Navigant Research Blog

PGP, Companies’ Security Foundation, Compromised

— January 7, 2013

At the end of December, Elcomsoft reported that it has developed a forensic tool that can decrypt disk drives encrypted with Symantec’s PGP, Microsoft’s BitLocker, and open-source TrueCrypt.  This tool could change how corporations protect their data and – perhaps more important to those corporations – it may again leave them liable for fines when laptops are lost or stolen.  To be precise, no one has broken the encryption algorithms themselves.  Rather, Elcomsoft has found a hole in their implementation.

Elcomsoft Forensic Disk Decryptor has many legitimate uses: law enforcement agencies may be stymied by their inability to access data on an encrypted drive; corporations may have trouble accessing terminated employees’ hard drives; and there are outlier cases, such as the archivist who followed good security practice but unfortunately died without having written down or told anyone his password.  The product clearly can be used for the good.  And the price is right: $299 per copy.

But the probability that it will be used only for forensic purposes is negligible.  PGP is the bedrock of corporate data security programs, including many utilities.  Data thieves in possession of the software may be able to bypass that corporate protection.  Has that encryption now become irrelevant?

Corporations often require that laptops have encrypted hard drives.  This is to avoid the severe penalties for compromising personal data – even when due to a criminal act such as theft of a laptop.  Many jurisdictions require the company to pay for restitution and protection of those who are affected.  This could include a year’s worth of credit monitoring for each person, or stiff fines if medical data is compromised.  Some laws prescribe prison for executives of the company that loses the data.  In the worst case, laptops with sensitive data from defense agencies have been stolen, with national security implications.

Some of these thefts appear to have been targeted.  Stealing a laptop from a rental car may be much easier than breaking into an enterprise IT system.  Full disk drive encryption is the first line of defense against such threats, because laws often waive corrective action and fines if the hard drive is fully encrypted.  Unfortunately encryption may be the only line of defense at some organizations.

Elcomsoft’s product may undermine that defense, rendering ineffective some expensive encryption deployments.  Rolling out full-disk encryption to a large organization is an incredibly complex and time-consuming process.  Not only the technology, but also the change management is challenging.  If the encryption is now shown to be ineffective, then the penalties for data compromise may return – even for fully encrypted laptops.  With or without the menace of fines, the threat to data confidentiality and integrity increases as well.

Effective security practices could have reduced this scenario from potential disaster to annoyance.   A defense-in-depth approach would supplement full-disk encryption with other measures such as digital rights management, which can protect data even after it has been stolen and exported.  However, after an expensive and complicated rollout of full-disk encryption, few companies have an appetite for the next step.

But now they may.


Bring Your Own Virus

— June 4, 2012

Telecommunications providers have found their next golden goose:  Bring Your Own Device, or BYOD.  In case you’ve been living under a rock, BYOD authorizes employees to use their own personal smartphone devices to access corporate networks.  BYOD saves corporations the expense of providing phones to their employees, while the employees get to use a device that they actually like. That’s the theory anyway.  Some companies, such as IBM, are finding that BYOD can be a can of worms.  The only surprise is that any of this is surprising.

Let’s be clear about something.  When people talk about BYOD, they are talking about iPhones and Android devices.  The one reasonably secure smartphone platform, BlackBerry, appears to be in its death throes.  Other than a curious (to me, anyway) popularity in the U.K., I see very few BlackBerry users anywhere in my travels.  People see my Torch and assume that I am some kind of social outcast.

Meanwhile, iPhones and Droids are notorious for the security that is missing from their platforms.  At least Apple exercises some level of control over iPhone apps, but Droid apps are the Wild, Wild West.  Anything goes.  Nevertheless, CIOs want those devices to access their private corporate networks to save maybe $15 per month lease or depreciation expense.  Sure, multiply that by 10,000 devices and that’s a lot of savings.  Then again, one data breach is now estimated to cost the victim company $5.5 million on average.  Would anybody like to prove to me that BYOD will be limited to a maximum of one data breach per company?

“It’s Our Network.” Anecdotal evidence is not encouraging.  One global company that I know has done an admirable job of locking down its workstations.  No user has administrator rights.  No software can be loaded onto workstations without corporate approval – not even solitaire.  Unfortunately this company uses elephantine Lenovo ThinkPad laptops, which cast grave doubt upon the definition of “portable”.  Executives at this company – tired of lugging the laptop-cum-brick through airports after long flights – have purchased iPads to take on the road.  Corporate email at their fingertips, in a sleek, lightweight device.  And network security shot to pieces.  Will the Chief Security Officer tell the CEO that he can’t have his iPad?

Financial institutions may be a bastion of resistance.  I asked a friend who is Chief Security Officer at a large card processor, “What do you think about employees wanting to use their own devices?”  His response was hard to misinterpret:  “I don’t care what the employees want.  It’s our network, not theirs.  They access our network as part of their jobs, and they will do so with a device that we issue and configure.”  As a fellow paranoid, I understand completely.

Smart grids are not immune to BYOD fallout.  This blog has in the past discussed smartphone applications that can allow unfettered direct access to SCADA devices if not properly controlled.  Unleashing BYOD upon a control network has the potential to wreak unimaginable havoc, given the diversity of devices in a typical control network that may have congealed over several decades.  These are not well-defined and recently built enterprise networks.  BYOD guarantees a lack of architectural preparation.  How is it possible to create a security architecture when the type of endpoints present – thanks to BYOD – cannot be predicted?

BYOD could work if applications have suitable built-in security to protect the crown jewels.  Unfortunately, that built-in security is not always there.  Many applications were built long before any type of smartphone access was envisaged.  Assuming that corporations encourage BYOD to save money, it’s unlikely that they will simultaneously integrate new security into old applications that are otherwise working just fine.  There are some promising approaches, such as Mocana’s application wrapper, Mobile App Protection.  But again that requires additional expense – precisely what BYOD seeks to eliminate.

So – have I managed to derail BYOD with this blog?  I doubt it.  The few that are suitably paranoid realize that we are standing on the tracks in front of an onrushing freight train.  And we’re smart enough to get off the tracks before the train gets here.  Resigned to finding a positive, at least I can conclude that BYOD is likely to generate a further 10 years’ gainful employment for all of us cyber security folk.


Are Cyber Security Attacks Really Multiplying?

— April 6, 2012

The New York Times recently reported that there had been “86 reported attacks on computer systems in the United States that control critical infrastructure, factories and databases,” compared to 11 attacks in the same period a year earlier.  Data came from the U.S. Department of Homeland Security (DHS).  I’ve spent a week trying to decide whether or not this matters.  Even with such small numbers, a 781% year-on-year increase must indicate something – but what?

Are there really more attacks, or have companies simply realized that there is no shame in being attacked?  Like temptation, being attacked is not a sin.  Does anyone believe that our critical national infrastructure (CNI) would not be attacked?  From my research it seems likely that some critical cyber assets (CCAs) are attacked 86 times per hour.  If this is a cultural shift by CNI asset owners, that’s promising.  It’s incredibly tough for the DHS to do anything about attacks that no one has told them about.

Alternatively, do companies now have better mechanisms to detect attacks?  Perhaps.  No new capabilities have been released in the past year that would obviously have increased detection eight-fold.  Then again, deploying a detection tool where there had formerly been none can make a huge impact.  This matters: undetected attacks have a higher likelihood of success than detected ones.  Increased detection should portend decreased success.

Or perhaps there are simply more people attacking?  That is possible too:  the DHS has warned that hacktivist groups are now more likely to attack the CNI.  That would spike the number of attacks in a hurry.  On the plus side, hacktivists tend to use mass-distributed tools that are more easily defended against than a hostile nation-state attack.  Cyber security recently enjoyed a Schadenfreude moment when it was discovered that an unknown hacker had tricked many hacktivists into downloading a compromised version of their attack tool.  The compromised version also contained the ZeuS Trojan Horse, designed to steal the hacktivists’ banking credentials.

There may also be other causes, but still there remains the question, “How big is an attack, anyway?”  What am I measuring when I count the number of reported attacks?  The answer – an attack is about the same size as a piece of string; it can be any size at all.  This blog has previously discussed the dangers of metrics adopted without thinking deeply about what is being measured.  If the number of attacks had only increased from 11 to 12, we could truthfully say that there had only been a 9% increase in attacks and feel really good about things.  And yet – that one additional attack might have been Stuxnet, discovered a year after it had completed its mission.

So what does this all mean?  Does it matter that reported attacks are up eight-fold?  Absolutely.  Even if we can’t be totally sure of the cause, it’s a reminder that we need action now.  Regarding the Cybersecurity Act of 2012, currently in the U.S. Senate, Representative Jim Langevin (D-RI) recently wrote, “we must not allow the perfect to be the enemy of the necessary.”

When politicians feel more urgency than industry appears to feel… what does that mean?


Industrial Control Security – What’s Missing?

— November 30, 2011

Earlier this month I spoke at the European Smart Grid Cyber Security and Privacy conference in Amsterdam.  My theme was, “What are people telling me in my research?” and the focus was industrial control systems.  I suspected that this would be well-received because that’s what people always ask me:  What are people telling you?  And I was right.

The answer, though, was “Many different things.”  I reviewed results from about 30 research interviews where I had asked the question, “What is the #1 worst problem facing Industrial Control System Security?”  My research subjects included utilities, systems integrators, cyber security vendors, industry specialists, and device manufacturers.  From those 30 interviews I received 23 distinct answers, ranging from “Too much Linux!” to, not surprisingly, “There’s no consensus.”

On the positive side, quite a good mix of well-tested and new breed technology has been installed into ICS networks, including ruggedized devices, identity management, role-based access control (RBAC), ICS-aware network security, unified threat management (UTM) systems, data diodes, set-and-forget technologies, application whitelisting, antivirus, lots of encryption, hardened operating systems, security event management, and hardware security modules.  That’s a long list.  In fact, when I ask the question, “What technologies for control system security are missing?” the answer is often: none at all.

Unfortunately, some really important things are missing.  In control systems it’s extremely rare to find a cyber security architecture.  For that matter, many control networks are not even mapped accurately, as they may have evolved over several decades.  Other than within defense agencies, I have not encountered any control systems with a true asset-based risk analysis – nor have the research contacts that I’ve asked.  Change management and patch management remain incredibly challenging.  And there is nothing yet like a NOC or SOC for a control network, though that cannot be too far away, since enterprise networks already do them frequently and well.

So if we combine the positives and the negatives, our present situation is about like this art installation of a deconstructed Honda Formula 1 car.  We’ve got great components, but we’re missing the glue.  There’s no way, yet, to make all those great components work together to achieve the desired result.

A recent special report in the Financial Times characterized cyber security as “a war marked by fatalism and denial.”  That’s unfair given the amount of hard work being done by so many talented and committed professionals in control systems cyber security.  And yet we present the impression of having very little in place.  This month’s hacks against water utilities are yet another stain on our record.  And it is our record we’re talking about here – not some government agency, not some control system vendor.  The public only discerns that cyber security isn’t protecting the infrastructure – they are not interested in the details.  We succeed or fail together.

Until we can (a) glue together these great components into solutions that really are end-to-end, and (b) stop viewing the problems as someone else’s, we should resign ourselves to more gloomy headlines, and to executives continuing to ask what exactly they are getting for their security dollar.
