Sunday, December 28, 2008

Cyber Security Debacle- Update on World Bank 'Unprecedented Crisis'

It’s been months of stonewalling and denials during a series of reports covering a variety of in-house World Bank scandals including (i) targeted cyber security attacks breaching their most sensitive financial data and (ii) corruption issues with sanctions against at least one supplier determined guilty of wrongdoing. The latest twist, a leading India-based information technology vendor, Satyam Computer Services was barred in February from all business with the bank for a period of eight years — the ban started in September.

Some highlights:

The World Bank provides financial and technical assistance to developing countries, governed by a board of 180+ member nations, with the mission “Working for a World Free of Poverty.”

  • "From 2003 through 2008, as FOX News reported, the World Bank paid Satyam hundreds of millions of dollars to write and maintain all the software used by the bank throughout its global information network, including its back-office operations. The engagement scope involved overseeing data that ranged from accounting and personnel records to trust funds administered for many of the world's richest nations."

  • "Satyam was straying badly across the bank's ethical warning lines. In 2005, the bank's chief information officer, Mohamed Muhsin, was ousted after being accused of improperly buying preferential stock options from Satyam, even as he awarded the firm major contracts. A top-secret investigation led to Muhsin being banned permanently from the bank in January 2007. But for reasons that remain unclear, Satyam was allowed to remain in control of the bank's information network until early October 2008."

  • According to reporting in October, World Bank employees were ordered to change their passwords three times over a three-month period in response to the attacks, which spanned somewhere between 18 and 40 servers across multiple hacks. According to the report, there were six major break-ins in the past year, and at least five servers containing sensitive data were exposed. Fox News obtained apparent internal e-mail messages regarding the attacks, characterizing a complicated series of events and the agency’s response to them.

  • "In a frantic midnight July 22nd e-mail to colleagues, the bank's senior technology manager Rakesh Asthana referred to the situation as an 'unprecedented crisis' and that 'the passwords that have been compromised may have accessed data.' An e-mail from July 10 explains that a minimum of 18 servers may have been compromised and that five of them contained sensitive data. Yet an Aug. 19 memo from the bank's CIO, Guy-Pierre De Poerck, downplays the severity of the situation. The staff memo says that controls on external Web sites have been tightened, that passwords have been reset, and that RSA SecurID tokens have been deployed for Web mail access. It concludes that 'there is no evidence that bank staff personal information is at risk from the recent external attempts.'"
    Editorial note: Guy-Pierre De Poerck no longer works at World Bank.

  • "It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software in April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July. In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007."

  • “It may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public."

  • Video Interview: World Bank Hack - FOXNews 10/10/2008

Some thoughts:

While this isn't your typical bank, banking and the financial sector as a whole are generally known to have much better cyber security than most sectors. It’s alarming that this situation dragged out for so long after surfacing internally.

Besides the alleged repeated CIO-level inside dealing by a gorilla-scale outsourcer, a more fundamental issue was the abdication by management in addressing information security risks. Having CIOs released from employment and named security leadership temporarily in charge will help. Perhaps large gaps in fundamental information security controls are now finally being addressed. Certainly a lack of programmatic incident handling preparations contributed to the problems before Fox News broke the story.

Before saying “It can’t happen here.”

How well developed is your incident handling program? What happens to you and your organization if or when you are breached by targeted attacks? What about your increasing exposure through outsourcing, and how is that risk being managed? How about robust enclaves for your critical systems? Do you really have defense in depth with graded, inside-out protective measures? Are there definitive, complementary, and auditable MOT controls, i.e., managerial, operational, and technical, in place for your more critical settings that clearly provide and support defense-in-depth capabilities, i.e., deny, detect, deter, recover? Who is watching the watchers? How is management being kept abreast of status? Are there regular, transparent reviews involving key internal stakeholders? Are there improvement planning cycles involving decision makers, and are the plans being completed and the results objectively reviewed?

- Think this could only happen in the financial sector?

What if emergent problems persisted and pulled you and your information security team deeper into the mix after repeated missteps? How do you ensure that your response is viewed as part of the solution and not increasingly part of the problem? What if your organizational leadership "ducks and covers" when pressed, providing a shifting story while investigative reporters eagerly pry out pieces of the truth and report it all?

- Are you just another easy mark?

Just how developed are your incident handling policy and procedures, with senior management support, for the day escalating cyber security problems really hit the fan?

- Still comfortable?

- World Bank Besieged By Hackers, Or Not, Information Week, 10/10/2008
- World Bank Removes Chief Information Officer, 11/27/2008
- World Bank Admits Top Tech Vendor Debarred for 8 Years, 12/24/2008

Sunday, December 7, 2008

Clock is Ticking for First Round of Pending Changes to NERC CIP Standards
- Comments due Jan 5th

Driven by the Cyber Standards Final Rule (FERC Order 706), the first revision to the NERC CIPs addressing cyber security requirements for bulk electric operations is out for review, with comments due by Jan 5th, 2009. This round of changes removes a significant amount of wiggle room based on "business judgement", requires explicit senior management approval of the risk methodology (not just critical asset lists), requires background checking to be completed before access is permitted (not in parallel), and tightens the timeframe requirement for addressing security issues, among other changes.
  • "Emphasis on Order 706 directive for NERC to address revisions to the CIP standards considering applicable feature of the NIST Security Risk Management Framework among other resources. "
  • While this process with the NERC CIPs may seem difficult, at least there is the benefit of continuity. Congressional testimony last year and this year raised serious questions about NERC's ability to be an effective ERO for FERC, with NERC's Aurora handling and arguably misleading testimony creating much of this pain; NERC is still not out of the woodshed. Last year's testimony also suggested getting rid of the CIPs and starting fresh based more on NIST standards, as recommended by Mr. Joe Weiss (jump to 2:12:50 for his opening comments in the video):
    - “The Cyber Threat to Control Systems: Stronger Regulations are Necessary to Secure the Electric Grid.” - Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Oct 17th, 2007 (video/submittals)
Better buckle up, this is just the first round of Order 706 driven changes.
  • "The SDT met on October 6–8, 2008 and because of the extensive scope and varying complexity of the issues and work in these revisions, the team decided on a multiphase approach for revising this set of standards. This posting of the cyber standards for industry comment only relates to Phase I of the project. "
- Cyber Security (Project 2008-06 Site) - The Cyber Security SDT posted its first draft of revised Cyber Security standards (CIP-002-1-CIP-009-1) for a 45-day public comment period starting November 21, 2008 and ending on January 5, 2009. Both clean and redline versions (zip files) are available for download and review.
- Revised NERC CIP standards out for 45 day comment period, Digital Bond 11/24/2008
- Cyber Standards Final Rule - FERC Order 706, NERC Workshop Presentation (informative 72 slides), 5/13/2008
- Drafted Changes Summary, NERC Comment Form

Saturday, November 22, 2008

My Top Cyber Security Sites
- Bookmark This!

Last Updated: 1-10-2010

Here's my developing list of top cyber security sites and podcasts with supporting rationale.

A. Situational Awareness:
  1. US-CERT: United States Computer Emergency Response Team
    This is the very first place I check every day for a quick take on relevant threatscape information - i.e. Current Activity and Alerts. Simple click to drill in on full listing of active national Technical Security Alerts, Bulletins, Vulnerabilities, etc. Clean, well organized site with great coverage of a number of key cyber security topics.
  2. DHS Daily Open Source Infrastructure Report
    A must read, great source of daily critical infrastructure protection related news organized by sectors and key assets as defined by the National Infrastructure Protection Plan with linked open source references. e.g. Energy, Nuclear Reactors, Government Facilities, Information Technology, Communications, etc.
  3. SANS Internet Storm Center- Handler's Diary
    Especially useful for developing situations- these are the folks that go deep into nitty-gritty details addressing the latest Internet security problems.
B. Program Development:

  1. Resource site for CISOs, CSOs, and security professionals.
    Metrics, tools, opinions, and most importantly access to CISOs, CSOs, experts, and other professionals in the field of security. Shares information, ideas, tips, and techniques for addressing security issues faced by today's professional. Content is free; however, some areas require a registration logon for access. Their latest book goes beyond program-centered engagement specifics to provide a deeper understanding of what it takes for longer-term results. It explains and underscores what really matters in organizations to ensure security programs, regardless of the budget and expertise applied to form them up, do not devolve as many do, like an ice sculpture melting into a useless puddle while internal areas look on. Recommended reading: CISO Soft Skills: Securing Organizations Impaired by Employee Politics, Apathy, and Intolerant Perspectives
  2. Security Manager's Journal - ComputerWorld
    Since 2002, a regular series of timely security manager articles addressing real-world situations very similar to a number of challenges many organizations face. The specific companies and assorted ghostwriters remain anonymous to help protect sources while readers gain insight from often entertaining real-world hard knocks. Think your job is tough?
  3. CSO Online - Security and Risk
    A sister publication of CIO Magazine, this is the primary trade magazine many follow with the latest enterprise views: headlines, data protection, identity & access, business continuity, physical security, leadership, and some solid blogs.
  4. NIST, Computer Security Division, Computer Security Resource Center
    The regulatory trajectory is promising to get more "NISTy" for critical infrastructure organizations, and this site provides a front door to the National Institute of Standards and Technology's well-regarded Special Publications, related FIPS requirements, and drafts organized by topic clusters, etc. A great complement to an overall framework.
  5. CERT's Podcast Series: Security for Business Leaders
    Robust cyber security is increasingly a non-negotiable requirement for organizations. Moving corporate culture forward by cooking security in poses challenges that must be overcome. CERT has a well-done podcast series addressing key principles and strategies: Governing for Enterprise Security, Measuring Security, Privacy, Risk Management and Resilience, Security Educations and Training, Threats, Trends and Lessons Learned, Tips from the Trenches.
C. Perspectives and Professional Development:
  1. KrebsonSecurity: In-depth security news and investigation.
    Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog, as well as hundreds of stories for and The Washington Post newspaper, including eight front-page stories in the dead-tree edition and a Post Magazine cover piece on botnet operators.
  2. Digital Bond: Control System Security Research and Consulting
    Digital Bond is a control system security research and consulting practice. They have years of security experience from the National Security Agency (NSA), National Labs, large asset owners and leading security equipment providers. Resources include the well-maintained blog, a monthly podcast with industry expertise, presentations, annual "S4" research conference proceedings, research, and a solid SCADApedia reference.
  3. Risky Business Podcast with Patrick Gray
    Excellent latest news coverage and regularly featured interviews all professionally done. Great, timely coverage of hot security topics from the experts closest to the action- all done in a way to help ensure those listening are entertained and gain valuable perspective.
  4. Manager Tools Podcasts
    Want to become a more effective leader and manager? This weekly podcast helps with fresh tools and easy techniques for real-world settings that go beyond theory into specific actions that can be used right away to improve your performance. A key set of "the basics" provide a strong starting point you can immediately apply and build on!
Helpful input welcome.

Sunday, November 2, 2008

FTC Will Delay 'Red Flags' Rule Enforcement for Six Months

Some Good News on FACTA!
Looks like a number of utilities will get a break in enforcement action, with the FTC granting a six-month delay. However, this reprieve is just for FTC enforcement, and won't affect other federal agencies' enforcement of the original Nov 1, 2008 deadline.

>FTC Will Grant Six-Month Delay of Enforcement Action , FTC Announcement
>More on FACTA (Fair and Accurate Credit Transactions Act) - Wikipedia Overview/Links

Sunday, October 26, 2008

Microsoft Emergency Security Update (Ouch)
- Can't Patch Control Systems?
- Sockstress TCP Vulnerability Issues Next?

On Thursday 10/23, Microsoft spiced up our lives with an emergency security update (i.e. Microsoft Security Bulletin MS08-067 – Critical) to address a “wormable” vulnerability in the “Server” service, exploitable via remote procedure calls (RPC) over the network. Similar to Blaster, unmitigated vulnerable machines can be directly attacked at the network level and immediately, completely compromised. This particular problem is also extremely exploitable once understood; security firm Immunity was able to craft a working exploit within two hours after the release of the security fix.

Don’t Neglect Control Systems, especially Critical Infrastructure. While many business network environments are going through the test and deployment process (not without some problems, e.g. some reported breakage of IPSEC), there’s also a need to be thinking about critical infrastructure as it increasingly depends on Microsoft-based solutions. These types of problems underscore how the network environment and its management infrastructure are such an important and fundamental starting point for establishing and sustaining a defined, effective, defense-in-depth security posture. Many may assume that the environments are well separated by definition; however, when you don’t get the control system network right (or at least sufficient), it undermines everything else being done in the name of security.

Beyond layered network segmentation with strict boundary communication controls as a vital starting point, basics that are increasingly expected include protective network chokepoints (firewalls, gateways, etc), and secure information transfer facilities (DMZs, Data Diodes, NIPS, etc). Other important steps often overlooked include basics such as server system hardening and endpoint protection measures (e.g. AV, HIPS, white listing, etc). As more is done in the name of security, the solutions themselves need to be managed and protected in a scalable manner- perhaps with a distinct network security management environment- also with commensurate protection.

Having well-formed mitigations in place in control system settings will help directly address risks from emergent security problems such as this and put you in a good position when facing related regulatory scrutiny. Typical business network environments are strikingly different: often quite porous and flat, with less definitive countermeasures, and therefore pressing forward with patches and security updates on a regular basis across a substantial IT footprint. These are very different environments suited only for very specific, understood and controlled interactions; having solid network security controls between the two environments is an essential part of a well-articulated cyber security architecture.

More- DHS Control Systems Security Program, Idaho National Laboratory offers the following tools:

What's Next- Sockstress Issues? How about the long-standing weaknesses involving TCP network stack vulnerabilities recently gaining attention as "Sockstress", which can be exploited to cause reachable systems to lock up (denial of service, DoS)? Indications are that even an attack at one packet per second can take systems down, e.g. over dialup Internet. Because this is a state-based attack, spoofed packets can't be used, but even small bot farms are sufficient to carry this attack out.
> Vendors fixing bug that could crash Internet systems Computerworld, Norway - Oct 2, 2008
> SecurityNow! Episode 164: Sockstress - Oct 2, 2008

Tuesday, October 21, 2008

Cyber Security Awareness Month In Full Force
-Threats to Security Never Sleep!

Every year my group helps support a company-wide awareness campaign that coincides with National Cyber Security Awareness Month. Videos, games, posters, online questions and answers... and of course booty with some great top prizes (iPods, a security system, etc). Yes, enthusiasm isn't enough; folks need to engage and submit correct answers to be in the drawings. As for the goodies being drawn, we continue to get much of it just for the asking from our suppliers ahead of the event (explaining our internal campaign and asking "would they like to help us out", etc), no strings.

Nationally, many "free" resources continue to be developed by non-profits and governmental sources. Some of the best of these online sources follow and are worth taking note of as this month winds down.

> National Cyber Security Alliance
Top 8 Cyber Security Practices

  1. Protect your personal information. It's valuable.
  2. Know who you're dealing with online.
  3. Use anti-virus software, a firewall, and anti-spyware software to help keep your computer safe and secure.
  4. Be sure to set up your operating system and Web browser software properly, and update them regularly.
  5. Use strong passwords or strong authentication technology to help protect your personal information.
  6. Back up important files.
  7. Learn what to do if something goes wrong.
  8. Protect your children online.
> EDUCAUSE's Online Cyber Resource Kit

> MS-ISAC Multi-State Information Sharing and Analysis Center
- webcast, Cyber Security Tool Kit, etc.

- more information, pamphlets, etc

Saturday, October 18, 2008

Neat DHS/NCSD Cyber Security Vulnerability Assessment Tool (CSVA) + CS2SAT

Last updated 8-2-2009
DHS’s National Cyber Security Division (NCSD) has been working for some time to develop an objective, comprehensive cyber security vulnerability assessment (CSVA) tool, revving through Betas. Using a simplified methodology, the CSVA aims to quickly assess an organization, facility or system’s cyber vulnerabilities and recommend options, with extensive helpful explanations and examples. Critical infrastructure sectors are encouraged by DHS to use this tool to analyze their cybersecurity posture.

I recently got my hands on and fired up CSVA BETA 5 - some thoughts:

  • Best if performed with prepared team and good facilitation. Cyber security knowledgeable folks familiar with the assessment environment can get a running, upfront start.
  • An initial determination is made regarding whether a Business Network or a Control System is being assessed, and the approach is adjusted accordingly- very good!
  • Truth over harmony needed here folks - some questions are combination issues and not all the answers to pick from fit well. Pick the most conservative answers and capture views in comments to get through the process.
  • Credibility bolstered in assessment process with a virtual informed third-party (DHS/NCSD) cooked in.
  • Can save assessment, go back and make adjustments for what ifs or actual improvements and see results.
  • Strives to leverage concepts from recognized cybersecurity standards and guidance- e.g. ISO, COBIT, NIST, etc
  • Offers a great benefit-to-effort ratio. Being "free" helps too!

Bottom line. The CSVA journey is a short, easy trip and the results are well worth it. The tool offers a solid approach to further develop shared understanding of cybersecurity posture with various stakeholders, to build on and prioritize improvements. For more information or a copy of the tool, contact the Critical Infrastructure Protection / Cyber Security Program within the DHS National Cyber Security Division at
Next- the CS2SAT.
For those needing to go beyond the CSVA’s high-level approach and focus on more specific risk particulars, factoring in consequences, network topology, requirements, etc., there’s the Control System Cyber Security Self Assessment Tool (CS2SAT). I haven't looked at it yet but plan to give it a whirl at some point; list pricing (e.g., $1800) is waived ("free") for many energy organizations.

Update 8-2-2009 - Per DHS, the CSVA will be integrated into upcoming versions of the CS2SAT. The latest Version 2 of the CS2SAT is now specifically configurable to address NERC CIP, SANS, etc. for assessment activities. It works a lot like the CSVA, but is focused on the control system space for now (until the CSVA is transitioned). DHS is very committed to the CS2SAT approach; it is given freely at the one-day Industrial Control System cyber security courses, which are worth checking out.

Sunday, September 14, 2008

Protecting the Electric Grid from Cyber-Security Threats

On Thursday 9/11/08, the Subcommittee on Energy and Air Quality (of the Committee on Energy and Commerce) held a hearing on the state of Cyber Security with respect to the electric grid. FERC, NERC, and APPA were represented. The focus is taking drafted legislation forward to provide FERC more cyber security emergency authority to address new and often rapidly developing cyber security risks.

Protecting the Electric Grid from Cyber-Security Threats
Subcommittee on Energy and Air Quality
Committee on Energy and Commerce
- 9/11/2008 testimony, audio, and drafted legislation

CSPAN Video now available (requires Realmedia player)

Opening comments emphasized views that the risk is increasing, with at least twenty incidents of cyber security problems impacting electric system service. There’s a strong concern about addressing underlying control systems, vital to reliable service, given growing risk with increasing interconnectivity and use of widely available technology. The risk picture will continue to develop with the trends toward Smart Grid and other control-system-dependent technology developments.

FERC Interviews. Testimony emphasized FERC findings from interviews with 30 utilities – including particular actions taken to address NERC voluntary Aurora Vulnerability advisory in 2007:

  • Of the 30, seven were viewed as in full compliance with the advisory.
  • All took some steps - one was still using all default passwords, another had a 10 year plan.
  • Only 2 went far enough to fully address the Aurora vulnerability.
  • A number of organizations shrunk scope too small - not sufficiently addressing critical assets/facilities that can affect the bulk electric system.
  • Cost estimates addressing the Aurora Vulnerability were not gathered in the process- but viewed as important by the committee with FERC in agreement- more relevant going forward.

The conclusion- self-interest alone is not sufficient for most utilities to take appropriate actions to specifically address the Aurora Vulnerability. This situation is fueling strong congressional concerns about how well the regulators and utilities are addressing overall cyber security risk.

Existing FERC/NERC regulatory mechanisms are viewed as insufficient, either lacking enforcement strength (e.g. voluntary NERC Advisories) or taking too long under the Section 215 process. APPA emphasized cooperation with FERC staff in developing drafted legislation giving DOE/FERC emergency order-making powers to address cyber security issues, with still a few remaining points in disagreement.

Sunday, July 6, 2008

OWASP - Ira Winkler & Jeremy Poteet Videos

From time to time, I come across some gems; in particular, the second video available at the link below helps provide some solid perspective on the growing challenges with application security. While many firms don't face the extreme dynamics and poll-changing stakes associated with a national political campaign's web site, utility organizations often have legacy systems that are at increasing risk from the same sort of evolving threats.

Also, to give Ira Winkler some credit after bashing his utility sector remarks, his presentation below on organizational security, including risk and how people are a very key element in a security program, is spot on. Focusing more on applications, the second presentation below provides some great insights into defense in depth strategies with some real-world perspective.

(1) Index 00:00:00 - Secrets of Superspies- Ira Winkler
(2) Index 01:01:00 - In the Line of Fire: Defending Highly Visible Targets - Jeremy Poteet
Google Video Link (122 min - Oct 13, 2006)

More: Open Web Application Security Project (OWASP) -


Monday, May 26, 2008

GAO Report Rips TVA at “Implications of Cyber Vulnerabilities on the Resiliency and Security of the Electric Grid” Hearing

Scathing GAO testimony/findings from GAO's assessment of TVA cyber security should be of special interest to many electric utility organizations. TVA issues cited included problems stemming from the lack of a corporate-level cyber security program, significant security posture weaknesses, and unevenness across both operational and corporate network settings. TVA’s COO (William R. McCollum, Jr.) reported significant focus and progress in addressing all of these, with a strong commitment to continue improving.

The hearing is available for viewing (~90m) at C-SPAN Video Library: Security of the Electric Grid - May 21, 2008 (updated 1/23/2011)

In my opinion, looking hard at referenced NIST standards to further address specific cyber security topic areas makes sense for the NERC CIPs, as does looking at broader information security frameworks to help scope and tailor well-governed corporate-level programs based on recognized frameworks, e.g. ISO 17799:2005, COBIT, etc.

Anyone with a stake in cyber securing critical infrastructure will benefit from reviewing the hearing and a close study of the 62-page May 2008 GAO report "Information Security- TVA Needs to Address Weaknesses in Control Systems and Networks".


Sunday, May 18, 2008

Ira Winkler - love him, hate him- he's making headlines..

  • Experts hack power grid in no time - Network World
    Apr 9, 2008 ... "We had to shut down within hours," Winkler says... "

    Press releases around Ira Winkler's assertions regarding how easy it remains to hack from the Internet into the deepest parts of electric utility critical infrastructure have caught the attention of media, regulators, senior utility management, and security professionals. While Ira's comments go over the top in my opinion when it comes to nuclear reactors and are more centered on distributed SCADA, he is a practitioner that doesn't pull punches.

    (1) RSA 2008 - Ira Winkler (ISAG) (7m). Was able to get to nuclear controls - that should have no business network connectivity? Also no "off switch for nuclear" (rant- WTH is he talking about... how about the "off" switch provided by independent safety systems and SCRAM functions??).

    Would you hire Ira to do your next organizational penetration testing? Please comment and/or vote.


Given all the excellent podcasts and blogs around information assurance, aka cyber security, you may wonder why yet another security blog? For me, this is a commitment to periodically post my musings and more serious thoughts related to security, with a focus on critical infrastructure topics. Those that are interested in the topics or in sharing related views are welcome and encouraged to contribute in a reasonably civil manner; I'll work to hold myself to a similar standard.