Tag Archives: security

The all enveloping genre that is known already as the Internet of Things is fast becoming labelled as being the fastest threats to emerge on our communal radar. Presenting a disorganised chaos of hard to own and manage assets delivering potentially the biggest and most arduous to secure threat fabrics ever seen in information technology.

Come with me on a trip as we turn the hands of time back to 1934  and to visualise a classification system still in use today, based on decisions made over eighty years ago when technology and communications were in their infancy. Lets explore why to not do something in the near future will destroy the promise of IoT before it has a chance to get started.

Attacks such as those seen on OVH, Brian Krebbs and now DynDns are the very start, without standardisation, without collaboration and concerted effort we may be judged in years to come as squandering opportunities to deliver flexible safe computing for the next generation.

In the 1920s and 1930s communications firms, telegraph companies and emerging radio broadcasters globally were all finding their communal feet. Existing legislation on commerce dating back to the late 1880s in the form of the ICC (The Interstate Commerce Commission) was originally conceived to manage and to counsel and prevent the ambitions of companies across America seeking to monopolise the pace of railtrack and to provide regulations on their running and operation.

The ICC by the 1930s did not scale to take into account the technological revolution that even in its embryonic state showed the promise of making the world smaller overnight. The Post Office with its Telegraph Rights, the ICC, and the Federal Radio Commission all wrapped up and became one with what would be known as the FCC. So in 1934 The Federal Communications Commission was born. North America all of a sudden had an all encompassing standards body, which would blaze a trail for countries all over the world to emulate.

If you turn over any piece of computer equipment in the US and for export (so globally) you will see an FCC rating, the FCC even today being the standards body responsible for standards implementation within its public safety and enforcement role, eighty two years after it’s inception.

Since then we’ve seen other standards bodies, CE - from the European Commission signifying their “New Approach” methodology for device manufacture and testing, UL - Underwriters Laboratories, the EMC standards for electromagnetic devices or EN standards around electrical manufacture and quality assurance. Other countries such as Australia and Canada have other systems too. However, the FCC has stood the test of time for everything from radio broadcast and spectrum management, emergence of telecommunications standards. However when it comes to the Internet of Things it’s legs fall off.

The majority of devices today, that make up the provisioned devices that are thought of as making up the predominance of the IoT global estate are often cheaply manufactured. They're mass produced dime a dozen fast to market appliances. Many mimicking products that are more expensive and playing catchup with cloned or copied devices. Many use commodity small footprint OS that may once have found their basis in Linux and Open Source communities but have been sufficiently bastardised and forked into an unsupportable image to satisfy the commodity hardware or storage footprint allowed for device operation.

Many of these devices are not connected to always on networks and have no methodology to autoupdate (where the supplier provides that functional capability). Many ship with default passwords that users then fail to change. Many that are connected to IPv4 networks have never had updates or the updates don’t address the serious underlying security weaknesses and the versions of SSH or promiscuous daemons or services running on them. These core issues as we have seen over the last month first with the attack on the Akamai hosted site where Brian Krebbs was taken offline, then round two hitting OVH, Freenode and others and then last Friday where DynDNS was all but taken offline in the latest iteration of this now almost predictable rush to launch DDoS, then creating a huge internet real estate impact.

And nowhere is there an applicable standards body or international body that polices devices prior to shipping or at the point of manufacture to ensure device hardening. Failure to prove off security concepts and issues with the developer / manufacturer are ever present. If this was concerning the manufacure of vehicle airbags or making a childseat the issue would be entirely addressed.

What we have are companies rushing to get devices to market for consumer consumption, be that Google with their acquired Nest and Home products, Amazon with Echo are all probably at the higher end of the marketplace appreciating their users are often not that conversant with securing anything they buy. Certainly devices from manufacters such as Eurotech, Evrythng and others embrace the use of PKI and TLS and have got the authentication right at point of design and provision. We aren’t addressing those but the plethora of companies from China to Malaysia, from Hungary to Thailand which are shipping devices with dated aged insecure OS platforms. These are almost always given less thought than the packaging that they ship in or the plastics used in manufacture. Aged versions of Busybox, twelve year old SSH vulnerabilities and services turned on that should never be listening.

The IPSO Alliance, The Industrial Internet Consortium, FiWare, Open Daylight IoDM, Hypercat, The All Seen Alliance, I could go on but I won’t, the list of “standards bodies” and consortia grows almost by the month. The one thing that is for sure is that they have one thing in common, none of them are relevant and making any impact on the root problem.

For this to be impacting it has to be done at the import/export level and we have to have government and industry backed assistance to make it happen. Turning the clock back to 1934 and working with the relevant governments and agencies will be the only way of enforcing change on commodity hardware vendors who are about the units shipped not the units hacked.


Live from RSA Conference 2016

This week I am in San Francisco recording a special radio show for TheStack.com and Red Hat called "Locked Down" I will be talking to the brightest and the best at RSA, expect to see a variety of shows going live over the week, discussing everything about the growing technologies, emerging products and the challenges that we are facing in security.

How do I get the show ?

If you have an iOS device simply subscribe via the Apple Podcast client on iOS available from the Apple store (or via Overcast or your podcast client of choice), simply search for "Locked Down" once installed. Stitcher Internet Radio App also is carrying the show.  SoundCloud is also carrying the stream.

If you have an Android device install Player.FM or BeyondPod and again search on "Locked Down" and subscribe. Stitcher Internet Radio App just like Player.FM and BeyondPod carries the show - all installable from the Google Play store. You can also listen in via SoundCloud.

If you are in a browser you can listen to all the shows as they appear using Player.FM directly by bookmarking and clicking http://bit.ly/1KWVVaB directly via your desktop, or via Stitcher http://stitcher.com/s?fid=84147&refid=stpr in Safari, Firefox or on any Mac or Windows browser. Stitcher doesn't always play well with Chrome, if you're a Chrome browser user click the Player FM link.

You can listen to episode 1 here in this post or visit SoundCloud's stream 

Cloud 2

A plethora of security articles has appeared in the mainstream IT press over the last few weeks that makes me believe that security is one of the new buzzwords that you can expect to hear a lot more about in 2016. As a security practitioner and someone who has done this for well over fifteen years it's bizarre how something that we do as business as usual is now getting some attention. For over a decade we were the people you didn't talk to, or if you did you did it through gritted teeth knowing we would try to hold you to a better standard or a greater ideal for the common good.

Any and all focus on security best practice is welcome. As we all witness the explosive growth of container based cloud provisioning gather pace it's circumspect to hope that this due diligence around security will filter down through programs in organisations to build in security as a de-facto standard building block and process rather than retro fitted to shore up poor code or poor deployment / management practices.

That's not to say by having the best security folk and best practices you can't get hacked from internal or external threat or fall prey to a security vulnerability. What it does mean is that you have the plan as to how to react, how to behave during an outage, what steps to take during a fix process and how you learn from that experience, growing from it. Sharing that knowledge is even more important in the Open Source space.

Please though don't fall into a trap. Having a CISSP does not make you a security professional. Having a CISSP on board your staff says you have someone who can pass an exam and who has an understanding of how a proprietary network environment and elevated threat levels and reaction capabilities to someone hosing your Cisco / Juniper / (add other vendor kit here) will have on your ability to provide service.

Any qualification that allows it's students to keep qualified by collecting points attending conferences is devalued by stupid brand marketing folk who allow such a practice. I've met some great people who also had CISSPs and I've also met some self styled pen testers, auditors and "security professionals" with CISSPs and other exam qualifications who communally couldn't find their arse with both hands. Those same people also knew how to pass exams but who had never had actual realtime experience in the trenches with developers and operational datacentre folk to get up to speed with emerging threat.

Certification is important. Want to hire good folk or get your CISSP folk up to speed with real life threat from bleeding edge threat actors that impact actual platforms now ? Get them to sign up and study for the CCSK exam. Amazon get their staff to, so do Microsoft and HP and I personally rate the material and the exam and it will allow you to get your staff to be at a point where you have a proper belts and braces ability to deal with threat and react realtime rather than a post mortem. No this isn't an advert for the Cloud Security Alliance or a trolling attack on CISSPs it's a call to arms to employers to look outside the box because sadly the hackers are better qualified than ever before,

So while you're eating your Thanksgiving meal or preparing for a quiet Christmas think about how you can increase your security skills and also maybe think about joining an Open Source project to see how security issues and vulnerabilities are managed in the wild.

Happy Thanksgiving 2015 and have a great time with your families.

This evening I've been working my way through changes and modifications on the beta of version 3.1 of the Cloud Security Alliance CCM controls. Version 3.0 is the current shipping version of this living breathing bible of cloud security goodness. Recently I was in Amsterdam with Jim Reavis and his crew at the CSA Securecloud Conference, and I'll be out in the US at the annual CSA Congress in the fall. Whilst there I recorded a podcast with Jim that I will bring out midweek this week.

Regularly I talk at conferences expressing why the CSA CCM matrixes are one of the most powerful Swiss Army tools an IT practitioner can have when approaching a governance exercise in any facet of private, public or open hybrid cloud. Crossing business verticals allowing an organisation to be able to consider pressures of location and data type, workload or platform. This then allows you to make weighted decisions around application migration, infrastructure deployment and the isolation of services or provisioned platform services.

As the audit community continue to hone and document how they are are assessing technical and actual risk in on premise cloud, a contracted out public cloud or hybrid elastic combination of the two.

As 3.1 emerges and becomes the new defacto standard I will bring more information as to how best to adopt it, for now please point your browsers at the current shipping version of the matrix which you will find here.