09 February 2013

Walking the Talk: Asymmetric Lessons Learned...

Operational Risk Management is about "Walking the Talk." What are you advocating in your solutions, your services and your advice to clients, or within your own organization? To "Walk the Talk" is to believe in, and to demonstrate first to yourself and your organization, that you execute and comply with what you say. You carry out, in demonstrable form, the rule-sets, best practices, ethics and behaviors that you ask your own customers and suppliers to follow. Failure to do so can have tremendous ramifications:

Earlier today we informed our customers about a potential security concern. Out of respect for our customers, we chose to contact them first before making a statement in public. We wanted to be certain our customers heard from us and had the opportunity they needed to make any changes before we brought this to a wider audience. 
In brief, here is what happened. Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network. As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware. There is no indication that this was the result of an issue with our product. Our investigation also shows that our product was not compromised. 
We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9.

Asymmetric warfare is about indirect strategy: the ability to compromise a target through non-traditional methods. Bit9 was only a pawn in a more sophisticated, planned and smart attack on a far more valuable target. Whether the intended target was a critical infrastructure organization in the financial, energy or defense industrial base (DIB) does not really matter. Even if the target was a U.S. government customer of Bit9, so what? This is a clear case of a lack of due diligence by Bit9 itself, and by its own client base, in ensuring that the Operational Risk controls are operating effectively and pervasively across the enterprise. A whitelisting product that is missing from even a handful of machines protects nothing on those machines, and a code-signing certificate reachable from them is one the adversary can use to sign whatever they like, as the statement above describes.
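The two checks the Bit9 statement implies, as an added example that is not Bit9's code or part of the original post: reconcile an asset inventory against the hosts actually reporting in from the endpoint control (the coverage gap), and flag signing events that used a certificate serial known to be compromised. Every hostname, serial number and timestamp below is constructed for illustration; the record layouts are assumptions, not any vendor's format.

```python
"""Coverage-gap and compromised-signer checks over constructed inventory data."""
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: every physical and virtual machine that should run the agent.
ASSET_INVENTORY = {"build01", "build02", "dev-vm-07", "dev-vm-08", "fileshare"}

# Constructed agent check-in log: host -> last time the whitelisting agent reported in.
# dev-vm-07 and dev-vm-08 never appear, which is the "handful of computers" failure mode.
AGENT_CHECKINS = {
    "build01": "2013-02-08T09:00:00Z",
    "build02": "2013-02-08T09:05:00Z",
    "fileshare": "2013-01-20T02:00:00Z",  # installed, but stopped reporting weeks ago
}

# Constructed blocklist of code-signing certificate serials known to be compromised.
COMPROMISED_CERT_SERIALS = {"1f:3a:8c"}

# Constructed signing-event records: which host signed which file with which certificate.
SIGNING_EVENTS = [
    {"host": "build01", "serial": "4d:22:09", "file": "agent-setup.exe"},
    {"host": "dev-vm-07", "serial": "1f:3a:8c", "file": "update.exe"},
    {"host": "dev-vm-08", "serial": "1f:3a:8c", "file": "svchost_helper.dll"},
]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def coverage_gaps(assets, checkins, now: str, max_age_hours: int = 24) -> dict:
    """Return {host: reason} for inventory hosts with no agent check-in, or a stale one.

    A host is only "covered" if the agent has reported within max_age_hours of `now`;
    an installed but silent agent is treated as a gap, not as coverage.
    """
    now_dt = parse_ts(now)
    max_age = timedelta(hours=max_age_hours)
    gaps = {}
    for host in sorted(assets):
        last = checkins.get(host)
        if last is None:
            gaps[host] = "no agent check-in"
        elif now_dt - parse_ts(last) > max_age:
            gaps[host] = f"stale check-in ({last})"
    return gaps


def flag_compromised_signers(events, compromised) -> list:
    """Return every signing event whose certificate serial is on the compromised list."""
    return [e for e in events if e["serial"] in compromised]


def report(now: str):
    """Combine both checks; hosts that are uncovered AND signed with a bad cert come first."""
    gaps = coverage_gaps(ASSET_INVENTORY, AGENT_CHECKINS, now)
    flagged = flag_compromised_signers(SIGNING_EVENTS, COMPROMISED_CERT_SERIALS)
    uncovered_and_flagged = sorted({e["host"] for e in flagged if e["host"] in gaps})
    return gaps, flagged, uncovered_and_flagged


if __name__ == "__main__":
    gaps, flagged, both = report("2013-02-08T12:00:00Z")
    for host, why in gaps.items():
        print(f"COVERAGE GAP  {host}: {why}")
    for e in flagged:
        print(f"BAD SIGNER    {e['host']} signed {e['file']} with serial {e['serial']}")
    print("uncovered hosts that also used a compromised cert:", both)
```

The point of the staleness threshold is that "installed" is not the same as "operating effectively": an agent that is present but no longer reporting is a gap in the control just as much as a machine that never had it. Feed real inventory, check-in and signing records into the same two functions and the output is the list of machines to fix first.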

Supply Chain Risk Management (SCRM) is not just about validating where and how embedded circuits, EPROM firmware or other system software are produced, and ensuring their quality and freedom from tampering. SCRM is also about the vendors themselves being compliant within their own enterprise, both in the manufacturing of their products and in the operational environment of their solution ecosystem. Trust and confidence in these products or solution sets ultimately comes down to "Walking the Talk."

There’s been an onslaught of cyber attacks on U.S. banks in recent months, and it must sound the alarm to Congress and the American people that cyber security is an urgent national security priority. Cyber attacks come from diverse sources, from thieves attempting to steal individual identities and bank accounts, to large-scale disruptions caused by “hacktivists” - terrorist networks and nation-states conducting 21st-century espionage and warfare. 
The recent attacks on U.S. banks are linked to Izz ad-Din al-Qassam, a hacking group that appears to be working with the Iranian government. These attacks, which have shut down or disrupted access to many sites, including Citigroup, PNC, and Capital One, are unprecedented. They also have public officials, national security leaders, and cyber-security experts asking, what’s next? 
U.S. security officials like James Clapper, the director of national intelligence, have been warning of Iran’s growing cyber capabilities for more than a year. 

If you are a prudent CSO or CISO of a technology-based product or services organization, beware. You may be exactly what the enemy needs to carry out their asymmetric operations on the homeland. Beyond your own reputation, the trust, safety and security of the entire economic infrastructure of the United States is at stake.

