Monday, December 17, 2018

Week 4 - Cyber with Pentagon Celebrities

I had the opportunity to deliver a cyber intel brief to a senior SES last week who oversees a significant set of programs at the Pentagon.  He was flanked by two other SES (including the one I report to) as well as a room full of highly-qualified GS-15s.  The content was how to get key leaders to participate and understand our threat landscape and how to take action on it. 

I've briefed admirals, generals and SES before, but this one was different.  This individual KNEW the terms and technology I was talking about.  He had years in the field and in the industry and understood the terms, technologies, threats, vulnerabilities and concepts I presented.  A 30-minute presentation ended up being a 90-minute discussion.  And for those who know, getting 10 minutes of an SES's time is rare, but getting three SES for 90 minutes means the subject was significant.

Effective communication to leadership is usually cut and dried and to the point.

As I went through the threats that were identified to various platforms and systems, he asked very pointed and technical questions.  He was genuinely interested in the "how" and what we could do about it.  He engaged with me directly and looked to his peers for feedback.  It was a very different briefing than I'm used to.  I drove home key points about the real threats and vulnerabilities in the field, labs and operating environment and pointed out that our senior leaders were not attending these briefs, and thus were potentially making uninformed decisions for their acquisition and research & development platforms.

At the end he asked, "What can I do to help?"  Caught flat-footed, I said there are three things we need your help with:

1. Change intelligence acquisition from hunting to gathering.  Currently there are a handful of websites on high-side networks from which someone can obtain content.  These websites are all constructed differently and categorize their intel in different ways.  I visited our Intel officer last week to work this content and he had no fewer than 12 tabs open, all on different pages.  We need to go from hunting for intel to being able to gather it.  There should be a central repository to which all 17 IC agencies can submit intel, where it's sorted, sifted, redundancies reduced and presented in a customizable user experience.

2. I need senior leaders to attend these intel briefings.  If these leaders are making acquisition, engineering and architecture decisions for weapon systems, air platforms and various other secret programs and the only intel they're getting is from cable news and their Facebook feed, then what they're designing is not considering any of the intel that is being collected in the field.  To stay ahead of the enemy, we need them to attend and understand how this applies to their environment.  They need to see that no one is immune from the bad guys.

3. Finally, we need a better mechanism for turning Intel into Guidance.  Throwing raw intel at a senior leader won't do any good unless they know what to do with it.  That is where the cyber analyst, along with the engineers, can turn raw intelligence into actionable guidance to help make better decisions.  Intel offices don't understand how their audience operates, so there needs to be local interpretation by someone who understands how and why a hack happened and what their local organization can do to minimize the same risk.

We walked downstairs afterwards and all agreed to these courses of action.  Nothing was written down and I don't know if any of these actions will be followed up on, but I know the direction I need to steer the ship for our command, and hopefully to help continue to influence the DoD.

#2019Goals

Monday, December 10, 2018

Week 3 - Piggyback Ride!

Each one of us has been guilty of the most common security violation known to mankind - allowing someone to piggy-back behind us after we authenticate into a space with our credentials.  OR, we are the ones who piggy-back behind someone else, and in return we give them a wave, smile or nod.  Not only does this potentially harm our security posture, but it also affects accountability.

Previously, I worked at a large defense contractor for 11 years.  Everyone knew everyone, and there was very little new blood coming into the organization.  So after a while, everyone just held the door for each other.  We did have visitors (cleaners, vendors, inspectors, etc.), and those people were required to sign in and be escorted through.

Even the security lady allowed piggy-backing, because she could personally verify the clearance and need to know of each person who walked in.  So the question begs - does that make it right?  Well, in those 11 years of working there we never had someone without the proper clearance enter the facilities.  We never had any issue with someone without the need to know, or a disgruntled employee, entering and extracting data or harming people in the room.  Never.

So in a situation where the working population is small and everyone knows each other there is obviously less risk.  But there is always risk.  I now work at a military base where there are thousands of people that I don't know.  So around here it is something we pay attention to, but not always.  Yes, for those super secret areas it is very much enforced.  But for more common areas which are still restricted, as long as you look like an employee and flash a smile, you'll get right in.  BUT, this is also because you were able to get on base, which requires positive ID verification by the Military Police.

When I started this article I really thought I was going to come to a groundbreaking self-discovery of why we need to more strictly enforce the piggy-backing rule.  But it's one of those things where if you see it happen every day, and you never see a violation occur, why continue to enforce it?  I've worked in a top secret environment for 20 years and I've never had anyone piggy-back who ended up being a bad guy.  Or at least, not that I'm aware of.  And right there, that's the problem.

We don't know what we don't know.  So in this case, I hate to sound like an old fuddy-duddy, but perhaps... better safe than sorry.

Tuesday, December 4, 2018

Compliance Vs. Risk (Week 2)

Checklists are great for:

1. Shopping
2. Counting how many different birds you've seen in a year
3. Your favorite movies
4. Things your wife wants you to do around the house on the weekend (honey-do)
5. List of things you want to do before you die (bucket list)


Checklists are not particularly good for:

1. Evaluating cyber risk
2. Demonstrating your creativity


For any given set of security controls, there is a checklist to indicate compliance.  Get a perfect score and you're "compliant".  But that doesn't mean there is NO risk.  Years ago, the measure of success was compliance.  But all the checklists in the world won't stop:

1. a motivated hacker
2. an upset employee
3. someone circumventing security in the name of getting their job done
4. dumb

Yes, a list is easy to understand, simple and shows completion.  But a piece of paper has never stopped someone motivated to do something.  So what will help reduce cyber risk?

1. Proper inventory of IT assets, software/data on them, who has access, and where the data goes.
2. Cyber professionals with intimate understanding of how a lab or office operates
3. Leadership buy-in for supporting the cyber team.
4. Continuous training or awareness of the key items they need to be aware of
5. A third-party evaluation of critical security controls
6. An ongoing internal checklist of controls, maintained by the cyber personnel, that is continuously monitored
7. Evaluation of vulnerabilities and an understanding of the threat surface
8. Donuts


Being graded based on a checklist that doesn't take the local environment into consideration is like assuming everyone wears size 32 pants and size 9 1/2 shoes.  If the person signing off on the risk assessment of your facility/architecture is so far removed from what they're accepting risk for, then there needs to be additional care/feeding by the cyber professionals to ensure compliance is only the start of the overall cybersecurity program.

So if that means that creating system/lab-specific checklists helps safeguard the data, IT, people and facilities, so be it.   See, not all checklists are bad.

Oh, and I just found out another thing checklists are good for:

1. Blog entries

Monday, November 26, 2018

The New Insider Threat - "Git R Done!"

I've been investigating insider threat for years.  The focus has typically been on those double agents who are working for foreign governments trying to steal company proprietary information, or that upset worker who plans to corrupt the entire internal network and take down the enterprise out of spite for having their vacation hours taken away.  Truth be told, these people should not be the focus of the organization's insider threat program.  The probability of these situations is very, very low and realistically, if they wanted to steal information or bring down the network, they're probably going to get away with it.

The real threat is the everyday user or employee trying to get their job done.  Employees feel their ability to be productive has been affected by the numerous and excessive security controls put in place.

"Why can't I use HTML email???" 
"How come I can't use a thumb drive?!"
"I just need to transfer this file from this lab to that lab.  It's okay, I'm on the cyber team..."
"I can't even update my virus definitions because DVD burning on my corporate asset is disabled!!"

Then at the same time, you get management telling you,

"Take more risk"
"Move faster"
"Be proactive and make a decision"
"Think outside the box and make it happen!"

What isn't being said is,

"What is the probability that I'm transferring malware to disconnected development systems?"
"What if I forget that USB drive in my car and drop it in the parking lot of CVS?"
"Who will take the fall for this risk if something goes wrong?"

These are great examples of why throwing money at cybersecurity won't help make our systems more secure.  Make no mistake, those in the cybersecurity field are providing a service.  If they're in the offices and labs with clipboards writing cyber citations, their intimidation tactics will not be conducive to helping the people they're responsible for.  Instead, take the mindset of being there to help and to support, and find a way to say "yes" instead of "sorry, there's a policy against that".  Remember, mission first.  And the proper amount of security is... just enough.

Sunday, November 25, 2018

Welcome to the Mueller Cybersecurity Blog

Mission Statement
To provide a first-hand account of the cyber security of federal information systems.  This will remain unclassified and publicly releasable.  This blog will accompany my matriculation in the Bellevue University Cybersecurity Master's Program, starting November 2018.