Showing posts with label Information Security.

30 August 2025

Proactive Measures: Beyond the Perimeter...

Operational Risk Management requires both proactive and passive measures that together form a comprehensive organizational strategy. Odds are that, to this point, you have devoted a majority of your time and resources to the passive mode of preparedness and defense: a reactive, alert-oriented focus. The time has come to change the priorities and to increase the allocation of strategy to the "Active Measures." Why?

Stuxnet is and was ground zero for a new generation of digital infrastructure cyber weapons.

The attribution game is still going on, with several suspects as to who actually developed, tested and deployed "Stuxnet." This is not as important as the realization that you can no longer sit back in passive mode and wait for the next variant or hybrid cyber weapon to attack your critical infrastructure assets.

"The most advanced organizations are now taking the "Proactive" stance to not only detect changes in their environment in a more real-time mode, but they are starting to hunt down the attackers."

There is a decision point where you realize that the passive mode will not buy you time nor will it redirect your attackers to other more vulnerable assets. Your organization will continue to operate with the goal of serving your clients, members or customers yet simultaneously a "SpecOPS" team of internal experts will be monitoring, measuring and exercising tactics to legally neutralize the threat before them.

Commercial and non-governmental entities are creating the means and the capabilities to deter, detect and document who is attacking their digital systems and where they can be found. This intelligence is being shared within the private sector organizations to determine fingerprints, modus operandi and other evidence that is required to effectively hunt down the attackers. The next challenge will be how to package this and make sure that the proper authorities are notified in a timely manner.

There is no longer a solution that is wide enough or in depth enough to be distributed across a whole spectrum of companies or organizations. The answers will be specific, customized to the unique environment and infrastructure that comprises a particular enterprise.

In order for that specification to be developed internally and provided to the correct people, you have to have the internal mechanisms in place to know in real-time what is changing and how fast it is changing from the normal state.

Is your view beyond your own perimeter? Are you looking for the anomalies that are over the horizon and could impact your network soon? It's one thing to look at the changes to your own perimeter but what about the intelligence on providers and ISP's somewhere on the other side of the planet? Do you know where your packets are going and how they are being routed?

"In a savvy Operational Risk Management enterprise, the "Corporate Intelligence Unit” (CIU) is alive and thriving."

A proactive intelligence-led investigation doesn't begin with a phone call from someone who says, "My system is down" or "What does this Blue Screen mean?"

It doesn't start when your VP, Research & Development suddenly leaves the company for no apparent reason. Intelligence-led operations will continue to be the aspiration of many, yet only possessed by a few.


12 June 2025

Black Swan: Strategy Execution for the "Outlier"...

The Black Swan is a surprise event and the idea that a catastrophe can strike without warning. A professional colleague's recent presentation was a timely reminder of its history and origins.

What does your organization plan for within the Operational Risk Management (ORM) discipline? The Low Consequence “High Frequency Incident” or the High Consequence “Low Frequency Incident”?

The ratio can tell you what your "Resilience" factor is to Operational Risk loss events. Key Performance Indicators (KPIs) can give you some forward-looking view into the risk portfolio, yet what about the resilience to the "Black Swan"?

The “Black Swan” is a highly improbable event with three principal characteristics:

It is unpredictable; it carries a massive impact; and, after the fact, we concoct an explanation that makes it appear less random, and more predictable, than it was.

"The astonishing success of Google was a Black Swan; so was 9/11.  For author Nassim Nicholas Taleb, black swans underlie almost everything about our world, from the rise of religions to events in our own personal lives."

"Why do we not acknowledge the phenomenon of black swans until after they occur? Part of the answer, according to Taleb, is that humans are hardwired to learn specifics when they should be focused on generalities. We concentrate on things we already know and time and time again fail to take into consideration what we don’t know. We are, therefore, unable to truly estimate opportunities, too vulnerable to the impulse to simplify, narrate, and categorize, and not open enough to rewarding those who can imagine the “impossible.”

Your organization is no doubt spending time on the Operational Risk Management (ORM) events that are consistently in the high frequency "In Your Face" category.

In a highly regulated industry sector such as finance, health care or energy the oversight mechanisms require a continuous analysis of risk based upon the criticality of these sectors to the overall resilience of the economy.

"Yet it is the "Outlier" incident, that comes at the most unexpected time that is the real threat and the incident catalyst, that could be your "Black Swan”."

You never know when it is going to be coming, so you must plan, prepare and imagine that someday, it will happen.

Enabling Global Operational Risk Management (ORM) requires thinking beyond models and outside the box analysis of the "Resilience Factor," should an outlier impact the organization, the state or the country. The resources, personnel and systems focused on these areas of risk are small today. But not for long.

Just ask those people who have been working 24/7 since any major incident, whether it was the 9/11, "Fukushima" or "Lehman Brothers" crisis. Or, more importantly, the plaintiff lawyers preparing their briefs for the inevitable aftermath of litigation over who knew what, and when.

Another lesson learned from Supply Chain Risk.  Losing control of sensitive customer data is a fact of life for American companies. They’re collecting more of it, and they are often outgunned by nation state hackers, who are highly motivated to get at it.  Perhaps a vector through your most trusted supply chain vendors and partners.

One prediction into the future could be that litigation will follow all "Black Swan" incidents. If you are in a highly vulnerable industry sector, because it's part of the Critical Infrastructure of the global grid, then you already know you are in the middle of the target zone.

What is amazing to many in the after-action reporting is still how much we continue to underestimate the magnitude of a lack of planning, and of resources devoted, to these low frequency, high consequence events…

28 September 2024

Pain or Joy: Change Management 101...

Habits are hard to change.  It takes discipline and continuous perseverance.


When was the last time you changed something that increased your revenue?  Your health.  Or your safety and security.


Change and managing change whether in the corporate ranks of your Fortune 500 Global Enterprise or back in your own personal life at home is a true challenge.


Before you even thought about what you needed to change in your business or your own life, you probably have encountered one of two experiences:

    • Pain
    • Joy

Which one of these two experiences have you recently encountered?


You see, our human behavior is quite predictable and it is usually one of these two motivators in life that will change your behavior.


Educating yourself and others you care about requires that you sometimes utilize one of these motivators in order to initiate new change.  Let’s begin with “Pain”.


These realities are exactly what the evil in our world today continues to prey on: those individuals who are unable or unwilling to change, and to manage change in their lives.


“It is really very simple. In the foreseeable future, we will not function as a global society without the Net and the immense digital resources and information assets of our society. The addiction is established—commerce, government, education, and our neighbors offer no option other than to require that we rely upon digital information in making decisions. But we will not function successfully if the war for control of those assets is lost. The battlefield, however, is the one on which trust is to be gained or lost—trust in the information we use, trust in the infrastructures that support us, and trust in the decisions we make in a digital world.”  Page 19 - Achieving Digital Trust | The New Rules For Business At The Speed Of Light  - Author Jeffrey Ritter


In your own digital life, these habits may be as simple as using the same password on multiple accounts that each of us rely on, each day or each week of our lives.  You know who you are.


As the continued use of “Ransomware” remains so pervasive across the globe and is utilized by so many criminal gangs and nation states, each one of us must consider our personal and business habits.


At home and at work.


It is now time to change.  It is time to change your digital habits so you may avoid the pain and continue to have even more joy in your life.


Take action.


Start a new habit now of changing the weak password on your bank accounts.  Make it 20 characters, and make it random.  Easily addressed when you "Use a Password Manager App".  Then set a reminder to change it on January 1, April 1, July 1, and October 1 of each year.


“Microsoft warns that ransomware threat actor Storm-0501 has recently switched tactics and now targets hybrid cloud environments, expanding its strategy to compromise all victim assets.


The threat actor first emerged in 2021 as a ransomware affiliate for the Sabbath ransomware operation. Later they started to deploy file-encrypting malware from Hive, BlackCat, LockBit, and Hunters International gangs. Recently, they have been observed to deploy the Embargo ransomware.


Storm-0501's recent attacks targeted hospitals, government, manufacturing, and transportation organizations, and law enforcement agencies in the United States.” BleepingComputer


After you have successfully accomplished this simple task in your business and in your own personal life, remember:


The “Pain” of doing this simple “Change Management” step in your life, will help bring you continued “Joy” for so many years to come…:)


Godspeed!

31 August 2024

Critical Infrastructure: OSINT to the Rescue...

Over the past decade our U.S. Critical Infrastructure has become even more vulnerable.

Why?

In the early days of the commercial Internet, 2000-2001, there were several dozen of us working in a Rosslyn building on Wilson Boulevard in Arlington, Virginia to answer our growing Fortune 500 and government clients' questions of “Who”, “What”, “Where” and “How”.

We already knew the answer to “Why”.

The 24/7 Internet crawler algorithms our techies engineered were doing their intended tasks and retrieving Terabytes of data on a 24/7 basis for our further human analysis.

All of this was well on its way before the more sophisticated use cases of the Internet for the implementation of the Banking infrastructure, Retail transactions and Telecommunications were in place.

The systems and infrastructure we now call “Critical” were just in the early stages of IP maturity.

Remember, the iPhone was not invented until around 2007!

Afterwards, and yet even more vital to this day, you might think about your own organization's “Operational Risk Management” (ORM) objectives and tasks in three key categories:

  • Human
  • Physical
  • Cyber

Over the course of your company's legal, compliance and security organizations conducting regular “Threat and Hazard Identification and Risk Assessment” (THIRA) activities and rules, the reality begins to set in.

The Board of Directors are still asking, "How can we as people address the exponential growth, change and remediation without more automation, software and systems?"

"This is when new companies were born to build the software to help humans keep a better eye on the risk management of our growing Critical Infrastructure."

As new software companies were born to address THIRA applications, some people began to feel like it all had NOT been solved.

Asymmetric Warfare today, not only includes our “Nation States” across the globe, but also Black hat “Hacktivist” organizations and individual people. In every country with the Internet.

Evidence of these individuals' and groups' growing existence is still the “Why” for your own organization's THIRA activities.

This also includes the “Why” for our US Homeland Security organizations such as CISA and others in the National Intelligence and Law Enforcement arenas.

Perhaps even more vital, are the private organizations who are still in the business today of “Open Source Intelligence” (OSINT) since the dawn of the Internet…

13 April 2024

Corporate Business Survival: 4D | Deter. Detect. Defend. Document.

Critical Infrastructures are those systems and assets - whether Physical or Virtual – that are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of those matters.

As ransomware attacks continue to grow, organizations need to improve their security posture to protect against an attack.  Better security requires implementing appropriate security controls and ensuring that effective crisis management and employee education are in place.

The landscape of how we work has changed since the onset of the global pandemic.  We must assess vulnerabilities in a new way and with increased due diligence.

Our Corporate Critical Assets are "Under Attack".

4D = Deter. Detect. Defend. Document.

"Attackers use Tools to exploit Vulnerabilities. They create an Action on a target that produces an Unauthorized result."

Attackers do this, to obtain their Objective.

LESSON 1- DETER.

  • What corporate critical assets are most valuable in the eyes of your adversary?
  • Increase deterrence with these assets first.
  • MFA / Layered Access.  [SMS vs. Authy or Authenticator]
  • Segmented Networks.
  • Data / Network Encryption.
  • People motivated by Financial Gain, Damage/Disruption or the Challenge.

LESSON 2 – DETECT.

  • Detect the use of tools by the Attackers.
  • Some tools are High Tech, others are "Social Engineered".
  • They will discover vulnerabilities in:
      • Design.
      • Implementation.
      • Configuration.

You must continuously detect the use of attackers' methods and tools to exploit your vulnerabilities.

LESSON 3 – DEFEND.

  • Defend the target assets from actions by the attackers.
  • Targets may include people, facilities, accounts, processes, data, devices, networks.
  • Actions against the target that are intended to produce the unauthorized result include:
      • Probe.
      • Spoof.
      • Steal.
      • Delete / Encrypt.

LESSON 4 – DOCUMENT.

  • Document the "Normal" so you know when and where there is an Unauthorized result:
      • Increased Access.
      • Disclosure or Corruption of Information.
      • Denial of Service or Theft of Resources.
  • Continuously document, using a "Collection Management Framework" (Logs), and know how to access it for effective Incident Response.
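Lesson 4 only makes sense if the "Normal" is written down in a form a detection can compare against. The following Python is an added example, not code from the original post: it builds a per-user baseline of hosts and roles from a window of successful logins, then runs a second window of events against that baseline and flags the page's "Increased Access" (a user on a host or in a role never documented as normal), an account with no baseline at all, and repeated failures against one account on one host. The log lines, host and user names, line format and the failure threshold of 5 are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed syslog-style authentication events (not from the page). The baseline
# window is the documented "Normal"; the observed window is what is being checked.
BASELINE_LOGS = [
    "2024-03-25T09:02:11 web-01 auth: user=alice result=OK role=user",
    "2024-03-26T10:15:40 web-01 auth: user=alice result=OK role=user",
    "2024-03-25T14:05:03 db-01 auth: user=bob result=OK role=dba",
    "2024-03-27T14:30:19 db-01 auth: user=bob result=FAIL role=dba",
    "2024-03-28T14:11:50 db-01 auth: user=bob result=OK role=dba",
]
OBSERVED_LOGS = [
    "2024-04-05T09:12:00 web-01 auth: user=alice result=OK role=user",
    "2024-04-05T23:40:00 db-01 auth: user=alice result=OK role=admin",
    "2024-04-06T02:00:01 db-01 auth: user=bob result=FAIL role=dba",
    "2024-04-06T02:00:02 db-01 auth: user=bob result=FAIL role=dba",
    "2024-04-06T02:00:03 db-01 auth: user=bob result=FAIL role=dba",
    "2024-04-06T02:00:04 db-01 auth: user=bob result=FAIL role=dba",
    "2024-04-06T02:00:05 db-01 auth: user=bob result=FAIL role=dba",
    "2024-04-06T03:10:00 web-01 auth: user=carol result=OK role=user",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"result=(?P<result>OK|FAIL) role=(?P<role>\S+)$"
)


def parse(lines: List[str]) -> List[dict]:
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def document_normal(events: List[dict]) -> Dict[str, Dict[str, set]]:
    """Lesson 4: record, per user, the hosts and roles seen in successful logins."""
    normal: Dict[str, Dict[str, set]] = defaultdict(lambda: {"hosts": set(), "roles": set()})
    for e in events:
        if e["result"] == "OK":
            normal[e["user"]]["hosts"].add(e["host"])
            normal[e["user"]]["roles"].add(e["role"])
    return dict(normal)


Alert = Tuple[str, str, str]  # (kind, user, host)


def detect_unauthorized(events: List[dict], normal, fail_threshold: int = 5) -> List[Alert]:
    """Flag deviations from the documented normal: a user on a host or in a role not
    seen before (the page's 'Increased Access'), an account with no baseline at all,
    and repeated failures against one account on one host (threshold is assumed)."""
    alerts: List[Alert] = []
    fails: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        user, host = e["user"], e["host"]
        if e["result"] == "FAIL":
            fails[(user, host)] += 1
            if fails[(user, host)] == fail_threshold:  # alert once, when the threshold is hit
                alerts.append(("repeated_failures", user, host))
            continue
        base = normal.get(user)
        if base is None:
            alerts.append(("unknown_user", user, host))
            continue
        if host not in base["hosts"]:
            alerts.append(("increased_access:new_host", user, host))
        if e["role"] not in base["roles"]:
            alerts.append(("increased_access:new_role", user, host))
    return alerts


def run_sample() -> List[Alert]:
    """Baseline on the first window, then check the second window against it."""
    return detect_unauthorized(parse(OBSERVED_LOGS), document_normal(parse(BASELINE_LOGS)))


if __name__ == "__main__":
    for kind, user, host in run_sample():
        print(f"{kind:28s} user={user} host={host}")
```

The baseline deliberately ignores failed logins, so a failure during the "Normal" window does not become part of the normal. On the constructed data alice's successful login to db-01 as admin produces two alerts (new host, new role), bob's five failures produce one, and carol, who has no baseline, produces the unknown-user alert.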

1. In order to understand how to defend your corporate critical assets, use Red Teams, Bug Bounties or internal testing resources.

2. Maintain offline, encrypted backups of data and regularly test your backups.

3. Review Third Party or Managed Service Provider (MSP) policies for maintaining and securing your organization's backups.

4. Understand that adversaries may exploit the trusted relationships your organization has with third parties and MSPs.

The cost of a cyberattack is often significant for organizations large and small, and we must strengthen responsiveness and reduce behaviors that may open vulnerabilities in the future.

Public Private Partnerships of Critical Infrastructure organizations with CISA.gov and FBI.gov are vital to enhance our National Security...

06 April 2024

Vulnerability: Launching into the Future...

Looking in the rear view mirror from the Spring of 2004, the InfoSec World Conference in Orlando FL was on the calendar.

Our flight from Washington, DC provided just enough time to plan out the sequence of sessions and events to attend in order to explore any new innovations.

At that point, we were now only in our first decade of our "Information Security" evolution.

"Before “The Cloud”. Before IT standards could truly grasp the spectrum of sophisticated exploits, that were soon to be developed by other Nation States."

The guidelines and metrics developed that year by the Yankee Group were derived from The Laws of Vulnerabilities research, authored by Gerhard Eschelbeck, CTO of Qualys.

The Dynamic Best Practices in Vulnerability Management are based on key findings from The Laws of Vulnerabilities:

>> Half-Life: The half-life identifies the length of time it takes users to patch half of their systems, reducing their window of exposure. The half-life of critical vulnerabilities for external systems is 21 days and for internal systems is 62 days. This number doubles with lowering degrees of severity.

>> Prevalence: 50 percent of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis. In other words, there is a constant flow of new critical vulnerabilities to manage.

>> Persistence: The lifespan of some vulnerabilities and worms is unlimited. In fact, the research shows significant spikes in the occurrence of Blaster and Nachi worm infections in 2004, months after they originally appeared.

>> Exploitation: The vulnerability-to-exploit cycle is shrinking faster than the remediation cycle. 80 percent of worms and automated exploits are targeting the first two half-life periods of critical vulnerabilities.

The best practices apply vulnerability management as the one solution IT can count on to measure and manage the effectiveness of a network defense program.

"Performing regular security audits is a vital step companies must take to keep up with the changing security landscape," said Eric Ogren, Senior Analyst at the Yankee Group. "With each new breed of attack, it is clear that best practices in IT security must be achieved for organizations to effectively protect critical network assets."

Based on these Laws, the Yankee Group defines four dynamic best practices for vulnerability management as:

1. Classify: Enterprises should identify and categorize all network resources. They should classify these resources into categories and tier a hierarchy of assets by value to the business. Critical assets should be audited every 5 to 10 days to identify vulnerabilities and protect against exploits. Based on hierarchical priority, lower category assets can be scanned less frequently as the work plans to patch will also be less frequent.

2. Integrate: To improve effectiveness of various security technologies such as server and desktop discovery systems, patch management systems, and upgrade services, enterprises must integrate with vulnerability management technologies. Best practice organizations should also report on operational progress against vulnerability goals to raise the level of awareness for security within the executive management team.

3. Measure: Enterprises need to measure their networks against the half-life curve and persistence curves of vulnerabilities. Graphically track the percentage of vulnerabilities mitigated within each 30-day cycle and the number of vulnerabilities that extend past 180 days. Chart the security team's performance to make sure the end result is risk reduction, especially to critical assets.

4. Audit: Security officers should utilize the results of vulnerability scans to understand a corporation's network security posture. Use the metrics to evaluate successes and failures of different policies to improve security performance. Use audit metrics to communicate security status to senior management.
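The Half-Life law and the "Measure" practice above describe metrics rather than a method for computing them. The following Python is an added example, not code from the original post, the Yankee Group or Qualys: from a list of finding records it computes the half-life of critical findings per zone and compares it with the 21-day external and 62-day internal benchmarks quoted above, derives the benchmark for lower severities by doubling per step (the page's rule of thumb), charts the cumulative percentage mitigated in each 30-day cycle, and lists the findings still open past 180 days. The finding records, the five-point severity scale, the zone labels, the dates and the as-of date are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Benchmarks quoted on the page from The Laws of Vulnerabilities: the half-life,
# in days, of critical vulnerabilities on external and internal systems.
HALF_LIFE_BENCHMARK_DAYS = {"external": 21, "internal": 62}
CRITICAL = 5  # assumed severity scale: 1 (low) .. 5 (critical)


@dataclass
class Finding:
    """One vulnerability finding on one system (constructed sample record)."""
    system: str
    zone: str                 # "external" or "internal"
    severity: int             # 1..5, 5 = critical
    found: date
    patched: Optional[date]   # None while still open


def is_patched(f: Finding, as_of: date) -> bool:
    return f.patched is not None and f.patched <= as_of


def days_open(f: Finding, as_of: date) -> int:
    """Days of exposure: found -> patched, or found -> as_of while still open."""
    end = f.patched if is_patched(f, as_of) else as_of
    return (end - f.found).days


def half_life(findings: List[Finding], as_of: date) -> Optional[int]:
    """Days until half of the affected systems were patched. Open findings are
    still exposed, so they can only push the half-life out; None means fewer
    than half are patched yet, i.e. the half-life has not been reached."""
    if not findings:
        return None
    needed = (len(findings) + 1) // 2  # the median system, rounding up
    patched_days = sorted(days_open(f, as_of) for f in findings if is_patched(f, as_of))
    if len(patched_days) < needed:
        return None
    return patched_days[needed - 1]


def severity_benchmark(zone: str, severity: int) -> int:
    """The page's rule of thumb: the benchmark doubles with each step down in severity."""
    return HALF_LIFE_BENCHMARK_DAYS[zone] * 2 ** (CRITICAL - severity)


def mitigated_per_30_day_cycle(findings, as_of, max_days=180) -> Dict[int, float]:
    """Cumulative percentage of findings patched within 30, 60, ... max_days days,
    i.e. the points of the half-life curve the 'Measure' practice asks you to chart."""
    total = len(findings)
    curve = {}
    for upper in range(30, max_days + 1, 30):
        done = sum(1 for f in findings if is_patched(f, as_of) and days_open(f, as_of) <= upper)
        curve[upper] = round(100.0 * done / total, 1) if total else 0.0
    return curve


def open_past(findings, as_of, days=180) -> List[Finding]:
    """Findings still open for longer than `days` (the 180-day tail on the page)."""
    return [f for f in findings if not is_patched(f, as_of) and days_open(f, as_of) > days]


def vulnerability_report(findings, as_of) -> dict:
    """Per zone: half-life of critical findings vs. benchmark, 30-day curve, 180-day tail."""
    report = {}
    for zone in ("external", "internal"):
        crit = [f for f in findings if f.zone == zone and f.severity == CRITICAL]
        hl = half_life(crit, as_of)
        report[zone] = {
            "half_life_days": hl,
            "benchmark_days": HALF_LIFE_BENCHMARK_DAYS[zone],
            "within_benchmark": hl is not None and hl <= HALF_LIFE_BENCHMARK_DAYS[zone],
            "curve_pct": mitigated_per_30_day_cycle(crit, as_of),
            "open_past_180": [f.system for f in open_past(crit, as_of)],
        }
    return report


# Constructed sample scan data and reporting date (not real findings).
AS_OF = date(2024, 4, 6)
SAMPLE_FINDINGS = [
    Finding("ext-1", "external", 5, date(2024, 1, 1), date(2024, 1, 10)),  # 9 days
    Finding("ext-2", "external", 5, date(2024, 1, 1), date(2024, 1, 15)),  # 14 days
    Finding("ext-3", "external", 5, date(2024, 1, 1), date(2024, 1, 25)),  # 24 days
    Finding("ext-4", "external", 5, date(2024, 1, 1), date(2024, 2, 20)),  # 50 days
    Finding("ext-5", "external", 5, date(2024, 1, 1), None),               # still open
    Finding("ext-6", "external", 5, date(2024, 1, 1), None),               # still open
    Finding("int-1", "internal", 5, date(2023, 12, 1), date(2024, 1, 15)),  # 45 days
    Finding("int-2", "internal", 5, date(2023, 12, 1), date(2024, 2, 10)),  # 71 days
    Finding("int-3", "internal", 5, date(2023, 12, 1), None),               # open 127 days
    Finding("int-4", "internal", 5, date(2023, 9, 1), None),                # open 218 days
]

if __name__ == "__main__":
    for zone, r in vulnerability_report(SAMPLE_FINDINGS, AS_OF).items():
        print(zone, r)
```

Two design choices matter for the half-life to be honest: still-open findings are counted as exposed up to the as-of date rather than dropped, so a backlog cannot make the number look better, and the half-life is the exposure time of the median system, so on the constructed data the external half-life is 24 days (three of six patched by day 24, missing the 21-day benchmark) and the internal half-life is 71 days against the 62-day benchmark, with one internal finding already past the 180-day tail.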

The notes written soon after the business trip to this InfoSec World event can still provide us additional vital context today, as we commercialize our travel to Space.

They give us some basis for how over two decades later, the best practices are still very much the same.

Except for this.

Today, "Vulnerability Management" now has the Cloud, Quantum and more powerful AI…

22 March 2024

Enterprise Security Risk Management (ESRM): Be Proactive…

What are three major questions that most CxO executives and Boards of Directors need to answer when confronting information security issues:

  1. Is your security policy enforced fairly, consistently and legally across the enterprise?
  2. Would our employees, contractors and partners know if a security violation was being committed?
  3. Would they know what to do about it if they did recognize a security violation?

In today’s complex 5G wireless world, global supply chains, nation states or insider threats to the information infrastructure of a company or government agency are not static, one time events.

With new exploits, vulnerabilities, and digital attack tools widely available for download or X-as-a-Service (XaaS), a “complete information security solution” in place today can easily become outdated and incomplete tomorrow.

As a result, a comprehensive security architecture solution must be flexible and dynamic, continuously monitored and updated.

Presently, the news of “Zero-Day” digital-threat events tends to spread through the computer security world in a “grapevine” manner.

Threat information is obtained from specialized websites, e-mail listservs, cyber managed services and countless other informal sources.

This haphazard system is incomplete and therefore raises enterprise security risk management concerns when evaluating the damaging, costly effects of an aggressive, systematic digital event.

A comprehensive security solution requires the careful integration of people, processes, systems and external events that allows correlation and implementation of a “layered” defense coupled with a firm application of risk-management principles.

To fully protect electronic information architectures, an organization needs current intelligence and analysis that allows constant adjustment and fine-tuning of security measures (e.g., firewalls, intrusion-detection systems, virus protection) to effectively defend against a rapidly changing landscape.

Threats and vulnerabilities relating to computer networks, websites and information assets must be addressed before an attack occurs.

Proactive Awareness and the ability to make informed decisions are critical.

So what?

In short, as our global electronic economy plays an increasing role in the private and public sectors, critical infrastructure organizations must take advantage of the resulting new opportunities for growth and gains in efficiency and productivity.

Realizing these gains, depends on an organization’s ability to open its information architecture to customers, partners and, in some cases, even competitors.

This heightened exposure creates greater risk and makes an organization a more likely target for attack (e.g., information and monetary theft, business ransomware disruption).

The cost of critical infrastructure failure climbs exponentially in relation to increasing reliance on our integrated systems with partners, subsidiaries and your vital supply chain.

Be proactive…

15 March 2024

OSINT 2: When is it Time?

Wonder why some companies don't have a more proactive OSINT (Open Source Intelligence) operation inside their own institution, looking at and analyzing potential “Threat Intel” across their global domains?

While there are very expensive services that can package up exactly what you are looking for, sometimes it just takes a little more time and the right “Sources."

You could get a service at x-iDefense or even a more wide range of collection capabilities from the likes of x-Cyveillance to assist the in-house OSINT operation.

Throw in some Stratfor, OSAC and one or more variations of Symantec or Qualys or Seerist and you have it mostly covered. Except for one thing.

Plenty of "Gray Matter.”  How many qualified analysts do you have on your team?

We might agree that there is more information out there than anyone could possibly imagine accessible with a few clicks and keystrokes.

Yet the easy part is the collection and the filtering or storage. Making any sense of it all with the relevance you seek is the "Holy Grail" for you, today.

Yet that might change tomorrow.

It's the consistent development of a new hypothesis and testing it that determines who will get the next new piece of information ready for OSINT.

And still the question remains. Will this be better kept a secret, or out in the “Wild"?

The argument usually isn't whether the results of the test should be published, it's more about when to publish.

Open Source Intelligence is going to be around for some time to come. The tools are getting even better to find and process massive volumes of information.

Think AI.  Think GPU.

The only real impediment will continue to be those who want to wait and hold on to it, a little longer…

09 March 2024

SPRINT: Folin Lane to Cislunar...

It was the year 1997 and there was another client meeting at the headquarters of Navy Federal Credit Union in Vienna, Virginia.

Traveling through Tysons Corner on Route 7, the Spring colors from Dogwoods were in full bloom. The Navy Federal HQ was tucked away in the woods just a short ride down Chain Bridge Road (123) past Westwood Country Club then a left onto Folin Lane.

The IBM Personal Computer was just now quickly replacing the old CRT terminals sitting in the "Teller Windows" at 80+ branches in port locations across the USA and the world.

With NFCU overseas member branches today in Bahrain, Cuba, Greece, Guam, Korea, Italy, Japan, Singapore and Spain, the Internet and the use of banking protocols outside proprietary computing networks was just in its infancy.

Meeting up that early Spring day with NFCU key IT executives and our fellow Noblestar Team of outside Software Quality Assurance (SQA) experts such as David, Gia and Howard, the topic on that day's agenda was automated testing for bugs.

"No not Cicadas. You know, Vulnerabilities. Software Errors. Cracks in the Code."

Places that credit union software systems might be broken, running across the new IBM PCs networked to replace the terminals (CRT) from Annapolis to San Diego to Guantanamo to Italy.

Our innovation then in Software Quality Assurance, was about writing automated scripts that would rapidly test software.

The testing scripts developed by our Team in the SQA software, would help simulate hundreds of real people working at their new IBM PCs doing deposits, transfers and withdrawals as just one example.

Members of our Armed Forces who were NFCU customers (members), were counting on the IT personnel in Vienna, VA to help their branch managers keep their systems up-time-all-the-time, without vulnerabilities to the swarm of growing cyber exploits via the Internet.

So what?

True innovation begins with discovering a problem-set that has high value. Then figuring out if it can be solved quickly. A SPRINT.

To find a real solution to the problem-set that allows for the widget, the software, the process or the vehicle to do its job. What it was designed to do.

Whether it is software running on the IBM PC at the Teller Window at NFCU in Guam in 1977 or the sophisticated cislunar software running on a Space Force Lunar Lander on the Moon in 2024, what matters most?

Our United States' next-generation abilities to use software to more rapidly discover problems and test new versions are even more vital.

Now imagine, humans working with new AI-powered software applications to augment our abilities to discover and rapidly solve new sophisticated problem-sets, a galaxy away.

This is already our SPRINT destiny…

17 February 2024

Antares: Innovation from Country Roads to Cislunar...

It was early February 1971 and three High School best friends consistently car pooled to do a little early morning “Country Roading”, in the white Pontiac LeMans on the way to school.

This was just a circuitous route down tree lined roads and around vast farm lands in the Midwest USA.

We were always set to arrive in the school parking lot, just in time to make it to our locker and then to 1st period before the bell rang.

Our dialogue on Capital Avenue SW and west on Beckley Road quickly turned to the prescience of the Apollo 14 Antares Lunar Lander and its planned descent to the Moon in a few days' time, on February 4th.

Country roading this early morning gave us guys a chance to catch-up, then map and sketch out where we would rendezvous to watch together the Apollo 14 coverage of Commander Alan Shepard, Command Module Pilot Stuart Roosa and Lunar Module Pilot Ed Mitchell.

Before we as young teenage students ever knew what true innovation was really all about, we were about to see and read about it in the national news.

And little did we anticipate that when you encounter the “ABORT” signal, you sometimes have to just improvise. Test. Improvise. Test.

“After separating from the command module in lunar orbit, the LM Antares had two serious problems. First, the LM computer began getting an ABORT signal from a faulty switch. NASA believed the computer might be getting erroneous readings like this if a tiny ball of solder had shaken loose and was floating between the switch and the contact, closing the circuit. The immediate solution – tapping on the panel next to the switch – did work briefly, but the circuit soon closed again.”

Software engineering and Software Quality Assurance (SQA) is a continuous cycle of development, testing, errors, changes, testing and deployment. The software teams at MIT knew this first hand.

“A second problem occurred during the powered descent, when the LM landing radar failed to lock automatically onto the Moon's surface, depriving the navigation computer of vital information on the vehicle's altitude and vertical descent speed. After the astronauts cycled the landing radar breaker, the unit successfully acquired a signal near 22,000 feet (6,700 m). Mission rules required an abort if the landing radar was out at 10,000 feet (3,000 m), though Shepard might have tried to land without it. With the landing radar, Shepard steered the LM to a landing which was the closest to the intended target of the six missions that landed on the Moon.”

As our United States continues our next generation of the commercial race to the Moon, we can only anticipate future “ABORT” signals. Prototypes. Testing. Innovation.

After so many years working in global places where Software Quality Assurance was mission critical, you finally will learn as a professional, that it is never finished. It is never perfect.

So what?

Our USA will always be a leader because we have already been there, with humans actually operating on the Moon.

We know what will be challenging and why a hypothesis might end up being changed and adapted.

As our next human race to the Moon continues and our cislunar challenges are encountered, we know that we must continuously improve and innovate.

The same strategy shall also work here for you today on Earth, in your own small town…around your own dinner table each night…

Godspeed!