Artificial Intelligence Meets Actual Intelligence: Would you connect your brain to the internet?

Before you laugh at the notion and discount the idea as science fiction, you might be surprised to learn that many really smart people are trying to make this happen, and they are making real progress.


Exhibit A: The MIT Media Lab in NYC

Skip ahead one minute into this 60 minute video

 

Exhibit B: A company named Neuralink

Neuralink is interesting primarily because of the man who is behind it, Elon Musk. You may know who he is already, but for those that don’t, he has been involved in just a handful of successful endeavors. Among them is the invention of a computer with four wheels that can drive really fast and runs on electricity, commonly referred to as a Tesla. Oh yeah, and it can dance.

Dancing cars are cool, but Musk feels that artificial intelligence could be a risk to the human race, and if you can’t beat it, join it. He reasons that we are all “cyborgs” already, part human and part machine, thanks to the modern smartphone. Our input system (sight) is high bandwidth, he says, but we have an output bottleneck to contend with…two thumbs. He created a company with the goal of solving that problem by finding a way to connect our brain to the internet.

STOP RIGHT THERE, MUSK!

My brain is one network that must remain air gapped for all time. We can’t reliably protect my WiFi thermostat, let alone the super computer inside our head that makes you, you and me, me. I would imagine that most information security professionals will react similarly, but as technologists many would accept the risk so we can be super CISOs and the like. But fear not! The rest of us will still have jobs. How do I know? We will always need someone to protect the internet connected brains from a massive and devastating denial of service attack, and it will be the non-internet connected mortals that will have to do it.

Before you assume I lost my non-internet connected mind, rest assured most of this article was written in jest. But all kidding aside, let’s figure out how to protect artificial intelligence consistently before we put our actual intelligence at risk. Many technology experts, including Musk, are concerned about the weaponization of artificial intelligence, which is a ship that has already left the dock. I would much rather see artificial intelligence leveraged to create self-patching software or a programming language that can keep our data safe without the contingency of developer perfection. Until then, I’ll work within the constraints of having two thumbs, and be grateful for the extra four fingers on each hand that allowed me to generate this output at about 65 wpm.

Thanks for reading and don’t forget to subscribe.

 

Same Actions, Different Results. Insanity or Genius?

This post is going to be somewhat abstract, somewhat “soapboxy”. And I don’t expect anyone to read it. Well, hopefully, at least one person will. I can’t help but comment on the trend to go down a path without a clear goal or strategy in mind. Actually, it’s not a trend within cyber security or even IT as a whole. It’s a trend within humanity (cue soapbox!). Somewhere along the lines planning became a sign of weakness and the verb agile became a proper noun.

Einstein (it wasn’t him), Mark Twain, Ben Franklin or some other historical figure once said something along the lines of, “Insanity is doing something over and over again expecting a different result.” Ok, I always got a kick out of that simple, but profound truth. I’ve heard that statement before, during and after meetings time and time again. In fact, it is so commonly quoted that you would think “insanity” is a workplace epidemic that has been fully cured! Everyone, and I mean everyone, knows the definition. Yet, the quote is inappropriately called upon day in and day out. Something isn’t adding up…

Now that we have a clear definition of insanity, does the inverse equate to certain genius? Let’s try it… “Genius is doing something differently and expecting a different result.” Not so much. I don’t think we have a definition of genius just yet.

Let’s apply these two statements to Cyber Security and see what we learn. Stay with me!

“Insanity is doing something over and over again expecting a different result.”

Although this statement may be profoundly true in cases where 2+2 always equals 4, a day in the life of a cyber security analyst, CISO, or engineer just isn’t this simple. In fact, in many cases the same action does result in different results. Let me give you two examples, one technical and one human.

The first example is in regards to testing an exploit in an effort to determine whether your system is vulnerable. Anyone who has ever done this knows that sometimes you have to execute an exploit 3, 4 or more times before it is successful. Because of the many factors involved in executing a successful exploit, you have to try it multiple times before it works. A simple privilege escalation exploit in a simple capture the flag (CTF) contest taught me that. Would attempt 3 qualify someone as insane? Hopefully not since it could take more than 3 attempts before your results differ! No flag for you!

My second example is more about the human element in regards to moving a security program forward. In my career I have both observed others and had to personally advocate for policies, initiatives and security controls not once, twice but dozens of times before successful results were achieved. Human thought processes change. Culture changes. Threats change. Sometimes what we really need is to stay the course even though the previous results were unfavorable. Granted, there is definitely a hair thin line between resilience and insanity.

“Genius is doing something differently and expecting a different result.”

Well I think we can all agree that this does not sound like “genius” behavior. I could argue that it’s common sense at best. Really, though, at its core this statement is an altogether fallacy. In fact, we all know that sometimes you can make a change and have the exact same results. That is as true when it comes to cyber security as it is for our choice of food intake. Do you want an example? Ok, then. How about that time Gartner told the world that IDS is dead? Or maybe when we were told that Antivirus is dead? Do you have a Next Generation Firewall (NGFW) yet? Let’s not forget that time I tried the cabbage soup diet. I’m being somewhat belligerent here, but the point is that new and different does not always differ the results. Incidents are on the rise despite the industry’s best efforts to “think differently.” Probably because the bad guys think different…er and sometimes what we categorize as different is really not so different after all. And I’m STILL looking for a way to lose weight without eating right or exercising.

So where does this leave us? We don’t know what insanity is or what genius is anymore! Now we’re totally lost souls! Ok, let me try to come up with one of my own timeless quotes to be misquoted for generation upon generation. Ahem…here I goes…

“Insanity is doing something over and over again, without taking note of the results. Genius is knowing what your desired result is in advance and whether or not change will get you there faster. Mediocrity is believing you’re one or the other.”

Goodnight everybody.

Thanks for reading and don’t forget to subscribe.

Breaking News: Company Fully Secured!

Another day, another breach. Why don’t the good guys ever make the news?! Well, I decided to facetiously report on a company that has done the impossible. Prepare for corniness…

Breaking news: Security is not a journey, it’s the destination!

Today I’m excited to tell you about a company, Foolery Jewelry, that has dedicated their efforts and finances to completely eliminate all cyber security risk. It was not a simple undertaking, but they thought outside the box and were successful. They have redefined defense-in-depth as we know it. Here’s how they did it.

  1. Security Awareness Training – After realizing that traditional methods were only partially effective, a home-grown user education package was developed. The concept was a simple twist on Pavlovian reconditioning. Every time a user clicked on a link in their email or opened an attachment without first verifying the source, a large rubber mallet extended from behind the user’s monitor and gently whacked the user on the head. This was quite effective for a time, but the users adapted and began to wear bike helmets to work so they could still view funny cat memes between placing incoming jewelry orders. Another layer was needed!
  2. Host-based Intrusion Prevention System (HIPS) – Although progress was made with the security awareness training program, it was clear that additional measures were required. To discourage clicking altogether, computer mice were replaced with actual mice. The amount of mallet hits plummeted, malware infections decreased and the company enjoyed an unexpected side effect. Namely, worker productivity spiked and sales doubled. Other large companies were quick to follow suit. In other news, Facebook’s stock took a nose dive. However, this method also was limited in effectiveness as workstations were gradually replaced by tablets, phones and other touchscreen devices that no longer required an archaic pointing device.
  3. Next, Next Generation Firewall – Layers one and two certainly helped, but it became clear that a next generation firewall was required. I’m not talking about a Palo Alto or CheckPoint NGFW. Foolery Jewelry made a seemingly drastic decision and air-gapped their entire network. Internet connectivity was completely eliminated. As it turned out, only a very small group of their employees required internet connectivity to do their job. Those individuals were fired and investors cheered because costs were reduced with no reduction in profit.

  4. The No Network, Network – With no connection to the outside world, it seemed as if their company was fully secured. That’s when things got interesting. An employee found a USB stick outside in the parking lot labeled as “Layoff Plan.” They secretly plugged it in and not-so-secretly infected their computer. That computer then infected other computers and it seemed as if all their security measures failed. It was time to kick things up a notch. Every computer was disconnected from the network altogether. USB ports were filled in with rubber cement, network cards were uninstalled, and network cables were cut. Stand alone workstations were used to fill out spreadsheets and each worker essentially ran their own mini-instance of Foolery Jewelry. This was a new business model for Wall Street, progressively referred to as the “micro-business island computing model” and sales continued to grow. Captains of industry applauded the model and even Amazon vowed that by 2020, they would convert their business to a network-free ecommerce platform. Gartner couldn’t explain what that meant, but they created a new magic quadrant nonetheless for a new vertical of technology offerings called “Network-free Networking (NFN).” Marketing teams quickly replaced all references to SDN with NFN and the cold calling began.

  5. Wireless Prevention Cube – There was still concern about employees introducing unauthorized hotspots using the iPhone 14 SE Plus 2 Android Edition wireless hotspot feature. The decision was made to wrap every cubicle in a Faraday cage, with no door or entrance that an employee could unwittingly leave cracked open. No leakage in or out. Strangely, sales came to a screeching halt as employees arrived to work and, with no access to their cubicle, had no choice but to spend the day eating bagels in the break room.

Foolery Jewelry reached their cyber security goals, and fully secured their company. Unfortunately, they also destroyed their company. This was supposed to be a good news article. Oops.

Is your security road map similar? The reality is that security can not be purchased or deployed. It has to be managed. There is no way to eliminate risk or fully secure any piece of technology. But thought should be put into how and what we are trying to secure. Listen to vendors, but don’t do everything they say. Right now there is a security-vendor bubble in the works. Every start-up has Wall Street behind it, and of course they have the answer on how to fully-secure your company. Impossible! Nonetheless, when the bubble bursts, there will be many new security companies still standing and many others that no longer exist. Not to mention the many victimized companies that will fall along the way after investing heavily in these solutions, but still suffering a major breach. Foolery Jewelry is one company who just didn’t make it. Will yours?

What’s your favorite security-related magic quadrant? CASB? NGFW? Let us know in the comments below.

Thanks for reading and don’t forget to subscribe!

REVIEW: CSI: Cyber

This week was the beginning of a new CSI television series, CSI: Cyber. I am not a CSI fan by nature. In fact, I’m not a big fan of television dramas at all. I try to like them. I really do, but it’s hard for me to get past mediocre acting and low budget explosions. However, I had to give CSI: Cyber a chance. After all, it promised to deliver on a theme that is near and dear to me, cyber security. Did it deliver?

To start on a positive note, I thought the technology aspects of the show were only moderately exaggerated, so kudos for that. I think it’s a positive thing that they are highlighting real world consequences of hacker activity. It is not a harmless pastime or a victimless crime. This show can potentially serve as a nationwide public awareness campaign. Hopefully, they will work in some useful reminders for viewers, like the importance of antivirus and the like, rather than simply inciting FUD (fear, uncertainty and doubt).

With that said, the first episode was named Kidnapping 2.0, making reference to the next generation of kidnapping that incorporates hacking into internet connected baby monitors. The “baby auction” plot may be farfetched, but the idea of some weirdo hacking into your baby monitor is one based on fact. It happens, and for that reason I advise my friends to avoid buying an internet connected baby monitor unless they really have a need for it. Even the ones without Wi-Fi are relatively easy to access, but you need to be in physical proximity to the camera.

I thought the title of the episode, Kidnapping 2.0, was appropriate because they kidnapped one hour of my life with no remorse. The casting choice is just unreal. Lil’ Bow Wow is a rhyming hacker being rehabbed by the FBI. To quote my wife, “STRIKE 1.” The action star of the show is none other than the star of Dawson’s Creek, James Van Der Beek. I never thought I would live to see Dawson kick down a door, but network television has blown my mind yet again. The “best white hat hacker” in the world is a stereotypical “heavyset” gentleman and at one point the FBI director tells his staff that they can “go home to their parents’ basements.” Really? LOL.

All things considered, I will probably watch this show again. Not because it was a good show, but I find the random technical references extremely entertaining. I love how the writers jam technical jargon into sentences that do not require it at all. It’s just hilarious. And I find the security talk extremely entertaining. There is nothing better than hearing acronyms explained by bad actors. Unfortunately, I doubt the mildly entertained IT crowd can keep this series afloat for very long.

In any case, if you’re looking for a mediocre drama with a mixture of technical chatter and law enforcement, you’ve found it! I will let it record on my DVR and from time to time I’ll check out an episode. More so for a laugh than a thrill, but at the end of the day it served its purpose of entertainment…for one reason or another.

Note to Producers: This show can still be saved by adding a key guest star or two. Namely, Jack Bauer or Liam Neeson (he has a very particular set of skills).

Did you catch the first episode? Tell me what you thought in the comments below.

Thanks for reading and don’t forget to subscribe.

 

Risky Business: Who decides?

At our recent DoIT all-hands meeting, it was mentioned that thanks to my blog it is possible to know what I’m thinking about. That has been true to some extent. As I reflected on that statement though, I realized that most of this blog has centered around facts and ways to secure your computing environment. I haven’t really used this platform to share my viewpoints or opinions. That is partially due to the fact that I am not, by nature, a blogger. This blog was my first venture into sharing information in such a public forum and I’m still trying to strike a balance between opaque and transparent. After all, discretion is the better part of valor, is it not? Mostly true, but lack of discretion has a time and place too. By the way, for some reason I hate the word blog. Blog Blog Blog.

With over a year here on West Campus I thought today is a good day to break the self-imposed mold for this blog and talk about my thoughts on risk. No, not RISK the strategic board game. Risk as in “the potential of losing something of value.”

Did you know that risk has a formula? That’s right, my academic brethren. Here it goes: Risk = Threat x Vulnerability. Let that sink in for a minute. Read it again. Risk = Threat x Vulnerability. Which of those two factors can we control? The threat? Nope. We have control only over the vulnerability aspects of that equation. Every organization has a risk posture. What is ours? What is yours? What needs to change?

What is our risk posture?

Before we talk about risk posture, we need to talk about risk tolerance. Some organizations are risk averse and try to address every known vulnerability regardless of cost. Others tend to be more risk tolerant and allow certain inefficiencies to remain. Where do we sit on that spectrum as an organization? Well, most institutions of higher education tend to have relatively high risk tolerance. The extent of tolerance varies from institution to institution. Consistently, though, risk tolerance is decreasing across the board. The threat has changed. The world has changed. At Stony Brook our risk tolerance is decreasing in like manner. Is our tolerance decreasing as quickly as the threat is increasing? We need to move fast.

This blog is not the place to discuss our risk posture. Sorry to disappoint. I will say this, though. Our risk posture is strong in some areas and weak in others. That is true for all organizations. Then there are areas that have an unknown risk posture. Those worry me. There are too many of those.

What is your risk posture?

In other words, how are we doing as individuals in regards to assessing and managing risk? The sensitivity and tolerance to risk varies greatly. Let me give you a handful of character profiles found around campus and while you read it, try to honestly evaluate which one you relate to more.

  • A researcher who proactively reaches out to the CISO at the start of a research project to ensure that the practices they plan on following are adequate.
  • A researcher who is convinced that nobody in this world is interested in his/her research data and therefore security is not a concern.
  • An IT support professional who knows the owner of each system on their portion of the network and is quick to respond to security related incidents.
  • An IT support professional who provides support as requested, but otherwise allows faculty to manage their own equipment and therefore does not view security as part of their job description.
  • An IT admin who always takes into consideration security and can justify why every security adverse decision is made and employs compensating controls.
  • An IT admin who will always choose functionality and ease of use over security without giving any thought to risk.
  • A faculty member who wants to use their computer to accomplish a given task over the next few months.
  • A faculty member who wants admin rights on their computer so they can accomplish any task at any given time at some point in the future.

The list can go on and on, but those are some of the perspectives I’ve encountered on campus.  If reading this list put you on the defensive, ask yourself “Why?”

What needs to change? 

For starters, we need to start thinking and talking about risk more often. The decisions we make must be made with both eyes wide open. Lack of thought has no place in higher education. In my opinion, this improvement will have the single greatest impact on the security of our organization. Coincidentally, our meeting with Information Systems today centered around this very topic. They are acutely aware of certain risks within their purview and they want to formalize a priority-based plan to address them. This is the type of thinking that will keep Stony Brook safe.

We need to recognize who has the authority to accept risk on behalf of Stony Brook University, or wherever you happen to be employed. It’s probably not you or me. If a decision is being made that exposes Stony Brook to risk, make sure the right administrator is accepting that risk and is fully aware of the implications. It’s for your protection as much as it is for Stony Brook’s. I have observed that the higher you move up the chain of command, the less tolerance there is for risk. Let the decision makers do their job.

When there is conflict between security and preference or ease of use, we need to default secure. As it stands now, it is not uncommon to default less secure until an incident. That mentality needs to change. If a security related decision is going to impact the business flow or ease of use negatively, there needs to be a well informed decision made by the appropriate person. Don’t default less secure, default more secure until otherwise advised.

In the past, there was no reasonable way to collaborate safely. That is no longer true. Responsible collaboration is possible and practical. We have to be willing to jump through a hoop here or there to operate securely. Connecting to the VPN before accessing something is not unreasonable. Put the organization’s safety before your own convenience.

Finally, we need to work together. We need to disagree and discuss it intelligently. We need to yield when a reasonable argument is presented.

Overall, I am optimistic about our security posture and our security trajectory. Let’s make a concerted effort this year to think and talk about risk so our posture will continue to improve.

Thanks for reading and don’t forget to subscribe!