Jul 29, 2014

Quote of the day — On cyber security market success, or the lack thereof

“Market success of technologies and products is usually driven by what they enable, not by what they restrict or prevent. Restrictive solutions, such as those in environmental protection, safety, or security, require a strong policy or even legislation to achieve widespread adoption. Nowhere is this more the case than in cyber, where it must appear illogical for customers to pay extra for restrictions of functionality that they expect to only become more powerful and cheaper at the same time.”

Ralph Langner
Recent Blackphone customer

Jul 28, 2014

Five Reasons You Don’t Need Better Cyber Security

Admittedly, these are based on anecdotal evidence, but I suspect they are very close to the major reasons used to deflect concerns about increasing the security posture of cyber-physical systems.

  1. Using complex risk calculations, it can be shown that the risk is really really small.
  2. Even if your company gets attacked once, the probability of another similar attack is less than lightning striking the same place twice.
  3. Your networks are better protected than those other guys and everybody knows that hackers go after easy targets first.
  4. It’s just silly to invest in security expecting some kind of return. Security is just a big black hole that you dump money into if you have too much.
  5. If one of the above reasons doesn’t work for you, then there is one fail-safe reason: you just don’t want to. If you don’t want to do something, one reason is as good as another.

Perry Pederson

Jul 22, 2014

“Surviving on a Diet of Poisoned Fruit”

Poisoned fruit is the apt metaphor the Honorable Richard Danzig uses in the title of his latest report for all the things cyber that we can’t live without today, yet that bring ever-increasing risks. The Center for a New American Security (CNAS) sponsored an event to showcase Danzig’s report and to discuss proposals for U.S. government responses to cyber insecurity. Panelists included Mike Walker (DARPA), Melissa Hathaway (President of Hathaway Global Strategies), Gary McGraw (CTO, Cigital), and Ben FitzGerald (CNAS), who also moderated the session. Introductory comments were provided by Dan Kaufman (Director of the Information Innovation Office, DARPA). The panel discussion was followed by Richard Danzig, who responded to comments from the panel as well as the audience.

Jul 11, 2014

Quote of the day — on pen testing

“The basic premise of penetration testing is that you’ve got something that you don’t understand and you’re trying to achieve an understanding of it by having some outsider — who also doesn’t understand it — attack it, simulating someone who doesn’t understand it, trying to figure it out. Now if that’s not the dumbest thing you’ve ever heard of, I don’t know what it is.”

Marcus Ranum

Jul 09, 2014

Aurora Revisited — by its original project lead

When I accepted the position as Director of the Control Systems Security Program (CSSP) in 2006, I had no idea about what was coming. One of the challenges I did envision was finding a way to educate non-technical policy makers about ICS security. In other words, we needed an engineering approach to solve this problem, but we also needed to “sell” the approach to non-technical people, and Aurora provided such a vehicle. After briefing the DHS Secretary on the proposed test and getting the ‘green light’, the DHS and INL crews went into high gear. For some, Aurora was just another test and the outcome was to be determined during actual testing. For those of us who understood the basic physics involved (and the lessons taught in power engineering 101), we knew we were out to destroy a generator. Since that event, there are those who will still deny the validity of what was accomplished on that cold day in Idaho, but the test finally provided empirical evidence that cyber attacks can destroy physical equipment, and it captured the event on video.

Jul 01, 2014

RIPE progress report: From framework to executable program

Less than a year ago (last September, to be exact) we published a whitepaper on the RIPE Framework, explaining the rationale for, and the building blocks of, a process-oriented approach to ICS security and robustness that allows for empirical verification and measurement. Since then, much has been going on that we want to let blog readers know about.

Jun 17, 2014

What a cyber warning shot would look like

Several people have expected that at some point the crisis in Ukraine might involve cyber conflict. Well, maybe the time has come.

We don’t know if today’s explosion of a gas pipeline in Ukraine was caused by a cyber attack, but it would be a perfect example of digital sabre-rattling that avoids kinetic action and all the military, legal, and political issues that come with it. It’s not about cyber war, it’s about cyber coercion.

Jun 07, 2014

Germany’s fake cyber defense exposed

Three years ago, the German government established a national cyber defense center (“Nationales Cyber-Abwehrzentrum”). The stated objective was to establish a government entity that would coordinate and bundle the activities of various agencies that are tasked with cyber security, in order to give them more punch on a national scale.

In a classified assessment by the German Bundesrechnungshof (the equivalent of the US GAO) that was leaked to the German newspaper Süddeutsche Zeitung and to German national TV, the government’s financial controllers frankly suggest shutting the operation down, since in its present form it appears to be nothing but a waste of money.

The facts in a nutshell:

  • The center’s only scheduled activity is a daily discussion of the situation.
  • Several of the center’s ten (!) employees, who are on loan from other agencies, don’t show up on a regular basis.
  • Strategic advice is issued by the center only in annual reports, obviously foiling the center’s stated objective of “quick assessments and call to action”.
  • The center lacks the expertise to execute its stated mission.
  • No procedure or workflow has been defined for what the center is supposed to do in the event of a substantial cyber attack against Germany.

The criticism can hardly come as a surprise. We had already pointed out the center’s ridiculously tiny footprint and weak mission statement at the time of its creation. Hopefully, the present reporting will make German business decision makers aware of the fact that in a time of cyber crisis, the government will hardly be able to provide any help – a fantasy that some CEOs used to nurture to justify their own inaction in providing appropriate cyber defenses.

Jun 02, 2014

ISA-99’s ivory tower metrics

ISA-99 has published a draft set of cyber security metrics that is worth a closer look. Metrics are an indispensable part of every cyber security program, because without them such a program

a) will not be fact-based, and

b) lacks the capability for systematic improvement (you cannot improve what you can’t measure).

May 27, 2014

Ill advice for free

Recently, the Energy Sector Control Systems Working Group (ESCSWG) published a cyber security procurement guideline. Readers who paid attention to detail may have been left scratching their heads. Here are some of the items that caught our attention.
