Monday, October 16, 2017

Open Letter to Congressman Tom Graves on the “Active Cyber Defense Certainty Act”

To the Honorable Tom Graves:

In November of 2015 I was invited to the now retired Congressman Steve Israel’s Cyber Consortium to participate with other security professionals in the community to discuss cyber security related issues affecting both our organizations and communities. During this meeting you were invited to speak about your thoughts on cyber security, the issues you’re dealing with in Congress and your approval for the CISA bill. After listening to you describe your concerns over the OPM breach I noticed how seriously you took the issue of cyber security. I didn’t personally agree with some of the stances taken in the room, but you don’t have to agree on everything to initiate progress. I applaud your dedication and attention to cyber security and will continue to be interested in your thoughts; even if we might have differing opinions. With this being said, I have concerns with your latest bill being proposed to Congress: The “Active Cyber Defense Certainty Act”.

Each time I see someone propose reform to the “Computer Fraud and Abuse Act” it peaks my interest. Evolving our laws with the ever-changing cyber industry is both needed and incredibly difficult to accomplish and I appreciate your effort to modernize them. With that in mind, I’m concerned that the newly proposed ACDC bill crosses some boundaries I’d like to bring to your attention.

As you’re most likely aware many of the cyber incidents occurring are being launched from systems that criminals have already compromised and being using as a guise for their attacks. This essentially could end up being an attacker proxied through multiple systems throughout various countries with the face of the attack showing as an innocent bystander. By getting the approval to perform a “hack back” against this entity puts this unknowing victim in the middle of a complicated and intrusive scenario. Not only are they already compromised by a malicious entity, but they’re now being legally attacked by others that have assumed have done them harm. Congressmen Graves, these devices could end up being systems used to assist with our economies growth, hold personal records that could affect the privacy of our citizen’s data or may even be used with aiding our healthcare industry. The collateral damage that could occur from hack backs is unknown and risky. Essentially, if someone determines they were compromised by a system in the United States and they start the process of hacking back the system owners might notice the attack and start the process of hacking them back. This in turn could create a perpetual hacking battle that wasn’t even started by the actors involved. This method will in theory cause disarray all over the internet with a system being unknowingly used as a front by a criminal to start a hacking war between two innocent organizations.
To interrupt these systems without oversight is dangerous for us all. In reading through the bill I noticed that these cyber defense techniques should only be used by “qualified defenders with a high degree of confidence of attribution”. From this statement, what qualifications does a defender have to hold before they attempt to hack-back? Also, what constitutes a high level of attribution? Seeing this bill is only focused towards American jurisdiction I personally feel attackers will bypass this threat by using foreign fronts to launch their attacks to get around being “hacked back”. This somewhat limits the bills effectiveness as it’s currently written. By being able to track, launch code or use beaconing technology to assist with attribution of the attack is dangerous to our privacy. I agree that this is an issue, one that needs to be dealt with, but it should be dealt with via the hands of law enforcement directly, not the citizens themselves. I’ve read the requirements where the FBI’s National Cyber Investigative Joint Task Force will first review the incident before the “hack back” can occur and offers a certain level of oversight to the incident, but I don’t think there’s enough. I understand the resource requirements within the FBI are stretched, but leaving this in hands of those affected by the breach allows emotions to get involved. This is one reason why we call the police if there’s a dispute in our local communities. They’re trained, have a third party perspective and attempt not to make it personal. I feel that there will be carelessness on the part of those hacking back and this emotion could lead towards carelessness and neglect that will bring upon greater damage.

Lastly, the technology is always changing and being able to get confident attribution is incredibly difficult. If an attack was seen from a particular public IP address it’s possible that the NAT’d (Network Address Translation) source is shielding multiple other internal addresses. By attacking this address it will give no attribution as to where the data or attacks might actually be sourced. Also, with the fluid environment of cloud based systems a malicious actor can launch an attack from a public CSP (cloud service provider) that would quickly remove attribution as to where the source was occurring. I noticed the language within the bill referencing “types of tools and techniques that defenders can use” to assist with hacking back. Will there be an approved tool and technique listing that the active defenders be required to use that stay within the boundaries of this law? Or will active defenders be able to use the tools of their choice? Depending on the tools and how they’re used they could cause unexpected damage to these systems being “hacked back”. Lastly, there’s mention about removing the stolen data if found and I’m concerned defenders will not be as efficient with this data deletion and could cause major damage to systems hosting other applications or systems legitimately. Deleting this data at times could become an issue with investigations, forensics and might not solve the issue long term. This stolen data is digital and just because it’s deleted in one place doesn’t mean it’s been removed permanently.

Congressman Graves, I respect what you’re doing for our country, but I’m concerned with the methods in place to protect the privacy of the data and systems being actively hacked by defenders. I’m anxious about the overzealous vigilantism that might be implied by defenders looking to defend themselves, their systems or their stolen data. You’re an outside the box thinker and passionate about the protection of our country, I love that, but the methods in place could essentially cause more harm than good as the bill is currently written. I personally implore you to reconsider the actions of having a nation of defenders actively attempting to restore their data from sources that were most likely being used without their consent. The unintended privacy consequences, destruction of systems and even life are too important not to mention. If I could have advise in any way it would be to have our country start focusing on the fundamentals of cyber security before they start writing licenses to hack.
Thank you for your service and your continued efforts to protect our nation from future cyber events.


Matthew Pascucci

Monday, September 11, 2017

The Equifax breach - Now what?

By now we’re all probably very aware of the massive Equifax hack that exposed 143 million American's social security numbers, birth dates, addresses and drivers’ licenses. There was also a small subset of credit cards and personal identifying documents released with limited personal information to an uncertain amount of Canadian and UK citizens being accessed as well. According to a statement released by Equifax the breach occurred from mid-May through July 2017. They discovered the breach on July 29th, which means attackers were actively working well over a month, if not more, at exhilarating this treasure trove of data. Equifax also stated that criminals exploited a vulnerability in their web application to gain access to sensitive data as the means of compromising their site

Here are a few of my thoughts on the Equifax breach:

Also, here's my bald head on CBS news talking about it:

Thursday, September 7, 2017

How do network management systems simplify security?

Today, many network management systems aim to increase visibility into the network and focus more on security. Since security is often left to the administrators of each department, having additional security built in to tools is becoming common.

Network management systems that provide security insight are useful tools for your networking team. However, there are a few things to consider before implementing one.

From a security perspective, monitoring a network is important because, as all data has to run through it, it's a good place to look for anomalies and incidents. There has also been a shift in the security field to make behavior analysis the norm when monitoring for malicious activity.

There are other things to look for in network management systems that help administrators detect threats within the data, and that's with performance. If you're able to gauge the performance of your equipment or applications, then you're more able to detect incidents that cause loads on the systems based off the thresholds for which they're configured. This would also include the bandwidth usage of systems that might experience slowdowns due to distributed denial-of-service attacks or a worm outbreak within the network. Read more of my article at the link below:

How can enterprises secure encrypted traffic from cloud applications?

With many applications being utilized in a SaaS model, it's important to encrypt the traffic between end users and applications. When personal and sensitive data is transferred, processed or stored off local premises, the connections between these points need to be secured.

Many large websites default to SSL/TLS, increasing the encrypted traffic on the internet. This is a plus for data security, but malicious actors can and do take advantage of this encryption with their malware, spoofing and C2 servers. With organizations like Let's Encrypt and Amazon Web Services, attackers use these flexible, well-designed and inexpensive technologies for malicious purposes. It's for this reason that enterprises need to make monitoring of encrypted traffic and decryption appliances mandatory in networks.

The recent increase in SSL/TLS traffic within networks is cause for both delight and concern. The security community has seen the need for encryption, but so have malicious actors. From a network security standpoint, it's important to be cautious when dealing with encrypted traffic. Its use is only going to grow from here, and the majority of internet traffic will move toward end-to-end encryption. Read more of my article at the below link:

Should an enterprise BYOD strategy allow the use of Gmail?

Creating separate accounts for business use on a third-party platform can be risky, but it depends on the context.

Google offers organizations the ability to host their mail on its platform, and it also offers additional features to manage these accounts -- though these features are not part of Google's free service. There are privacy concerns regarding enterprise use of Google business accounts, but organizations that have their employees use personal Gmail accounts for business purposes is a separate matter.

This enterprise BYOD strategy is a risky idea. Using a free service outside of the organization's control and making it the recommended communication method is dangerous. The organization will have no control over the data being sent or the security policy wrapped around the communications. There is no data loss prevention applied to what's being sent, there's no web filtering or antiphishing protection, and the forensic data and logging of the email are lost.

Essentially, creating a separate personal account as part of an enterprise BYOD strategy actually severely limits BYOD security, and organizations should avoid doing it.

What should you do when third-party compliance is failing?

The security of your data being held, processed or transmitted by a third party is always a security risk. Essentially, you have to trust an organization other than your own with the security and care of your data.

The third party or business partner could perform security up to or even beyond your standards, but there's always the possibility for negligence. If there's even the slightest concern that a third party is being careless with the security of your organization's data, you should act immediately.

Before giving your data to a third party or business partner, there should be a thorough review of the partner and how it performs security. This can include security questionnaires, on-site visits, audits of the third party's environment and a review of its regulatory certifications. Vendor management has become one of the largest areas of concern when it comes to data governance, and it's a growing risk if due diligence isn't done upfront. Read more of my article at the link below:

Friday, September 1, 2017

Security Researchers and Responsible Vulnerability Disclosure

I was asked to comment on the following article regarding responsible disclosure of vulnerabilities by security researchers. This is a debate that's recently been resurrected over the past couple months. In my opinion there's work to be done on both sides. Below is article I was quoted on regarding the subject: