Shutting Down!

Effective June 1st, I am discontinuing this blog. To my 13,000+ subscribers and followers, I appreciate your interest and loyalty. This site is just too difficult to maintain along with all of the other content.

Please follow me on Twitter at https://twitter.com/sking1145

and on peerlyst at https://www.peerlyst.com/users/steve-king

and on LinkedIn at https://www.linkedin.com/in/steveking1145

and on our own website at https://www.netswitch.net/category/news_and_views/

Thank you all for your continuing support. Peace.

BYOD – BRING YOUR OWN DISASTER

Today’s business landscape is constantly evolving, presenting new opportunities and challenges like the migration to public and private clouds, the never-ending wider roll-out of mobility and BYOD programs, and all of the new cyberthreats designed to exploit these technologies.

At the RSA conference this year in San Francisco, Check Point decided to find out what cyber security professionals felt about the impact of these changes and threats on their organizations’ security postures. They surveyed 1,900 attending IT professionals from organizations with 1,000 or more employees.

The results clearly support the growing threat that BYOD programs have introduced into the landscape and inspire me to re-post much of what I wrote over 6 months ago which caused an uproar of disagreement from the InfoSec community at the time.

As for the survey, 65% of the security professionals polled said data loss was their main mobile security worry, followed by lost or stolen devices (61%), users downloading unsafe apps or content (59%) and unauthorized access to corporate data and systems (56%).

Many of today’s BYOD risks are similar to those experienced when securing PCs and laptops back in the day, but quickly become compounded due to the fact that modern mobile devices are always connected to the Internet, are primarily consumer grade, and are updated and/or replaced far more frequently.

Mobile devices also, of course, commingle personal and business applications, presenting additional comedy when attempting to secure and manage these devices compared to the corporate PCs and laptops of old.

The post that caused an uproar called for a temporary ban on BYOD programs until we figure out how to control and manage them better.

I wrote then that there is tremendous cyber-risk to all business and a set of rapidly increasing threats expanding across an array of actors whose presence we hadn’t contemplated even as recently as just last year. There are tons of vendors attacking each vector with a point solution that in theory makes sense and holds tremendous appeal on the basis of their individual promise.

There are a lot of people who have been around the information security space for a while who are very concerned that we are losing our grip on any possibility of containing the threats, and a large group of people who have entered the space recently who actually believe the marketing promise for most of these new products. And in addition, there are lots of the same people who think that all you need to do is implement the technology and the problem [whatever it might be] magically disappears.

There were over 400 product vendors at the most recent RSA conference [2016], many of which had raised in aggregate over $60 billion over the last three years. In the third quarter of this year alone, there were 5 deals of $50M+ and 10 deals between $25M and $50M, with a total funding volume of $1.3B across 80 deals, a record number of deals and the second largest funding volume since 2010; fundraising volume this year to date has already exceeded all of 2015.

We have lots of money chasing a holy grail that doesn’t exist. With all of these start-up product technologies, we haven’t even come close to thwarting the majority of threats. Why? Because most of them start and end with people.

Even if we were to somehow be able to create a single solution that solved today’s big cyber-security problem, the attackers would not just decide to stop farting around, pack their things, admit defeat, throw down their weapons and go home. And even if we were able to achieve through technology a lasting success against the majority of threats, who would it be that would configure, implement, manage, tune, optimize, maintain, monitor for, respond to and remediate the minority of threats that became successful breaches?

Of the $1.3 billion invested this year, exactly zero was invested in service companies. So, no one.

That “Please, No More BYOD” post accumulated several thousand views in 5 days and of those who commented, 80% had something positive to say in support of the basic premise and 85% forwarded the post to their networks. Interestingly, of the positive responses, the job titles were mostly people who had responsibility for the defense of the enterprise and ranged from lawyers, to safety managers, to IT managers, to CISOs, compliance people, security architects, HR officers, IT project managers, security analysts and engineers, etc.

Those who bothered posting negative comments came mostly from a service desk manager, a senior consultant on embedded platforms, a product manager at a software vendor, a lead systems engineer for a software vendor, a pre-sales engineer at a software vendor, a cloud advisor at a software vendor, etc. There is a pattern here.

Their arguments ran along the lines of:

“Oh please, there are plenty of good mobile device security solutions out there. This is the sort of FUD that suggests antediluvian thinkers in the ‘C’ suite.”, and

“… all of the above technologies I speak of can be run on a BYOD device, WITHOUT the MDM. So you can close off the Enterprise from the user’s device and still mitigate your risk without having to take over their device as a whole.”, to

“Not sure what your experience is with such technologies, but I can assure you that a managed iPhone is WAY safer than a Windows desktop, and much less vulnerable to malware.”, and

“An MDM with a secure internal lock box technology, like [product name], security is rock solid for mobile users. We can use up to 5 devices at [vendor name]. Mobile is here to stay!”

The majority of the arguments ranged from a) I must be unaware of the vast panoply of cool technologies that can easily manage the mobile threat, b) I am an antediluvian thinker likened to counterparts in the [God-forbid] “C” suite, c) I live off the results of sowing Fear, Uncertainty and Doubt, and d) I have my head up my ass.

By the way, while (d) is probably true, if any one of the “cool technology” naysayers had bothered to check, they would have seen that we partner with some of the best MDM and Mobile device security product vendors on the market today.

This is one respected researcher’s view of Mobile security:

In 2015, Kaspersky detected almost 5.5 million pieces of malware on more than 3 million user devices. And as reported by IT Web, the number of new malware programs detected each day has reached over 430,000, many of which target mobile devices. I believe [for the record] that every company should be running some form of mobile device management software, but the technology’s drawbacks make it an incomplete solution to IT’s problems.

And because you asked, these are a few of the major threats from Mobile devices or a BYOD program:

Mobile apps are often the cause of unintentional data leakage. For example, “riskware” apps pose a real problem for mobile users, who generally grant them sweeping permissions but don’t always check what those permissions allow. These are typically free apps found in official app stores that perform as advertised, but also send personal—and potentially corporate—data to a remote server, where it is mined by advertisers and even [gasp] cybercriminals.

Data leakage can also happen through hostile enterprise-signed mobile apps. In those cases, mobile malware uses distribution code native to popular mobile operating systems like iOS and Android to spread high-value data across corporate networks without raising red flags. The solution, as with most of these risks, does not involve some magic-bullet software package but rather adherence to permissions policies; no software solution is going to eliminate the need for those policies, and they are very difficult to enforce.
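The permission problem described above is one of the few in this list that can be checked mechanically before an app reaches a BYOD phone. The following is an added example, not code from the original post or from any vendor it mentions: it parses a constructed Android manifest for a hypothetical flashlight app and reports the data-sensitive permissions it requests beyond the set a reviewer has judged justified for that app’s purpose. The permission names are real Android permissions; the sensitive subset, the sample manifest and the allowlist are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of Android "dangerous"-level permissions that expose personal (and,
# on a BYOD phone, potentially corporate) data. The names are real Android
# permissions; which ones to treat as sensitive is an assumption of this example.
DATA_SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed manifest for a hypothetical flashlight app. A flashlight has a
# plausible reason to request CAMERA (the LED is driven through the camera API)
# and INTERNET (ads), but no business reading contacts or precise location.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Every <uses-permission android:name=...> declared in the manifest, in order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for element in root.iter("uses-permission"):
        name = element.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def excess_permissions(manifest_xml, justified):
    """Data-sensitive permissions requested beyond what the app's purpose justifies.

    `justified` is the reviewer's allowlist for this particular app. Anything
    sensitive outside it is exactly what a user tapping "Allow" on install
    hands over without checking.
    """
    requested = set(requested_permissions(manifest_xml))
    return sorted((requested & DATA_SENSITIVE) - set(justified))


def review(manifest_xml, justified):
    """Verdict an app-vetting step could act on before the app is permitted on a managed device."""
    excess = excess_permissions(manifest_xml, justified)
    return {"allow": not excess, "excess": excess}


if __name__ == "__main__":
    # Expected: the flashlight is refused because of READ_CONTACTS and ACCESS_FINE_LOCATION.
    print(review(SAMPLE_MANIFEST, {"android.permission.CAMERA"}))
```

The allowlist is per app, not global: the same `READ_CONTACTS` that is excessive for a flashlight is expected for a dialer. The value of the check is that it forces someone other than the end user to write down why each sensitive permission is needed before the app is approved.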

Unsecured Wi-Fi presents a major threat because no one wants to burn through their personal data plan when wireless hotspots are available. This is yet another instance where software technologies cannot address user behaviors. The phones after all, belong to the employee and not the company.

In study after study, researchers have shown that free wireless networks are easily compromised, and attackers have also been able to easily intercept users’ social media, PayPal and even VoIP conversations. Enforcing rules about never using free Wi-Fi on an employee’s personal device is difficult if not ultimately impossible, regardless of how cool the MDM software might be. And it has far-reaching, and as yet inadequately explored, privacy litigation implications that will haunt businesses in the future.

Can you imagine the plaintiff arguments based on their employer insisting on the use of personal iPhones for business applications because the company had rolled out a BYOD program and poor Marty, the A/P clerk was just trying to access his banking app when all of a sudden … ?

Network spoofing happens all the time where hackers set up fake access points (connections that look like Wi-Fi networks but are actually traps) in high-traffic public locations such as coffee shops, libraries and airports and then give the access points common names, like “Free Airport Wi-Fi” or “Coffeehouse,” which encourages users to connect.

In some cases, attackers require users to create an “account” to access these free services, complete with a password. Now some of you will say, “No one is that stupid”. To which I say, “Huh?” The cyber-thieves know that most users employ the same email and password combination for multiple services, allowing the hackers to compromise their email, e-commerce, and other secure information. Again, no MDM software is going to solve that problem.

In addition, some VPN implementations only protect part of a device’s network communications. The MDM [software] agents themselves are not sophisticated enough to fend off all attacks, because device and OS manufacturers don’t provide MDM vendors with all of the code necessary to completely manage the devices, and MDM providers have a tough time supporting new operating systems as quickly as those OSes come out.

And, since mobile devices are always powered on, they represent the front lines of the phishing wars: studies have shown that mobile users are the most vulnerable, the first to receive these legitimate-seeming emails and the first to take the bait. Why? Desktop users, who only check their email infrequently throughout the day, are often warned off by tech news sites or security bulletins before they click.

It’s not always malware that users should be worried about, but rather spyware installed by spouses, coworkers or employers to keep track of their whereabouts and usage patterns. While helpful, no endpoint antivirus program is able to detect all of today’s malware strains, and spyware is a heavily targeted category of threat vector.

Many mobile app developers use weak encryption algorithms, and even strong encryption can be useless if not properly implemented. To speed up app development and reduce time to market, developers frequently use standard encryption algorithms that already have known vulnerabilities. They also inadvertently, and sometimes intentionally, leave “back doors” open for specialized access, which renders their apps ultra-vulnerable to modification of high-level functions like sending or receiving text messages.

To facilitate ease of access for mobile device transactions, many apps make use of “tokens,” which allow users to perform multiple actions without being forced to re-authenticate their identity. Similar to passwords, they’re generated by apps as a way to identify devices. Secure apps generate a new token with each access attempt, or “session,” and those tokens should remain confidential.

The problem occurs when an app unintentionally shares session tokens with malicious actors, allowing them to impersonate legitimate users. No MDM platform can manage improper session handling or know in real-time whether a session token belongs to Hillary or Sebastian.
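The two paragraphs above describe what a token is supposed to do and what goes wrong when one leaks. As an added example (not code from the original post), here is the server side of that contract: a fresh unpredictable token per session, stored only as a hash, bound to the device it was issued to, expired when idle, rotated on demand, and revoked outright the moment it is presented from a different device, which is the “token belongs to Hillary but Sebastian is holding it” case. The in-memory store, the 15-minute idle timeout and the device-binding rule are assumptions of the example, not a description of any particular MDM or app.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory session store, keyed by a SHA-256 hash of the token so
# that a copied store does not hand out usable tokens. A real service would use
# a database or cache with the same shape.
SESSIONS = {}
SESSION_TTL_SECONDS = 15 * 60  # idle timeout; an assumed value for this example


def _key(token):
    """The server never keeps the raw token, only its hash."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_session(user, device_id, now):
    """Start a session: a fresh, unpredictable token per login, bound to one device."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[_key(token)] = {"user": user, "device_id": device_id, "last_seen": now}
    return token


def validate_session(token, device_id, now):
    """Return the user who owns this session, or None if the token must be rejected.

    Three failure modes are handled: an unknown or revoked token, an idle
    timeout, and a live token presented from a device other than the one it was
    issued to. The last case is the leak scenario from the post, so the session
    is revoked outright rather than merely refused.
    """
    key = _key(token)
    record = SESSIONS.get(key)
    if record is None:
        return None
    if now - record["last_seen"] > SESSION_TTL_SECONDS:
        del SESSIONS[key]
        return None
    if not hmac.compare_digest(record["device_id"].encode(), device_id.encode()):
        del SESSIONS[key]  # treat as compromised: kill the session everywhere
        return None
    record["last_seen"] = now
    return record["user"]


def rotate_session(token, device_id, now):
    """Swap the current token for a new one (for example after a privilege change).

    The old token stops working immediately, so a copy captured earlier cannot
    be replayed once rotation has happened.
    """
    user = validate_session(token, device_id, now)
    if user is None:
        return None
    del SESSIONS[_key(token)]
    return issue_session(user, device_id, now)


def revoke_session(token):
    """Explicit logout or an MDM-triggered wipe: forget the session server-side."""
    return SESSIONS.pop(_key(token), None) is not None


if __name__ == "__main__":
    t = issue_session("hillary", "device-A", now=0)
    print(validate_session(t, "device-A", now=60))   # hillary
    print(validate_session(t, "device-B", now=61))   # None, and the session is now revoked
    print(validate_session(t, "device-A", now=62))   # None, even from the original device
```

Note what this does and does not fix: it stops a leaked token from being useful from another device and limits how long any token lives, but nothing here prevents the app from leaking the token in the first place. That is the point the post is making about MDM; it is the app’s own session handling, not the management layer, that has to get this right.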

In addition to those seven threats, and for those who complained that Windows desktops are more vulnerable than mobile devices: anything and everything, including desktops and laptops, connected to a mobile network is increasingly responsible for infecting smartphones and tablets, their own flaws enabling malware to travel from an infected Windows desktop over the mobile network and into an iPhone. It may not happen directly; instead, in an effort to bypass MDM controls, it often takes the form of embedded code in an enterprise mobile app.

High-level access from personal mobile devices means smartphones and tablets effectively take the place of desktops, and while they may be less vulnerable, Android simply doesn’t offer the same level of built-in security or control. I will leave the discussion of the impact of the future threat mega-multiplier known as IoT for a later post, but suffice to say, we ain’t seen nothing yet.

Most CISOs and security professionals agree with the notion that mobile device security threats are both increasing in number and evolving in scope, and that we have only begun to fight a war against a small and evolving enemy, soon to be joined by the ranks of a large number of impossible-to-control IoT devices.

The choices are simple.

We must either halt these programs until we can figure out how to better protect and defend against the expanded threats, or …

… we must be willing to take the risk that by relying on MDM and similar supplementary technologies to manage our mobile infrastructure, this act of deliberately increasing our threat surfaces will be offset by the gains in productivity, convenience and employee satisfaction.

Have things changed since this was originally posted back on November 13th, 2016?

Yes. They’ve gotten worse.

OFFENSE? DEFENSE?

Many pundits have been banging on recently about cybersecurity “offense vs. defense”.

The collective belief seems to be that our cybersecurity offense has gotten way ahead of our defense, and somehow it is tied to money. I am sure they have a good basis for their opinions, but I’m hoping that this position may be in some part why President Trump has delayed his executive order on cybersecurity.

If anybody’s making any money in cybersecurity, it’s the defense guys. Not that any of it is working, but that’s where the money is. We will see 400 plus exhibitors at this year’s huge cybersecurity conference (RSA in San Francisco this week) and all of them will be focused on defense.

We are now fighting a cyber war against very sophisticated and highly organized adversaries, yet we still approach cybersecurity with a strictly defensive mindset.

Our insistence that having the best defense will keep us safe has resulted in more than $85 billion in venture capital funding for security technologies that are designed to defend against advanced adversaries, the same adversaries who continue to demonstrate their ability to break through any defense at any time and do whatever they want.

We need to start approaching security by thinking about how we can stop an offense, which is different than mounting a defense. Think about armed sentries standing at watch in a gated community. That’s defense. Now think about a supplemental recon force patrolling the grounds armed with intelligence and tracking tools, looking for intrusions and perimeter penetrations. That’s stopping an offense.

Instead of focusing all of our energies on our vulnerabilities as we have in the past, we need to organize to seek out the attacker’s footprints, their behaviors and their weaknesses and start using the enemy’s activities to our offensive advantage. We need to shift our mindset to view the corporate or government computing environment as a battlefield and begin to adopt classic military principles to gain an advantage and balance the asymmetry that is now killing us.

In every aspect of the cybersecurity battle, from economics to information, and from technology to education we are outgunned. Our banks are spending $500 million a year (JP Morgan Chase) to defend against a $25 exploit purchased on the dark web by some guy somewhere with a PC and an Internet connection.

We know nothing about our attackers (the involvement of Russian hackers in our recent election is still not proven, nor is the attribution of the attack on Sony Pictures), yet our attackers know everything they need to know about us. Why? Because they probe and attack and learn exactly which technologies we are using to defend ourselves. We are at a severe informational disadvantage.

We use outdated technologies to defend critical assets (the Office of Personnel Management records were defended by a 12-year-old technology) and remain focused on our perimeters, our end-points (mobile phones and desktops) and our websites, while our attackers figured out long ago how to get around, through and under every defense we mount.

And it isn’t because we haven’t figured out how to apply artificial intelligence, machine learning, big data, predictive analytics and advanced behavioral modeling. We have.

Finally, while the North Koreans, Iranians, Chinese and Russians are drilling tens of thousands of students in the nuances of cybersecurity hacking, defense and attack vector development, our colleges here in the US offer almost no coursework in cybersecurity, even inside computer science curricula. And by the way, it is really hard to get into those programs over there. In addition to being math and computer geniuses, the applicants must speak and write fluent English.

In order to shift this dynamic, we need a combination of rich, active data and advanced analytics so we can link individual behaviors to an entire campaign and catch an attack before it has the ability to develop. This means constantly performing reconnaissance and collecting information and analyzing it in real time. With this knowledge, we can begin to control our environments instead of allowing the attackers to dictate the terms.

So, why aren’t we doing it?

Cybersecurity resides in IT and IT departments aren’t run by people who view security issues with a military mindset. Today’s IT leaders evaluate security incidents in isolation and don’t think of their IT ecosystem as a field of battle, or for the most part acknowledge that we are at war. In addition, most IT leaders are still evaluating second generation cybersecurity technology while our enemies are using third generation attack techniques.

We have successfully launched advanced artificial intelligence products that can perform sophisticated analytics on threat data and reduce the incidents of potential compromise by 85% but they have had trouble gaining traction. This technology is only in use in a handful of companies.

The bad guys continue to outpace the good guys in every aspect of cybercrime. While this fact is troubling to businesses and organizations dependent on increasingly digital operations, it is beyond troubling in the Internet-connected physical world. The boundaries between cyber and physical security are disappearing.

The hack of the Bowman Avenue Dam near Rye Brook, New York was a good example of a phishing attack carried out by an enemy nation state that led to their control and manipulation of the flood gates. They didn’t want to steal anything. The purpose of that attack and the Dyn attack last October which shut down the web for an entire day was to test our vulnerabilities in defense of critical infrastructure.

Last year alone, Homeland Security responded to 245 cyber incidents reported by critical infrastructure operators, 32% of which were in the energy sector.

I can only hope that a review of the conditions on the ground caused the Trump team to delay the executive order. Like him or hate him, maybe we will start to take the problem seriously after all.

PASSIVE SOCIAL NETWORKS AND AUGMENTED REALITY: FUTURE OPPORTUNITIES IN CYBERCRIME

Think of cybersecurity today as you would an 8-track tape player. And, think of 8-track cartridges as the equivalent of Twitter, Snapchat, Instagram and Facebook. Then, fast forward about 5 years and imagine a digitized version of music delivery (as in iTunes) taking the form of a passive social media embedded in an augmented reality world.

Huh? Here’s what I mean: Many technology analysts predict that today’s concept of actively “posting” or “sharing” will be frowned upon in the future and will be entirely replaced by a passive stream of your life’s experiences, whereabouts, and media consumption. Andy Warhol’s droll prediction of 15 minutes of fame will be expanded to 24×7.

We will have a 24 hour channel of “you” that is always live (or automatically programmed), always accessible to your friends (or, if you were born in the age of transparency, post-2000, accessible to anyone), and always completely “authentic”. Any effort to actively post something will be seen as “manual editing” and will be broadly perceived as a huge negative no-no. Quality of streams will be community- and algorithmically-determined, surfacing the highlights of your experience in ways that are determined through machine learning and, as a result, will be assumed to reflect the “real” you as opposed to today’s “Facebook” you. The wisdom of crowds will enforce the authenticity by calling out clever fakes and workarounds.

In addition, we will all be riding a layer of augmented reality where our experiences will be enhanced by Geo-centric assistance/suggestions for food, beverage, entertainment, transportation, relaxation, stimulation, elimination, learning, exercise, sleep, housing, shopping, clothing, etc., in ways that we have selected through intelligence, machine learning and/or crowd sourced filtering to provide us with only the things we “like” and none of the things we “don’t like”.

These two emerging paths will merge to create a slew of social products and new forms of media advertising designed to entice not just you the traveler but also in the form of a natural viral infection, the people following you on your life journey. Whatever you are doing or consuming will become a catalyst for others’ discovery.

This means that today’s forms of paid user acquisition will become obsolete, and will instead be replaced by “product placement” and “experience placement.” This will be great for you because the prices you will pay for products and services in your life will be offset by the exposure you bring to the brands you use. The cooler you are, the bigger your network and the better your conversion from viewers (CFV) measures become, the less your life will cost.

The relevance for social networks will be perishable and will rely entirely on context. They will move in and out of your augmented reality as they are useful. For example, you take a trip to New York City in April. Your social network will come to life enabling Big Apple navigation, events, connections, restaurants, friends, hotels, etc., and then just as suddenly disappear when your trip is over to be replaced by the next passive network infestation. Given the absence of manual editing, these networks will be trusted and become an effective form of empathy and truth. We will fall in love with machine learning.

Setting aside whether you think this all sounds “amazing and awesome” or “nightmarish”, not only will your augmented reality be continually under siege by advertising and product placement wars, but more importantly, you will be even less able to distinguish truth from fiction than you are today. Our current versions of ad blockers may advance in tandem with conventional advertising or product placement technologies, but ideas will be more difficult to deal with than products, machine learning or otherwise.

If our inability to attend to the cybersecurity issues around IoT to date is any indication, our future augmented reality platforms will become giant petri dishes for fraud and misdirection. Imagine what happens to your cognitive awareness if you receive all of your “information” from Fox News, or conversely from MSNBC? It is one thing to have a million records containing personally identifiable information stolen from a company’s databases via a cybersecurity breach, but it is quite another to be able to continually influence the direction of purchasing decisions of billions of consumers. A product marketing manager’s wet dream? Sure.

But the implications are obviously much greater and widespread and elevate the issue of cybersecurity to a different level.

I am sure we will all be able to install adaptive artificial intelligence combined with instant crowd-sourced filtering that will override unwelcome parts of our augmented reality experience, and these will work fine right up until the moment that the bad guys figure out how to work around the defenses. In today’s world, this usually takes about 30 days. I see nothing in the way of technological advances that will shore up or lengthen that cycle.

The recent technology advances that have enabled this rapid evolution to a new world of spontaneous and copious information served up through our augmented reality platforms (our iPhone as today’s version of the 8-track player) are exciting and loaded with opportunity for both consumers and entrepreneurs and for capitalism as a whole.

It would be useful, however, if we could just slow things down a bit and seriously address the cybersecurity risk associated with this direction before we plunge ahead. Because if we don’t, I am not so much worried about bad guys being able to influence consumer behavior or even global politics as I am about our own government finding the rationalization to swoop in and “protect” us all by erecting another institution to regulate our collective behavior.

Whether it’s the future of passive social media and augmented reality or the present state of IoT defenses or even our immediate inability to protect our national infrastructure (vis-a-vis the October 21st DDoS probe) or the sensitive data that resides in most small and medium sized businesses, or medical and surgical devices in hospitals and treatment centers, we need to address the issue seriously and begin to implement technology and service solutions that can mitigate these attacks and deal with them appropriately.

If we don’t start sending that message now, we will be forever doomed to this cycle of probe, attack, breach, exfiltrate and conquer with no end in sight. And the really big prizes for able cyber-criminals are waiting in the wings.

INSIDER THREATS ARE STILL NUMBER ONE

10-17

In spite of headlines that might lead us to believe that security breaches are the result of external hackers (Russia) attacking our perimeter defenses or the continued failure of all of our advanced technology, the majority of breaches actually occur due to some action or failure of someone inside the enterprise.

In IBM’s recent report titled the 2016 Cybersecurity Intelligence Index, they found that over 60% of all attacks were carried out by insiders. Of those attacks, over 75% involved malicious intent and the balance were due to inadvertent mistakes. Of all industries studied, manufacturing, financial and healthcare came in as the top three owing to their stores of personal data, intellectual property, physical inventory, and massive financial assets under management.

Regardless of the differences in assets defended and regulatory requirements, the common denominator among all these industries was people. They all had employees and each of them represented some form of an insider threat.

There are three primary types of insider threats:

  • Joyce in accounting. Cyber criminals posing as trusted employees through hijacked identities easily compromise corporate systems through social engineering enhanced phishing email attacks. It happens multiple times every day and due to increasing regulatory oversight and fines, it is rarely reported.
  • Just plain dumb. Human error is a major factor and consistently recurring theme in most breaches. They come in the form of mis-addressed emails, lost devices, sensitive and confidential data sent to insecure home systems as well as well-intentioned system admins whose complete access to corporate systems can amplify a small mistake or sit at the root of privilege compromise.
  • A thief named Bob. With the advances and availability of exploit kits and malware on the Dark Web, anyone can become a script kiddie these days and almost all of us have a price. Disgruntled and even otherwise complacent employees are easily corrupted [I will probably get flack for this but …] and the threat of a malicious employee whose intent is to steal or damage is a very real risk today. At stake is competitive and secret intelligence information, proprietary data in the form of algorithms, formula, designs, plans, drawings, code, etc., sensitive employee PI or PH information, high value market intelligence, etc., and some employees, contractors, spouses and subs may just have a vendetta against the enterprise.

Not only can malicious actors erase evidence of their activities and presence, their access privileges gain them ingress to trusted system which will fly under the radar of even the most advanced technologies. Before anyone gets upset here, I realize there are [and we have partnered with] some very cool technology solutions that specifically address insider threat in a way that can isolate, identify and apprehend the actor in process based on behavioral analytics and machine learning, but even with this assist, managers still need to be aware of certain behaviors and ways to focus their security efforts to get the greatest returns on these defenses:

  • The Holy Grail. We often fail to properly identify the assets at greatest risk and provide them the most rigorous protections and monitoring. The bad guys aren’t really interested in your annual 10-K. They want those engine designs, and affording each the same level of protection may not be the best strategy.
  • Assessing Employee Access. While it may not be politically correct, implementing a tiered monitoring of all users with a particular focus on those with the broadest and most authoritative access is probably a good idea. These would include system administrators, key product developers, contractors, suppliers, vendors, and top level executives.
  • Block and Tackle.
  1. Implementing the automatic application of software patches will close holes that hackers can use to access your network.
  2. Developing, implementing and enforcing strong policies for user identities and passwords will make stealing credentials much harder.
  3. Continually collecting and monitoring data on every device that touches your network makes sure that you will be the first to know if you’ve been hacked and the forensics will tell you exactly where and by whom. Anyone not running a SIEM/SOC these days is asking for trouble.
  4. Developing and implementing continuous user training, education and awareness programs are the key to reducing and even eliminating the “just plain dumb” insider mistakes. An ongoing program of testing against spoofs and fake exercises goes a long way to increase your employees’ cyber-situational awareness at a disproportionately low cost compared to the potential risk reduction.
  • Implement Behavioral Analytics. The nice thing about insider threats is that they are dependent upon people and people are creatures of habit. As a result, anomalistic behavior is fairly easy to spot by analytics engines that are set to monitor the behaviors and are based on adaptive machine learning that renders them smarter over time. User and event behavioral analytics are also really good at spotting policy violations that may not be associated with malicious behavior but may result in the overall improvement of your security landscape as a by-product.
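As an added illustration of the behavioral-analytics point above (example code, not from the original post or any vendor product): a per-user baseline of working hours, hosts touched and transfer volume is built from a window of constructed access-log lines, then each new event is scored against it, with a tighter threshold for the privileged users the tiered-monitoring bullet singles out. The log format, user names, hosts and thresholds are all assumptions.

```python
"""Per-user behavioral baseline over access-log events (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one event per line: "timestamp,user,host,bytes_out".
# These lines are made up for the example; they are not real data.
BASELINE_LOG = """\
2016-10-03T09:12:00,bob,fileserver01,1200
2016-10-03T10:40:00,bob,fileserver01,800
2016-10-03T14:05:00,bob,fileserver01,1500
2016-10-04T09:30:00,bob,fileserver01,1100
2016-10-04T11:15:00,bob,fileserver02,900
2016-10-04T15:45:00,bob,fileserver01,1300
2016-10-05T09:05:00,bob,fileserver01,1000
2016-10-05T13:20:00,bob,fileserver02,1400
2016-10-03T08:50:00,joyce,erp,300
2016-10-04T09:10:00,joyce,erp,250
2016-10-05T09:00:00,joyce,erp,350
"""

# Constructed events to score against the baseline.
NEW_EVENTS = """\
2016-10-06T10:00:00,bob,fileserver01,1250
2016-10-06T02:30:00,bob,engineering-vault,48000
2016-10-06T09:15:00,joyce,erp,300
2016-10-06T09:20:00,joyce,fileserver02,200
"""

# Users with broad access get a tighter volume threshold (assumed tiering).
PRIVILEGED = {"bob"}


def parse(log):
    """Turn the CSV-style log text into a list of event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, user, host, nbytes = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per-user profile: hours of day seen, hosts seen, mean/stdev of bytes."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    profile = {}
    for user, evs in by_user.items():
        sizes = [e["bytes"] for e in evs]
        profile[user] = {
            "hours": {e["ts"].hour for e in evs},
            "hosts": {e["host"] for e in evs},
            "mean": mean(sizes),
            "stdev": pstdev(sizes),
        }
    return profile


def score_event(e, profile, k=3.0, hour_slack=1):
    """Return the list of reasons an event deviates from its user's baseline."""
    p = profile.get(e["user"])
    if p is None:
        return ["unknown user (no baseline)"]
    reasons = []
    h = e["ts"].hour
    if not any(abs(h - bh) <= hour_slack for bh in p["hours"]):
        reasons.append(f"off-hours activity at {h:02d}:00")
    if e["host"] not in p["hosts"]:
        reasons.append(f"first access to host {e['host']}")
    # Floor the stdev at 1 byte so a perfectly regular user still gets a threshold.
    threshold = p["mean"] + k * max(p["stdev"], 1.0)
    if e["bytes"] > threshold:
        reasons.append(f"volume {e['bytes']} exceeds baseline threshold {threshold:.0f}")
    return reasons


def detect(baseline_log, new_log, k=3.0, k_privileged=2.0):
    """Score every new event; return (user, timestamp, reasons) for deviations."""
    profile = build_baseline(parse(baseline_log))
    alerts = []
    for e in parse(new_log):
        k_user = k_privileged if e["user"] in PRIVILEGED else k
        reasons = score_event(e, profile, k_user)
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in detect(BASELINE_LOG, NEW_EVENTS):
        print(f"{ts} {user}: " + "; ".join(reasons))
```

The second bob event trips all three checks at once; the joyce event trips only the new-host check, which is the kind of policy-violation signal the bullet above describes as a useful by-product.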

So, the next time we see a headline about a breach, let’s keep in mind that external attacks represent the minority of breaches and that the actor probably had insider help, whether in the form of an unintended identity share or outright collusion.

There is a lot you can do to make sure your company isn’t part of the next headline.

CYBER-SECURITY IS AN UPHILL BATTLE. HERE’S ONE REASON WHY

10-10

A team of researchers from NIST and the Institute of Electrical and Electronics Engineers published the results of a recent survey of end users where they discovered that a vast majority (over 94%) reported feeling “overwhelmed and bombarded, and tired of being on constant alert, adopting safe behavior, and trying to understand the nuances of online security issues.”

The multidisciplinary team of researchers found that users’ weariness led to feelings of “resignation, loss of control, fatalism, risk minimization, and decision avoidance, all characteristics of security fatigue.” In turn, that made them prone to “avoiding decisions, choosing the easiest option among alternatives, making decisions influenced by immediate motivations, behaving impulsively, and failing to follow security rules” both at work and in their personal online activities including banking and shopping.

On the other hand, a surprising majority of respondents (78%) also expressed skepticism that they would ever be targeted by hackers. “The data showed that many interviewees did not feel important enough for anyone to want to take their information, nor did they know anyone who had ever been hacked.”

The cognitive psychologist researchers called the findings “critical,” and concluded that if people can’t use security, they are not going to, and then we and our nation won’t be secure.

And those findings appear to be at the crux of the problem. Every security professional I know will tell you that our biggest threat is users (that would be people) who cannot or will not abide by policies, procedures and best practices.

However, in many cases it is the policies and not the users that form the core of the problem. These are often designed without any consideration of the user experience, in a vacuum of appreciation for how ordinary workers go about their day and whether it is reasonable to expect them to perform in certain ways. In many ways, we have, with the best of intentions, set up conditions that are guaranteed to fail.

Those who know me will know that I will go right to BYOD as a corporate policy that, while intended to accommodate remote workers with online access to networks and systems through a single (personal) mobile device, has created one of the broadest attack surfaces most companies will ever experience. Implemented without proper controls and security tools in place, BYOD equips employees with instruments of destruction regardless of whether use policies are adhered to.

That single example is one of many that when combined with user security fatigue and carelessly developed use policies is leading to even greater exposure to threat than we have enjoyed so far.

While we have not done the best job we could have with the tools and software available so far, we are further compounding the risk exposures through poorly thought out policies and practices, a lack of training and situational awareness and a failure to properly frame the risk responsibility that each employee must assume as part of their everyday activities.

While I am never a fan of Pollyannaish approaches to security issues, the study rightfully suggests three ways employers can try to alleviate security fatigue and help users maintain secure online habits and behavior. They are:

1)     Limit the number of security decisions users need to make;

2)     Make it very simple for users to choose the right security action; and

3)     Design processes that encourage and maximize consistent decision making.

Simple enough, right? Of course not, but those three points are a good place to start. I’m not sure we have given any of this much thought however, even though we probably don’t need a survey to tell us what we all feel ourselves. It has become increasingly difficult to remember 25-30 passwords or to keep track of which systems we have used for which purposes over time.

I am told that the researchers will continue their work, and will next interview professional computer users of varying levels of responsibility, including cybersecurity professionals, mid-level employees with responsibilities to protect personally identifiable information in fields such as health care, finance and education, and workers who use computers but for whom security is not their primary responsibility.

I am pretty sure I know what they will find.

LOOKING FOR TALENT IN ALL THE WRONG PLACES

9-26

Zero percent.

That’s the current unemployment rate in cybersecurity.

Twenty jobs open for every qualified candidate. Over 1.4 million open positions listed as “Information Security Analyst”.

Less than 10% of people employed in the information security field are women.

The average compensation for security analysts in California is $129,000 annually. The average pay for a CISO here in California is now above $430,000.

Market drivers:

1)     The volume of breaches and incidents of compromise increases every month and the numbers reflect only those which are reported, which are estimated to be only 40% of the actual incidents.

2)     The complexity and sophistication of the attacks is growing almost exponentially. The bad guys get smarter, while the good guys struggle with bureaucracy, confusing point solutions, a dysfunctional vendor market, budget constraints, resource constraints and technical inadequacy.

3)     The speed with which the attack vectors morph is astounding and the emergence of the Cloud and the wealth of data shared online make it easier than ever for malicious actors to discover security weak spots and create new attack vectors much faster than we can recognize and identify them, let alone concoct a remedy.

4)     While there are many qualified and smart people working in network and systems administration who could easily make the leap into a security analyst role, we concentrate instead on seeking Unicorns from the outside to help us save the day. The job descriptions are ridiculous.

Cutting to the chase, why don’t we stop writing job descriptions with a huge range of skill sets that even most CISOs don’t have and instead look inside to promote or move some of our capable existing resources over into these roles and get them the training they need to come up to speed?

I am quite certain that we could train a bright system admin in less time than it would take to recruit and board an experienced security analyst. And that assumes we could find one, have the budget to hire one without creating all of the attendant jealousy and disruption and expectations, and that we are actually cool enough to attract the candidate we seek.

After all, why should Mr. DefCON Ninja choose to work for Crapbotics in Sunnyvale?

And the only reason we don’t hire a Ms. DefCON Ninja is because there aren’t any. There are lots of women however working in data privacy who could easily make the transition. We need to immediately abandon this notion that the ideal Unicorn candidate is a seasoned male IT professional with a host of credentials. Women make better IT analysts anyway [IMHO].

It might also be instructive to take a look at the actual job duties being performed by the majority of resources in the field. Many InfoSec teams spend much of their time reporting or manually entering data rather than dealing with security issues in the first place. Do we really need a CISSP or EH cert to fill out a spreadsheet? We could reduce the size of the problem space by examining exactly what we need in these people before we rush to market.

A functional cyber-security program needs a leader and that is probably someone who is either certified as a CISO or has the hard-ball experience equivalency. It also needs one or two trained and/or experienced security analysts who can actually determine a real threat from a set of false positives and can evaluate outside vendor products and services against their own requirements. I am assuming that the typical struggling company here is not trying to create their own cyber-security solution as that would be simply stupid [explain in detail in another post].

And assuming that the leader is positioned in the company where she should be [working with or for the IT leader and not above or separate from], that person needs a solid background in IT [probably a former IT manager] and a solid background in technology [probably a former programmer or network admin]. Management experience and social skills are a must as dealing with a wide variety of confused and frustrated executives is definitely part of the job description.

The technicians could easily qualify in a few short weeks through an ethical hacker and CISSP certification and with a minimum of vendor assistance, they could wrap their brains around the issues and the solution architecture. One of the very best sources for technical knowledge is the CTO of your favorite security product or service vendor.

In order to satisfy some of the more formalized requirements embedded in audit or regulatory compliance issues, you don’t need to hire a seasoned CISO. There are lots of CISO-on-Demand and Virtual-CISO options available on the market and for a few thousand dollars, you can craft your compliance program and audit program so as to assure that your boxes are checked and your review schedule is solidified in ways that protect you from fines and may actually help you defend yourself as well.

A huge by-product is that your team members learn in the process all they need to know about the issues so that if you are able to retain them, you will be in good shape for the next go-around.

You can also hire an experienced CISO on that same temporary basis to work with your team to craft your own security program and create the actual policies and again, the experience rubs off, so your home team will be stronger for the future.

Until you get your basic cybersecurity hygiene up to par, even the best and most experienced security specialists will be constantly tasked with fighting fires and solving basic InfoSec problems. This is the stuff that your network guys do on a regular basis as it is. Today, it’s called resolving and recovering a network outage. What’s the difference to a network engineer between that and sorting out breach detections? Just a few new tools and a crash course in identity.

Of course, the last assumption in my thesis is that you will opt for automation wherever you can find it.

Whether you have a team of experienced and expensive security analysts or a rag-tag group of hastily trained converts from sysadmin, you don’t want them chasing down log events and trying to correlate historical evidence of intrusions with current network activity and sorting through false positives all day long.

You want to be able to leverage data analytics by making small investments in network behavioral tools and end-point detection technologies along with an external SOC/SIEM to assist with your program. This will always be way-y-y-y-y cheaper than hiring more security pros.

This will also allow you to establish a balance between reactive and proactive security so that your new team of internal security pros augmented by an outside consultant can improve your overall cybersecurity health.

You don’t have to be a victim of this current skills shortage.

With an honest evaluation of your current team, you can probably solve most of your InfoSec hiring problems, create a great career ladder and succession path for your employees, avoid the incumbent resentment and jealousies that will result from boarding experienced, expensive InfoSec pros, and let you focus on your next problem which will be the retention of your newly minted and suddenly marketable security analysts.

You Can Run But You Can’t Hide

9-6

Running works for a while but hackers can, and will, find you. Every time we think we have outsmarted the little devils, they whip out another workaround and we become toast.

A classic example is bio-metrics.

Many cybersecurity analysts recently got excited about facial recognition technology. Finally, a silver bullet appears but zap, some enterprising security researchers just demonstrated a particularly disturbing new method of stealing a face. This one uses 3-D rendering and Internet stalking.

Earlier this month at the USENIX security conference, some guys from the University of North Carolina, Chapel Hill presented a system that uses digital 3-D facial models based on publicly available photos and displayed with mobile virtual reality technology, which defeated facial recognition systems four out of five times. One out of five would be plenty, but this is a grand slam homer.

Biometric facial recognition systems use motion and depth clues to identify their targets so that a flat unidimensional photo won’t pass the snicker test. But a Virtual Reality-style face, rendered in three dimensions, can provide the magic stuff that these systems look for. And then if they can port it to a smartphone’s screen, so much the better. Which is what they did.

These guys of course used Facebook as their source, aka the new public library of biometric data, and they went about collecting images of their 20 volunteers the way any Google stalker might—through image search engines, professional photos, and publicly available assets on social networks like LinkedIn, and Google+ in addition to Facebook. They were able to collect at least 3 and as many as 27 photos of each subject.

One of the researchers pointed out that many of their study volunteers were computer science researchers themselves, and most had made an active effort to protect their privacy online. Nonetheless, the group was able to find at least three photos of each of them.

They tested their virtual reality face renderers on five authentication systems—KeyLemon, Mobius, TrueKey, BioID, and 1D, all of which are available from the Google Play Store and the iTunes Store and are designed for protecting data and locking smartphones.

To test the security systems, the researchers had the subjects program each one to detect their real faces. Then they showed 3-D renders of each subject to the systems to see if they would accept them. In addition to making face models from online photos, the researchers also took indoor head shots of each participant, rendered them for virtual reality, and tested these against the five systems. Using the control photos, the researchers were able to trick all five systems in every case they tested.

Using just the public web photos alone, the researchers were able to trick four of the five systems with success rates up to 85 percent.

This is bad news for the facial authentication systems that have been proliferating in consumer products like laptops and smartphones lately. Google announced earlier this year that it’s planning to put a dedicated image processing chip into its smartphones to do image recognition, which is intended to help improve Android’s facial authentication, which has proven to be, well, a joke. In the same breath, Google warns, “This is less secure than a PIN, pattern, or password. Someone who looks similar to you could unlock your phone.” And, if that is so, then why bother at all?

While the UNC researchers agree that it would be possible to defend against their attack, the question remains as to how quickly facial authentication systems will evolve to keep up with new and rapidly evolving methods of spoofing. New systems will probably need to incorporate hardware and sensors in addition to mobile cameras and web cams, which will probably be challenging to implement on mobile devices where the hardware footprint is highly limited.

But none of this seems to dissuade vendors from ramming these immature and untested products out the door, or proud early adopters from glomming onto them. Documented risks be damned.

Reminder: In the Office of Personnel Management breach last year, hackers stole fingerprint data for 5.6 million people. Those markers will be in the wild for the rest of the victims’ lives. That data breach debacle, and the UNC researchers’ study, should clearly illustrate the troubling nature of cyber-security fixes in general and biometric authentication in particular.

When your fingerprint or your mug slips into the ether, there is no password reset button.


NSA Leak Spotlights Critical Cyber-Security Problem For Business

8-22

“The Only Thing More Dangerous than Ignorance is Arrogance” ~A. Einstein, part-time theoretical physicist

The recent NSA leak has revealed a set of critical security vulnerabilities in market leading network products from companies like Cisco, Fortinet and Juniper.

The code samples released by the Shadow Brokers this week proved that they indeed were able to steal sensitive National Security information from what is supposed to be the best protected government agency on the planet, the National Security Agency.

Up until now, the Obama administration has required that agencies reveal any vulnerability they discover exclusively to a White House review board prior to releasing any of that information to equipment manufacturers or software producers. The methods revealed by the hack have now been disclosed to the product vendors, but as of this writing, not all have produced patches for their hardware. This conceit puts every user of those products at high risk until a patch is developed and applied.

Security experts are hoping the government will see this as a teachable moment. Baloney.

The United States law enforcement and intelligence agencies routinely purchase vulnerabilities unknown to manufacturers to hack into devices for the purpose of developing their own list of zero-days, resembling in a weird way a school-yard game of “Neener, neener, I’m smarter than you are.” Or, alternatively, “It’s my F**ing ball, and we’ll play by my rules or not at all.”

The NSA will say that this “Vulnerabilities Equities Process” (VEP), which lets it justify which zero-days to keep for offensive purposes, is meant to minimize risk by keeping the retained arsenal as small as possible. That might be acceptable if we were fighting a war in which the battlefield were contained to some physical coordinates and the source of weaponry were clearly identified as, say, Berlin, where we could “spy” on production and manufacturing and get a step up on our adversaries’ methods and techniques. Or even if we at least knew who our adversaries were.

By the administration’s own admission, hoarding zero-days makes commercial computing products less secure. And, it is not just The Shadow Brokers. Anyone with even the most rudimentary understanding of the landscape of cyber-security knows that other nations and cyber-gangs will be on to the same vulnerabilities at the same time or even before the NSA figures it out. The apparent belief that because they are the NSA, they are smarter than the bad guys not only fails the snicker test, it sets up a false sense of security for the citizens the agency is chartered to protect.

The agency is supposed to be responsible for global monitoring, collection, and processing of information and data for foreign intelligence and counterintelligence purposes, and charged with the protection of U.S. government communications and information systems against penetration and network warfare. That ship sailed.

To make matters worse, the code samples offered by the Shadow Brokers appear to be from 2013. Regardless of their purpose in releasing them (many suspect the cache was held by the Russian government and is now being dangled in public as leverage against the U.S. for fingering Russia in the Democratic Party hacks), had the NSA been under disclosure orders instead of the current protocols, the leak might not have been the security fiasco it is now.

The fiasco is that the vulnerabilities affect arguably 80% of the global network install base, and because network intrusions typically dwell undetected for upwards of 300 days, it is possible that hundreds of thousands of networks are compromised right at this moment. Cisco quickly provided a workaround for one of its two vulnerabilities and issued an advisory on the other, which had already been patched in 2011, in order to raise awareness among its customers. That patches are being released doesn’t really matter. The damage is likely already done.

This leads to the inevitable questions about IoT in the not so distant future. Should the NSA, NSC, FBI, or other government agencies be required to inform Apple immediately when they find a security hole? What if the subject of the investigation were a smart home alarm system instead of an iPhone? What if the vulnerability is in the infrastructure behind a city’s electrical grid, an airport communication system, a dam or water treatment facility, or a hospital network?

As an example of the dangers implicit in the VEP, consider the Heartbleed bug, made public in 2014: a serious vulnerability in the widely used OpenSSL cryptographic library that let an unauthenticated client read chunks of a server’s memory, including private keys and session data. The bug reportedly impacted the security of two-thirds of the world’s websites. It was widely reported that the NSA had been exploiting Heartbleed for two years before it was made public, a claim the agency denied.

More recently, on April 14, 2016, the FBI, for the first time, disclosed to Apple a vulnerability affecting some iPhones and Macs. However, Apple announced later that the problem had already been discovered and repaired nine months prior to the FBI’s disclosure. This delay in disclosure raises serious questions about the effectiveness and the veracity of the VEP.

When the top hacking outfit on the planet is itself hacked, we should be concerned that keeping backdoors secure isn’t going to work.

Whether the Shadow Brokers hacked the NSA or the code walked out of the agency by way of the Equation Group, the hacking outfit widely believed to be the NSA’s own (more on them later), it appears to be a closely held secret that the agency was simply unable to protect. It should be obvious by now that the theory that “the good guys” can create an encryption doorway that only the right intelligence agency will be able to pass through is bogus. Any back door of this nature will always turn out to be hackable by anyone with a ten dollar toolkit.

For Cisco, the reveal may represent an unpleasant flashback to 2014, when Edward Snowden’s leaks demonstrated that the NSA was intercepting shipments of its equipment to install spyware. Then-CEO John Chambers wrote a letter to Obama at the time, arguing that the NSA’s practices had compromised his business. “We simply cannot operate this way,” Chambers wrote. “We need standards of conduct…to ensure that appropriate safeguards exist that serve national security objectives, while at the same time meet the needs of global commerce.”

It seems like it is beyond time that the government stops “protecting us” and starts reporting vulnerabilities it finds or acquires while there is still time for us to protect ourselves.

But, I don’t know. Maybe I missed a memo.

No pontificating, but I think it was some guy named Lincoln, while memorializing the sacrifices of war to ensure the survival of America’s representative democracy, mentioned that the “government of the people, by the people, for the people, shall not perish from the earth.”