Saturday, May 24, 2014

Memorial Day 2014: The Risk of Service is Understood...

It is Memorial Day weekend in the U.S. and on this final Monday of May 2014, we reflect on this past year.

In order to put it all in context, we looked back 12 months to our 2013 blog post here.  It was only a few weeks since a fellow colleague from Team Rubicon had ended his battle at home, after several tours of duty with AFSOC.  Neil had joined the ranks of those fallen heroes who survive deployment tagging and tracking the enemy in the Hindu Kush.  He was one of the 22 that day in early May who could not defeat the legacy of demons he fought each night as he fell deep asleep.

Memorial Day 2014, we honor Neil in Section 60 at Arlington Memorial Cemetery and all those other military members who have defended our freedoms for 238 years.  Simultaneously, we do the same for the "Stars" on the wall in Langley, Va for the officers who have done the same.

Whether you are on the front lines or inside the wire at the FOB.  Whether you are in Tampa, FL, Stuttgart, Germany or Arlington, VA.  Whether you are on your beat cruising the streets of a major metro USA city.  Whether you are watching a monitor at IAD, LAX or DFW.  Whether you are deep in analysis of Internet malware metadata or reviewing the latest GEOINT from a UAS.  We are all the same in the mission that gets each one of us out of bed each day: our country's "Operational Risk Management (ORM)."

The Operational Risk Management mission of the U.S. Homeland is vast and encompasses a spectrum of activity, both passive and kinetic.  Digital and physical.  It requires manpower and resources far beyond the capital that many developed countries of the world could to this day comprehend.  There are only a few places across the globe where a normal citizen would say that the mission and the capital expenditures are worth every dollar and every drop of blood.

Memorial Day in the United States is exactly this:
Memorial Day is a United States federal holiday which occurs every year on the final Monday of May.[1] Memorial Day is a day of remembering the men and women who died while serving in the United States Armed Forces.[2] Formerly known as Decoration Day, it originated after the American Civil War to commemorate the Union and Confederate soldiers who died in the Civil War. By the 20th century, Memorial Day had been extended to honor all Americans who have died while in the military service.[3]
So this weekend, as we walk among the headstones and reflect on our colleagues who gave their service and their own lives, we will stand proud.  We understand the risks.  We know why we serve.  In the spotlight or in the shadows.  The tradition and the mission continue...

Sunday, May 04, 2014

Consumer Privacy USA: The Risk of Viceroy Tiger and Keyhole Panda...

There is a flurry of Operational Risk Management (ORM) activity around the DC beltway and across Silicon Valley in order to gain new consumer confidence.  The confidence that their personal metadata and information are being protected with encryption software and that privacy policies are in place to notify users when their information is requested by the government.  Interesting.

Much of this wasted bandwidth is focused on competitive strategies.  If LinkedIn gets 3 or 4 stars from the EFF "Who Has Got Your Back Report," then our social media company should aspire to do the same.  Transparency to the consumer end user on how data is protected and when you are notified of it being lost, leaked, hacked or handed over to law enforcement is the buzz right now.  Why?
Apple, Facebook, others defy authorities, notify users of secret data demands 
By Craig Timberg, Published: May 1 
Major U.S. technology companies have largely ended the practice of quietly complying with investigators’ demands for e-mail records and other online data, saying that users have a right to know in advance when their information is targeted for government seizure.
This increasingly defiant industry stand is giving some of the tens of thousands of Americans whose Internet data gets swept into criminal investigations each year the opportunity to fight in court to prevent disclosures. Prosecutors, however, warn that tech companies may undermine cases by tipping off criminals, giving them time to destroy vital electronic evidence before it can be gathered. 
Fueling the shift is the industry’s eagerness to distance itself from the government after last year’s disclosures about National Security Agency surveillance of online services. Apple, Microsoft, Facebook and Google all are updating their policies to expand routine notification of users about government data seizures, unless specifically gagged by a judge or other legal authority, officials at all four companies said. Yahoo announced similar changes in July. 
As this position becomes uniform across the industry, U.S. tech companies will ignore the instructions stamped on the fronts of subpoenas urging them not to alert subjects about data requests, industry lawyers say. Companies that already routinely notify users have found that investigators often drop data demands to avoid having suspects learn of inquiries.
Enterprise businesses are now waking up to the reality of investing in more robust Operational Risk Management (ORM) practices within their Enterprise Architecture Framework.  Areas that have been neglected in the architecture for data transport are now finally being updated.  Even the weaknesses in the latest SSL capabilities exposed by the "Heartbleed" vulnerability have finally motivated many to upgrade to TLS 1.2 and add Forward Secrecy.  Even LinkedIn, which gets multiple stars from the EFF (and only a "B" from Qualys SSL Labs), does not use TLS 1.2, nor does the average consumer understand why Forward Secrecy is an important capability or why Google uses it within the popular Gmail service.
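A practical check for the TLS 1.2 and Forward Secrecy point above, as an added example written with Python's standard ssl module (not code from the original post, nor from LinkedIn, Google or Qualys): it flags cipher suites whose key exchange is not ephemeral, and builds a client context that refuses anything older than TLS 1.2 or without ECDHE. The suite names used as sample input are constructed for illustration.

```python
import ssl

# Added example, not from the original post. Forward secrecy means the session
# key comes from an ephemeral (EC)DHE exchange, so a later leak of the server's
# long-term private key (the Heartbleed worry) does not decrypt recorded traffic.
# In OpenSSL naming, ephemeral key exchange shows up as these prefixes; TLS 1.3
# suites (TLS_*) are always ephemeral. Plain "AES128-SHA" means static RSA key
# exchange, and "ECDH-" (no E) is static ECDH: neither is forward secret.
_FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")


def forward_secret(cipher_name: str) -> bool:
    """True if the suite's key exchange is ephemeral (EC)DHE."""
    return cipher_name.upper().startswith(_FS_PREFIXES)


def hardened_client_context() -> ssl.SSLContext:
    """Client context: TLS 1.2 minimum, certificate checks on, ECDHE-only suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0, TLS 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_default_certs()
    # Only AEAD suites with ephemeral ECDH key exchange for TLS 1.2; the TLS 1.3
    # suites are managed separately by OpenSSL and are forward secret anyway.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Report the minimum version and any offered suite that lacks forward secrecy."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "suites": len(names),
        "non_forward_secret": [n for n in names if not forward_secret(n)],
    }


if __name__ == "__main__":
    # Constructed sample of a legacy server's offered suites.
    legacy = ["AES128-SHA", "ECDH-RSA-AES128-SHA", "DES-CBC3-SHA",
              "ECDHE-RSA-AES128-GCM-SHA256"]
    print("legacy suites without forward secrecy:",
          [n for n in legacy if not forward_secret(n)])
    print("hardened context:", audit(hardened_client_context()))
```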

The privacy policies and opt-out capabilities the consumer really needs are from the private sector companies that are currently trading your personal information.  Your browsing history.  Your purchases at national retailers.  When was the last time you gave your phone number to a cashier at the register to earn buy 1 get 1 coupons or a discount at the local gasoline pump?  Where do you think all of this activity-based behavioral data about you, the consumer, is being resold?

The marketing of privacy and security will continue to become a product or service differentiator.  The government agencies will continue to follow the law to obtain your information.  The magistrate judges will make sure of this.  The adversaries however, are becoming more productive and will find new exploits to attack your infrastructure in new ways, on vectors that you have not even thought of yet.

Who are some of the adversaries?  A few worth noting:

  • Iran:  Cutting Kitten
  • India:  Viceroy Tiger
  • China:  Comment Panda, Deep Panda, Foxy Panda, Keyhole Panda, Union Panda, Vixen Panda et al

These cyber adversaries are in many cases focused on cyber espionage and the theft of your Intellectual Property or Research and Development.  This leaves hundreds of other capable crimeware-driven organizations across the globe who are targeting other valuable data to perpetuate their fraudulent activities.  So what have you done at the Board of Directors level and in the Executive "C" Suite to pave the way for more effective collaboration with the G-man?

Collaboration with the FBI, Secret Service, SEC, FTC, OFAC, U.S. Attorney, State Attorney General or even the local county prosecutor is a prudent and wise Operational Risk Management strategy.  "Complacency": this could be one of the greatest vulnerabilities that your shareholders and stakeholders have ignored.  A proactive organization has established protocols, implemented best practices and tested policies.  They are already in place to work collaboratively with local, state and federal government.  These organizations will ultimately be the marketplace front runners.
“In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance. Michaels is committed to working with all appropriate parties to improve the security of payment card transactions for all consumers.”
This is just one more example of what is becoming the new normal.  The Operational Risk Management (ORM) professionals in your organization are ready and willing to support corporate executives and the Board of Directors' newfound enlightenment.  Your new government partners will even share information with you on the latest modus operandi of "Keyhole Panda"...