Complex Problems Remain

October 4, 2015

All of us involved in global financial services continue to be confronted with an expanding universe of “cloud” and “mobile” and “agile” options. Too many marketers for too many of these vendors seem to exercise increasingly predatory behaviors. A key result seems to be an escalation of risk management complexity…

In that context, I have been working on some complex issues…
Hofstadter’s Law (1979) still applies.

Hofstadter’s Law states that “It always takes longer than you expect, even when you take into account Hofstadter’s Law.”


Six Months of Cyber-Attacks Against the Financial Services Sector

June 24, 2015

For years, the finance industry has been under attack by groups of hostile parties.

The frequency and sophistication of targeted cyber-attacks is a top-tier risk for our industry.

A threat intelligence vendor, WebSense, recently released a short report outlining their analysis of the actions and attack patterns directed against organizations in the financial services sector. This type of information can be used to help enterprises more effectively protect customers’ data and assets (as well as — for some types — to market their products and services).
The report identifies key cyber threats and tactics targeting the financial sector and briefly discusses their effectiveness, along with the respective volumes of those attack techniques, from January through May of this year.

This type of information may be viewed under the category of “forewarned is forearmed.” It can help organizations to construct more proactive resistance to attack, quicker incident detection, and faster responses.

We are enablers & users of global operations that flow trillions of dollars daily.
That, along with the fact that we also host large volumes of personal and identity information, results in our being a continuous focus for hostile agents world-wide — agents who are motivated to constantly optimize their activities.

With the financial information and the sensitive personal information of millions of consumers under our care, we must continually strengthen our security practices — our technology, tools and talent — in order to maintain effective (good-enough) defensive and reactive capabilities.

A key message of the WebSense report is that there appears to be no single path to effectively combat threats and risks presented by cyber-security attacks.
Comprehensive, edge-to-edge due diligence is still required.

“2015 Industry Drill-Down Report Financial Services” is worth a read, and contains a range of reusable facts & assertions.


“2015 Industry Drill-Down Report Financial Services.”
By Raytheon & WebSense, 06-23-2015.

Can Financial Services Explain How Mac OS X Security is Good Enough?

April 29, 2015

After years of attempting to generate love by claiming that a Mac “doesn’t get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers.” (Apple, 2012), Apple has introduced technology for at least 4 different approaches to strengthening OS X resistance to hostile malware.

These features include:

  • Gatekeeper
  • XProtect
  • OS X sandbox
  • code signing

Each of these features is an attempt to compensate for and overcome software architectures, designs, and implementations that are overly-permissive — resulting in software that too easily “trusts.”  They represent the type of “bolt on security” that Financial Services enterprises are expected to implement throughout their secure software practices.  “Secure-enough” software needs to be created or adapted with that goal in place throughout the entire SDLC and/or acquisition process and must not treat risk management as something that is applied to software only after it is finished.

There is a lot of evidence that these features are still far too little, too late. In a recent presentation at RSA, Patrick Wardle, Director of Research, Synack, described the current situation as “lots of Macs, feeble anti-malware protections, os x malware, and limited detection/prevention tools.” He then walked the audience methodically through exploits against each of the Apple OS X anti-malware protections, and then outlined a range of approaches to Mac malware persistence. Finally, he mentioned a couple of tools for detecting OS X malware: KnockKnock (UI) & BlockBlock.

Wardle’s presentation references OS X malware/exploit work by fG!. In one relatively recent talk at SyScan15, after 165 slides outlining OS X threat vectors and their exploitation, he concluded that “Apple product security strategy is reactive not proactive. If they have any strategy at all…”

These guys don’t represent an isolated fringe of the professional risk management world.  They are serious professionals, attempting to help others “get it.”  Their work seems to be a shout for recognition that OS X malware-enabled exploits represent a foundational and (for most Financial Services enterprises) critically-important risk.

Why is this such a big deal?  Remember, each of our organizations needs to be diligent and effective at resisting attack along all vectors, while attackers need only be successful against one of them.  Attackers know that Macs are vulnerable via a number of vectors, that Mac security products are not great, and that Mac users are finding ways to “plug them into” corporate environments.

For many Financial Services enterprises, request by request, exception by exception, members of the workforce have been hosting an increasing range of business activities on Macs (on both unmanaged, and under-managed endpoints).  They are granted remote access.  They are plugged into our “trusted” internal networks.  And they get the same “trusted” access as heavily-managed, standard Windows endpoints.  Sometimes an organization has a fog of “managed” or “secured” and authorized Macs that mask this core risk management issue — which, for the most part, remains the same.

As a result, we need to help our leaders carefully think through:

  • Whether this is risk-appropriate for any given Financial Services use case,
  • What alternatives to current Mac-enabled practices exist, and should we migrate to them? Are isolation techniques “good-enough?”
  • How are we going to protect our assets and operations from the threat vector Mac endpoints pose?
  • How are we going to tell our Mac endpoints risk management story to all relevant stakeholders?


“Malware Persistence on OS X Yosemite.” By Patrick Wardle, Thursday, April 23, 2015

“BadXNU — A rotten apple!” By fG!/@osxreverser (SyScan15)



Risks of Unnecessary Admin Privileges Continue to Increase

February 18, 2015

Excessive access has been an acknowledged risk since the earliest days of distributed data-communication networks in the 1970s.  One key way that some organizations attempt to ‘keep things moving’ is to grant administrative privileges to ranges of individuals & groups who may need some small subset of those permissions in the course of normal operations or in dealing with troubleshooting requests.  In most situations, it would be possible to grant only those permissions required to perform truly required tasks. In most of the remaining situations, broader administrative access can be protected with strong two-factor authentication (which will resist many threats that depend upon stolen user credentials).

Constraining and/or hardening administrative access has also been one of the easier ways for large enterprises to materially reduce their attack surface which results in a lower overall risk profile.

A core risk management principle — ‘least privilege’ — reasons that users should be granted only enough rights to support performing the tasks required for their role, and no more.

This is not only a Windows issue, but Antone Gonsalves (CIO OnLine) passed along today that a review of Microsoft’s Windows vulnerabilities in 2013 (333, of which 147 ranked ‘critical’) showed that fully 60% of them would be mitigated by removing users’ admin rights. Gartner has also argued that 90% of security threats could be eliminated by removing users’ administrative permissions.

Hostile uses of malware and social engineering continue to advance. This increases the gravity of Financial Services organizations’ excessive administrative access issues.  The key message is that the risks associated with malware infection could be materially reduced if we tamped down the granting of administrative privileges.
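The least-privilege argument above is easiest to act on when the gap between what a role needs and what a user actually holds is written down. The script below is an added illustration (not from this post, nor from Gonsalves or Gartner): it compares each user’s granted rights against a hypothetical role catalogue, expands blanket admin membership into the concrete rights it implies, and flags excess rights, blanket admin grants, and blanket admin grants that are not protected by two-factor authentication. All role names, right names, users and the “local_admin” expansion are constructed for the example.

```python
"""Least-privilege gap audit over constructed role and grant data.

Added example, not from the article: role names, right names, users and the
expansion of "local_admin" are hypothetical; a real audit would load them
from a directory service or endpoint inventory.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

FULL_ADMIN = "local_admin"  # hypothetical label for blanket admin membership

# Hypothetical role catalogue: the minimum rights each role really needs.
ROLE_REQUIREMENTS: Dict[str, Set[str]] = {
    "helpdesk": {"reset_password", "view_event_log"},
    "developer": {"install_dev_tools", "run_debugger"},
    "analyst": {"view_event_log"},
}

# Hypothetical expansion of what blanket admin membership implicitly grants.
ADMIN_IMPLIES: Set[str] = {
    "reset_password", "view_event_log", "install_dev_tools",
    "run_debugger", "modify_services", "disable_av",
}


@dataclass
class Grant:
    user: str
    role: str
    rights: Set[str]
    mfa_enforced: bool = False


@dataclass
class Finding:
    user: str
    excess: Set[str]          # rights held beyond what the role needs
    blanket_admin: bool       # holds FULL_ADMIN rather than a subset
    unprotected_admin: bool   # blanket admin without two-factor auth


def effective_rights(rights: Set[str]) -> Set[str]:
    """Expand a blanket admin grant into the concrete rights it implies."""
    out = set(rights)
    if FULL_ADMIN in rights:
        out |= ADMIN_IMPLIES
    return out


def audit(grants: List[Grant]) -> List[Finding]:
    """Report every grant that exceeds the least-privilege set for its role."""
    findings = []
    for g in grants:
        required = ROLE_REQUIREMENTS.get(g.role, set())
        excess = effective_rights(g.rights) - required - {FULL_ADMIN}
        blanket = FULL_ADMIN in g.rights
        if excess or blanket:
            findings.append(
                Finding(g.user, excess, blanket, blanket and not g.mfa_enforced)
            )
    return findings


def proposed_grants(grants: List[Grant]) -> Dict[str, Set[str]]:
    """For each flagged user, the reduced right set that still covers the role."""
    flagged = {f.user for f in audit(grants)}
    return {
        g.user: set(ROLE_REQUIREMENTS.get(g.role, set()))
        for g in grants
        if g.user in flagged
    }


# Constructed sample: four users, two of them carrying blanket admin rights.
SAMPLE_GRANTS = [
    Grant("alice", "helpdesk", {"reset_password", "view_event_log"}),
    Grant("bob", "helpdesk", {FULL_ADMIN}),
    Grant("carol", "developer", {"install_dev_tools", "run_debugger", "modify_services"}),
    Grant("dave", "analyst", {FULL_ADMIN}, mfa_enforced=True),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS):
        print(f"{f.user}: excess={sorted(f.excess)} blanket_admin={f.blanket_admin} "
              f"unprotected_admin={f.unprotected_admin}")
    for user, rights in proposed_grants(SAMPLE_GRANTS).items():
        print(f"propose for {user}: {sorted(rights)}")
```

Run as-is, the audit reports bob (blanket admin, no two-factor), carol (one right beyond the developer role) and dave (blanket admin, but protected by two-factor), while alice is silent because her grant already matches her role. The “proposed” set is simply the role’s requirement, which is the reduction the post argues for.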


“Time to drop unnecessary admin privileges.” By Antone Gonsalves, 02-18-2014.

“Trends (and other things) Learned at the Gartner IAM Summit.” By Mark Weiner, 12-11-2014


Predictable Techniques Succeed in Big Bank Theft

February 14, 2015

In a report to be published on Monday, and provided in advance to The New York Times, Kaspersky Lab says it has seen evidence of $300 million (or much more) stolen from more than 100 banks and other financial institutions in Russia, in Japan, the United States, and in at least 27 other nations.

The attack appears to have been initiated via a phishing campaign, followed by long-running surveillance malware, remote access trojans (low and slow), and finally exfiltration of large amounts of money — in part via manipulation of bank accounting systems.  Nothing new there, but the story highlights the scale of cyber-crime successes.

The rest of the story will be outlined by Kaspersky on Monday.

Or you can watch a condensed version via YouTube.

This should also be a reminder that there are no security ‘ruby slippers.’  We need to keep rejecting vacuous vendor and pundit preaching about replacing our security perimeters with (pick your hot solution-of-the-moment) ‘the cloud,’ ‘an appliance,’ or some other replacement for common sense, intelligence, and hard work.  Optimizing a layered defense on top of active resistance to phishing (along with all other types of social engineering) and malware remains our primary path to risk-reasonable due diligence.  Announcements of cyber-thefts like the one mentioned above are reminders that there are still tough challenges for all of us in financial services security and risk management.


“Bank Hackers Steal Millions via Malware.”
By David E. Sanger and Nicole Perlroth, 02-14-2015

Updated 02-16-2015:

Report from Kaspersky, and the full report (downloaded 02-16-2015 @ 1 PM CST).

Video: “The Great Bank Robbery: Carbanak cybergang steals $1bn from 100 financial institutions worldwide.”

For some context, see:

The Great Bank Heist, or Death by 1,000 Cuts?, By Brian Krebs, 02-15-2015

Mac Boot Hacked via Thunderbolt Port

January 14, 2015

Too many of us still have to deal with members of our workforce who hold groundless beliefs about the freedom from risk they enjoy while using their Macs.

Trammell Hudson described his most recent project at the last Chaos Communication Congress in Germany. It is called Thunderstrike and it can infect any modern Mac boot ROM via the Thunderbolt port — ultimately giving the attacker control of the endpoint. This “evil maid” attack gives us all another reason for concern. Anyone with physical access to a worker’s Mac could use this technique (or one of its predecessors) as a foothold into your network, as well as gaining “direct” access into any operations to which that user has been permitted. Traveling executives seem like obvious targets, but virtually any member of the workforce is a candidate.

Mr. Hudson describes the impact of his attack as:

“There are neither hardware nor software cryptographic checks at boot time of firmware validity, so once the malicious code has been flashed to the ROM, it controls the system from the very first instruction. It could use SMM, virtualization and other techniques to hide from attempts to detect it.

Our proof of concept bootkit also replaces Apple’s public RSA key in the ROM and prevents software attempts to replace it that are not signed by the attacker’s private key. Since the boot ROM is independent of the operating system, reinstallation of OS X will not remove it. Nor does it depend on anything stored on the disk, so replacing the hard drive has no effect.”

At a minimum, this should be used as input for travelers’ security awareness training.

It should also be injected into risk analyses of all BYOD scenarios.
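The passage Hudson is quoted on above makes a specific design point: a boot-time check whose public key lives in the same rewritable ROM as the code it validates proves nothing once an attacker can rewrite both. The script below is an added illustration, not Hudson’s tooling and not anything Apple ships. It builds a toy ROM image (code, an embedded verification key, and a tag that stands in for the vendor signature, using HMAC rather than RSA purely to stay within the standard library), then contrasts a self-check anchored inside the ROM with an external check against a baseline recorded out of band. Every key, image and hash is constructed for the example.

```python
"""Toy boot-ROM integrity check: in-ROM trust anchor vs. out-of-band baseline.

Added example (not from the article). HMAC-SHA256 stands in for the vendor's
RSA signature so the script runs with the standard library only; the images,
keys and hashes are all constructed.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

KEY_LEN = 32  # size of the embedded verification-key slot (constructed layout)
TAG_LEN = 32  # size of the signature stand-in (SHA-256 HMAC)


def build_image(code: bytes, key: bytes) -> bytes:
    """Assemble a toy ROM: code, then the embedded key, then the tag."""
    tag = hmac.new(key, code, hashlib.sha256).digest()
    return code + key + tag


def parse_image(image: bytes) -> Tuple[bytes, bytes, bytes]:
    """Split a toy ROM image back into (code, key, tag)."""
    code = image[:-(KEY_LEN + TAG_LEN)]
    key = image[-(KEY_LEN + TAG_LEN):-TAG_LEN]
    tag = image[-TAG_LEN:]
    return code, key, tag


def self_check(image: bytes) -> bool:
    """A check whose trust anchor is the key stored in the same mutable ROM.

    Passes for any image whose tag matches its own embedded key, so an image
    built with a replaced key and a matching tag is accepted just as readily.
    """
    code, key, tag = parse_image(image)
    expected = hmac.new(key, code, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def record_baseline(known_good_image: bytes) -> Dict[str, str]:
    """Capture what an inventory should hold about a trusted image."""
    code, key, _ = parse_image(known_good_image)
    return {
        "code_sha256": hashlib.sha256(code).hexdigest(),
        "key_fingerprint": hashlib.sha256(key).hexdigest(),
    }


def external_check(image: bytes, baseline: Dict[str, str]) -> List[str]:
    """Compare a dumped image against a baseline kept outside the ROM.

    Returns a list of deviations; an empty list means the dump matches.
    """
    code, key, _ = parse_image(image)
    problems = []
    if hashlib.sha256(key).hexdigest() != baseline["key_fingerprint"]:
        problems.append("embedded verification key differs from inventory")
    if hashlib.sha256(code).hexdigest() != baseline["code_sha256"]:
        problems.append("code region differs from inventory")
    if not self_check(image):
        problems.append("tag does not verify under the embedded key")
    return problems


# Constructed sample data.
VENDOR_KEY = b"\x01" * KEY_LEN
GOOD_CODE = b"vendor boot code v1"
GOOD_IMAGE = build_image(GOOD_CODE, VENDOR_KEY)
BASELINE = record_baseline(GOOD_IMAGE)

# An image rebuilt with a different key and altered code, tag recomputed to match.
OTHER_KEY = b"\x02" * KEY_LEN
REKEYED_IMAGE = build_image(b"modified boot code v1", OTHER_KEY)

# The same good image with one code byte flipped and nothing else touched.
BITFLIP_IMAGE = bytes([GOOD_IMAGE[0] ^ 0xFF]) + GOOD_IMAGE[1:]

if __name__ == "__main__":
    for name, img in [("good", GOOD_IMAGE), ("rekeyed", REKEYED_IMAGE), ("bitflip", BITFLIP_IMAGE)]:
        print(f"{name}: self_check={self_check(img)} external={external_check(img, BASELINE)}")
```

The instructive output is the rekeyed image: the in-ROM self-check reports it valid, because the only key it knows is the one that was just written next to it, while the external check catches both the replaced key and the changed code. The single bit flip is the opposite case: the self-check does fail, but only because that change was made without re-tagging, which is exactly the case a capable attacker avoids. The defensive takeaway matches the post: the reference hash and key fingerprint have to live somewhere the ROM cannot overwrite.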

“Thunderstrike.” By Trammell Hudson.

“De Mysteriis Dom Jobsivs: Mac EFI Rootkits.” By Snare (Blackhat 2012)

“Apple’s Mac EFI found vulnerable to bootkit attack via rogue Thunderbolt devices.” By Sam Oliver, Dec 22, 2014

“Thunderstrike: The scary vulnerability in your Mac’s Thunderbolt port.” By Christina Warren, Jan 02, 2015

“Macs vulnerable to virtually undetectable virus that ‘can’t be removed’.” By Adrian Kingsley-Hughes, Jan 12, 2015

Will Governments Increase Their Involvement in Incident Response?

January 10, 2015

Time (and others) reported that NSA Director Admiral Michael Rogers told the International Conference on Cyber Security (ICCS) at Fordham University in New York:
“Sony is important to me because the entire world is watching how we as a nation are going to respond to [the attack on Sony].” “If we don’t name names here, it will only encourage others to decide, ‘Well this must not be a red line for the United States.'”
The attacks against Sony had begun in September, he said, with a flurry of tightly focused phishing attacks against key individuals. This was then used to gain full access to the company’s servers and to steal data.
Rogers stated, “I remain very confident: this was North Korea.”

Some cyber security experts seem less sure that this accurately describes what happened.

Rogers also said that hacks against private companies may require economic sanctions.

How did terabytes of data get stolen from Sony’s private network? Did Sony invest enough in attack resistance, identification, & response? Should there be more objective criteria upon which to help frame decision-making on this topic?

Since November I have been hearing a lot of discussion about “Sony” and “The Sony Hack.”   Should we in Financial Services begin including NSA monitoring, forensic assistance, and consulting in our incident response planning?
How will the U.S. (along with other nations in this global business environment) decide which hacks against private companies deserve a governmental response, and which will not?  And what if your company has business in both the source and target countries of a given attack?  It seems like each of our organizations needs to work through these issues before the day they become critically important — and a small herd of corporate officers on an incident response call are waiting for your direction.

What do you think?

“NSA Director on Sony Hack: ‘The Entire World is Watching’.”
By Sam Frizell, 01-08-2015

“FBI fingering Norks for Sony hack: The Truth – by the NSA’s spyboss.”
By Iain Thomson, 01-09-2015

“Are We Asking the Right Questions in the Wake of the Sony Pictures Breach?”
By Paul Martini, 01-09-2015

