M1 COSAC International Roundtable Forum presented at COSAC 2015

by John O'Leary

Summary: One of the defining and truly unique characteristics of COSAC is the almost limitless degree of interaction in sessions. You might have been to other conferences where knowledgeable speakers cast new light on existing security threats, structural problems or organizational issues, or alerted you to new ones and gave sound, realistic, even creative strategies for coping. But you probably didn’t experience a level of audience interaction in which the announced speaker, though clearly an expert in the area, is often one of the least experienced people in the room regarding the topic being discussed, and the audience, anything but shy, takes nothing said at face value. This is quintessential COSAC, and it leads to one of the most significant benefits of attending any conference: the chance to compare notes, strategies and techniques with others who are similarly situated and facing the same types of problems every day. The COSAC Forum difference is that the group of practitioners in the room is generally more experienced and knowledgeable than a similar array of high-priced consultants from high-profile firms. And their experience is more real-world, since they have had to live with the results of their security decisions. Forum participants know that solutions which appear technically elegant and look really good on paper can be hamstrung by political considerations or “minor” operational flaws. They know what works, what doesn’t and, more importantly, how to make things work in the real world. They know how to craft and internally sell realistic strategies for creating and implementing information security solutions. They know how, and by how much, to change direction when things don’t go as planned.
For the 15th annual COSAC International Round Table Forum, deep-dive immersion into the COSAC way (Think ….. Challenge ….. Help) will be the first order of business. Anyone can suggest topics or questions. Anyone can answer. Anyone can challenge answers or give clarifying comments. To start the ball rolling, the moderator has searched SANS NewsBites and multiple other sources and put together some questions and discussion topics. Here are a few of them:
Is there a right way to handle a security incident?
Target appears to have screwed up royally. Before, during and after the BlackPOS attack on its point-of-sale systems, did the powers that be in Minneapolis make poor decisions, or fail to make decisions, that could have mitigated the eventual disaster? Goodbye CIO, goodbye CEO, and the lawsuits have started. There is some speculation as to whether the widely admired Target brand has been seriously, perhaps even fatally, wounded.
Anthem, on the other hand, started communicating with those affected by the breach of its members’ personal records and got ahead of the press coverage. Will this save them?
How would you handle a serious breach?
CISO Reporting Level
(from SANS NewsBites) CSO Online publisher Bob Bragdon cites findings of the 2014 Global State of Information Security Survey that support the idea that the CISO should report directly to the CEO. Organizations in which the CISO reported to the CIO had 14 percent more downtime than those in which the CISO reported to the CEO, and also reported higher financial losses. "In fact, having the CISO report to almost any other position in senior management other than the CIO reduced losses from cyber incidents." The study gathered information from more than 9,000 respondents. Bear in mind that these are self-reported survey correlations; the survey does not show that the reporting line itself causes the difference.
What’s your take on placement of the position?
The Internet of Things: Smart Lightbulb Exposes Wi-Fi Password
(SANS July 7, 2014) In a proof-of-concept attack, Internet-connected LED lightbulbs were used to recover the password of the Wi-Fi network that controls them. LIFX smart lightbulbs can be controlled from iOS and Android devices. The researchers had to be within about 30 meters of the bulbs, on the bulbs' own wireless mesh network, to trick them into handing over the Wi-Fi credentials; those credentials were protected only by an encryption key that was identical in every bulb and could be recovered from the firmware. LIFX was made aware of the problem and has issued a firmware update to address it.
Should we turn off all the lights? … and the refrigerators, and the automobiles, and …
Security Not a Priority
Despite breaches, most critical infrastructure executives say security is not a priority. According to a 2014 Ponemon study of nearly 600 IT and IT security executives around the world, two-thirds of respondents said that their infrastructure had been compromised in the preceding year, but just over a quarter said that security is a top priority. Operators of infrastructure, particularly energy infrastructure, often believe that their need to keep the infrastructure running trumps the need to keep others from mis-operating it.
Are they right? Are we wrong?
Cloud Forensics
(from SANS) Cloud services have saved money and improved efficiency, but the technology poses real challenges for forensic investigations. A draft NIST report describes 65 "challenges" forensic investigators encounter when dealing with cloud computing. One example is email. On non-cloud systems, deleted email messages can often be recovered because the data is not truly gone until it is overwritten. Because cloud storage is shared and constantly reallocated among tenants, deleted data is far more likely to have been overwritten, and the investigator usually cannot image the underlying physical storage in any case.
How do you do forensics in a cloud environment?
Big Brother Down Under
Legislation proposed by Australian Attorney-General George Brandis would broaden the Australian Security Intelligence Organisation's (ASIO) access to computers and networks. Some legal experts say that the law could be interpreted to give ASIO access to every Internet-connected computer, because a single warrant could cover an entire network of computers. Civil liberties groups are also concerned about provisions that would criminalize journalists who receive and publish leaked documents.
Is this only an Australian issue?
Extra Added Attraction
Lenovo Laptops Shipped with Adware and Persistent Vulnerability (SANS February 19, 2015) Lenovo has been shipping consumer laptops preloaded with Superfish, adware that intercepts users' web traffic. Superfish is designed to "help users find and discover products visually." It also injects ads into web pages. To do this on HTTPS sites, Superfish installs its own root certificate in the Windows trusted certificate store and re-signs every encrypted session on the machine with it. The same private key was shipped on every affected laptop, so anyone who extracts it (and it was extracted within days of the disclosure) can impersonate any website to those machines. Uninstalling the application does not remove the root certificate, so the exposure persists until the certificate itself is deleted. Lenovo has stopped including Superfish on its new machines.
This isn’t just adware; it is malware. Will you still buy Lenovo?
ICS-CERT Monitor Quarterly Report - Phishing Reigns Supreme (March 12, 2015)
According to a quarterly report from the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), industrial control systems were targets of cyber attacks at least 245 times in the 12-month period between October 1, 2013 and September 30, 2014. Seventy-nine of the incidents involved companies in the energy sector, and 65 involved the critical manufacturing sector. Where the attack vector could be identified, spear phishing was the most common, accounting for 42 of the incidents; for a large share of the remainder the vector could not be determined at all.
Can we train our people, especially executives, to resist phishing effectively? Will the training stick?
How do you control BYO_?
How has the legal environment affected (positively or negatively) your ability to secure your organization’s resources?
What’s the appropriate way of handling minor security infractions by sloppy or uncaring or pressured or confused users?
What will your security budget priorities be for 2016?
Can we even identify, much less secure all the devices connected to our networks?
How complicated will it be to implement federated identity and access management (I&AM)?
Do we have any realistic chance of prosecuting cyber criminals from countries where they are actually adding to the GNP?
Will Apple Pay become the payment method of choice? Is its security adequate?
There are a host of other issues and questions, and we’ll address as many of them as time permits. One of the best features of the Forum is that the discussions and strategy idea trading started here very often continue throughout COSAC and beyond.
The Forum should give you a feel for the rest of COSAC. The essence of this one-day session is give and take; therefore, participants must be prepared to discuss topics freely and be willing both to critique others and to have their own solutions subjected to scrutiny. Participants may be asked prior to COSAC to submit lists of items they’re willing to discuss and want discussion on. Some may be asked to prepare short presentations on specific topics to lead into roundtable discussions. The better prepared you are, and the more you put into this session, the more you’ll get out of it.