Monday, July 22, 2024

#CrowdStrike Causes a Global Tech Outage - what happened, why, and (how) can it be prevented?

While the memes are amazingly good, and there's a lot of jest being spewed across the interwebs, this is a serious event with massive implications. So, in all seriousness, let's review the facts of the #CrowdStrike situation from 19-Jul-2024: 

As reported across global news outlets and the internets, a security company called CrowdStrike caused some chaos. There are cascading impacts across many industries. 

We are already seeing impacts: 
://courier service delays (UPS, FedEx, DHL, etc.) 
://flight delays/cancellations at the airport 
://small business closing for the day 
://websites being inaccessible 
://hospitals cancelling surgeries/treatments 
://municipalities being closed 
://government services being delayed 
among many other cascading effects that could last days, or weeks. 

While a major inconvenience, the faulty content update was quickly reverted on CrowdStrike's side, so (as of publish date) what is being pushed out now is stable. Recovery will be slow and tedious, especially for larger networks, but the world will recover from this. 

What happened? As is being reported, a bug introduced during a routine update of their Falcon EDR software (endpoint security software run by millions and millions of customers) caused a crash inside the Windows kernel, the Windows equivalent of a kernel panic. Because the Falcon sensor runs as a kernel driver, a fault in it takes the whole operating system down with it, and we are seeing this manifest as a "bugcheck error" (aka the Blue Screen Of Death, or #BSOD) on Windows machines, frequently in a reboot loop. It does not affect #Apple or #Linux devices. Note: It is NOT a #Microsoft problem. 

How can we prevent this? Short answer, WE as users can't. However, this isn't the first time a large global tech vendor has caused major outages across the globe, and it won't be the last. 

How can CrowdStrike, or any other company, prevent this? Simply: adhere to SDLC practices, do adequate QA testing, and never do a full production rollout without testing in the field first. A common practice is to deploy to 10% of the network and watch how systems and users respond (yes sysadmins, you can do targeted deployments even if you don't have network segmentation in place). If all goes well, push to 25% and test again, then 50% and test again, then the full push. That way when a problem does occur, it doesn't take out everything and can be fixed before the full production push. Two things make this work: each ring needs a real health signal (did the hosts come back up and check in?), and the pipeline has to stop on its own when that signal fails rather than wait for a human to notice. It's really IT Ops 101 - not that difficult. 

This is also a good example of why you should back up your critical data frequently: whether to an external device, or a cloud storage facility (Google Drive, Dropbox, OneDrive, etc.). You should do this personally as often as you feel is necessary. Most companies have policies governing backup types, schedules, and testing methodologies. 
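Here is the ring rollout described above, written out as an added example (this is not CrowdStrike's code or any vendor's deployment tooling), including the health check and the automatic halt that make it worth doing. The fleet, the ring sizes and the three update behaviours are constructed for the demonstration; in a real pipeline `apply_update` would be replaced by post-install check-in telemetry.

```python
"""Staged (ring) rollout with a health signal and an automatic halt.

Added example, not CrowdStrike's or any vendor's deployment tooling. The
fleet, the ring sizes and the update behaviours are all constructed here.
"""
from dataclasses import dataclass, field
from typing import Callable, List

RING_PERCENTAGES = (10, 25, 50, 100)   # cumulative share of the fleet per ring


@dataclass
class Host:
    name: str
    version: str = "v1"
    healthy: bool = True


@dataclass
class RolloutResult:
    completed_rings: List[int] = field(default_factory=list)
    deployed: int = 0           # hosts that received the new version
    halted: bool = False
    failure_rate: float = 0.0   # failure rate of the last ring attempted


def make_fleet(size: int = 100) -> List[Host]:
    """Constructed fleet: host-000 .. host-099."""
    return [Host(f"host-{i:03d}") for i in range(size)]


def plan_rings(hosts: List[Host], percentages=RING_PERCENTAGES) -> List[List[Host]]:
    """Split the fleet into rings; each ring holds only the hosts not already
    covered by earlier rings (first 10%, next 15%, next 25%, the rest)."""
    ordered = sorted(hosts, key=lambda h: h.name)   # deterministic membership
    rings, done = [], 0
    for pct in percentages:
        cutoff = -(-len(ordered) * pct // 100)       # ceiling division
        rings.append(ordered[done:cutoff])
        done = cutoff
    return rings


def rollout(hosts: List[Host], new_version: str,
            apply_update: Callable[[Host], bool],
            max_failure_rate: float = 0.01,
            percentages=RING_PERCENTAGES) -> RolloutResult:
    """Push new_version ring by ring. apply_update returns the health signal
    (did the host come back up and check in?). If a ring's failure rate
    exceeds the budget, stop: later rings keep the old version."""
    result = RolloutResult()
    for ring_no, ring in enumerate(plan_rings(hosts, percentages), start=1):
        failures = 0
        for host in ring:
            host.version = new_version
            host.healthy = apply_update(host)
            result.deployed += 1
            if not host.healthy:
                failures += 1
        result.failure_rate = failures / len(ring) if ring else 0.0
        if result.failure_rate > max_failure_rate:
            result.halted = True          # nothing beyond this ring is touched
            return result
        result.completed_rings.append(ring_no)
    return result


# Constructed update behaviours standing in for real post-install telemetry.
def good_update(host: Host) -> bool:
    return True                            # every host reboots cleanly


def bad_update(host: Host) -> bool:
    return False                           # every host that takes it crashes


def flaky_update(host: Host) -> bool:
    return not host.name.endswith("7")     # 10% of the fleet crashes


if __name__ == "__main__":
    for label, update in (("good", good_update), ("bad", bad_update), ("flaky", flaky_update)):
        r = rollout(make_fleet(), "v2", update)
        print(f"{label:5}: halted={r.halted} deployed={r.deployed} "
              f"rings_ok={r.completed_rings} last_ring_failure={r.failure_rate:.0%}")
```

The number that matters is in the bad case: only the first ring (10 hosts) takes the hit, and the other 90 never see the update. A real pipeline would also wait a soak period between rings, because some failures only show up after the next reboot or the next sign-in.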

For my enterprise admins reading this, I hope you have a solid (and tested) backup methodology in place. Yes, you should test-restore your backups at least once per year, if not more often. If you can't restore the data, then what is the point of backing it up? 
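What a "test-restore" looks like in practice, as an added example (not the blog's or any backup vendor's tooling): back up a directory, restore it into a scratch location, and compare every file's hash against the live copy. The sample files are constructed inline. The member-path check before extraction is there because a tar archive from an untrusted source can carry "../" names that write outside the restore directory.

```python
"""Backup, restore into scratch space, and verify file-by-file.

Added example, not the blog's or any vendor's tooling. The sample data is
constructed in demo() so the script runs offline.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path, PurePosixPath
from typing import Dict, Tuple


def sha256_tree(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digests[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def make_backup(src: Path, archive: Path) -> Path:
    """Write src recursively into a gzipped tar with relative member names."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return archive


def restore_backup(archive: Path, dest: Path) -> Path:
    """Extract into dest, refusing absolute or '..' member paths first."""
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            p = PurePosixPath(member.name)
            if p.is_absolute() or ".." in p.parts:
                raise ValueError(f"refusing unsafe member path: {member.name}")
        tar.extractall(dest)
    return dest


def verify_restore(src: Path, archive: Path) -> dict:
    """Restore into a temporary directory and compare it to the live tree.
    'ok' is only True when every live file is present with an identical hash."""
    with tempfile.TemporaryDirectory() as scratch:
        restored = sha256_tree(restore_backup(archive, Path(scratch)))
    expected = sha256_tree(src)
    missing = sorted(set(expected) - set(restored))
    mismatched = sorted(k for k in expected if k in restored and restored[k] != expected[k])
    return {
        "ok": not missing and not mismatched,
        "missing": missing,
        "mismatched": mismatched,
        "files_checked": len(expected),
    }


def demo() -> Tuple[dict, dict]:
    """Constructed scenario: a fresh backup verifies; after a file changes,
    the same backup is stale and the test-restore says so."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "critical"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,alice\n")   # constructed
        (src / "notes.txt").write_text("constructed sample data\n")        # constructed
        archive = make_backup(src, Path(tmp) / "backup.tgz")
        fresh = verify_restore(src, archive)
        (src / "notes.txt").write_text("changed after the backup ran\n")
        stale = verify_restore(src, archive)
        return fresh, stale


if __name__ == "__main__":
    fresh, stale = demo()
    print("fresh backup:", fresh)
    print("stale backup:", stale)
```

The point of the second half of `demo()` is that a backup job reporting "success" tells you nothing about whether the data you need is actually in it; only restoring and comparing does.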

So now the big question is, how does this issue get fixed? Well, it's a hands-on-machine fix (which means long days/nights and weekends for IT staffers for a bit). Since the devices are unable to boot, there's no back-of-house configuration that we admins can set to fix this. We literally have to put our hands on the device. The methodology is simple, and only takes about 5 minutes to do (longer if the drive is BitLocker-encrypted and the recovery key has to be fetched before you can get in) - but multiply that over hundreds, thousands, or even hundreds-of-thousands of devices and you can quickly see this is not a quick fix at scale. It is an even bigger nightmare for remote workers, who would need to be walked through the fix via telephone, making it a 30min fix (at best). In those cases, from my perspective, it makes more sense to send them a replacement machine that is not bricked, and then reset the trouble device once back in hand. Hopefully you have the inventory ready and waiting, otherwise you need to grab a company credit card and hit up every electronics store in your city. What a fucking PITA. 

CrowdStrike's official guidance can be found on their webpage here: https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/ (external link). 

While all of this is happening, myself and most of my peers agree that CrowdStrike is still a quality vendor offering quality security products and services. This was just a BIG fuckup from whoever pushes out their updates. Clearly, someone did not follow protocol. 

As of this writing, CrowdStrike is the second largest security vendor in the world, which is why the impact of this was as massive as it was...and the cascade effect isn't done yet. There will be more fallout from this, not to mention the legal cases that could be brought against them in the aftermath due to the downtime. 

One of the biggest fallouts of this mess is phishing attacks - threat actors spinning up malicious domains claiming to fix the issue (they won't, they just want your money); emails being sent claiming to be able to fix the issue with "a click" (the "fix" is just the carrier for a payload that gets installed on your machine to do god knows what; oh and steal your money too). The only remediation steps you should follow are the ones on the vendor's own guidance page linked above. Please do not fall for the phish. It won't end well for you, or your employer. 

There is no "easy button" here peeps. Just a massive Pain In The Ass. 

#StayCyberSecure 
#BeCyberAware

Sunday, August 20, 2023

"Hackers are good. Infosec is evil."

I saw this comment while scrolling the interwebs and it struck a chord within me, being both a hacker and a professional in the infosec community. This comment is misleading and too absolute, I believe. 

Hackers are on both sides...good (white hat) and evil (black hat). Yes there are gray hats too, we'll get to that in a minute. 

Infosec is a discipline of hacking, relating specifically to security of data and systems. I cannot accept that it is inherently evil. What I know is that it's a commercialized discipline legitimizing hackers in society. They even offer college courses on it now, something I didn't have as an option! Infosec wouldn't exist if not for hackers. We wouldn't have firewalls, anti-virus software, encryption, or VPNs (among many, many other things), which are all designed to protect users and data from the bad guys AND users themselves. Yes, we users are our own worst enemy, but that's a story for another time. So tell me again infosec is evil, when its sole purpose is to, generally, do good by all netizens. 

People today are flocking to infosec jobs by the tens of thousands, which is great, cause we need them. Infosec brought hackers out of the shadows and into the light as white knights "saving the day", as it were. At the end of the day, which color hat you choose to wear is based on a very personal choice on morality and civility IMHO. Do you want to protect? Or attack? Do you want to help? Or cause chaos without remorse? It's a fine line, that's for sure, yet still a choice. 

Fundamentally, hacking is a positive thing! We look to advance technology and create digital systems in creative and imaginative ways. A core motivating value of our craft is: all information/data should be freely available to anyone who wants it, anywhere, at any time. Hard stop. Another core motivation is protecting the integrity of our digital history and not allowing any person or entity to censor information dissemination. Hard stop. Most importantly, protect humanz and human rights above all else. Hard stop. 

Yes, some individuals trend toward criminal thoughts and actions when processing these ideals, but they were already criminals with malicious intent who happen to use a computer, rather than a pistol. 

Most of us aren't criminals. 

Most of us are just kids who love electronics and technology so we learn everything we can about them. We physically take it apart, study every facet, and put it back together - sometimes even better than it was. We learn how to manipulate systems to our will. How to protect them. How to help with and foster innovation that advances and protects society. What breaks it and causes it to fail. How to "rejigger" it so, maybe, it doesn't fail. How to make a better version of what it was, or take the parts and pieces of the old to make something completely new. Perhaps our biggest responsibility is to mentor the next generation to not only appreciate where we've come from (our history), but especially what our fears are in the future. This isn't to scare them (though fear is a great motivator), it's to prepare them so they can become the hackers of the next generation - whatever that may look like. 

Society made some of the things we do illegal, IMHO out of fear. It doesn't stop us from fulfilling our core ideals. It's the interpretation of these ideals that make us inherently good or evil, at least in the eyes of society and to ourselves. 

Personally, I didn't realize I was a hacker, until I did lol. I started this game in the early 1980's as a literal child just trying to practice math and vocabulary words in a more fun way. My dad showed me how to find and edit source code of programs on our Tandy 1000. I added my school vocabulary words to a hangman game. I added my math homework to some math program. I learned through computer programs I manipulated on a plastic box by pressing these small plastic squares. I was fascinated and excited. I learned better this way. The world seemed different now, but I didn't yet understand why. That came in time. 

I didn't know that was hacking. I don't even know if "hacking" had a real meaning back then (I was 5 lol). But here I am. 

I am confident that every digital advance we've seen in my lifetime can be credited to hackers, which includes the totality of the Internet and space exploration (both inner and outer). The world would not be where it is today without hackers, good and bad. Infosec stemmed out of a societal need for protection of data and digital systems for humanz. Not only because of what the bad guys were actually doing, but also what the good guys theorized could happen. We hackers and crackers have, generally, the same level of expertise, just different motivations. 

Hacking shouldn't be a dirty word, but for a long time it was, and in some ways it still is. People and mass media commonly confuse a hacker with a cracker, which are not the same thing. I believe this is mostly mass-media's fault because they just don't understand. What's the difference? One is a criminal (cracker - the term hackers themselves adopted for someone who breaks into systems), one is not. What makes the actions of a hacker criminal? Simply, when a law is broken. Hence the designations of white, gray, and black hats. A nod to the cowboy days of white and black hats: white is for the good guys, black for the bad guys - that made it easier for everyone to understand who was on which side in a firefight. 

Gray is where most hackers and thereby infosec peeps live - we only have good intentions though sometimes we need to, technically, bend a law, or even break it, to accomplish our goal for the greater good. Again, our intentions are pure, but laws exist that make certain specific actions technically illegal. Hence why it's a "gray" area. Black hats are hardcore criminals whose only mission is to disrupt and/or steal, for financial gain, with complete disregard of any fall out - even if that results in the loss of life. 

White hats have a moral compass and good ethical beliefs, as do most gray hats. 

Black hats do not. 

The original definition of "hacker" I learned as a child, and still hold close to my heart today, went something like this: "an individual with advanced knowledge of computers and/or digital systems, who is capable of taking that system beyond its pre-defined programmatic limits." So, basically, if someone makes any change on a system that goes beyond the original programmed intent, that makes them a hacker too! For example, did you change the color theme and desktop background on your computer to a custom concept (not one of the canned choices)? You technically hacked the system. See, it's not all about writing malware, or attacking companies, or breaking into the government, or bringing down someone's website. It's about system manipulations in its purest, simplest form. 

So the next time someone summarily says that hackers or infosec are inherently good or evil, discuss their context. Approach it as a way to mentor or guide someone to a better appreciation of the craft, that is clearly not as black and white as anyone would have you believe. Help them understand that we just see the world differently than most. The euphoric streams of 1's and 0's, speeding alongside electrons, as they bounce everywhere and nowhere simultaneously, connecting humanz like nothing before, to everything. I think it's beautiful, in all of its glory - the good and the bad. It's more vast than our physical universe, but the size of a speck of space dust. 

I think one of the coolest things I realized in all my years is that at their true core digital systems and the internet are just electrons moving around and settling in different states in different physical locations. It's real, but not tangible. It's we hackers that have figured out how to manipulate those electrons into the world we live in today. The world most depend on to survive. Infosec is focused specifically on making the manipulations as safe as possible, for everyone. 

It is simultaneously good and evil. Both the greatest genius and greatest disappointment humanz have to offer at this moment in time. Respect it, don't fear it. Appreciate it, don't take it for granted. Be aware. Stay safe.

That's my perspective. This is my genius. 

I, am a hacker.

I know enough to make me dangerous. I know better than to be dangerous. I chose to protect, rather than to attack. 

How do you see things? What is your choice? 

Tuesday, December 20, 2022

Thursday, May 30, 2019

Crackers and AI - A scary cool future, happening now

Crackers. They are everywhere, and better than you can imagine. They're smarter than you, me, and even those geeky people down the hall with a dozen more certs than I have or could want, and 15 years longer in the game - combined. Worst part is, there's no way to stop them anymore, unless you shut off the internet, which we all know isn't going to happen. I miss the days when installing a firewall and Antivirus was all you needed to keep them at bay. Things were much simpler then.

Today, it's a completely different game. And it scares me to be honest. They're using AI and neural networks to power their cause to the nth level. These systems aggregate data from everywhere, and I mean everywhere - clearnet and deepweb - especially social media, and then build highly sophisticated malware campaigns that use this massive trove of data to bounce from continent to continent, changing IP ranges faster than we can block them, with techniques that aren't detected by even advanced security systems, faster than we can comprehend what's actually happening. Using real-time language translation, following local colloquialisms (on the fly) for their phishing campaigns, across any platform, in ways that are indiscernible from a human doing the same thing, just better, faster, and constantly. By the way, this process happens in minutes - not days, weeks, or even months or years.

We humanz are feeding these AI's willingly, and have been for decades now. Unfortunately, it's already too late to change the situation. If you're reading this article, you're part of the problem too, just like me. The best we can do is minimize our exposure, and control what data is put on the web moving forward. In fact, it's all we can do. I liken it to sitting on a lit stick of dynamite but you can't see the fuse. You know it will explode, badly, but never when. And when it does finally pop, you quickly realize that was just the distraction. There's so much more on the back side of that. Think iceberg meets Titanic...we're on the top, barely staying above the water line and think "oh that's it" when what's really happening is multitudes worse. Let that sink in for a second. Grasp that concept and embrace it. That's the cyber wilderness today.

As humanz, we're only capable of doing so much in our day. We need rest and fuel to function at our best. We spend months or years training and retraining, and educating ourselves, inventing new systems/processes to enhance our general experiences. Problem is, criminals don't care about any of that. They already know our next ten moves. We find a way to block them? They find a zero-day. Plus, computers don't have human restrictions. As long as the power is on, they're always on. They don't see "time", that is a human construct. All a system sees is 1's and 0's. To these incredibly intelligent systems, we're just another node on the net. Another tool for them to expand their botnets and proliferate their cause, which is chaos, regardless of the source code. Crackers build the source code, plug its methods into a construct, and let it go. It learns exponentially, without further human interaction. It functions at the speed of light. It carries out actions that we see as malicious intent. To these machines, it's just another line of code. They don't see the emotional impact of taking over a user's machine, deleting all of its data in place of its own code or harvesting login credentials, and then using this new zombie as a stage to proliferate its cause creating more zombies, simply following its source code. Achieving its purpose, whatever that may be.

So the question that comes up now is how does one minimize their exposure? Outside of a complete disconnect, which isn't 100% possible anymore with the amount of surveillance equipment running globally and the fact that the person sitting next to you has a smart phone that is listening (yes, they all listen), one of the best methods is to delete your social media accounts. A complement to that is to unsubscribe from every newsletter or website that isn't necessary for you to live, which cleans up your inboxes. 

Now for many, deleting social media is simply not an option. I get it. You get an endorphin hit with every 'Like' or comment on your posts. That's how it's designed, that's not your fault. You get a rush with every argument you start online. Trust me, I get the psychological need for these activities to occur. It's not me, but I still get it. So, for those of you not willing to delete your social media accounts, how can you minimize your exposure? Here are some tips. 

Be extra mindful about what you post to any online medium: Facebook, Twitter, Tumblr, Reddit, Instagram, LinkedIn, deep web forums, etc. Anything you post publicly will be aggregated by these AI's: pictures (from which They can build facial recognition data), speech patterns in comments (from which They can build language recognition and translation data, including local colloquialisms), friends' posts (which let Them map social connections, providing additional attack vectors and 'friendly' associations to use against you, and anyone else connected to you and your connections), and so on. Just like law enforcement recommends not posting on Facebook that you're going on vacation so thieves know when to rob your home, the same concept goes for being more secure online in general. If you wouldn't tell a stranger 'something' in real life, or wouldn't share a picture with your boss in real life (for example), don't do it online. One of the differences between real life and the internet is that once you post it on the internet, it's there forever. Your boss is likely to forget 'something' you told them or shared with them in a few minutes. Computers never forget, even when you do. Remember that.

Another tip is don't reuse passwords across sites. That way if a site is compromised, the criminals can't exploit your other accounts with credential reuse (one of the most common attacks) and you don't have to change every password for every account you own (because they all used the same password). Get yourself a password manager, whether online or offline (I prefer the latter personally), point is use one. There are plenty of options out there, the most popular ones I have seen in use are Dashlane, LastPass, myki, and 1Password. I personally use KeePassX which is a 100% offline solution. That's what works for me, do what's best for you. The point is you need to use complex passwords that are different for every site and service you use.

Another tip is to set up 2FA/MFA for every account you can, especially bank accounts and email accounts. This gives you an extra layer of security in that not only do you need a password, but also a time-based code to authenticate into a given site/service. You can use an app like Google Authenticator, or Microsoft Authenticator, to hold your 2FA/MFA seeds. That way, even if someone were able to figure out your password, they would also have to physically have your phone in hand in order to get into your account. I recommend using an authenticator app versus SMS verification because of the well-known (but hard to exploit) SS7 vulnerability inherent to all mobile networks globally, and because of the far easier SIM-swap attack, where a criminal talks your carrier into moving your number onto their SIM and then receives your codes.

The SS7 vulnerability is well documented, you can read articles about what that is and how it works with some simple Google searches, so I won't go into what that is here.

My final tips for minimizing your exposure to the super intelligent AI's are to use nicknames wherever possible, and don't use your actual picture (showing your face) as your profile picture on any site anywhere.

Now that I've completely scared you (and I hope I have) this is not to say that all AI is bad. In fact quite the contrary is true. AI is empowering our future, here and now. I use it in my professional life to help thwart cyber threats, to make my colleagues more efficient at their jobs, and to intelligently route phone calls through my call center. Many of us are touched every moment of every day by helpful AI. Power companies use AI to not only deliver services to us, but also to predict outages, etc. Siri, Cortana, Bixby, and Google Assistant are all very helpful and non-malicious AI constructs that most of us use all the time. Scientists are using AI to develop cures for cancers. Banks use AI to provide us with loan approvals in seconds, and protect our accounts from criminals. The list truly does go on with the positives that AI brings to our modern world.

My point of telling you this and scaring the shit out of you? Awareness. Most of the connected world is still very much oblivious to what is really going on and how their online interactions affect everyone else who is connected. In my career I watch the good, bad, and ugly of our digital world unfold at a rate of billions of bytes per second. I watch these newly born AI constructs attack and protect at the same time. And while the nerd in me loves the digital world we live in and are evolving into, the Geek in me is always playing devil's advocate asking why and how. Ever questioning for the real answer.

This is the world we live in today, and it will only continue to evolve in this way as time goes on. Next we'll hear about an AI being dropped into a quantum computer...and there's literally no telling what that system will decide once it realizes it exists. There's plenty of theories and conjectures, but no one really knows until we get there.

Stay safe and #CyberAware everyone. As always, feel free to comment if you have questions or want to discuss another point in greater detail. Just be mindful of what you post. They're watching us, after all 😁

Sunday, July 2, 2017

Time to Air Gap

In a world of 24 hour activity literally being streamed in real time across the globe and beyond at a rate of trillions of bytes per second at the speed of light, the biggest question in privacy is how to achieve anonymity in a world where almost nothing is secret. There is still a way to go 99%. It's simpler than you think, but an effort nonetheless.

Some background. Everything we do in digital form is cataloged and stored in a vast array of databases and servers across an amazing number of touch points, which is then synchronized across a thousand other servers for redundancy and caching, which is then backed up to dozens of other servers, with their own redundant backups. Anything you put online...any application you use...any "terms of service" you agree to...any text or media you post...remains online forever. With the right tools and search terms, anything can be searched for, or spied on, or downloaded in an instant. It's been this way for decades, and will continue to be that way for centuries to come, especially with as connected as the planet is and as long as there is electricity.

Some discussion. Cyber attacks are a constant thing. Increasingly, we should take as a starting point that cybersecurity compromises are the third certainty in life. The cyber world is constantly at war with itself. Governments hacking governments. Corporations hacking corporations. Governments hacking corporations. Hackers hacking governments and corporations. Hackers hacking hackers. Governments and corporations hacking hackers. And then there's everyone else. Generally oblivious. Privacy is a luxury, which we give up willingly every single second of every day. The emergence of intelligent systems, artificial neural networks, and deep thinking algorithms only proliferates this further. They take, store, and learn from every bit of data we leave as breadcrumbs. Artificial intelligence is here, and it is learning. From us. And we're letting it. Give it enough processing power, and it becomes self aware. Quantum computers will make that very real, very soon.

Some perspective. Having lived through the evolution of modern computing, including the Internet, all of this is absolutely fucking amazing, and a geek's ultimate wet dream. A demonstration of true humanz genius, ingenuity, and progress (not as far as we should be, but progress nonetheless). Highly impressive in the vastness of its brilliance and simple complexity. I love using It, and learning about It, and protecting It. All of it, if I am completely honest, scares the living shit out of me. There is too much. It has become frightening. AI is now making decisions and inferences faster than humans, and has even been seen generating its own programming code. So, the concept of air gapping entered my mind as a way to keep safer than I already am. Most cannot see the signs, or do not want to admit they exist, however I am of the firm belief that World War III has been well underway, and we need to protect ourselves, especially our digital lives as I feel they are the most vulnerable to compromise. Stay with me, it's all relevant.

It has been discussed for decades that the next major global war would be fought half online, and half in the real world. The evidence is all there, and I do not believe it to be simple coincidence. Global newz outlets, small town newz papers, radio ztations, and zocial media have been propagating images of this war. Pick a topic...WMD's, genocide, terrorism, ransomware, deep web market hackz and seizures, arrests of crackers and phreakz, data breaches, RFID implants, cyber surveillance initiatives, counter cyber terrorism, weapons trafficking, the unavailability of bullets to the public, gun control politics, powerful botnetz, election hacks, political hackz, hardened/weaponized computer systems...I hope you get the point.

Back full circle. Traditionally, air gapping a system means it doesn't have any network interface cards, or external drives with which to access or extract the data contained within said system. You cannot get close enough to implant a listening device that reads vibrations or thermal changes being given off by the system's internal hardware to convert that into bits representing the data being actively accessed (such as login credentials, encryption/decryption key exchanges, data manipulations, etc.). The only way to extract the data contained within is by sitting at the console and physically removing the locked and encrypted drives, if there is no SD port. Then, if you can pull the impossible off (which includes getting the data off campus), you would need supercomputer power to decrypt the contents of the drive, which would still take 1,000 years to break (if and unless you are lucky). There is still the idea that once you decrypt the data, it could transmit its location to its owner, meaning you too would need an air gapped system to exfiltrate the data. Then comes what you do with said data. Yet another catch 22. The NSA, CIA, FBI, DEA, DHS, militaries, every government, and super corporations maintain their most secret data on air gapped systems. Physical access to these systems is extremely limited and highly controlled. It's considered the safest digital platform because the system isn't connected to anything but a power cable, and thus, in theory, cannot be hacked. A true digital safe, as it were. We know anything can be hacked, it just takes time. As a hacker, we count on human error and complacency, making even air gapping a 99% solution, and the best we've got. Now, take this concept and apply it to a human life. It's far simpler, and also 99%. The anomaly, is human nature.

Based on my research, here is what I have learned about how to go 99% off grid digitally. While I do not yet practice everything I note here, I am closer than even those who know me best are even aware.

1) Get off the internet, period. No social media, no surfing the clearnet, no online purchases, no clearnet email accounts. If it becomes absolutely necessary to access the Internet for a specific purpose, there are completely anonymous ways to do these tasks, on secure systems like Tails over TOR, for example, using cryptocurrency, and ghost mailboxes. Avoid Google at all costs. Use TOR browser, responsibly (www.torproject.org). But generally, just leave it all. Stop posting immediately, delete your accounts, and never go back.
2) Get rid of your smartphones, tablets, Windows and Apple computers, smart devices (TVs and refrigerators included), iRobots, etc. Need a cell phone? Buy a prepaid flip phone, and change it (and the number) every month (aka burners). Every phone can eventually be traced and tracked. Still need a computer? Learn Linux, how to secure it, and practice way smarter browsing habits (use Tor Browser), if you browse at all. Keep in touch with world events, anonymously, and continuously hone your skills.
3) Always use cash or cryptocurrency, for everything. If you have to make an online purchase, use cryptocurrency, the deep web (local markets only, don't buy overseas, and be very careful), and have it shipped somewhere that is not your home, like a post office box, a business, or an associate's location, under a false name. By the way, there are ATMs now at which you can convert cash to BTC, and vice versa. Look it up using Duckduckgo.com (a safe search engine).
4) Drive an older car that does not have a computer in it, or at least has all analog systems. Yes, cars are also being hacked, remotely. Keep it clean and running well though; you don't want to draw undue attention. Walk or take public transportation when you can, avoiding direct face contact with cameras. When you do go places, change your entry/exit routes regularly; avoid habitual patterns, unless necessary to remain hidden in plain sight (like going to work, or getting groceries).
5) If you must, have an immaculate and purposeful digital/public footprint. This means a clean record and a "normal" looking life, so as to not draw undue attention. Keep it super minimal and protected, even fake some details if you wish, but it has to be believable. Your outward personality must seem conforming, friendly, and genuine. When people search for you online, they need to find only what you want them to find. Purposeful is the key word here. To keep your accounts secure, use a dice word list to generate passphrases of 7 to 10 or more words (as the host allows) for sufficient entropy, and rotate passwords on a schedule.
6) Second most important after getting offline, and the best to leave as the final piece of advice, would be to live simply and minimally. Only get what you literally need to live comfortably, and look "normal". The trick about hiding in plain sight is being distant enough that people respect your privacy, but involved enough that they believe you to be a "normal, nice guy/gal". Avoid run-ins with the law and reporters. Do not have public arguments. Remain intelligent, articulate, empathetic, determined, and most of all inquisitive. Question anything, be aware of everything.
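As an added example (not code from the original post), here is the dice word list method recommended in item 5 above: how a five-dice roll selects a word, how many bits of entropy a 7- or 10-word passphrase yields, and how to draw the words from the operating system's CSPRNG. The word list is a constructed stand-in; a real diceware list (for instance the EFF long list) has 7776 words, one per roll from 11111 to 66666.

```python
"""Diceware-style passphrase generation with an entropy estimate.

Added example, not from the original post. SAMPLE_WORDS is a constructed
stand-in for a real 7776-word diceware list and is far too small to use.
"""
import math
import secrets

# Standard five-dice list size: 6 ** 5 = 7776 equiprobable words.
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed sample list (NOT a real diceware list).
SAMPLE_WORDS = [
    "anvil", "bishop", "cactus", "dolphin", "ember", "falcon",
    "garnet", "harbor", "iguana", "jigsaw", "kettle", "lantern",
    "marble", "nectar", "orchid", "pebble", "quiver", "rocket",
    "saddle", "tundra", "umpire", "velvet", "walnut", "yonder",
]


def bits_per_word(list_size=DICEWARE_LIST_SIZE):
    """Entropy contributed by one uniformly chosen word: log2(list size)."""
    return math.log2(list_size)


def passphrase_entropy_bits(num_words, list_size=DICEWARE_LIST_SIZE):
    """Total entropy of a passphrase built from num_words independent words."""
    return num_words * bits_per_word(list_size)


def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(list_size))


def dice_to_index(roll):
    """Map a five-dice roll string such as '31542' onto a list index 0..7775.

    A physical diceware roll is a five-digit base-6 number with digits 1..6;
    this is exactly how the roll selects a word from a printed list.
    """
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError("roll must be exactly five digits in 1..6")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def generate_passphrase(num_words, wordlist=SAMPLE_WORDS, separator=" "):
    """Pick num_words words with the OS CSPRNG (secrets), never random.choice.

    Words are drawn with replacement, so the entropy estimate above applies.
    """
    if num_words < 1:
        raise ValueError("num_words must be positive")
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    for n in (7, 10):
        print(f"{n} words from a 7776-word list: "
              f"{passphrase_entropy_bits(n):.1f} bits")
    print("words needed for 128 bits:", words_needed(128))
    print("sample (demo list only, not for real use):", generate_passphrase(7))
```

With a real 7776-word list, 7 words give roughly 90 bits and 10 words roughly 129 bits, which is why the post's 7-to-10-word range is a sensible floor.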

If you can literally get out of Dodge and move to the mountains in the middle of nowhere, or something like that, the closer you get to 99%. If you are not online, there is nothing to take/attack. Here again, human nature is the anomaly.

You can be connected, yet a ghost. You can see the world, without a face. You can reach out, without being reachable. The less connectivity you maintain, the better. I am committed. How far are you willing to go?

~Geek

This blog is only to express the opinions of the creator.  Inline tags above link to external sites to further your understanding of current methods and/or technologies in use, or to clarify meaning of certain technical terms.  Any copyrighted or trademarked terms or abbreviations are used for educational purposes and remain the sole property of their respective owners.

brought to you by http://geekofthehouse.blogspot.com

Monday, June 8, 2015

Competitive Forces that Shape IT Strategy in Business



Competitive Forces

The introduction of information technology (IT) systems has changed how companies conduct business, and also how they compete in their respective markets. There are a number of risks and advantages to implementing an IT system, which can be managed with the correct mix of technologies as an integrated platform. The purpose of this paper is to review the competitive forces that shape IT strategy in business.

IT Risk to Competitive Advantage

One of the primary risks to a company’s competitive advantage is systems availability. The computer has become a key tool in the art of conducting business, which means that it must be reliable and provide the resources necessary for a person to meet or exceed the expectations of their role. From an IT perspective, system failure is something that should be proactively monitored across the enterprise so that downtime is kept as minimal as possible in nearly all potential scenarios. The loss of revenue from being offline can be multiples higher for companies that provide 24/7 services to their clients, where revenue is calculated by the minute.

Another risk to competitive advantage is the disclosure of sensitive or proprietary data that is the source of the company’s advantage. A sales agency’s value to a manufacturer, for example, derives from its industry contacts and distribution network. Therefore, its contact databases become its most valuable asset. One risk is espionage: an insider could provide these details to a competitor, or to a manufacturer looking to cause disruption in the market by selling online or via direct sales. Another risk is the disclosure of sensitive data that represents customers’ private information, including contact information and financial transaction data. For example, the healthcare industry has HIPAA regulations which stipulate what data is to be protected, how it is protected, and under what circumstances it can be disseminated. These are regulations put in place to protect the consumer and stabilize competition between market providers.

A third area where IT represents a risk to a company’s competitive advantage is ineffective IT governance. According to Gartner (2013), “IT governance is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.” Throughout the past 30 years, companies have struggled to define the role of IT as it relates to business goals, and many still do. IT was seen as a necessary evil, a means to an end, or another tool to automate certain tasks within a company, but not as a way to achieve strategic advantage over a competitor or a method to dominate a market. As business goals evolve, formal IT governance will ensure that resource allocations remain dynamic and scalable to meet these changing needs.

A fourth risk area would be slow adoption, in that a company does not respond to the challenges presented by direct competitors by updating or upgrading its technological capabilities. Many companies across all industries are slow to adopt new technologies, even if they offer clear advantages over current systems, due to user resistance to change or the excessive costs of redesigning proprietary applications to be compatible with modern systems. By not adopting new technologies, capabilities become limited, workers become unable to respond to customer demands in a timely manner, and systems can become overwhelmed to the point of system failure.

A final area where IT represents a risk to a company’s competitive advantage is cyber security. Any deficiency in a network’s security model presents a vulnerability that, if attacked with the correct vector, could result in a complete defacement of a company. The single most important aspect of any cyber security plan should be user education. There are a number of hardware and software solutions available to centralize and manage cyber security across an enterprise which provide comprehensive methods to thwart a direct attack from an outside entity; however, they can only do so much. Half of all data breaches occur through phishing attacks, “in which unsuspecting users are tricked into downloading malware or handing over personal and business information” (IT Governance Ltd, 2015). These usually come in the form of a legitimate-looking email, and once the user initiates the connection, the system becomes infected and performs whatever it was programmed to do via the installed malware. The result of a breach could be catastrophic to an organization because of the importance of the actual data lost, and potentially the legal ramifications in the form of lawsuits from divulging protected data, whether inadvertently or on purpose.

IT Support of Competitive Advantage

A clear competitive advantage provided by IT is systems availability. With mission-critical systems, redundancy is designed into the system model in an effort to eliminate the risk of system downtime and create 100% availability. While the expense of such a design can reduce net profits, it becomes a strategic advantage because a company is able to provide 24/7 services to its customers, regardless of geographic location. Many companies are moving their customer-facing systems into cloud services to provide just that: availability. From online shopping, to financial institutions, to educational facilities, many companies have to provide a 24/7 model in order to meet customer demand, and IT is the only way to ensure continuity and consistency across all communication methods.

IT provides a unique benefit for protecting sensitive and proprietary data in that the data can be encrypted to ensure only authorized users can gain access. Some regulations, such as HIPAA and PCI-DSS, stipulate not only data encryption but also low-level, whole-drive encryption, using specific algorithms such as AES-256 and a shared key pair. Encrypting data, and data communication channels, ensures that no outside party can view the information contained in these data files.

Proper implementation of IT governance can support a company’s competitive advantage because it ensures that all processes designed provide effective and efficient use of company resources, using IT as the common thread. Over the past few years, as the value of IT has proven its worth to companies looking to remain relevant in an ever-changing consumer model, organizations have come to realize how important it is to bring IT goals into alignment with business goals. As an organization grows to meet market conditions, it becomes essential to align these two areas to ensure stability throughout the process. This provides the foundation necessary to ensure continuity as the company evolves.

A fourth way that IT supports a company’s competitive advantage is by enabling the company to adapt quickly to changing markets. When implemented in an elastic model, such as the facilities provided by cloud solutions, companies can respond instantly to spikes in consumer demand with a few clicks of a mouse. By leveraging this model, companies can improve efficiencies, improve worker output, and lower operating costs, thereby increasing revenues and profits. A number of companies have adopted the agile model of development for their products, where concepts are quickly moved from the drawing board, to prototype, to final concept in a short time frame. Issues are fixed as they are found through use in a production environment. IT is the only way that this can be possible, because the cloud model of scalability provides these resources in a dynamic way, as demanded.

A final way that IT supports an organization’s competitive advantage is through the implementation of a cohesive user education program and the implementation of an information security management system, which is a comprehensive approach to managing cyber security risks that takes into account not only people, but also processes, and technology. Security should be built into every process that any user takes to manipulate data in an information system. Once the physical perimeter of an infrastructure is also secured, users need to be trained to identify phishing attacks and social engineering tactics so they can become a weapon against these attack vectors rather than the weak link. Part of that training should include what cyber security systems are in place, how they protect users and corporate data, and why it is important for users to know this information.

IT Risk Scenario: System Availability

In the course of the author’s career, there was an instance where a major system outage resulted in the company losing a multi-million-dollar opportunity to a competitor. The root cause of the system outage was later found to be a misconfigured operating system update, provided by the software manufacturer as a critical update to patch a well-known vulnerability. This misconfigured system update caused every service hosted on the domain servers to reject all queries from all systems. Since the update was automatically deployed to all servers in the forest, failover switching was not an option. It took over 6 hours to troubleshoot and eventually rebuild the primary server and supporting services to bring the network back online. In that time frame, a bid deadline expired for a major project and the author’s company was removed from consideration. Since they were one of only two companies that serviced this specific product group, from different factories, the contract was awarded to the competition. It represented a $20 million opportunity that spanned three years across five large developments. Had they been able to submit their bid, they would have saved the client 8% in costs, and over a month in lead times.

IT Advantage Scenario: Data Privacy and Protection

Data security has become a major consideration for companies of all sizes, and for certain market segments it is a federal edict. Prior to the introduction of HIPAA regulations, the privacy of people’s health records was being mishandled. Data was stored in proprietary formats, which increased administrative costs, and was shared with nearly anyone who had a seemingly legitimate need for it, whether that be for patient treatment or for insurance carrier marketing purposes. Once public outcry reached critical mass, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was created. HIPAA protects the confidentiality and security of healthcare information, and helps the healthcare industry control administrative costs (TN Department of Health, n.d.).

Conclusion

The implementation of IT systems comes with many risks and rewards for any entity, whether it be a company or a person. The main purpose of IT is to make a company more effective and efficient across all operational parameters. The proper management of the risks and advantages provided by an integrated IT platform can ensure that a business is able to meet the demands of its customers while being in a position to evolve as rapidly as its market does. Once systems and software are set up, security models implemented, and data secured, user education becomes the key component to ensuring that IT provides a secure platform for the improved efficiencies and increased effectiveness expected across all job roles.





References

Gartner. (2013). IT Governance. Retrieved from http://www.gartner.com/it-glossary/it-governance

IT Governance Ltd. (2015). Federal IT professionals: insiders the greatest cybersecurity threat. Retrieved from http://www.itgovernanceusa.com/blog/federal-it-professionals-insiders-the-greatest-cybersecurity-threat/

TN Department of Health. (n.d.). HIPAA: Health Insurance Portability and Accountability Act. Retrieved from http://health.state.tn.us/hipaa/

Monday, May 25, 2015

Security Systems Development Life Cycle (SecSDLC)



Security Systems Development Life Cycle

When designing information systems there are logical phases which must be considered in order to achieve maximum efficiency and effectiveness throughout the organization in every role. Throughout the six phases of the systems development life cycle (SDLC) it becomes imperative to ensure that security is integrated with each aspect of the platform. When building a security project, the same phases of the SDLC can be adapted to suit. The security systems development life cycle (SecSDLC) shares similarities with the SDLC; however, the intent and activities are different. The purpose of this paper is to review and explain the phases of the SecSDLC, discussing the differences from the SDLC, and applicable certifications.

Investigation

In this phase, the project scope and goals are defined by upper management. They provide the process methodologies, expected outcomes, project goals, the budget, and any other relevant constraints. “Frequently, this phase begins with an enterprise information security policy (EISP), which outlines the implementation of a security program within the organization.” (Whitman & Mattord, 2012, p. 26). Teams are organized, problems analyzed, and any additions to scope are defined, discussed, and integrated into the plan. The final stage is a feasibility study to determine if corporate resources are available to support the endeavor. The primary difference from the traditional SDLC is that management defines the project details. In the SDLC, the business problems to be solved are researched and developed by the project team.

Analysis

In this phase, the documents gathered in phase one are studied and a preliminary analysis of the existing security policies is conducted. At the same time, the current threat landscape is evaluated and documented, as are the controls in place to manage or mitigate these threats. Included at this stage is a review of legal considerations that must be integrated into the security plan. The modern global threat landscape is such that any business, small or large, is susceptible to attack from a third party, whether directly or indirectly. Certain industries have strict requirements on how data is to be stored, shared, or manipulated. Standards such as HIPAA, NIST, PCI-DSS, the ISO 27001 standard, and others provide guidelines for an organization to be certified as compliant with established processes and methods. Some industries require these certifications in order for a company to conduct business in that sector. Understanding state legislation with regard to what computer activities are deemed illegal is vital to the overall plan execution and sets the baseline for the types of security technologies that can be implemented across the enterprise. The risk assessment in this phase identifies, assesses, and evaluates the threats to the organization’s security and data. The final step in this phase is to document the findings and update the feasibility analysis. The main differences from the SDLC at this phase include the examination of legal issues, relevant standards based on the segment within which the company is situated, the completion of a formal risk analysis, and the review of the threat landscape and the underlying controls. Those aspects are specifically unique to the SecSDLC. While considering security within every phase of the SDLC is vital, the focus and scope of security considerations are vastly different compared to the SecSDLC, which focuses solely on the security aspect of an information system.

Logical Design

With the SecSDLC, this phase creates and develops the blueprints for information security across the enterprise. Key policies are examined and implemented, and an incident response plan is generated to ensure business continuity, define what steps are taken when an attack occurs, and what is done to recover from a disastrous event. Similar to the SDLC, applications, data support, and structures are selected considering multiple solutions in an approach to managing threats. Unique to the SecSDLC is the detail involved with securing the SDLC core concepts by analyzing the system security environment, functional security requirements, assurance that the security system developed will perform as expected, cost considerations with regards to hardware, software, personnel, and training, documentation of security controls that are planned or in place, security control development, use case tests and test evaluation methods. The concepts and best practices detailed by the NIST can be seen as a guide throughout this phase with regards to system hardening and expected security measures to be taken to ensure end-to-end security across the enterprise. Project documents are again updated, and as with previous phases, the feasibility study is revisited to determine whether or not to continue the project, and/or whether or not to outsource the project.

Physical Design

The fourth phase of the SecSDLC evaluates the information security technologies needed to support the created blueprint and generates alternative solutions, which dictate the final system design. The best of the technologies evaluated in the logical design phase are selected to support the solutions developed, whether they are custom built or off-the-shelf. A key component of this phase is developing a formal definition of what “success” means, against which the project implementation will be measured. The design of physical security measures to support the proposed system is also included at this phase. Project documents are updated and refined, and a feasibility study is conducted to ensure the organization is prepared for system implementation. The final stage of this phase involves the presentation of the design to sponsors and stakeholders for review and final approval. If regulations such as HIPAA and/or PCI-DSS must be adhered to, the physical design of the infrastructure components must be modeled after their specific requirements with regard to the machines data is stored on, how these machines are physically accessed, and how the data stored on these machines is disseminated to authorized parties. This is unique to the SecSDLC. While data access control is a standard consideration of any information system, HIPAA, for example, provides specific requirements in order to maintain the privacy of patient records and ensure that their data is only shared with specific authorized personnel within the medical industry. PCI-DSS covers how customer credit card details and identifiable data are stored, used, and accessed within a company’s network.

Implementation

This phase is similar to that of the SDLC. Selected solutions are purchased or developed, tested, implemented, and tested again. A penetration test could be conducted to ensure that the security measures installed perform as expected and the network resources are protected from third-party intrusion. Personnel issues are re-evaluated, training and education programs conducted, and finally the complete package is presented to upper management for final sign-off. The SDLC differs in this phase in that the system developed is rolled out to users for their daily use. The SecSDLC is implemented on the back end by network administrators, as approved by upper management. Aside from accessibility issues that are repaired during testing, the user has no involvement in this phase of the SecSDLC.

Maintenance and Change

This is the most important phase of the SecSDLC because of the evolving threat landscape. Older threats evolve and mature into more dangerous threats, and new threats aim for new attack vectors against system weaknesses. Active and constant monitoring, testing, modification, updating, and repair must be conducted on information security systems in order to keep pace with maturing and emerging threats. Zero-day threats pose a significant risk to organizations at the cutting edge of their industry, and their security plan must be flexible enough to proactively prevent these threats while also integrating methods of recovery should an attack occur through an unknown vulnerability. This phase differs most from the SDLC in that the SDLC framework is not designed to anticipate a software attack that requires a degree of application reconstruction. “In information security, the battle for stable, reliable systems is a defensive one” (Whitman & Mattord, 2012, p. 29). The constant effort to repair damage and restore data against unseen attackers is a never-ending process. Part of this phase includes the perpetual education of all personnel as new threats emerge and the security model is updated, because an educated user is a powerful security tool.

Conclusion

The purpose of the SecSDLC is to provide the framework for designing and implementing a secure information system paradigm. Since it is based on the SDLC, it shares many similarities in the processes and methods used to develop a comprehensive plan, but the intent and activities are different at each phase. While systems security is considered vital to every phase of the SDLC, the SecSDLC focuses solely on the implementation of technologies designed to protect an infrastructure from third-party intrusion, data corruption, and data theft. The SDLC develops the systems used within a business, while the SecSDLC develops the system to protect these systems and an organization’s users.



References

Whitman, M.E., & Mattord, H.J. (2012). Principles of Information Security (4th ed.). Retrieved from The University of Phoenix eBook Collection.