Thinking About Healthcare.gov’s Security

Now that the Information Technology and Security communities have had time to digest what’s going on with Healthcare.gov, they are starting to think about what the “glitches” mean from a security perspective. For example, here’s some coverage in eWeek. And I’ve been asked by several other publications to provide my thoughts on the site’s security.

Ironically, the glitches may be the best security tool yet, per the article:

“In fact, the site’s stability issues and lack of usability to this point may be its best security: Even hackers haven’t been able to get in long enough to make it work,” Carpenter (VP of Strategy at AccessData) said.

As I point out in the article, a system as complex and interconnected as this one is, with as much data as it contains, is highly susceptible to attack, exploitation and breach of data. The technical difficulties that the site has suffered through do not hold out much hope that security has been implemented without “glitches”, either.

A site this complex, with this many bugs and glitches, being fixed on a crash basis, will have all sorts of vulnerabilities. And it turns out that one of the key contractors working on healthcare.gov, QSSI, has had security control problems in the past per this article. The only way to secure complex systems is to do the basics of security very well. But the specific security control issue cited in the government audit, allowing employees to connect USB drives and iPods to workstations with access to sensitive data, is a pretty basic thing.

*Update – There’s another good article on SC Magazine’s site as well.

Posted in InfoSec | 5 Comments

The Adobe Breach: Initial Lessons

Now that we’ve had a little time to absorb the impact of the Adobe breach, there’s a few lessons we can learn already. First, a link for those who have been living in a cave and don’t know what I mean: Krebs on Security has had great coverage.

What we know:

  • Adobe was breached via a vulnerable ColdFusion web application server exposed to the Internet. ColdFusion is an Adobe product.
  • The vulnerability was known for months, a published vulnerability, and was not patched.
  • 38 million users’ accounts were compromised.
  • Source code for Acrobat, Reader, ColdFusion and Photoshop has been compromised.

Two Initial Lessons

User accounts are a huge target for attackers. Basically, every big breach you read about includes breached user accounts. Even if there is no financial data in the account, compromising user name and password allows the bad guy to begin attacking the user’s other accounts, since it is quite common to use the same ID/PW combination for most accounts. If an email account can be compromised, then the process of breaking into financial accounts gets really easy. The first thing all users should do is differentiate the passwords for email accounts, product sites like Adobe and financial sites.

Organizations continue to be compromised, breached and exploited through vulnerabilities and bugs in their systems that are well known and published. Although the vulnerabilities are known and patches published, companies are not patching their systems. Contrary to the belief that it is because companies don’t care about security, I will argue that it is essentially to the point of impossibility now. When a large organization does a vulnerability scan of its systems, it turns out a printout the size of the Manhattan phone book. There is no way, in the midst of every other priority out there, for the IT teams to deal with all of these vulnerabilities. They don’t even know which ones are important or how to prioritize the vulnerabilities. The key lesson here is that patching vulnerabilities requires tackling the problem by determining where and how the adversary will attack you, and defending there. It basically requires that we do something new and disruptive.
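To make the prioritization point concrete, here is an added example (not code from the blog or from CORE Security) that ranks scan findings by where an attacker can actually start and where they can get to, rather than by CVSS score alone. The five findings, their vulnerability identifiers, the network reachability and the scoring weights are all constructed for the example; the topology assumes an Internet-facing web host that can reach an app host, which in turn can reach the tier-1 data store, plus two isolated low-value hosts, one of which carries a "critical" CVSS score.

```python
# Added example (not from the blog post): rank scan findings by attack path,
# not by raw CVSS alone. All hosts, identifiers and weights are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str          # constructed placeholder identifier, not a real CVE
    cvss: float
    internet_exposed: bool
    exploit_public: bool
    asset_tier: int       # 1 = crown jewels (e.g. the card data store), 3 = low value
    reaches: tuple        # hosts this host can open connections to (constructed topology)


# Constructed sample scan output.
# Network shape: internet -> web01 -> app01 -> db01, plus two isolated
# low-value hosts, one of them with a "critical" CVSS score.
FINDINGS = (
    Finding("web01",   "VULN-0001", 9.0, True,  True,  2, ("app01",)),
    Finding("app01",   "VULN-0002", 7.5, False, False, 2, ("db01",)),
    Finding("db01",    "VULN-0003", 6.0, False, False, 1, ()),
    Finding("print01", "VULN-0004", 9.8, False, True,  3, ()),
    Finding("kiosk01", "VULN-0005", 5.0, True,  False, 3, ()),
)

# Weights are assumptions for this example; tune them to your own environment.
W_EXPOSED, W_EXPLOIT, W_PATH = 3.0, 2.0, 5.0


def leads_to_crown_jewels(host, by_host, seen=None):
    """True if host is a tier-1 asset or can reach one transitively (cycle-safe DFS)."""
    seen = set() if seen is None else seen
    if host in seen or host not in by_host:
        return False
    seen.add(host)
    finding = by_host[host]
    if finding.asset_tier == 1:
        return True
    return any(leads_to_crown_jewels(n, by_host, seen) for n in finding.reaches)


def score(finding, by_host):
    """Base CVSS plus bonuses for being an entry point, being trivially exploitable,
    and sitting on an internal path to the crown jewels."""
    s = finding.cvss
    if finding.internet_exposed:
        s += W_EXPOSED                      # an attacker can start here
    if finding.exploit_public:
        s += W_EXPLOIT                      # exploitation needs no research
    if leads_to_crown_jewels(finding.host, by_host):
        s += W_PATH                         # part of an internal kill chain
    return s


def rank_by_cvss(findings):
    """The 'phone book' ordering: highest CVSS first."""
    return [f.host for f in sorted(findings, key=lambda f: -f.cvss)]


def rank_by_attack_path(findings):
    """Ordering by where the adversary will attack and what they can reach."""
    by_host = {f.host: f for f in findings}
    return [f.host for f in sorted(findings, key=lambda f: -score(f, by_host))]


if __name__ == "__main__":
    print("CVSS order:       ", rank_by_cvss(FINDINGS))
    print("attack-path order:", rank_by_attack_path(FINDINGS))
```

Under the constructed data, CVSS alone puts the isolated printer at the top of the list, while the attack-path ranking puts the exposed web host first and the app host (a lower score, but the next hop toward the data store) ahead of the printer. That is the difference between a list to be worked top to bottom and a list that says where the adversary will actually go.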

Finally, we know that much of Adobe’s source code for their software has been compromised. This from a company that has a really bad track record of serious security flaws in their software anyhow. Now the bad guys have direct access to Adobe source and will be able to discover all sorts of previously undiscovered vulnerabilities. If at all possible, you should stop using software from Adobe right now.

*Update 10/31/13 – Welcome Instapundit readers …. take a look around. This blog is primarily about Information Security, which is my profession, but also has some interesting stuff on my chickens, cigars and backyard home offices. 🙂

Posted in InfoSec, Risk Management, Security, Vulnerability Management | 20 Comments

Interesting Things

I work for a very interesting company, culturally speaking. It was originally founded in Buenos Aires, Argentina about 15 years ago. After achieving significant success in their market space, Core moved its headquarters to Boston. However, the majority of the company, other than some administrative and sales staff, remained in Argentina. Over time, the company came to have two major locations. About half the company is located in Buenos Aires and the other half in Boston. A few people, like me, are in home offices, but spend significant time in one of the headquarters.

Because of this, the company has a very diverse culture and worldview. Interestingly, I am finding that many things we on the west coast of the US take for granted as factual and accurate are not considered to be the case by people I am now working with.

I loved living in Germany in the 1980s and “traveling” in the Middle East and Africa in the early 1990s because of the enormous exposure to other cultures and viewpoints. It allowed me to learn just how limited and parochial the perspectives I had been culturally raised with actually were and to greatly broaden my understanding of the world around me. And this company is giving me that same opportunity. I love it.

Posted in General, Life and Times

Back to Basics …. Again

It appears that the bad guys who exploited Adobe in August, and stole ColdFusion and Adobe (maybe) source code, as well as millions of credit card numbers, used a well-known ColdFusion vulnerability. What seems to have happened is that they were able to exploit an unpatched ColdFusion instance and then follow an attack vector that led them to credit cards and source code. For some of the details on this, see this story by Krebs.

And now it’s time for me to rail, once again, about the need for InfoSec and IT Operations to “do the basics”. C’mon guys, this was your own vulnerability. One you knew about, controlled the source code for, published patches for, etc. And you couldn’t patch it? How many times must the bad guys exploit basics like this, and then follow an internal kill chain to the crown jewels before we get serious about this problem?

This is exactly why I joined CORE Security … to help with this problem. Until these very basic issues are solved, all the advanced security stuff is pointless. CISOs need to stop fretting over BYOD. It’s time for them to get back to patching vulnerabilities and shutting down attack vectors into their networks.

Posted in BYOD, InfoSec, Security, Vulnerability Management

Day 3 at CORE

Yet another day of fun at CORE today. Spent the day getting to know the people, figuring out critical strategies, and places where I can start inserting myself to have some immediate impact.

Started working on goals for the next 90 days with my boss, as well. Always good to know what you are supposed to do for the next quarter.

Today a few folks who have been reading Instapundit came over and read a few things I’ve written here when Glenn linked to my post about my new job. A few left comments and many thanks to them for starting to create a conversation. A prevailing theme appeared in those comments, both here and on Glenn’s blog, that I thought I would say something about.

I spoke of being in a war that we (the guys who are trying to protect information and property) are losing. The general tenor of the comments was that our government refuses to acknowledge there is a cyber war happening. And that even if they do, the government has made it much worse through the spying and eavesdropping done by government agencies and the insertion of security holes and backdoors in certain types of software products that provide protection of data through encryption.

Although I often am critical of the Obama administration, this is an area where I am not particularly critical. Here’s why.

1. About the war. Actually, the Obama administration has been much more conscious of cyber-security and the conflict around data theft, cyber warfare attacks and much more. The FBI and other agencies have been willing, nearly, to name names when it comes to who the bad guys are. And the administration has definitely tried to do some decent work around improving government cyber-security. Now, to call it a war is not something the government should do if we aren’t prepared to wage war at a national level. And frankly, we aren’t and we shouldn’t be.

2. About the NSA spying on Americans and back doors in encryption tools. I am quite critical of what is happening here and very strongly opposed to it. However, to be frank again, the issue is one that has been going on for years, decades even. It’s not an Obama administration only issue, or a Democrats only issue. It’s a significant governance and constitutional problem. But let’s be really clear. The bad guys are not succeeding because of any of this. The reality is that they are winning because we are not doing the basic job of securing people and computers that should be done. It’s a big part of why I joined CORE, they are bringing new capabilities to bear that can really change this issue.

On this particular topic, I believe I can speak with some authority. I’ve been part of work groups that have provided input, advice and expert opinion to the Obama administration on what the Federal government can do to improve cyber-security in meaningful ways. And they have actually listened to some of what the industry experts had to say.

On top of that, I have spent time and energy (like my whole life) in this field, first military, then physical and then information security. I can claim to know something about it. I can say, with great accuracy I believe, that those of us on the good side of this fight are definitely way behind the bad guys right now in terms of processes, tools and capabilities. We need to change that before we start claiming that NSA back doors are the problem.

Posted in CyberWar, FUD, General, InfoSec, Life and Times

It’s Day Two

And I am having a blast here at CORE Security! Got to be part of the quarter end yesterday … I think that was really good, making sure I experienced the craziness as everything came down to the last couple hours of the quarter. It’s been a long time since I was in an operational organization driven by that sort of thing. I needed to experience it again. And having it be Day One … that was really the right thing to get my head in the right space.

Of course I’m having fun, it’s a new job. But it’s the sort of job I really like … focusing on the future, on strategy, on people and on solving problems. I love that sort of thing. And right now I have the opportunity to make a huge difference in this organization and to the security industry as a whole.

Boston is gorgeous right now, beautiful Indian Summer going on. Have been walking to work every morning, not something you can do easily in Seattle at this time of year.

Life is pretty good!

Posted in General

Building CISO Relevance: Written For BitSight

BitSight is a very interesting security startup that is trying to do something we all have wanted for a long time. Their goal is to find ways to actually quantify risk in a measurable, objective way. If they achieve anything close to that goal, it’s a big deal. I went to work for CORE Security because they are in that same space: using data to provide objective insight into the risk an organization faces.

I was happy to post as a guest on BitSight’s blog because of that. I chose to hit on my favorite topic, being relevant to your business. I think it’s a pretty good read and you should check it out.

I’ve got no interest in BitSight other than wanting to see a good security idea succeed.

Here’s what I think is the key bit of the whole thing.

… security leaders are not outsiders. You don’t need to gain a seat at the table or learn the business or align with the business. You’re already a part of the business—that’s why they hired you. You just need to be relevant to your business.

Go read the whole thing.

Posted in Big Data, General, InfoSec, Risk Management