Sunday, April 29, 2012

Recalibrating Cybercrime Re-Calibration

I stand corrected (or at least adjusted).

As long-time readers may recognize, I am more than ready to admit error. So, re: this recent SGSB POST on the costs of cybercrime, here's what a guy who knows (substantially) more than I do had to say:
I agree that the NYT authors brought a “fresh perspective” but if a policy wonk read that article and considered it as their ONLY source of information on the topic, I think the wonk would have been duped! (I should copyright that clause!) Take a look at the book Fatal System Error. The Russian mafia guys were making a ton of money off of cyber crime and derivatives. Also, research I’d done years ago had the average “salary” for East European cybercriminals at $300,000 per day (untaxed). Look at Albert Gonzalez. He made a ton of money before he got bagged by the FBI. Another example of the monetary benefits of cybercrime. So, I agree the NYT brought some “new” perspective but I think they are missing the point as to why cybercrime is real and financially acceptable.
Acknowledged. But in my own defense (does that mean I'm being defensive?), if a policy wonk read only the article in question and formed their opinion thusly, then they'd be a pretty lame wonk and maybe not a wonk at all. Not sure what the minimum requirements for wonk status are, but I bet that reading one thing is not enough.

In sum, the dollar costs of cybercrime may be overstated or grossly over-represented in some analyses. But that doesn't mean cybercrime should be considered any less damaging. Please proceed on the current course until further notice.

Wednesday, April 25, 2012

Re-Calibrating Cybercrime Costs and Responses

A few days ago the NYT published an article called "The Cybercrime Wave That Wasn't". What !?!

I read the title again, cleaned my glasses, counted to ten, took a deep cleansing breath, and looked at it again.

It still said the same thing. How disappointing. But maybe, I thought, it was just another piece of anti-sensationalist faux-journalism.

Here's a slice for you:
Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren’t any. Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply.
If you read the article, the authors unpack their analysis that shows the upward bias and roundup errors that appear "among dozens of surveys, from security vendors, industry analysts and government agencies" and they note that they "have not found one that appears free of this upward bias."

They don't go as far as you'd think they would if they were true anti-sensationalists, because they remind the reader that despite the fact that it appears actual cybercrime losses are much lower than the many reports on the subject seem to indicate, there's still major cause for concern:
... this is not a zero-sum game: the difficulty of getting rich for bad guys doesn’t imply that the consequences are small for good guys. Profit estimates may be enormously exaggerated, but it would be a mistake not to consider cybercrime a serious problem.
Sounds pretty fair and balanced to me. And so I was well prepared when Computerworld (and many others) reported yesterday that an analyst firm called Group-IB, after reviewing the Russian cyber underworld's 10Q and 10K reports, audited by an unnamed Big 4 accounting firm, estimated that Russian cyber criminals bagged $4.5 billion last year.

Inclined now to be skeptical of large numbers in this area, I asked someone who should know, and he said the absence of a methodology section in the report made it hard to take the claims seriously.

Of course, since you already know I'm a card carrying member of AAAJOA - Anti-sensationalist, Anti-alarmist Amateur Journalists of America, it may be hard to take my post entirely seriously. But I like the fresh perspective the NYT authors, Dinei Florencio and Cormac Herley, brought to a topic which we've all been rather slow to question in the past. Kudos.

Image credit: Public Domain Photos on

Tuesday, April 24, 2012

Town Hall Alert: NESCO Security Risk Management Practices for Electric Utilities

Here's news you can use. And to save you time a la Joe Friday, just the facts:

When: Wednesday, May 30, 2012 - Thursday, May 31, 2012

Where: New Orleans, LA - New Orleans Marriott

Who (should attend): senior level industry executives, cyber security experts and peers from the security and utility communities, key decision makers and subject matter experts in critical infrastructure protection, cyber security and electric utilities.

What's it about: Security risk management is a topic of continued discussion in the electric sector. It can be a daunting task and often overwhelming when faced with trying to implement the many security risk management models available. This town hall style meeting brings together many of the industry's leading security professionals to explore security risk management practices for the electric sector in depth. You will have the opportunity to participate in open discussions with security risk experts, hear about solutions implemented by utility security teams and learn about security risk management guidelines from the actual authors. Click HERE to register

Contact info: Abbie Trimble, 

Joe Friday / Jack Webb Photo Courtesy of Wikipedia

Monday, April 23, 2012

Time for the Electric Sector to Measure Up on Security

Let me begin by saying I'm so sick of alarmists. We are implored to "Constant Vigilance!" by Mad Eye Moody and to constant vigilance we at the SGSB are committed. But not to constant cowering.

OK, that said, you may recall I have a jones for business metrics. So much so that lately I've been suggesting them to the DOE Electric Sector Cyber Risk Management Maturity folks for inclusion in the Program Management part of their model.

Amidst the latest spate of Smart Grid security fear and loathing (documented here and here last week, and earlier here and here and etc.), maybe what Congress, FERC, utility boards of directors, consumer protection groups, and the man on the street need is evidence that we're making progress on protecting the grid and its constituent elements from the various forms of lurking badness out there.

Maybe that evidence, to be readily consumed by all of the above, needs to be communicated in plain language. Let's agree that business language is plain language.

So let's begin with Enernex CEO Erich Gunther's GridSec 2012 monster keynote preso "Pragmatic Approach to Utility Cyber Security" and one slide in particular, "Approaches that Fail". These should all be quite familiar to y'all by now:
  • Attempting to explain the situation technically
  • Overwhelming with statistics – number of attacks, names and types of attacks, enumerating systems potentially affected
  • Using the “sky is falling approach” – we’re doomed!
  • Depending on government and regulation to “fix it”
For me, this outstanding presentation was an expertly crafted electric sector extension of Gartner Group analyst Jeff Wheatman's seminal 2011 paper: "Why Communication Fails: Five Reasons the Business doesn't get Security's Message". I'm going to grab one of Erich's "Pragmatic Conclusion" bullets to segue to the next piece:
  • We need to be more well versed in the disciplines of the core businesses we are trying to protect
By apparently Divine intervention, Robb Reck's article, Making Security Metrics that Matter (to Business) was just published on InfoSec Island, where I found it this morning. The morning of the same day (today) I actually needed it.

Robb begins by asking security folks:
What are the strategic goals for your organization in 2012? Can you recite them off the top of your head? If you can't, you're not alone. The inability of enterprise security teams to answer those questions is one of the biggest obstacles facing our discipline today, and it's the biggest reason current [overly technical] security metrics do not grab the attention of organization leaders.
He provides some excellent large and small company examples and begins his conclusion with:
Gone are metrics like “vulnerabilities found” and “patch level.” In their place are metrics that directly address the priorities of the business. By crafting the metrics in the language of our business leaders, we are demonstrating the value of their security investment in a way that matters to them.
I'll begin and finish my conclusion with the one security business metric that rules them all: the appointment and empowerment of a Chief Security Officer (CSO), with purview across the entire enterprise, and the authority to set and enforce security policy in both the IT and OT realms.

Show the man on the street and others an expanding list of utilities with CSOs as described above, and you can bet they'll all be sleeping better at night. And maybe we can all get up before the next alarm goes off.

Photo credit: mnapoleon at

Saturday, April 21, 2012

April is the Cruelest Month for Critical Infrastructure Security

We have none other than T. S. Eliot to thank for the prescient and uncannily accurate observation he made 90 years ago. Of course he was probably referring to something else ... I can tell you if you really want to know.

As my brother from another mother Earl Perkins just noted in a Waste Land-esque post yesterday, hordes of self-appointed guardians of the realm have decided that it's time to call out the government and corporate conspiracies behind the grid modernization movement. Those scheming elites who, either by design or negligence, are setting us up for a future that would make Cormac McCarthy's The Road look like a stroll through Disneyland.

Perkins, just a hair's breadth away from boiling over, says: "Alright, that’s enough!"

And continues:
I cannot pick up a news feed or peruse a blog about ... industrial control security (e.g. securing the electric power grid, water, transportation, intelligent health care systems, etc.) without reading yet another story about how life as we know it will end any day now once mysterious governments and other dark elements of the Underworld wreak havoc on our comfortable lives. They will hack into nuclear power plants and cause meltdowns, they will control transportation systems and airport control towers and cause wrecks to occur and planes to crash, they will pollute the rivers and shut off the power, they will etc. etc. etc.
Alarmist people, please chill out. Why not use your energy for something more constructive? Take a photography class. Learn how to bake. Re-connect with family. Bike across Europe.

Alarmists, I bet if you were around when our innovative ancestors were putting the finishing touches on the first wheels, you would have shouted that this technology would eventually lead to deadly cart, then chariot, then coach and car crashes. And certainly the mobility that wheels would enable would threaten our privacy.

Alarmists, I can sympathize. Like you, I sometimes feel anxious. Spring-time stirs my dull roots too with memory and desire. But hey, let's use that energy to build and to secure. Not to tear down.

Listen, Earl's a reasonable man, but you don't want to see him when he's angry. Here's his post in FULL. Have a peaceful weekend all.

Image credit: Pieter Bruegel via Exploring "The Waste Land"

Friday, April 20, 2012

Absurd David Chalk Smart Grid Security Talk

I know I tend to respond, Pavlovian dog style, when awful stuff like this pops up, but I can't help it. Perhaps you've seen THIS already, as Jesse Berst wrote a post around it on his widely read SmartGridNews site.

Purported Canadian security expert David Chalk is saying to anyone who will listen (and that's a lot of people) that there's a "100% certainty of catastrophic failure of the energy grid within 3 years."

Chalk's eight-minute Smart Grid snuff film has all the requisite apocalyptic theatrics of a political attack ad. It shows light bulbs exploding in slow motion, shaky images of the 2007 DHS Aurora attack demonstration already posted on YouTube (HERE again if you like), and the following "Smart Grid Facts":

  • Completely Hackable
  • Bills Going Up
  • Privacy cost
  • Health Issues
  • Fires
  • Democracy Gone?

Beyond Chalk and the apparently unhinged Citizens for Safe Technology, I'm not sure who benefits from this craziness. But it seems to be another odd thing for the media to shine a light on, attract moths and eyeballs, and spur less-than-lucid conversation.

The video concludes with a message that solar power is the one proven path to the world's energy salvation and away from the sure perils of the Smart Grid. As SGSB readers and many others already know, the current grid isn't well suited to handle large amounts of intermittent cleantech power.

Since one of the drivers for deploying Smart Grid tech is to allow wider use of wind and solar, Chalk and fellow film-makers, please figure out what you want. And please do so in private.

Tuesday, April 10, 2012

Former on Current and Future Grid Security Challenges

I've had a dozen or so copies of this article mailed to me in the past 24 hours. It describes attacks against 2009 vintage, semi-Smart Meters in Puerto Rico that appear to have cost the utility, PREPA, quite a bit of money.

The FBI is involved, and you get some good commentary from InGuardians as well as Itron. Security Engineer Robert Former, from the latter, has the best and final word I think:
“What you’re hearing is the sound of [a] paradigm shifting without a clutch,” Former said. “Utilities have to be more enterprise security-aware. With these incidents at organizations of any size or age, the first reaction is to cover it up. The thinking is if we keep this kind of thing secret, nobody will find it or exploit it. But for those of us who are inside the industry, and have been at this long enough, the only way we’re going to fix a security problem is to expose it.”
Back to the thorny subjects of information sharing and disclosure, not to mention future proofing. Let's keep pushing on all fronts, people. And sorry if all the puns in this post made you tense.

Monday, April 9, 2012

Economist on Data Breaches in US and Europe: As Always, Leadership is What's Needed

I've brought The Economist into the SGSB fray before and I'll do so again now. There's a short piece just posted on one of their online nodes that talks about two recent studies on data loss and how it might best be averted.

Here's an excerpt:
[Out of 600 European businesses surveyed] more than half thought that technology can solve the problem. Only 1% of the businesses surveyed believed it concerned all employees—and thus required a change in behavior.
I'm no technophobe, but neither am I a technophile, at least not from a cybersecurity point of view. For me the lion's share of the most effective security and privacy solutions focuses on the humans, and one particular type of human is a must if we're ever going to get in front of these problems: the leader.
Symantec’s study found a correlation between having a senior executive in charge of information security and lower costs of data breaches. “It has to start at the top,” says Marc Duale, Iron Mountain’s head.
You can read the whole thing HERE ... it's pretty short, and makes an interesting comparison between American and European approaches.

Photo credit: SteFou! on

Saturday, April 7, 2012

USAF Seeking (More than) a Few Good Cyber Men and Women

Thanks to my friend and Academy classmate Chris Davis (USAFA '85) for the heads-up on this recent Air Force news.

I wonder if anyone in DOD has heard of the excellent NBISE, an organization dedicated to cranking out a better breed of cyber defense professional? Anyone out there know Space Command's General Shelton, quoted within HERE? Maybe he could send some scouts to watch for talent at NBISE's upcoming US Cyber Challenge. It's open for registration now.

Here are a couple of plugs for the event. First, from the Hon. Mike McConnell, former Director of National Security and Vice Chairman of Booz Allen Hamilton:
Our government and U.S. commercial companies are being besieged by attempted cyber attacks every day, and the nation needs as many resources as possible to prevent damage and the theft of intellectual capital. The U.S. Cyber Challenge offers a unique and exciting platform to identify the talent we need to defend our nation.
And here's Michael Assante, President & CEO, National Board of Information Security Examiners (NBISE):
The Cyber Quest competition and Cyber Camps are critical as our nation continually undergoes fast-paced changes in technology. Our growing reliance on digital technology requires concentrated efforts, like these, to identify and best develop the next generation of highly skilled cyber security professionals.
Please get the word out on this event if you can.

Wednesday, April 4, 2012

Smart Grid Privacy for Real

I find I like reading stuff by Jeff St. John at Greentech Media, because he covers all the bases. Almost a month ago he did a piece around San Diego Gas & Electric (SDG&E)'s use of Ontario's "Privacy by Design" principles to ensure proper protections for their customers, and hopefully, in so doing, meet the requirements of the California PUC's privacy rules for the big 3 Investor Owned Utilities (IOUs).

I'll give him a little grief for this section:
... customers ... are worried that their smart meters will allow hackers, data thieves or other nefarious parties to know when they’re home and when they’re away, or to piece together other personal information. Sure, people tend to give away lots more personal information when they’re surfing the internet -- but they do so by choice, whereas smart meters are being installed on their homes without their direct permission.
IMHO the additional behavioral information that can be gleaned from Smart Meters is incremental, not a game-changing tidal wave of previously unknowable, super personal dirty laundry. And though no one, including the government, is making people buy computers and smart phones, and no one is forcing them to use the web to buy things, consume entertainment, stay in touch with loved ones, get educated, find new friends, share secrets, do their banking, and even adjust their electrical plans, it would take an army to take all that away from folks now.

Survey after survey says customers demand more self-service, more flexibility and more options from their service providers. Smart Meters will eventually enable all of that and then some, so for me, saying they're having the meters forced on them is a bit of a rhetorical red herring. Like saying ATMs were forced on people. You want them gone too because you weren't asked up front?

But I began by saying I generally like Jeff's stuff and this article is no exception. He handles citations from Ontario's Privacy Commissioner, Ann Cavoukian, with aplomb. I particularly like this one:
... the real threat utilities should be worried about is the dreaded privacy breach, Cavoukian said. Measured against the public relations and political ramifications for the smart grid of the possibility of a major loss or theft of customer data, “utilities shouldn’t be asking how much money it costs -- they should be asking how much money it will save,” to invest in privacy protection upfront, she said.
I won't throw numbers at you here, but suffice it to say that when you read about the weekly exposure of personal account information from successful cyber breaches of banks, retailers, credit card companies, etc., one thing the public isn't exposed to is the amazing (and amazingly expensive) gyrations those companies go through to try and make things right. Picture boatloads of attorneys. Picture the mass combustion of 55-gallon drums' worth of midnight oil. In other words, Cavoukian's got a point.

This is an interesting international collaboration between a Canadian province and an entity regulated by a US state. One thing they have in common is that both are very forward leaning in a number of ways, not the least of which is in their enthusiasm for modernizing the grid and grid systems. It's good to see that both acknowledge the responsibility to their citizens that comes with that.

And by the way, the other 2 California IOUs, Southern California Edison (SCE) and Pacific Gas & Electric (PG&E) are moving out on privacy and protection of customer data as well.

I'll leave it at that for now. Best thing you can do is read St. John's article yourself which you can do by clicking HERE. And be careful about what you put on Facebook ...

Monday, April 2, 2012

Will We Attain a More Secure Energy Future with Lasers?

You might think this is an April Fools headline, but it's not. At least I don't think it is.

From SGSB's FutureWatch desk, we bring you tales of 1.9 Gigajoules, and the potential to power all the world's grids sans fossil fuels. Bring on better electricity storage, and we may get to worry about other things in the future besides energy. There's security in that.

You may call me a dreamer, but I'm not the only one. See the folks at the National Ignition Facility (NIF) at the Lawrence Livermore National Laboratory in California, and see what you think.