Getting Back To New Normal and Good Security Hygiene

Today at work we were working with some clients who still had some very old, and insecure, authentication methods in their networks. Methods that could enable a malicious person to take over their entire Active Directory domain in a matter of minutes. Fortunately these clients are taking action to fix the problem and while they are doing that, they have my company actively protecting them. But it highlights how security hygiene in the new normal has to change.

This led me to back to thinking about the new normal again. Things are changing rapidly and continuously, as we all know. And in getting back to normal, that is not going to change. That is one of the aspects of getting back to normal that is here to stay. So, we see things like the Exchange Server attacks by Hafnium (a Chinese threat actor) that we learned about in February, 2021, or the Solarwinds attack that we first learned of in December, 2020. These things are going to continue to happen. And faster, more rapidly than ever before.

Side note: In the Solarwinds attack, 18,000 entities globally were vulnerable. But only 10% or so were actually breached by malicious actors. In the Exchange Server breaches, over 70,000 entities were vulnerable and it appears that 30,000, or so, were breached by malicious actors. The changes in magnitude are quickly exploding.

At the same time, so is the change in our own networks, applications, and infrastructure supporting our schools, governments, companies, and homes. Over the last 12 months we have seen organizations move ALL of their data and applications to cloud computing, whether to something like Amazon Web Services or to Software as a Service like Sales Force or to Storage as a Service like Dropbox. They are moving, or have entirely moved, their traditional network infrastructure (authentication, file services, email, office productivity) to the cloud as well: Google Drive, Microsoft Azure, Apple iCloud have all been great beneficiaries of this. Many of these organizations are maintaining crazy hybrid environments. All in a quest to support their business that is seeking to survive this insane time we are going through.

But all of this leads us to how do we, security professionals, deal with the inevitable problems that this is going to introduce in to our networks. Unpatched systems, poorly configured authentication, new vulnerabilities, and more. How do we deal with the cyber hygiene problems?

I’m going to suggest that now is the time for even more of the basics than ever before. Every vendor under the sun is going to try and sell you some miraculous tool to solve your problems. It will be magical for the low, low price of just XXXX. And I’m going to tell you that your first instinct should not to be to buy some magic silver bullet. We’ve been chasing the silver bullet in security for decades now. If that was going to work, wouldn’t it have worked already?

What I can tell you from decades in the business, as both a practitioner and a vendor, is that the organizations that solve the basics are the ones that do the best when confronted by security challenges.

But, just like everything else about Getting Back To Normal, there are going to be changes you need to make to the basics. You have to patch faster. You have to look deeper into your environment. You have to connect on-prem and cloud systems better. You need more resiliency in your defensive layers. And, most importantly, you have to figure out how to detect and respond to bad things much faster.

If you do, your organization stands a chance in the new normal.  

Posted in InfoSec, Pandemic, Security | Tagged , , , | Comments Off on Getting Back To New Normal and Good Security Hygiene

Back to Normal

Yesterday I was thinking about this whole “back to normal” thing that we are now experiencing. You know, COVID-19 vaccinations, and herd immunity, re-opening the economy and institutions, all of the things that are happening around us right now after over 12 months of a very decidedly not normal world. Public schools in WA state are beginning full in person education next week. I just bought tickets to a Mariners baseball game. Life is heading back to normal.

And that really means all sorts of things. We are going to see people returning to working in offices, children back in schools, bars open, regular travel again.

However, the world changed dramatically 12 months ago. Businesses transitioned to a completely remote work force and no travel. Schools moved to online education. Bars are allowed to send you cocktails via Uber Eats. The genie of a modern, networked, computerized world is well and truly out of the bottle. In our desire to “get back to normal”, we haven’t realized that there is no going back. You can’t stuff the genie back in the bottle.

And this new world is going to be difficult and challenging, fast paced, and ever changing. March 11, 2020 is as much a world changing day in the history of the world as November 11, 1918 or September 11, 2001 or August 6, 1945.

I will be seeing the Mariners play baseball in person, working from home, supporting clients globally, and traveling somewhere this summer with my family. And perhaps all of that explains my thinking in joining Milton Security a few weeks ago. I had literally left my previous employer just a few days prior. In the past, I’d always taken a little while to figure out what is next, what I want to do, where I want to go. This time, though, it happened very quickly, just a couple days.

And that is part of this “new normal”. Things change. Rapidly. You have to adjust and adapt just as quickly. An opportunity to do really great things in this brave new world popped up and I jumped on it. A company by veterans, dedicated to supporting veterans, and committed to the mission of protecting clients. What could be better?

So, here I am …. and yes, there will be cigars and FUD, not just blah blah about security stuff. Meanwhile, I’m the Chief Operating Officer of a great company, working with one of my best friends, taking care of great people.

As Jim McMurry and I say to each other … #BLESSED

Posted in Career, Pandemic, Security | Tagged , , | 1 Comment

How To Get My Attention

A couple days ago, I let it be known on LinkedIn that I had taken a new position as the Director, Information Security at Esterline Technologies. Then I got a bunch of private messages from sales folks trying to sell me stuff. So, I posted a quick response to that calling out the poor behavior. And finally, decided to write something longer. I wrote it as an article on LinkedIn, but thought I’d post it here, also. Everything below the line is the original LinkedIn article.

Continue reading

Posted in Career, FUD, InfoSec, Life and Times | Tagged , , , , , | 1 Comment

Travel Like a Pro

I was chatting with my friend Katie Ledoux (@kledoux) a few weeks ago about travel type stuff. She was totally stoked that, for the first time ever, she had status on an airline. Remembering that, I saw that her airline had a bonus for flights going to/from NYC. Since she lives in Boston, it should be pretty easy for her to route through NYC airports and earn the bonus.

When I shot her a quick note this morning about the bonus offer, Katie got excited all over again. I asked her if she had a travel credit card, and she said that was next on her “being a grown-up” list of things to do. Thinking about what travel credit card to advise her to get, I asked if she was loyal to a specific hotel chain. After saying “wow, imagine being fancy enough to prefer a particular hotel chain”, then Katie said to me “please advise” ….. hence the new blog tags of “please advise”, “being a grown-up” and “doing adulting right”.

Millenials are the biggest group of new travelers, with cash in hand, that the airlines and hotels have seen since the Baby Boomers …. And travel was radically different in the 1960’s and 1970’s. And the airlines, hotels, credit card companies definitely are not going to help you with this topic. So, I thought instead of just texting Katie advise on this, I’d write a blog post about picking a hotel chain (which is a little complex right now). That’s coming next.

But first, back to that travel credit card. This should be fairly easy. The first thing is, you need to know if you have a good credit score. I could write a whole blog post on just that (and probably will). But here’s how to find out. Go to Discover’s credit scorecard and signup. You’ll get your FICO 8 score via your Experian credit report. You want your FICO score, which ranges between 300 and 850, to be in the “good” range for general ability to get a credit card without having to jump through a million hoops. If you have low/poor credit scores, that is an entirely different topic for another day. Meanwhile, if your FICO score is over 670, you have a great likelihood of being approved for a good travel credit card.

This infographic is a great review of the basics of how a FICO score works.

FICO Score Infographic

There are really two choices on travel credit cards that make sense.
The first is to get a credit card co-branded with your airline. I travel with Delta, so I have a Delta branded American Express. Every dollar I spend on that card gives me a mile on Delta. Every time I buy a Delta flight with it, I get 2 miles per dollar. Plus a slew of other benefits, like Delta SkyClub access, rental car insurance coverage, a concierge line I can call and have them book flights and hotels for me, etc.

The second choice is to get a general purpose travel credit card or charge card. These include choices like American Express charge cards (Amex Premier Rewards Gold is a great choice) or Chase Sapphire credit cards (with a FICO score above 670, reasonable income, low credit utilization, you can likely get a Sapphire Preferred card fairly easily).

What is the right choice? Well, a lot depends on you and your airline choice. That said, if you have committed to a single airline for travel …. Which early on in adult travel, you really should …. Then your best first option for a travel credit card is the one co-branded with your airline. It will give you mileage earning on purchases directly with the airline AND all your other purchases. Plus, likely, it gives you a free checked bag, early boarding, and more. Plus, accumulating all those frequent flyer miles will help you to take leisure travel for free while having your employer pay for your business related travel (that you book on your personal travel credit card). Most employers are totally okay with you double dipping this way, so you absolutely should.

I take my family on a large vacation pretty well every year. And the airfare is always covered, for a family of 4-5 (depending on which kids are around), by my Delta skymiles. This year, four of us are going to Europe for 2 weeks!

One important caveat – Credit cards are not “extra money” for you to spend and then make minimum payments to your credit card company. This will heavily impact your credit score, your ability to get more credit, and your opportunity to use that credit card appropriately. You need to commit to your credit utilization being 20%, or less, of your total credit line. If your credit card has a $5000 credit limit, you should never end a billing cycle with more than a $1000 balance on your card. If that doesn’t work for you, then a travel credit card strategy is not for you.

So …. First steps for a young person wanting to be “a grown-up”, as Katie would say, is to pick a single airline for all your travel, both business and leisure. Then figure out your FICO credit score and make sure it is over 670. Then get a travel credit card with your airline. There’s a lot more and this topic can get really advanced, but there’s the starting point. Have fun!

Posted in Being A Grown-Up, Doing Adulting Right, Please Advise, Travel | Tagged , , , , , | Comments Off on Travel Like a Pro

Trolls

I hate it when I get caught by trolls. No, there is no new LinkedIn breach. I read the article and missed the date on it. Thanks Jayson Street for pointing out the date to me. 

Posted in InfoSec | Tagged , , | Comments Off on Trolls

Eric Update

As many of you probably know by now, we sold Core Security. Courion and Core Security will be merging as a result of the sale. This is good for Core. At the same time, I am leaving Core Security and looking for my next adventure!

Courion acquires Core Security

 

Posted in Career, General, Life and Times, Security | Tagged , , | 1 Comment

Information Security and Tanks

Not too long ago my good friend, Michael Farnum, invited me to be the closing speaker at HouSecCon. I told him I would love to … then he asked me to give a talk that involved my military experience and how it prepared me for the world of Information Security. Two things that are very important in my life, but not necessarily ones I had connected very strongly. After I spent a bunch of time looking at old pictures and revisiting stories of my years in the Army, I realized that the Army had actually prepared me quite well for a career in Information Security. And I knew just the pictures and stories to share with my audience.

One of the things that was going to be key was to share my experiences on tanks and to show pictures of tanks. And, because of the awesome contributions of Adrian Crenshaw, I am able to share not just the slides and pictures of tanks, but the entire presentation with you.

Everything I Know About Information Security, I Learned Shooting Tank Guns!

Posted in Career, InfoSec, Life and Times, Military | Tagged , , , | Comments Off on Information Security and Tanks

Emergency Preparedness and Cyber Security

This week I had the opportunity to be the plenary speaker for the Alaska Homeland Security Preparedness Conference. It was a great chance to talk to folks who worry about terrorism and natural disasters and convey to them the impact that information security threats could have in their readiness planning and response. I thought people might be interested in the presentation I used. It doesn’t have huge detail in it, I spoke to that. But it conveys the issues I think Homeland Security Emergency Planners at the state and local level should be thinking about.

Homeland Security And Cyber Threats

Posted in Conferences, CyberWar, InfoSec, Security | Tagged , , , | Comments Off on Emergency Preparedness and Cyber Security

Thinking About Reducing Risk

Wow, it’s been a long time since I’ve posted here. I’ve been kinda busy, tons of travel, sending a kid off to college, BlackHat and DefCon and DerbyCon, lots of engagement with customers around the idea of a mature vulnerability management program. It’s been busy. No excuse, though. Although some of my content and thoughts can be found over at the RSA Conference Blog. So, I’ve got that going for me anyway.

Be that as it may, I’ve been thinking about something and thought I would put it out there.

I often hear that perfection when it comes to risk is critical for airlines and the aviation industry. But that perfection is not possible for the security industry and we just have to do our best. Now, let’s think about this for a minute. Does it really makes sense to just blithely say we can’t do it, throw our hands in the air and give up?

When I was a kid growing up I remember roughly an airplane crash almost once a week on the evening news. It was sort of common place. Today? We are shocked when it happens. This chart, which is available from Plane Crash Info, makes really clear the change over the past 40 years.

Commercial Aviation Accidents Involving a Fatality

Notice the steep decline that began around 1990. How did this happen? Simple, the aviation industry made a very clear choice to reduce risk. Instead of shooting for perfection, though, they spent time identifying risks and deciding how to eliminate the risks. They took each small thing that posed the risk of an accident and found a way to reduce or eliminate the risk. The chart above is impressive considering the dramatic increase in passengers, planes and miles flown that began around 1990.

Now, let’s do a thought experiment. Suppose that the risk reduction efforts hadn’t happened starting in the 1980’s. As the number of planes, passengers and miles flown doubled and then tripled, what would that chart look like? How many crashes would occur regularly? Fatalities? Impact to airline profitability? Impact to flying trends? Costs of insurance? And so on.

We security types need to look at the aviation industry for our model. Each time we identify something that poses the risk of a breach, we need to invest in that small risk reduction. Rather than trying for perfection, we need to address each small thing, every day. Incremental improvement. And suddenly you will look back and realize that your risk posture today is much lower than it was in the past. Your chart can look like this one.

Take your pick. I know which way I will go.

Posted in Risk Management | Tagged , , | Comments Off on Thinking About Reducing Risk

Recently a CEO that I worked for in the past reached out to me. Like many successful CEO’s, he has “retired”. But do you ever really retire at that point? John now sits on the board of a few companies and does some consulting. He’s written a very insightful book about transformation in the industry we worked in. And he is an insanely successful guy in his entire career. I was very pleased and honored that he reached out to me for some advice.

His question revolved around what a board member should be asking to get informed about the security program of the company he was responsible for as a Director. This is a fantastic question. One I think more Directors need to think about. After all, they have a fiduciary responsibility for that company.

I wrote my former CEO a long (for me) email around all of this. After thinking about it a bit, I realized that this is something that should be shared more broadly. So, stripping the personal content out, I am including my answer to John in full for your reading pleasure.

————————————–

I think a board member’s focus should be on whether the security program has good governance, visibility at the right level and is addressing key threats and issues. Questions to ask, include the following. And you should follow up with more questions, based on the responses to these.

Q1 – to the CEO – how often do you interact with the security leadership of your organization. Do you know the top 3 security threats facing your organization? You and I interacted at least once per quarter the entire time I we worked together. There was great value in this.

Q2 – to the Leadership generally – How have you empowered the security leaders to address current security issues? How confident are you that you will not be the next Target, Community Health, Anthem or Premera?

Q3 – To the senior leader responsible for security – How is the security team organized? What level of the organization does the security leader report to? Is he/she buried too deeply in the leadership hierarchy?

Q4 – to the leadership generally – How is the leadership of the system assuring itself that they have a security program that meets their fiduciary responsibilities to the owners/sponsors, to the system itself, to the patients? Does the security leader meet regularly with leaders, with business unit leaders, with the Board, etc. Is there a system of measurement in place to demonstrate maturity and efficacy of the security program?

——————————-

In my experience, Board members are not having these conversations with senior management. If Board members don’t do this, then senior management is not going to dig in to security. It’s that simple.

Posted on by Eric | Comments Off on Advice for Board Members