Wednesday, December 30, 2015

The Size and Scope of Data Breaches in 2015 (Bromium)

Last year was a pretty big year for data breaches, and 2015 has not been much different. Online retailers used to be the big target, but this year we've seen breaches across many different sectors, including insurance, many health companies and even governments. These targets carry even more of our personal data than retailers did. Awareness of security issues is higher than ever, with people putting more effort into protecting their data. However, according to studies, the cost per stolen record has still managed to increase by 6% this year, to an average cost of $154 per stolen record. Companies like Uber, Experian, Anthem, Premera and even the IRS had data breaches. Check out this graphic from Bromium to see the size and extent of breaches in 2015.

Tuesday, December 29, 2015

Call for Security Authors! No Prior Writing Experience Needed!

Over the course of the next year, I’d like to publish a few small booklets on recurring themes we’ve seen year over year in the security industry. What I’d like to do is have these booklets broken down into chapters, with people within the security industry adding the real-world material and insights. There is really nothing better than having those working in the trenches each day guide the way the booklets are written. There are so many people out there who don’t have a way to share what they’re learning and doing each day, and hopefully this can allow them to share their experience. By doing so, we all benefit.

Within each topic I’d like to include multiple chapters. Each topic will be somewhat different, but what I’m aiming at is education on the topic itself. The granularity of the information for each topic will vary, but we should attempt to hit on the following main themes for each subject:

Booklet Themes
  • Review of the topic
  • Why it’s a recurring topic
  • Advice with solutions
  • Tricks of the trade
  • Improvements

At this time I’m proposing the following six topics to start with, since advice on them is in great demand both when looking to resolve an issue and when proactively looking to improve your security posture. I’d like these booklets to serve as a guide for people creating better security around the topics being written on. These won’t be vendor slicks trying to sell a product, but something valuable that can be taken without bias. This, in my opinion, is more valuable. Also, this is a first stab at the topics; if you have others you think should be on the list, please let me know. We’re flexible.

  • Incident Response
  • DDoS
  • Deception in Depth
  • Security Monitoring
  • Phishing
  • Application Security

If you have experience in any of these areas and want to submit some content on the topics, please contact me at the email below. Once we get enough authors signed up, we’ll start breaking down the themes of the topics in more detail. These booklets aren’t being sold and would hopefully be put under a Creative Commons licensing approach, where others can share and add to them freely while giving credit to those who worked on them.

If you’re interested, please contact me at

Monday, December 28, 2015

Cyber Security 2015 Reflections - Another Year Gone By

Here are some cyber security reflections I've written for Algosec as the year comes to a close, along with a few things we're forecasting for the new year to come.

Wednesday, December 23, 2015

Another Example of Why Governments Should Exit the Encryption Debate (The Juniper Debacle)

With the recent revelation of the Juniper backdoor vulnerability, it raises the question of why we should “let” the government put purposeful backdoors into our products. Apple has been very vocal about why they won’t be bullied by the government into allowing this type of behavior, and about how the privacy of their users’ data is paramount. With the recent terror attacks in Paris and other places in the world, governments everywhere, the U.S. and U.K. being the loudest, are attempting to use fear to push their agendas. This isn’t news anywhere. We know they’re looking to create backdoors into our encryption, and it’s for that very reason that we have the Juniper scandal today.

In a recent article, WIRED magazine explains that the backdoor was made possible by the DUAL_EC_DRBG encryption algorithm, which was purposely created by the NSA to decrypt data surreptitiously. This was always suspected while the protocol was under review, but it was eventually pushed into a NIST standard as one of the recommended encryption protocols at the time. It’s been reported that this was part of the NSA’s operation BULLRUN, which was created to break encryption for monitoring targets and which had a yearly budget of nearly $250 million to do so. Even more concerning is that the NSA purportedly paid RSA the sum of $10 million to include this algorithm in their product. RSA has since said that they were unaware of this at the time, but it’s still highly suspicious.

This being said, governments have already been accessing our systems, either in cooperation with technology vendors or by illegally circumventing vendors’ technology to gather the data they’re looking to collect. So why should we trust them to be more responsible by allowing them to put holes into products that we use every day? What have they done in the past to earn this respect and trust? They don’t have our confidence to play within the rules, so what makes them think we’d be willing to be taken by the hand and walked down a path we'll eventually regret? The problems they’re creating (look at Stuxnet and DUAL_EC_DRBG) discredit them from being taken seriously. Also, it’s overreaching to start invoking the terrorist attacks in Paris, where the attackers didn’t use encrypted channels for communications, or the terrorist attacks in San Bernardino, where the attackers made public Facebook announcements alerting others to their actions. Both of these attacks’ communications were in cleartext, and neither attack was stopped. This might be somewhat far-fetched on my part, but if you want all the encrypted information now, start by stopping the things that happen in the clear first.

What many of these governments aren’t considering is that they’re making your device less secure and more vulnerable to eventual attack by someone else. I understand they want to have a separate key that would only allow them to access the data when needed, which is still scary. But just like Dr. Ian Malcolm said in Jurassic Park, “Life, uh... finds a way,” and it’s possible that the vulnerability/hole you created for yourself will be abused by others: that this hole will be used to spy on you, or that even more malicious actors will use a similar method to abuse the access that was blown open to “protect” people. I can’t see any concrete reasons, or past examples, that dramatically tilt the argument in the government's favor when it comes to us giving up our privacy. So the latest backdoor issue we've seen come to light with Juniper, all due to the NSA making a hole that shouldn't have been there to begin with, is yet another example of why the government should remove themselves from this debate completely. They don't have a track record of being responsible with this type of access, and we don't want to give it to them.

Monday, December 21, 2015

Shop Safe This Holiday Season

With the holiday shopping season in full swing, many shoppers are deciding to skip the long lines and instead make their purchases from the convenience of their mobile device. Did you know that nearly 53% of online purchases during last year's holiday season were made from a smartphone or tablet? This number is expected to grow even higher, making mobile shoppers a major target for cybercriminals. It's more important now than ever to fully understand how to stay safe when shopping from a mobile device or online. #ShopSafe.

Thursday, December 17, 2015

What's on Your InfoSec Wishlist?

I was recently asked the following question by Tripwire: “If you had one wish for the infosec community this holiday season, what would it be and why?” This is a very loaded question, to be honest, since there are so many things on my wishlist, but there's one area I'm particularly passionate about that I think we should be doing more of next year. Here's my wishlist item, along with those of many other information security professionals, on what we'd like to see the community start doing this new year.