-hanging fruit category and minimize the risk of an incident. It's time to do some research into this topic or hire someone you can trust. Do not trust the firm that tells you they have made your network secure; it's not going to happen, and if you believe it there is a little bridge I would love to sell you ;-). Feel free to contact me with questions or leave a comment.

Multiple Syslog Configuration on ESXi 5

William Lam has posted a detailed explanation of how to quickly and easily configure multiple ESXi hosts to forward logs to multiple syslog servers:

…with ESXi 5.0 you can now forward to multiple syslog servers which is great for providing redundancy when shipping your logs. In addition to supporting multiple syslog servers, with the release of ESXi 5.0, you can specify different transport protocols: UDP (default), TCP and SSL.
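As an added example (not from William Lam's post or from VMware), the POSIX shell script below composes the comma-separated value that `esxcli system syslog config set --loghost` accepts on ESXi 5, one `udp://`, `tcp://` or `ssl://` entry per server, rejecting any other scheme before it reaches the host. The host names and ports are constructed; the `syslog` firewall ruleset and the `esxcli system syslog reload` step are ESXi 5 commands I assume are available on the host where this is run.

```shell
#!/bin/sh
# Added example: build and apply a redundant ESXi 5 syslog target list.
# Sample targets (constructed): udp://logA.example:514 ssl://logB.example:1514

# Validate each target as proto://host[:port] with proto in udp|tcp|ssl and
# print the comma-separated string that --loghost expects.  An unsupported
# scheme fails loudly rather than being silently dropped on the host.
build_loghost() {
    out=""
    for t in "$@"; do
        case "$t" in
            udp://?*|tcp://?*|ssl://?*) ;;
            *) echo "invalid syslog target (want udp/tcp/ssl://host[:port]): $t" >&2
               return 1 ;;
        esac
        out="${out:+$out,}$t"
    done
    printf '%s\n' "$out"
}

# Apply on an ESXi 5 host: set the targets, open the outbound syslog
# firewall ruleset, then reload the syslog daemon so the change takes effect.
# When esxcli is absent (e.g. run off-host) it only reports what it would set.
apply_syslog_config() {
    loghost=$(build_loghost "$@") || return 1
    if ! command -v esxcli >/dev/null 2>&1; then
        echo "esxcli not found; would set --loghost=$loghost"
        return 2
    fi
    esxcli system syslog config set --loghost="$loghost" &&
    esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true &&
    esxcli system syslog reload
}
```

Using an `ssl://` entry for at least one target keeps a copy of the logs that cannot be read or altered in transit, which matters when the logs are the evidence you will later rely on.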

Why are you driving a car?

From Copenhagen comes a video emphasising the ubiquity and ease of cycling. It makes bicycling look so common, convenient and safe you might ask yourself why drive a car if you are in the city. Many security features stand out such as a dedicated bike lane with special colouring, bright lights, fenders…

…all that being said you might also notice that the bikes in the video lack the latest/greatest brake and suspension improvements or that no one is wearing helmets or gloves. This says to me that bicycle safety advocacy is focused on making a safe environment for people to cycle in but it leaves personal risk decisions within that environment up to them.

Chinese Crackdown, U.S. Outgunned

The Wall Street Journal just ran a cover story titled "U.S. Outgunned in Hacker War".

Run for the hills!

No, wait, let's take a closer look. My first reaction was to look for details on who is outgunning the U.S. My second reaction was to look for a definition of "Hacker War." Unfortunately, the story comes up short on both counts.

The reader is left without clarity on who is shooting or what is meant by the term war. That is unfortunate, because it would not be hard for them to write a more balanced (e.g. include a counter-point) and substantive (e.g. include some data) story. Here is how I tried to make some sense of this story using a few simple steps.

The WSJ uses a quote from the FBI to start their story.

The Federal Bureau of Investigation’s top cyber cop offered a grim appraisal of the nation’s efforts to keep computer hackers from plundering corporate data networks: “We’re not winning,” he said.

Could this be in terms of U.S. criminals who are plundering U.S. assets? Why would I ask that? Let’s jump right past all the glaringly obvious examples of Bernard Madoff, Kenneth Lay, Jeffrey Skilling, Andrew Fastow, Bernard Ebbers, Scott Sullivan…and look at some of the latest data on IT threats from a security solution vendor.

  • More than 75 percent of the respondents indicated that privileged users within their own institutions had or were likely to turn off or alter application controls to change sensitive information – and then reset the controls to cover their tracks.
  • Eighty-one percent replied that individuals at their institutions either had used or were likely to use someone else’s credentials to gain elevated rights or bypass separation of duty controls.
  • On average, respondents noted that their organizations experienced more than one incident of employee-related fraud per week…

Also, as I explained in my presentation on breach data at the RSA SF 2012 conference, the U.S. shows up in many reports as the #1 source of threats. Sophos lists America as the top spam-producing country (China is the most attacked, according to them), while McAfee says 73% of malicious online content is hosted in the U.S. In other words, the U.S. currently is allowing attackers to attack the U.S. So, if we add this detail to the story, can we conclude the U.S. is outgunned by the U.S.?

Before I answer that, you may say this data is from vendors and of course they are stoking fear. That is true but it at least gives us some quantitative detail to assess on our own and verify. The Wall Street Journal mentions no data at all.

More to the point, we could make a similar argument about the Wall Street Journal source that starts their story. The perspective they cite is actually from a person leaving for a private-sector consulting practice. Clearly Henry stands to profit more, and to help his consulting firm win clients, when he stokes generic security fear.

Mr. Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy.

…operators at Mr. Henry’s firm are standing by to sign you up for a new service. You can have all the major change he says you need for the low, low price of just $$$K/month.

So the first technique I recommend when reading these scare stories is to seek transparency; get to the data and verify the analysis. Always factor and account for bias. We should not be satisfied with stories of a threat mired in sophisticated or advanced details, especially from those who stand to profit with obfuscated services. As Einstein once said “if you can’t explain it simply, you don’t understand it well enough.”

Now back to the question of the U.S. outgunning the U.S. The Wall Street Journal suddenly and without explanation brings up China.

Testimony Monday before a government commission assessing Chinese computer capabilities underscored the dangers. Richard Bejtlich, chief security officer at Mandiant, a computer-security company, said that in cases handled by his firm where intrusions were traced back to Chinese hackers, 94% of the targeted companies didn’t realize they had been breached until someone else told them.

As Richard Bejtlich must know, the vast majority of companies don't realize they are breached until someone else tells them, full stop. The new Verizon DBIR says 92% of incidents were discovered by a third party. That data point has nothing to do with China or the Chinese.

I have commented before on errors from those with an anti-Sino fixation. It is not clear to me why the Wall Street Journal is so eager to follow their fixation without question.

Breach data, referenced above, shows that the Chinese are not the most likely source of attack. That is not to mention that when I read Bejtlich's latest opinions I ponder how the person who names his book The Tao of Network Security Monitoring, his company Tao Security, and his Twitter handle @taosecurity (using the yin-yang symbol as his company logo) has become the person trying to convince us that the Chinese are stealing ideas from America.

I’m not saying the U.S. should not accuse the Chinese of copying ideas, since obviously attacks can come from anywhere and a Bernie Madoff could be born in any country; but those in the U.S. who worry about transfer of knowledge should be careful to put their accusations in perspective. Noodles, gunpowder…so many things popularised as American are obviously not from America. The issue of “who” is complicated but focusing on outsiders may be a distraction from more likely threats. We should be careful before we de-emphasise or fail to account for the risk from insiders.

The answer to my first question about the WSJ title, I would argue, is that the U.S. is actually outgunned by the U.S. This includes outsiders granted insider access. It also includes threats from trusted insiders — those supposed to be protecting other insiders.

The second technique I recommend when reading these scare stories is to seek details on the vulnerabilities. Once we identify who is involved we also need some idea of their capability to cause actual damage. Ironically, I can’t think of a better example than China to illustrate this point.

News has been flaring up that there has been a crackdown in China on expression. The Chinese are upset about the Chinese and restricting speech they consider harmful.

Authorities also closed 16 websites and detained six people, Xinhua reported, for allegedly spreading rumors of “military vehicles entering Beijing and something wrong going on in Beijing,” a spokesperson for the State Internet Information Office told Xinhua.

This is a case where an authority sees a threat so great that they take action to reduce risk. As Americans we most likely disagree with the Chinese government’s assessment of vulnerability. We live in a country where freedom of speech is said to make us stronger (still with some exceptions).

However, if you look past the question of who is the threat and on to the question of capability then the Wall Street Journal story really comes down to the FBI calling for more “guns” to fight a “Hacker War” so they can increase their capabilities, perhaps to the level that the Chinese are demonstrating with their latest crackdown.

Americans reading the Wall Street Journal story might be distracted by the Chinese tangent and think this is an us versus them war. But the reader is wise to think much more carefully about whether and when they trust an increase of power in authority to crack down on threats that may actually be on the inside.

Alas, we’re now back to the question of what they mean by “Hacker War”. If we try to define war without any notion of internal threats then it becomes more of a discussion of whether and where the U.S. is working on ways to undermine or bypass sovereignty again. But it should hopefully be clear now that the threat is not just external.

Perhaps the best way to look at this is with regard to healthcare risk news. If the Wall Street Journal ran a story on the latest data on eating well they probably would have titled it “U.S. Outgunned in Sugar War.” So the question becomes why are we allowing ourselves to do so much damage to ourselves? Or maybe the question, in terms of Bruce Schneier’s new book, is how much damage is acceptable before we are willing to give more fire power to authorities if we know how much it can reduce our freedom.