Chris Hoover

Battle Hardened

Posted by Chris Hoover Employee Aug 30, 2013

China’s internet infrastructure was hacked this week and the story immediately made me think of one frightening scenario: What if they did this to themselves? I’m not asserting that they did, but just exploring the possibility. China and Russia have both been known to perform real world military drills despite the inconvenience or impact to the civilian public.


Why would they? Well first it is common knowledge that China has been developing their information warfare capabilities. Performing such an attack lets them quantify in real world terms exactly how effective their attacks are. Next, it allows them to know and measure how resilient their infrastructure is to real world attacks. Lastly, it provides lessons learned to improve future attack methods and defense and resiliency.


The US has the most formidable military in the world not just because we spend the most on our military, but also because we are battle hardened. What does that mean? A military member’s career spans 20 years, but when was the last time we went 20 years without a conflict? That means every generation of our military is battle hardened.  Every generation must test what they know about warfare and adapt it to the latest adversary, methods, and landscape. Did lessons learned from jungle fighting in Vietnam in the 60’s and 70’s help in Central America in the 80’s? Probably. Did that same knowledge help in Kuwait and Iraq in 1991 or in Afghanistan and Iraq in 2001 or 2003? Certainly not.


Why does this matter in a GRC blog? If China did this attack to themselves, the point was to make them battle hardened for cyber war. It’s scary that such a large and well-funded entity is preparing in this way, but let’s apply this to you. What can you do to become battle hardened? When was the last time you performed a continuity or recovery exercise? When was the last time you restored from backups? When was the last time you considered what you’re defending against? Do you ever adjust your posture? Are you prepared for a jungle fight in a desert fighting era?



Those of you that have followed Archer’s multi-lingual march around the globe already know about Archer’s core libraries we’ve previously translated into French, German, Spanish, and Japanese. I’m pleased to announce the addition of Italian, Portuguese, Russian, and Simplified Chinese to the collection. Specifically the following libraries are now available in all eight languages:


  • Archer Control Standards
  • Archer Policies
  • Archer Question Library
    • Archer Control Assessment Bank
    • Archer Risk Assessment Bank


Additionally, since the Archer Control Standards library has changed since it was last translated into French, German, Spanish, and Japanese, we have incorporated those changes into newly translated versions for those languages as well.

Customers with an active support contract can contact their sales or customer support representative to obtain import packs for the language of their choice.


Thank you! Or, as they say…Merci, Danke, 谢谢, Gracias, Спасибо, ありがとう, Obrigado, Grazie!

When the Edward Snowden story first broke I remember how the crazy theories ran wild about his identity, his motivations, and (gasp!) whether we were safe. Heck, they still don’t seem to know exactly what this guy took and what his endgame truly is. As the story has continued to unfold, one thing that became very interesting is not who he is, but WHAT he was. He wasn’t some agent gone rogue or a foreign super spy, he was a systems administrator! An IT contractor, for crying out loud! So as congress continues “demanding answers on behalf of the American people,” cynical folks like me regard the whole thing as a charade. When millions of people have top secret clearances, how is it not happening all the time?


I don’t need some fancy forensics team and congressional hearings to know the IT group holds the keys to the kingdom. Anybody who’s ever worked any kind of basic IT job knows that already. Those of us who rose through the ranks in security and audit understand very well just how pervasive access control gaps are on public and private sector networks alike. So while the general public is shocked and outraged, the only thing that surprises me is that it hasn’t happened sooner, or more often for that matter. Wait, it HAS happened before. And it happens more often than you think. The difference is we rarely hear that much about it.


Some people are calling for Snowden’s head on a pike while others label him a whistleblowing hero. Straw men abound and as the media debate rages on around the latest news story about thousands of NSA privacy violations, I’m left wondering how much of a sign this is of things to come. National security is one thing, but what about the people who have access to your company’s “top secret” info?


Remember, it’s not like Snowden was an underpaid government drone turned espionage actor, lurking in the shadows to supplement his retirement by selling secrets. On the contrary, from the sounds of it he had a pretty sweet private sector gig. So what does it take for an IT guy with a great job and a girlfriend in Hawaii to walk away from it all, publicly turn his life upside down, and become the most wanted guy on the planet? He says it was a belief in doing the right thing by exposing his employer’s egregious violation of your civil liberties. Is that really true? Could he really be that sincere? What kind of person actually does that? Well, for starters an ideologue does. So maybe it's not such a stretch after all. That doesn't mean he's right, or sane for that matter. But if I’m the CEO of a company with serious trade secrets or a checkered past (or both), maybe I’m starting to wonder what could happen if one of my employees drew inspiration from Snowden and decided to go rogue.


The global economic conditions over the last few years have boosted anti-corporate activism. Combine this with porous security, flash drives the size of a gnat, and anonymous access to a nearly instantaneous global news cycle, and it’s not hard to conclude that, whether for profit or popularity, a motivated insider poses a greater operational risk than ever before. If the President of the United States can’t touch an IT guy, then what’s an average CEO really going to do to an employee who blows the whistle? Prosecute them? Sue for damages? Pursuing criminal charges could quickly backfire and land the CEO in the clink if the employee was shining a light on criminal fraud. On the civil side, any punitive awards would pale in comparison to the cost of pursuit, the PR fallout, and repairs to the brand, presuming the company actually wanted to expose anything else internal in open court anyway. So even to serve as a deterrent, any decision to initiate a lawsuit would require a serious corporate gut check as a prerequisite. When a subset of the population is guaranteed to rally behind the employee (the little guy) regardless, at the end of the day what does winning really look like when you sue somebody you just fired?


The other sad, simple reality when you boil it all down to essentials is that the security issues at play are still largely the 101 stuff. Maybe it's time to play offense for a change. Technology always advances; budgets grow and shrink; but at the end of the day it’s always back to basics. It’s the same reason coaches preach fundamentals time and time again even at the professional level. Information classification, least-privilege, role-based access control, segregation of duties, policy, and culture…these basics will make or break the security posture in any organization. “Making it” hinges almost entirely on commitment and execution.


Information Classification (“Know what you have and what should be protected”) – One of the most boring, tedious tasks to undertake. Executives will magically be on retreats anytime you try to initiate it. Legal departments hate dealing with it. Nobody wants to “restrict” people in today’s politically correct culture and everybody is scared they’re forgetting something. But the fact is if you can’t name it you can’t protect it and there has never been a valid reason that everybody should be privy to everything. So for goodness sake stop dancing around the issue and lock things down already.


Least-Privilege Access (“If you don’t need it, you don’t get it” part 1) – Bedrock fundamental. In the public sector terms like “clearance” and “need to know” are used. Guess what? The same authentication and authorization rules apply in the private sector too. And yes they also apply to the IT staff. Encryption can help here tremendously but only if you know what needs to be encrypted.


Role-based Access Control (“If you don’t need it, you don’t get it” part 2) – If the principle of least-privilege defines the rules, the role-based access control model enforces them. Certain staff members require elevated privileges. It’s a fact. Own it. “HOW” they get and keep those privileges makes all the difference. Yes, “Everyone – Full Control” on the corporate <fill in the blank important file share> is easier to manage, but it’s also insane. Neither good basic access control practices nor even the more advanced multi-factor, IPSec and encryption setups require a PhD to implement. With a little know-how, some elbow grease and the right technology products and guidance, it’s actually pretty reasonable. So roll up your sleeves, pair your people with people who know what they’re doing, and insist the job’s done right. Your efforts will be rewarded.


Segregation of Duties (“You do your job and I’ll do mine”) – One of two things typically happens when jobs get cut. Either less work gets done (productivity suffers) or the remaining people pick up the slack and security can often suffer either way. Pretty soon the same accountant is preparing and posting journal entries, or the same procurement person is setting up vendors and paying them. You get the idea. Permit the lines to blur too much and the risk of fraud and other exposures skyrockets.
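The two conflicts the post names (preparing and posting journal entries; setting up vendors and paying them) are exactly the kind of toxic combination a GRC access review looks for. The following is an added example, not code from the post or from the Archer product: a small checker over constructed user/role/entitlement data (all names are hypothetical) that reports users whose combined roles grant a toxic pair, and also flags roles that are toxic by design so the reviewer knows whether to fix the assignment or the role itself.

```python
from collections import defaultdict

# Toxic entitlement pairs. The first two are the post's own examples; the
# third (self-provisioning of access) is an added assumption.
TOXIC_PAIRS = {
    ("je_prepare", "je_post"): "prepare and post journal entries",
    ("vendor_create", "vendor_pay"): "set up vendors and pay them",
    ("user_provision", "user_approve"): "request and approve own access",
}

# Constructed sample data: roles grant entitlements, users hold roles.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"vendor_pay", "je_prepare"},
    "procurement": {"vendor_create"},
    "controller": {"je_post"},
    "it_admin": {"user_provision", "user_approve"},  # toxic by design
}

USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "procurement"},   # picked up vendor setup after a cutback
    "carol": {"ap_clerk", "controller"},  # now prepares and posts entries
    "dave": {"it_admin"},
}


def effective_entitlements(user, user_roles=USER_ROLES, role_ents=ROLE_ENTITLEMENTS):
    """Union of everything the user's roles grant."""
    ents = set()
    for role in user_roles.get(user, ()):
        ents |= role_ents.get(role, set())
    return ents


def sod_conflicts(user_roles=USER_ROLES, role_ents=ROLE_ENTITLEMENTS, toxic=TOXIC_PAIRS):
    """Users holding both halves of a toxic pair, with the roles granting each half."""
    findings = []
    for user in sorted(user_roles):
        ents = effective_entitlements(user, user_roles, role_ents)
        for (a, b), desc in toxic.items():
            if a in ents and b in ents:
                # Which roles contribute each side tells the reviewer what to split.
                via_a = sorted(r for r in user_roles[user] if a in role_ents.get(r, ()))
                via_b = sorted(r for r in user_roles[user] if b in role_ents.get(r, ()))
                findings.append({"user": user, "conflict": desc, "via": (via_a, via_b)})
    return findings


def toxic_roles(role_ents=ROLE_ENTITLEMENTS, toxic=TOXIC_PAIRS):
    """Roles that grant a toxic pair on their own: fix the role, not the assignment."""
    bad = defaultdict(list)
    for role, ents in role_ents.items():
        for (a, b), desc in toxic.items():
            if a in ents and b in ents:
                bad[role].append(desc)
    return dict(bad)


if __name__ == "__main__":
    for f in sod_conflicts():
        print(f"{f['user']}: can {f['conflict']} via roles {f['via']}")
    for role, descs in toxic_roles().items():
        print(f"role {role} is toxic by design: {descs}")
```

In a real review the role and assignment data would be pulled from the directory or ERP rather than hard-coded, and the toxic matrix would be owned by finance and audit rather than IT.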


Sometimes cutbacks are required. It’s often easier to believe the executives are heartless, but in my experience it’s one of the most dreadful things they ever have to contend with. Almost without exception, though, the company emerges healthier as a result. So it’s a necessary evil. That said, Mr./Ms./Mrs. CEO, it’s grossly irresponsible not to ensure that continuity of the control environment is baked into your plan. You don’t get a free pass on security gaps just because you had to make some tough calls in between vacations. Suck it up and do the right thing. And if your control environment stunk before your cutbacks, then I’m definitely selling your stock now.


Policy and Culture (“Lead by example and make sure it’s a good one”) – The difference between leadership and merely being in charge is often all about the tone you set. Every CEO will say they insist on quality and excellence. But truly great leaders walk the walk and earn the respect of their people as a result. Even if they’re not always enjoyable to be around or work for at times, chances are you’d still rather be in the camp of a leader who leads by example. Because you know, even though they may delegate most of the heavy lifting, if push comes to shove they’ll grab a shovel and dig in alongside you if that’s what it takes for the group to succeed. To me that’s what policy and culture are really all about. Policy reinforces that tone set at the top and the culture of the organization flows both from and back into it. If the tone is flaky and insincere the policies will be useless and the culture will be listless and indifferent.


On the flipside, it’s simply impossible to have too much integrity. So set good examples for your people. Challenge them for the same. While mistakes cannot be overlooked, try first to embrace them as teachable moments before jumping to negative consequences. And reward your people handsomely when they succeed. Accept that rules are needed so insist on having good ones and insist they’re clearly understood and followed by all. With strong leadership, good morale, and a solid security posture blended into the background, the positive momentum shift is measurable. In a proactive environment like that people want to do the right thing on their own because they’re inspired. And the risks of the next “Snowden-gate” landing at that company’s doorstep are substantially reduced.


Need help getting started? Stuck on a problem? We’re here to help. We understand this stuff as well as anybody and our cutting edge products are literally redefining security, risk management, and compliance.

Some people think “the well is only as deep as the water is clear”.

Over the past decade, security organizations, along with deploying preventive technologies such as anti-virus and firewalls, have focused on capturing security logs and events to get insight into what is going on that could affect security. They turned on logging on devices and systems, deployed centralized log management technologies and gathered logs, assuming that they had cleaned their water and given themselves clear sight to the bottom of the well. This has been a key part of getting a handle on threat activity and is an essential part of security management. However, in some respects it has also created another cloudy well full of bits and bytes that can present an even murkier picture. While having more data on what is going on can increase the possibility of detecting a security threat, the probability of actually detecting the threat is most often no better, and most likely worse. Obviously you need that data to capture any nefarious happenings. How that data is captured and analyzed has a big impact on the probability of successfully identifying an active security threat. But more data does not necessarily make for a clearer picture.

At DefCon 21, I saw presentations on several attack vectors that pose significant problems. An attack today can include:

  • Deep social reconnaissance through social media outlets (LinkedIn, Facebook, etc) combined with very targeted social engineering;
  • Malware and exploits that change constantly evading signature based protection; and
  • Communication with Command and Control (C2) servers through channels such as Twitter and blog posts.

If you go down the laundry list of controls necessary to prevent this type of attack (a security-savvy user, security awareness training, content filtering, anti-virus, patching, network filters, firewalls, etc.), the probability that one of those links in the chain is weak is pretty high. So visibility into what is going on in the network is critical to put the pieces together once that weak link snaps. There are two areas of visibility that need to be addressed here:

Visibility into your existing security data must be improved. Those bits and bytes in your security event well need to be cleansed as much as possible. Installing a filter before pumping that data into your well can definitely help improve the clarity, but for security purposes we need more and more data. So the first tenet of improving visibility is organizing the existing data and cleaning it up. The answer is not only gathering the right data but having an intelligent bucket to drop into that well to pull up specific bits and bytes when the need arises.

Visibility into the empty space between security technologies must be addressed. Whether you admit it or not, there are gaps between the technologies in your security infrastructure. Firewalls, IDS, anti-virus and all of the other technical controls are present to defend against known attack vectors and may be getting better at agile defense. However, there is always a gap in between technologies, such as the zero-day exploit that bypasses your signature-based anti-virus or the seemingly normal email from an internal account to a business partner.

We see evidence of these murky waters across the industry. Many security breaches are not identified until weeks after compromise. In many cases, companies are being notified of the breach by an external party (law enforcement, customer, partner, etc.). The fact that companies are being compromised to this extent, and that this is evident to OUTSIDE parties but not identified by internal teams, is disconcerting. The ability to sift through these murky waters is key to closing the gap between today’s security risks and tomorrow’s security organization. RSA’s portfolio of products is a good example of technologies that we see as necessary to sift for that clean data for security operations and fill those gaps. RSA Security Analytics is that intelligent data collector into which one can stream the bits and bytes to find the possible active threats. RSA ECAT’s ability to detect and respond to advanced malware helps fill a similar gap on the endpoint.

At both BlackHat and DefCon, I saw examples of blended attacks – combining complex technical exploits with tried and true social engineering – that will foil almost all preventive security systems. Note I said “will”, not “might”. The only true defense to these attack vectors is a blend of preventive (try to educate the user against social attack and/or block the technical exploit), detective (identify the execution of the attack) and corrective (quarantine and contain) controls. Managing security in some respects is all about intelligence: intel on the threats, intel on your own vulnerabilities, intel on the threat landscape; the more intel the better. While you can build higher and higher walls around your fortress, you still need to know the capabilities, nature and intentions of your foes. Higher walls do not protect against an adversary who likes to tunnel through the ground. Continual improvement of the visibility of your own inadequacies and your adversaries’ strengths has been a tenet of proper strategy since Sun Tzu was a toddler.

Steve Schlarman

Chasing the Curve

Posted by Steve Schlarman Employee Aug 8, 2013

When I was in school, one of the biggest topics of conversation around test time was the “Curve”. For some students, it was a blessing raising their probability of passing. For others, the Curve meant that their final grade may or may not be affected, so it didn’t impact their study habits. For those that were challenged in statistics, ‘grading on the curve’ was a mystery to begin with, so it meant nothing. There was a moment in almost all of our academic careers when this magical curve resulted in a passing grade in instances where we had failed to make the grade. Whether it was due to a late night football game, the school night date or a dog-ate-my-textbook incident, this enchanted thing called “the Curve” swooped in and saved the day by measuring us relative to everyone else taking the exam. We are facing a bit of a curve in the security industry these days. Unfortunately, this curve isn’t a lifesaver. In fact, this curve is a reflection of an industry facing a serious challenge. Evidenced by what I saw at BlackHat 2013 and DefCon 21 last week, we are faced with a series of hockey sticks rather than the smooth, attractive slope of a bell curve.


The impact of security breaches is sharply rising. I remember the old days where the ‘hacker’ stories included rigged radio show call-in contests, social engineering a conference room phone to be forwarded to dial outside lines, or merely a good old website defacement. Today, reports are breaking constantly of serious data incidents. Some reports say the number of breaches is down. Some reports say they are up. However, it is easy to see that the impacts of modern day security breaches are considerably higher than in the past given the regulatory fines, intellectual property loss and pure business damage we see today.


The breadth of computing surface (read “attack surface”) of a modern company is approaching infinity. We thought distributed computing was a challenge compared to the mainframe days. Today’s BYODs are just the tip of the iceberg as the perimeter and infrastructure dissolve into a mixture of growing internal infrastructures, cloud services, end user mobile devices and an app for everything.


The sophistication of adversaries is accelerating. This isn’t just a mild increase in velocity. It is more like a full open throttle on a Ferrari…with a CO2 thrust…going downhill…loaded with explosives…riding on a newly invented frictionless Star Wars-like Landspeeder suspension system. That may be a bit of an exaggeration and too fear-inducing, but the point is: it is a scary world out there.

I am not one to play the FUD (Fear, Uncertainty & Doubt) factor. I believe security professionals today make up a hardworking, passionate, talented community. But I cringe when I hear anecdotes from other security professionals of how a criminal element social engineered a key system administrator for months posing as an employment recruiter, even speaking with him on the phone at one point, just to spearphish him into compromising his machine.


Organizations have always been chasing the curve of security risk. It really hasn’t been a level playing field since the mainframe walls cracked and the data center door was opened up wider and wider. The good news is the security and technology industry has kept a continuous flow of innovations to keep that curve in check. Conscious efforts in improving computing platforms (Microsoft’s Trustworthy Computing effort, for instance) plus continuous advancements in security technology (think RSA) have combined to keep the gap arguably manageable historically, but not with today’s advanced threats.


My next series of blogs will focus on three areas that are necessary to keep that gap in check: Visibility, Context and Expertise. While it would be nice (although it would lead to poor job security) if the curve of security risk turned into a bell curve and began decreasing, the probability of this happening is essentially zero. Therefore, security professionals must think about how their strategies to manage the gap between the rapidly rising risk and their security control environment evolve. I know that the CEO and the board will not be willing to grade the security organization on a curve when that big data breach hits and the company’s name is front page news.
