Bank Info Security carried a report today that said:

Speaking at security firm Mandiant's Cyber Defense Summit, Anne Neuberger, who serves as the deputy national security adviser for cyber and emerging technology in the Biden administration, and Gen. Paul M. Nakasone, the commander of U.S. Cyber Command and director of the National Security Agency, outlined today's threat landscape, highlighting the ability of malicious actors to penetrate federal and corporate networks.

Both federal officials underscored the threat of ransomware on everyday commerce and its ability to alter and shape foreign policy. Asked to predict whether network defenders will be forced to combat ransomware five years down the road, Nakasone answered frankly, "Every day."

The two crimes that established the reputation of the FBI were "white slavery" and "protection."  The latter of course was extortion.  We do not hear much about either any more.  We should hope for the same result from law enforcement for ransomware.  I will continue to hope and work for political pressure.  I do not accept that government can simply wash its hands of the problem.     

That said, even if I am right, it is not likely to happen anytime soon.  It is clear that today's cybersecurity is not sufficient in the light of the rate of successful ransomware attacks.  I have argued that we need to raise the cost of attack against our systems roughly ten fold.  Start with strong authentication and work toward the so called "zero trust" model in which every process restricts access to itself, protects itself from any process that can see it, and authenticates every process with which it interacts.  

In addition one must implement new backup and recovery strategies.  Current strategies were based upon the assumptions that we would have to recover a small number of files from errors, device failures, or once in forty year catastrophes.  We now need strategies that enable us to recover entire enterprises in hours to days.  At a minimum plan to recover each essential application, not merely files, and to do it in the time appropriate for that application.  For some mission critical applications that time may be measured in minutes to hours.

Plan for a successful attack on third parties on which you are dependent.  Consider single points of failure and plan on how to use alternate sources.  

It is a target rich environment and not every enterprise will be breached but one should plan for an attack as often as every year or two.  This is a "bet your business" risk and hope is not a strategy.   

 

 Now I feel better.  A colleague reminded me that we do not have to rely upon the brands.  Cards will have disappeared long before Mastercard's unrealistic timeline for removing the mag-stripe.  

I am close to cardless already.  I carry one card; however, I rarely have to use it; I usually pay with my watch.  I use my card at my dentist and, of course, in restaurants.  (In Europe they do not even need cards in restaurants.  On a recent ferry trip, I asked if I could use Apple Pay.  The bartender simply put his wireless point of sale device on the bar, just like in European restaurants.) 

Because of the way I carry the one card, on two recent excursions into NYC, I simply forgot it.  When the waiter presented the check, instead of putting down my card, I simply put down my iPhone with an  image of my card.  The waiter took it away without comment and returned it without comment.  I signed the credit card receipt and we were done.  

Most of my retail transactions are done with my watch.  For e-commerce, I prefer merchants who offer PayPal, Apple Pay, or Google Pay.  Many already do.  More will do so as they learn that it protects them from fraud, perhaps at a higher, but efficient, transaction rate.  

As I think about, it is almost too late to worry about the mag-stripe.  The brands can do more to resist fraud by promoting check-out proxies, than by eliminating the mag-stripe.

End of the Magnetic Stripe

In 1956 my senior colleagues in "Advanced Product Planning" at IBM Research wrote a "blue sky" paper in which they visualized our modern token based retail payment system.  They could not foresee the personal computer, the mobile computer, or the Internet but they did get cards right.  Frankly, I do not think they gave enough thought to the fraud that might come with it.  It was to be another generation before we began to worry about "Data Security and Privacy" as we called what we now call "cyber security."

While it is long over due, there is finally a plan with a date certain for removing the magnetic stripe from credit and debit cards.  https://www.mastercard.com/news/perspectives/2021/magnetic-stripe/    I have argued for a plan with a schedule https://tinyurl.com/paymentindustrysecurity and I should not whine about how far out it is. This is a major change and those few merchants who cannot yet process EMV, much less contactless, deserve some time to catch up.  However, 13 years seems a little much.  

As with other innovations in this space, the plan is for the US to trail the rest of the world.  We were the last to get EMV and we will be last to get rid of the mag-stripe.  There will continue to be a lot of fraud exploiting this fundamental vulnerability in the window in this plan, but better late than never.

Perhaps there is some difficulty in getting rid of this obsolete mechanism that I do not understand.  Mastercard is clearly not bringing to this effort the pressure that it brought on the industry to adopt EMV or the Payment Card Industry Data Security Standards (PCI DSS). 

Comments? 

Should Paying Ransom be Illegal?

 Today Bank Info Security raised this question at:  https://tinyurl.com/on-paying-ransom

It seems clear that, at least collectively, we are highly vulnerable to breaches and extortion.  In order to take part of the profit out of such extortion we need to raise the cost of attack against our systems ten fold.  Not only will that take time but it may also require additional motivation; too many enterprises are electing to accept, rather than mitigate, the risk.  We know how to increase security; we lack sufficient motivation.  

It seems equally clear that paying ransom may be good for the enterprise and the perpetrators while putting the infrastructure, society, and national security at ever higher risk.  We need to discourage such payments.  This includes not being able to assign the risk to underwriters, as AXA has already said.  Such insurance creates a "moral hazard."  

Historically, I have opposed "punishing the victim" as a means of encouraging better security.  We managed to discourage the old "protection" rackets without resorting to that.   However, something must be done; society cannot leave the acceptance of existential risk to any of thousands of enterprises.  

Consider sanctions for paying extortion that escalate over time on a steep, but announced, schedule.  This could increase the motive to improve security while allowing the time necessary to do it.  

Finally, as with the protection rackets, there must be a law enforcement component to our response.  We cannot put all of the responsibility for protecting society from this risk on the potential victims.  Part of this response might include funding law enforcement out of fines imposed.  Another part might include so regulating digital currency as to make it easier to "follow the money."  We may decide that we cannot tolerate anonymous receipt of funds.

The Biden Executive Order

There is nothing like long lines at the gas pumps to get the attention of government.  This is an initiative that is long overdue.  There is a great deal to do.  Cyber is the infrastructure that we use to operate all the others, particularly to include energy and finance, and it is all too fragile and porous for the reliance that we have upon it.  

It is good to see that "zero trust" made the list.  The concept goes back to the mainframe and many of us have been actively promoting it for the internet for years.  It is important to use it both horizontally, that is system to system and service to service, and vertically, through the layers of the application.  

Zero Trust requires strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) both user to system and process to process.  One cannot trust a process whose identity is not reliable.  If strong authentication is not the single most effective and efficient measure at our disposal, it is certainly among the top three.  It deserves its own mention.  

Zero trust also implies resistance to lateral compromise within the enterprise.  It should not be possible to compromise an entire enterprise simply by getting one user to click on a bait message in an e-mail or on a web-site.  In addition to resistance to fraudulent credential replay, we need structured networks.  I would like to see end-to-end application-layer encryption but, at least in the short run, I would settle for network segmentation and layering.  

I am glad that it addresses software quality.  However, the practice here is so shoddy and the contributors so many that simply saying we will address it through government purchasing power will not be enough.  Nor can we rely on training alone.  We need systems and development processes that make it much easier to do it right than to do it wrong.  

I would like to have seen the order address accountability and transparency for privileged users.  Edward Snowden should not have been able to run rampant through a network that one would have expected to be "secure."  It is ironic that the place that we are most likely to see shared credentials is among privileged users.  Wherever there are two or more privileged users per shift, we need privileged access policy and management systems.  

We cannot continue to allow just any amateur to connect anything they like to the public networks.  While it may require legislation, we must require that only mechanisms built by professionals to infrastructure standards (e.g., built for the ages, fails in an orderly and safe manner, resistant to easily anticipated misuse and abuse) can attach directly to the public networks.  As we need structure networks within the enterprise, we need structure within the Internet.  

We also need to have accountability for suppliers who distribute (malicious) code that they did not write.  This too may require legislation but a class action suit against SolarWinds would be a start.  

The Biden Executive Order is a start but only a start.  There is much to do.  Let us get on with it.

Policy -- What must it do?

I recently received a link to the electronic annual report of a company from which I receive service and in which I have a small investment.  I was pleased that it contained a button labeled "Cybersecurity Policy."  Needless to say, I clicked on this button.  This is what it said:

"We go to great lengths to protect our computer systems and equipment from the threat of a cyberattack. Our comprehensive network is designed to protect us from both internal and external threats. We’ve expanded our use of next-generation intrusion detection and prevention tools to further protect our customers’ personal information. And we’re regularly training our employees to stay aware of potential cyber threats."

I confess to having been more than a little disappointed.  This is more a statement of good intentions and practices than a policy.  None of my expectations of a "policy" were met.  

As both a practitioner of security and a customer of, and investor in, the enterprise, I would expect a policy, at a minimum, to: 

• require that managers protect the assets that they control.   
• express the organizations tolerance for risk or
• some measure of the level of security to be achieved, and
• require measurement and reporting of results, i.e, achievements and failures
• other

Said another way, I would expect a policy to communicate to managers and employees what general management wants them to do and how much to spend doing it.  This statement, labeled "policy," fails to do that.  

The first and fourth bullets may be difficult to execute, while the second and third are difficult to express.  Such expression should ensure:

• a consistent level of effective and efficient security across the enterprise,
• that precious resources get appropriate protection, 
• while expensive measures are reserved only for those assets that require them.

These results cannot be achieved without direction from general management.  Such direction is called "policy."  Policy is an important and useful tool for management and leadership.  

Note that management's tolerance for cybersecurity will differ by industry, application, and maturity of the business.  A "startup" may have a very high tolerance for cyber risk, in part because their business risk is high.  A mature company in a sensitive industry, such as finance, transportation, or energy, might be far less tolerant. 

Audit Trail

We do a much better job of designing our access controls than we do designing our audit trail.  We should start by identifying what an audit trail should do for us.  It should enable management to determine:

• how every record or object (e.g. program, file, record) got to look the way it looks currently,
• how every record or object looked at any given time in the past,
• and enable us to fix accountability for every significant event or change to a single process or individual.  

The result should be reliable and resistant to fraudulent modification. 

This requires that, not only must there be logs and journals of every relevant event, but that they be related in such a way as to support each other.  There should be logs or journals on both sides of any interface where control passes from one process or person to another.  For example, an application should log every request that it makes of the database manager and of the result that it gets back.  The database manager should record every request that it receives and what response it returned. 

Logs and journals should be protected from late, or potentially fraudulent, modification.  Consider reconciliation of the results of the independent processes on both sides of the interface, "write-only" processes or storage, or blockchains.  The correction of errors should be memorialized by new correcting entries, never by changing earlier entries.  

Log and journal records should include the action taken, the user or process on whose behalf it was taken, the date and time, and a reference or sequence number to make the entry unique.  In order to be able to establish how any record looked in the past, the record of the current change to a record should include reference by time, date, and sequence number of the next most recent change.  

Finally, the logs or journals should include images of the object both before and after the change.  While in some cases it may be sufficient to keep only the after image, since the after image in the record of the previous change is the same as the before image, keeping both improves integrity and further resists fraudulent change.