NIST 800-53 Rev 5

NIST intends to roll out revision 5 of SP 800-53, the security control catalog that underpins FISMA compliance, in 2016.  They want your feedback.  If you (like me) have to endure the implementation of these controls, give them your feedback.  Help your fellow practitioners.

Some interesting elements from the Pre-Draft Call for Comments:

  • Addition of Keywords
  • Addition of hyperlinks to related documents

I really think these are good additions to the standard and hope the body goes forward with their inclusion.


Taylor Communications

I work for a new company.  This past week my employer changed its name from Standard Register Incorporated to Taylor Communications.  This is the third company I have worked for in the past six months – all without leaving my seat. The last time I went through this many employers was in 1986 when I worked for Dart & Kraft, Whirlpool and Emerson all in one day.

In March of 2015, The Standard Register Company declared bankruptcy. On August 1st, the company name was changed to Standard Register Incorporated (a Taylor Corporation company).  People bemoaning the name change and the loss of a Dayton-based institution ignore the first transition.

I am excited by the name change and the opportunity it represents.  The Standard Register Company has had cycles of success and failure over the past fifteen years – but serving a contracting market ultimately resulted in more failures than success. The leadership team in that period worked hard to ‘rewire the plane in flight’ and transition the company to a different marketplace. This name change signals Taylor’s ambition – which I welcome.

The loss of the company name does sadden me.  It is hard to work for a company as long as I have and not have a sense of loss.  Part of my identity has been attached to the company name.  I understand the business imperative behind the name change and accept it, but it will take some time for me to transition to the new world.

Data Breach Settlement Insufficient

Breaches, breaches everywhere but not a consequence to be found – until now.

Data Breaches Passe


The Target data breach settlement negotiated by Mastercard has been refused by the three largest participating banks

Data breaches are (almost) no longer newsworthy. Breached companies publish bland notices to the community indicating that a breach has been reported and that they are cooperating with authorities. Cyber security experts investigate.  The breached company publishes the boilerplate list of exploited vulnerabilities. Occasionally a CISO or CIO’s employment is terminated.  And so on.

People complain about credit card interest rates but don’t connect that experience to data breaches. One cause of high interest rates is card issuers recovering the costs associated with credit card data breaches. And guess what? That cost of doing business matters to the card issuers. The tide is turning and the accountability for data breaches is going to shift.  In their own self-interest, the major banks are pushing back, and we will eventually benefit.

Big Banks Push Back

Citigroup, Capital One Financial Corp. and J.P. Morgan Chase & Co. have each rejected the $19 million settlement negotiated on their behalf by Mastercard with Target. More than $350 million has been spent addressing all of the issues associated with the 40 million cards affected by the data breach. An untold amount has been stolen by the thieves associated with the Target breach, with an estimated $9 billion lost to card fraud industry-wide last year. Small card issuers receive only pennies on the dollar for their losses, and they get their money after the big firms get theirs.  In that context, it’s not surprising that the major banks behind the card issuers are taking a firmer stand.

But how much is enough, and how much can Target afford to spend compensating these firms for its lax controls? At what point does the consequence pass beyond termination of a senior executive’s employment and affect the stockholders of a company? When they care, we’ll benefit.  Target reported net revenue of 72 billion dollars in 2014.  While the settlement figure might affect the stock price temporarily, it’s not going to have a lasting effect.  Hopefully the banks can raise the stakes and make the settlement meaningful for Target’s stakeholders, so that we benefit.

Standard Register’s Decline to Bankruptcy


SR stock price free fall since May of 2014

Foreshadowed since their December 8-K filing, Standard Register has announced they are filing for Chapter 11 bankruptcy.  The Dayton Daily News has the most comprehensive coverage, starting with the news in January, through the de-listing from the NYSE, the transition of the company’s CFO and the placement of an external Restructuring Officer, and finally the news this past week that the company had filed for Chapter 11 bankruptcy.  As the week closed, the company had successfully presented motions to the bankruptcy court.

In August of 2013, Standard Register acquired another local company, Workflow One, which had gone through a bankruptcy filing of its own.  The purchase was facilitated and in part funded by Silverpoint Holdings, a large hedge fund specializing in distressed companies.  That acquisition carried covenants associated with the funding, which were triggered in December when Standard Register was unable to make the necessary loan payments.

The opportunity that exists through this Chapter 11 restructuring process is that we can focus on our balance sheet and improve the indebtedness of our business to put us in a position to take advantage [of] the transformative things that have happened with our portfolio over the last number of years. – Joe Morgan

The underlying challenge is the pension fund funding requirement carried by many U.S. corporations (PDF).  Historically low interest rates and the growing funding obligations associated with the increasing life expectancy of the pension holders have essentially flipped the company’s priorities away from the market.

While informal information appears to be circulating, it’s hard to assume any of the comments represent reality.  For now, the only information here is what has been shared publicly.

Anthem

The financial industry has been at the forefront of reported breaches for several years; it is where the money is, after all.   As the Health Care Info Security site infographic depicts, the pace of breaches in the healthcare industry is picking up.  In my experience, security practice in the healthcare market trails the financial market by a large margin.  Speakers will talk about the industry abiding by ‘compliance obligations’ but not addressing security issues.  The cynic in me has a hard time hearing that argument without retorting “you mean you got the auditors to go away by checking a box without addressing the underlying risk”.  I am not surprised to see the volume of breaches in the healthcare industry increasing.

Many of my coworkers are impacted by the Anthem breach recently reported by the company.  After the fact, there’s not much to do other than await a full accounting of how the breach occurred.  Early reports indicate that the credentials of a privileged account were obtained and used to navigate within the Anthem technical environment to locate and collect confidential information.  Commercial cloud storage services were used to push the data outside (or exfiltrate, as they like to say) the Anthem environment.  The company does not believe the loss of credentials was purposeful (not an inside job) but rather the result of a spear-phishing attack.

What lessons can we glean from this event?  Unfortunately, there’s nothing new here.  Absent details, these are the same events that appear to unfold every month.  Administrators, like the rest of us, can still be deceived into clicking on links and/or revealing passwords.  Encrypting data at rest does not help when accounts with elevated privileges retain ready, unmonitored access to the decrypted data.  And finally, avenues to exfiltrate data are still permitted in companies that believe the access is necessary to business functions.
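The third lesson, that exfiltration paths to commercial cloud storage go unwatched, is the one a defender can act on immediately with the logs already in hand. The following is an added example, not code from the original post or from Anthem: it runs over a few constructed web-proxy log lines and flags accounts that upload more than a threshold to storage services in a day. The log layout, the privileged-account list, the domain list and the threshold are all assumptions for illustration; in practice they would come from the proxy's export format, a directory-group query and the organization's approved-service list.

```python
"""
Added example (not Anthem's code or the post's own): flag bulk uploads to
commercial cloud storage in web-proxy logs, with extra attention to accounts
that hold elevated privileges.

Assumptions for illustration: a whitespace-separated proxy log of
  <ISO timestamp> <user> <method> <host> <bytes_out>
an administrator account list, and a list of unapproved storage domains.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed: accounts holding elevated privileges (a directory-group export
# would supply this in practice).
PRIVILEGED_ACCOUNTS = {"svc_dba", "jsmith_adm"}

# Assumed: commercial storage services not approved for business transfers.
CLOUD_STORAGE_DOMAINS = {"dropbox.com", "drive.google.com", "box.com", "mega.nz"}

# Assumed threshold: bytes uploaded per account per day before alerting.
UPLOAD_THRESHOLD_BYTES = 50 * 1024 * 1024

# Constructed sample log; none of these events are real.
SAMPLE_LOG = """\
2015-02-01T09:10:00 jsmith_adm GET intranet.example.com 512
2015-02-01T09:15:42 jsmith_adm POST www.dropbox.com 40000000
2015-02-01T09:16:10 jsmith_adm POST www.dropbox.com 35000000
2015-02-01T10:02:07 bjones PUT box.com 80000000
2015-02-01T11:30:55 svc_dba POST api.mega.nz 20000000
2015-02-02T08:00:01 jsmith_adm POST drive.google.com 10000000
"""


@dataclass
class Event:
    day: str
    user: str
    method: str
    host: str
    bytes_out: int


def parse_line(line):
    """Parse one proxy line into an Event; the day is the date part of the timestamp."""
    ts, user, method, host, size = line.split()
    return Event(ts[:10], user, method.upper(), host.lower(), int(size))


def is_cloud_storage(host):
    """True when host is a listed storage domain or any subdomain of one.

    The leading dot prevents 'dropbox.com' from matching 'box.com'."""
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def find_cloud_uploads(log_text, accounts=None, threshold=UPLOAD_THRESHOLD_BYTES):
    """Return sorted (day, user, bytes) tuples for accounts whose uploads to
    cloud storage exceed the threshold in a day.

    accounts=None watches every account; pass PRIVILEGED_ACCOUNTS to restrict
    the alert to the accounts whose compromise matters most."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if accounts is not None and ev.user not in accounts:
            continue
        if ev.method not in ("POST", "PUT"):      # uploads only
            continue
        if not is_cloud_storage(ev.host):
            continue
        totals[(ev.day, ev.user)] += ev.bytes_out
    return sorted((day, user, total)
                  for (day, user), total in totals.items()
                  if total >= threshold)


if __name__ == "__main__":
    for day, user, total in find_cloud_uploads(SAMPLE_LOG, PRIVILEGED_ACCOUNTS):
        print(f"ALERT privileged upload: {day} {user} {total} bytes")
    for day, user, total in find_cloud_uploads(SAMPLE_LOG):
        print(f"cloud upload over threshold: {day} {user} {total} bytes")
```

The per-day aggregation matters: the two Dropbox posts from the administrator account are individually below the threshold and only stand out once summed. Watching the privileged set alone would miss the ordinary user who pushed 80 MB to box.com, which is why the unrestricted pass is worth running as a second, lower-priority alert.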

Investigators now believe the hackers somehow compromised the credentials of five different tech workers, possibly through some kind of “phishing” scheme that could have tricked a worker into unknowingly revealing a password or downloading malicious software.

The larger issue is the disproportionate value proposition that exists.  The level of effort invested by organized crime and nation states greatly exceeds the level of effort most companies are willing to invest to protect their critical resources: their intellectual property and the information entrusted to them by their customers.  Sadly, until consumers step forward and demand changes from their service providers, we will only see companies prioritizing profit over security. It is, after all, why they are in business.  Until we demand a higher standard, and perhaps even pay for it, we’ll see our credit card, our social security and our other private information shared with people we likely would run away from if we saw them on the street.

Reward companies willing to differentiate themselves based on how they secure your information – or keep doing what you’ve been doing and get more of the same.

Phishing is Getting Easier

Phishing

We reveal more about ourselves every day.  We use more and more online services.  Clearly those services are not as secure as we would like.  The result of all of this – we are basically writing the phishing e-mails.  Simply read what I post and then send an e-mail asking me for money.  What could be easier?

We need to do a better job recognizing phishing emails.

Intel Files Chapter 11

Once Great Innovator ‘jumps the shark’

Excerpt from June 4th, 2018 New York Times Front Page Article


Andy Grove in happier times, before the stockholder revolt of 2015 which resulted in the ouster of Chairman Andy Bryant.

‘Braswell’ puts an end to the once great innovator. Competitors would point back to this tragic decision as the point in time when Intel finally ‘jumped the shark’ referencing the point in time when a previously successful organization demonstrates that they have finally ‘run out of good ideas’. Intel’s stock closed this morning at 25 cents a share.
When asked for his insights on the demise of his once great chip maker, Andy Grove commented:

“Yea, we really blew it that year. I don’t know what we were thinking. I mean really, if you are a chip maker you have to be primarily concerned with how the market receives a new product. We need to be conveying speed, efficiency and low power consumption. Braswell clearly is none of these things. And that’s just the engineering perspective. Try going to market with that kind of name. That moniker screams slow, pedantic and mundane. Our marketing team just wasn’t able to overcome the label.”

Chip Industry analysts speculated that the company’s strategy of filing Chapter 11 would ultimately prove to be flawed. “There’s nothing left. Starting in 2014, they simply stopped adding value. Braswell’s slowness and general poor computing capabilities sapped that once great organization’s strength. I doubt they will exit the bankruptcy filing with any tangible assets”.

My very feeble attempt at humor. At the time Intel announced the name of their new chip technology “Braswell”, I worked with a friend named Steve Braswell.  It was originally published on Medium (where it actually looks better), but as you know I would rather have my longer form content on my own sites.


Top Down Urgency

The pragmatic decision makers with whom I work rarely find my more urgent recommendations compelling. Driving change in security and compliance practices can be challenging.  Finding the right ‘lever’ to influence decisions is what the work is all about.  The recent unclassified report to President Obama by the President’s Council of Advisors on Science and Technology (PCAST) entitled “Immediate Opportunities for Strengthening the Nation’s Cybersecurity” is going to significantly change the conversation. While there’s nothing in the report that will startle any security professional, the authors have significant clout and the recipient definitely can influence change.

If I were to boil the entire paper down to a single statement, it would be “we need to build a culture of awareness and vigilance into society, and more specifically into the commercial sector, through existing governance models”.  The most compelling and relevant statement in the report is:

The President should strongly encourage independent regulatory agencies to adopt regulations that require self-reporting of continuous-improvement practices along these same lines. In particular, the Securities and Exchange Commission (SEC) should mandate, for publicly held companies, the disclosure, as investment risks, of cyber-security risk factors that go beyond current materiality tests

The wheels of government do move slowly, but they grind everything down to the same fine powder.  The Sarbanes-Oxley Act drove significant change in the commercial sector.  Eventually this recommendation is going to blossom into legislation.  Once the SEC (or an equivalent federal agency) requires it, my pragmatic decision makers will embrace the need for fundamental change in much the same way they did Sarbanes-Oxley, and I’ll have fewer opportunities to promote challenging changes.  That’ll be a good day.

Pre-Encryption Access?

Steve Blank has speculated that the NSA has corrupted the Intel/Microsoft microcode update process.  Microsoft has already admitted they have been compelled by the US government to build a back door into their chat service.  The chat service is encrypted, but not for the NSA.  Steve Blank believes the revelation that the NSA has “pre-encryption stage access to email on Outlook.com, including Hotmail” means they have a back door farther down in the stack.  He postulates the NSA can inject their own code into the encrypted Intel microcode update packages.  (Microcode updates are encrypted and authenticated by the processor itself, so injecting code that way would require Intel’s keys or Intel’s cooperation; that is the crux of the speculation.)

If someone had speculated this sort of thing a year ago I would have labeled them a conspiracy loony and asked them to take off their tinfoil hat.  Now, I’m not so sure.

Power Corrupts or Reveals?

A great article by Adam Grant (author of the book Give and Take) discusses whether power corrupts or simply reveals the inherent flaws we each carry.

Power frees us from the chains of conformity. As a team of psychologists led by Adam Galinsky finds, “power psychologically protects people from influence.” Because powerful people have plenty of resources, they don’t need to worry as much about the negative consequences of expressing their values. For givers, power is associated with responsibility to others. This means that power often grants givers the latitude to help others without worrying about exploitation by takers or sheer exhaustion. For takers, on the other hand, power is a license to advance their own interests.

It’s always tragic when we see individuals who appear so promising fail just as they reach the zenith of their career. Why do some people self-destruct?  More importantly, how can we all avoid doing the same in our own small world?  Do we have the ability to overcome or suppress these natural tendencies, or are we doomed if we hold these qualities?  I hope we have the ability to compensate, because I’m certain we all have some of these negative qualities.