<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Devon Bryan, Author at Security Current</title>
	<atom:link href="/author/devon-bryan/feed/" rel="self" type="application/rss+xml" />
	<link>/author/devon-bryan/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Wed, 03 Jan 2018 01:27:53 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Devon Bryan, Author at Security Current</title>
	<link>/author/devon-bryan/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Blockchain Adoption and the Cybersecurity Practitioners Dilemma</title>
		<link>/blockchain-adoption-and-the-cybersecurity-practitioners-dilemma/</link>
					<comments>/blockchain-adoption-and-the-cybersecurity-practitioners-dilemma/#respond</comments>
		
		<dc:creator><![CDATA[Devon Bryan]]></dc:creator>
		<pubDate>Mon, 29 May 2017 14:34:14 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=15532</guid>

					<description><![CDATA[<p>&#8220;We drive into the future looking into our rear view mirrors&#8221; Marshall McLuhan (The views expressed in this article are entirely my own and do not reflect the position of my employer&#8230;</p>
<p>The post <a href="/blockchain-adoption-and-the-cybersecurity-practitioners-dilemma/">Blockchain Adoption and the Cybersecurity Practitioners Dilemma</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><strong><em>&#8220;We drive into the future looking into our rear view mirrors&#8221; Marshall McLuhan</em></strong></p>
<p><em><strong>(The views expressed in this article are entirely my own and do not reflect the position of my employer, the Federal Reserve Bank of Richmond, the Federal Reserve Board of Governors, or the Federal Reserve System as a whole.)</strong></em></p>
<div>Notably absent from the many ongoing blockchain conversations is the cyber defender&#8217;s perspective.  Perhaps the reason could simply be that thought-leaders feeding the blockchain hype cycle are opposed to having security types pouring cold water on their &#8220;1000 blockchain flowers blooming&#8221; conversations.</div>
<p>Or, perhaps the &#8220;paid paranoids&#8221; across the security community are still wrestling with the decision of which existing security risk management framework applies to this peer-to-peer distributed ledger technology, if any at all.</p>
<p>The very definition and basic characteristics of blockchains challenge many leading security models and in particular leading security risk management frameworks (NIST Risk Management Framework, International Organization for Standardization (ISO)) built on the underlying premise that information systems supporting core business functions and organization missions need to be confined to a virtual &#8220;boundary&#8221; and with a singularly identified &#8220;system owner&#8221; to achieve &#8220;certification&#8221;/&#8221;authorization.&#8221;</p>
<p>The widely accepted definition of blockchain as a distributed database with an open ledger implies that data isn&#8217;t stored on a single computer but rather on many different computers, known as nodes, in a peer-to-peer network, which renders the legacy consideration of a &#8216;boundary&#8217; for an organization&#8217;s blockchain quite challenging.</p>
<p>It gets even more complicated when we dive deeper into other key characteristics of blockchain summarized as follows:</p>
<ul>
<li>Distributed data ledger used, updated and verified by participants in the blockchain versus centralized database (more on public versus private blockchains shortly)</li>
<li>Identity verification and authentication executed by the participants</li>
<li>Logic and rules embedded in the transaction versus in a separate application layer</li>
<li>Traceability of changes from the beginning</li>
<li>Documents maintained separate from the ledgers</li>
</ul>
<p>The aforementioned characteristics further challenge any assertion regarding a clearly defined system boundary under singular control of a distinct system owner.</p>
<p>The &#8216;security boundary&#8217; and &#8220;authorizing official&#8221;/&#8221;system owner&#8221; decision is further complicated by the different blockchain network topology options an organization can choose, for example:</p>
<ol>
<li>Cloud-hosted One Network:  Each participant owns a number of peer nodes including validating nodes.  In this configuration the blockchain network is in a cloud and hosted by a vendor who owns the physical hardware.  The participants contractually control the computing resources making the configuration decentralized within a centralized environment.</li>
<li>Cloud-hosted Multiple Networks:  This environment allows participants to have their peer nodes hosted by any cloud provider, given that peer nodes can connect via the peer-to-peer protocol, typically HTTPS.</li>
<li>Participant-hosted Intranet:  This environment uses networks that are owned by participants, with an HTTPS channel used for peer-to-peer communications.</li>
</ol>
<p>So what model should a practitioner apply to a technology that&#8217;s causing so much disruption to legacy business processes and practices globally?  Or does any such model exist?</p>
<p>The actual architectural stack of a typical blockchain implementation is also worthy of deeper exploration.  This stack can usually be divided into three primary functions described as follows:</p>
<ol>
<li>Membership Function &#8211; this is where membership registration, identity management and auditability occur</li>
</ol>
<p>NB: This function is the key differentiator between private (for example, Permissioned) Blockchains and public (for example, Permissionless) Blockchains, which rely on &#8220;proof of work&#8221; mechanisms for node validation.</p>
<ol>
<li value="2">Blockchain Services Function &#8211; this is where Consensus Management, Distributed Ledger, Peer-to-Peer Protocol Management and Ledger Storage occur</li>
<li value="3">Chain-code Functions &#8211; decentralized transactional program running on the validation nodes within Secure Containers and Secure Registry</li>
</ol>
<p>Layering on top of and across these three primary functions is the application interface layer where APIs, SDKs and other UI interact with the functions.</p>
<p>Cyber Defenders charged with protecting this stack have much to worry about in all three of these functional areas.  For Private/Permissioned Blockchains, ensuring that the technologies providing the membership functions and the cryptographic functions from the certificate authority are properly configured will be critical.  Similarly, for Public/Permissionless Blockchains, ensuring validity and cryptographic integrity in &#8220;proof of work&#8221; mechanisms will be critical.</p>
<p>There is some paranoia around “Consensus Management” in Permissionless Blockchains that revolves primarily around how agreement is derived, since it&#8217;s basically a voting system where more than 50% of the nodes need to agree on a transaction to make it effective.</p>
<p>This 50% agreement therefore implies that when more than half the computing power on a public blockchain mining network is controlled by an entity, that entity can effectively certify false transactions.  Of note is that it has been reported that in April 2016 over 70% of transactions on the Bitcoin network were flowing through four companies in just one country and most of them flowed through just two of those companies.</p>
<p>For the Chaincode services functions, cyber defenders will want to pay particular attention to whether the chaincode relies on a virtual machine, computer language, or something like Docker to contain chaincode execution, each with varying degrees of risk.</p>
<p>In closing, despite the potential lack of ‘fit’ of blockchains into current security risk management paradigms, several core cyber defense tenets and practices should still hold true and perhaps will become even more foundational in blockchain implementations.</p>
<p>Further, the cybersecurity risk &#8216;lens&#8217; that any particular blockchain implementation must be viewed through will depend on the particulars of the operational model of the blockchain architectural stack and network topology being deployed. This further underscores the urgency of having those charged with organizational cyber protections involved early in any corporate blockchain pilots or proofs of concept.</p>
]]></content:encoded>
					
					<wfw:commentRss>/blockchain-adoption-and-the-cybersecurity-practitioners-dilemma/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Cut the FUD: Four Reasons Cloud Brings Security Advantages</title>
		<link>/cut-the-fud-four-reasons-cloud-brings-security-advantages/</link>
					<comments>/cut-the-fud-four-reasons-cloud-brings-security-advantages/#respond</comments>
		
		<dc:creator><![CDATA[Devon Bryan]]></dc:creator>
		<pubDate>Tue, 09 Feb 2016 17:07:21 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16433</guid>

					<description><![CDATA[<p>At the risk of being &#8216;voted off CISO island&#8217; or worse, ‘lose my CISO card,&#8217; I&#8217;m prepared to make an argument contrary to the popular opinions expressed by many of&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p>At the risk of being &#8216;voted off CISO island&#8217; or worse, ‘losing my CISO card,&#8217; I&#8217;m prepared to make an argument contrary to the popular opinions expressed by many of my fellow CISOs. I believe cloud-based migrations can actually bring several security advantages for certain organizations and especially SMBs.</p>
<p>I find it surprising that so many fellow security practitioners are still discussing the ills of the nefarious &#8220;cloud.&#8221; I also wonder why many of the pundits, in their haste to further incite fear, uncertainty and doubt (FUD), often never take time to delineate the differences between the various &#8220;clouds&#8221; before piling on.</p>
<p>But then again, if they did attempt the delineation of the various types of cloud offerings – private cloud versus public cloud, platform as a service (PaaS), infrastructure as a service (IaaS) and software as a service (SaaS) – the fallacy of their logic would be revealed. So, instead they opt for broad generalizations that have limited substance and accuracy.</p>
<p>A few of the more overused FUD tactics, of course, are those of data residency, commingling of data and access controls. You may recognize the following rhetoric: &#8220;when you move to the cloud, your data could be anywhere,&#8221; &#8220;your data will be commingled with everyone else&#8217;s,&#8221; and lastly &#8220;anyone and everyone has access to your data in the cloud.&#8221;</p>
<p>Many of these fear factors are only applicable to public SaaS, but this fact is usually disregarded or overlooked. Furthermore, geo-load balancers and pre-negotiated contractual terms and conditions aside, it would make little sense for a SaaS provider not to house client data in proximity to where it&#8217;s being used, to minimize latency and improve performance.</p>
<p>So in defense of cloud providers everywhere, here are my arguments for why organizations should consider cloud migrations and their security advantages:</p>
<p>1. &#8220;Trust&#8221; is the basic building block of the go-to-market business strategy of all cloud providers, and given the fragility of that trust among clients, cloud providers have zero tolerance for poor practices that could compromise their systems and hurt their &#8220;brand.&#8221;</p>
<p>2. Most cloud providers of infrastructure, platform or software exist within regulated industries themselves or they serve clients in these industries, and hence the tools, tactics, techniques and procedures of most cloud providers are held to very exacting compliance standards by various examiners, standards bodies and compliance organizations.</p>
<p>3. With few exceptions, the size, annual budget spend and talent skillset of most cloud providers typically exceed those of in-house cyber resources.</p>
<p>4. If my fellow CISOs would for a moment remove the blinders, they should pause when they consider that small businesses are what fuel the US economy. Most small and medium-sized businesses can ill-afford the kind of capital and operational expense investments that it takes to truly protect their businesses from cyber criminals. As an industry, we should be encouraging SMBs to move to the cloud versus feeding them baseless FUD.</p>
<p><strong>Want to Read an Executive&#8217;s View on Why to Avoid the Cloud? Read:</strong></p>
<p><strong><a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/a-ciso-checklist-11-reasons-to-avoid-the-cloud">A CISO Checklist: 11 Reasons to Avoid the Cloud by Farhaad Nero <em>Bank of Tokyo-Mitsubishi UFJ, Ltd., VP Enterprise Security</em></a></strong></p>
]]></content:encoded>
					
					<wfw:commentRss>/cut-the-fud-four-reasons-cloud-brings-security-advantages/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Innovating as a CISO: Changing the Conversation</title>
		<link>/innovating-as-a-ciso-changing-the-conversation/</link>
					<comments>/innovating-as-a-ciso-changing-the-conversation/#respond</comments>
		
		<dc:creator><![CDATA[Devon Bryan]]></dc:creator>
		<pubDate>Thu, 07 Jan 2016 18:13:10 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16455</guid>

					<description><![CDATA[<p>I recently sat on a panel with fellow security executives to discuss the general topic of innovating as a CISO. Unsurprising and somewhat understandable, the conversation quickly devolved and topics&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p>I recently sat on a panel with fellow security executives to discuss the general topic of innovating as a CISO. Unsurprising and somewhat understandable, the conversation quickly devolved and topics covered included RSA’s Innovation Sandbox, the large number of startups CISOs visit at RSA each year and how many trips CISOs make to Silicon Valley or abroad to meet with startups.</p>
<p>I say ‘unsurprising and understandable’ because the natural tendencies of most cyber and overall IT practitioners in general tend to gravitate toward tactical technical investments as ‘innovation.’</p>
<p>I’d have preferred to have much more focused discourse about strategic security and privacy business process innovations, which executives are undertaking to enhance the go-to-market strategy of their businesses.</p>
<p>Take for instance, the challenges of recalibrating the legacy secure software development lifecycle to adapt to the ‘market speed’ with which products are now being deployed using the Agile methodologies (Secure DevOps). To ensure they are securely enabling their businesses to react at market-speed, more CISOs should pursue innovations in Secure DevOps.</p>
<p>Similarly, with the importance of protection of corporate brands from the recurring onslaught of phishing campaigns exploiting the trust consumers place in many corporate brands, I continue to be amazed at the low adoption rate of Domain-based Message Authentication, Reporting &amp; Conformance (DMARC), which is an email authentication protocol that allows senders and receivers to improve and monitor protection of their domains from fraudulent email.</p>
<p>With the data on end-user systems being susceptible to exposure and often highly exposed, innovations around auto-tagging, labeling, classification of sensitive data and the consequent authorization and encryption at a granular level are areas of concern that seem ripe for innovation, yet robust implementations are very few and far between.</p>
<p>Furthermore, the absence of discourse around innovations at the human firewall layer is increasingly evident in the low adoption rates of gamification to improve corporate security awareness programs.</p>
<p>Lastly, with the increased focus on insider threat, security innovations that deliver robust monitoring while balancing privacy concerns are sadly sorely missing from many CISO conversations and considerations.</p>
<p>And whereas my wish list for more strategic discourse on game-changing security innovations is also very technically focused, unlike rhetoric around the number of startups I visited last year, I’d like to think that the initiatives I outlined all have direct traceability to key business or operational objectives.</p>
]]></content:encoded>
					
					<wfw:commentRss>/innovating-as-a-ciso-changing-the-conversation/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Wisdom of the CISO Crowd&#8230;In an Era of Security Products and Technologies DELUGE</title>
		<link>/the-wisdom-of-the-ciso-crowd-in-an-era-of-security-products-and-technologies-deluge/</link>
					<comments>/the-wisdom-of-the-ciso-crowd-in-an-era-of-security-products-and-technologies-deluge/#respond</comments>
		
		<dc:creator><![CDATA[Devon Bryan]]></dc:creator>
		<pubDate>Tue, 03 Feb 2015 14:32:23 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16640</guid>

					<description><![CDATA[<p>The list of security products and technologies resulting from searches by even the least sophisticated Internet Search Engines across any of the major security product categories can be quite overwhelming.&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p>The list of security products and technologies resulting from searches by even the least sophisticated Internet Search Engines across any of the major security product categories can be quite overwhelming. These categories include &#8216;firewalls,&#8217; &#8216;IDS/IPS&#8217;, &#8216;SIEM&#8217; and don’t even mention &#8220;Threat Intelligence&#8221; since, thanks to the associated market hype-cycle, even vulnerability scanners are now being branded as &#8220;threat intel.&#8221;</p>
<p>As daunting as the plethora of security products and technologies listed online can be, stepping onto the showroom floor at any large security conference such as RSA, brings that reality into very sharp focus.</p>
<p>In light of this security product deluge and with the operational exigencies of their roles prioritized toward protecting their company&#8217;s vital assets, the average resource-constrained CISO in many cases defers exhaustive product testing, technical bake-offs and comparative product analyses to industry think-tanks and high-paid consultants.</p>
<p>There are many, many shortcomings to relying on the results of think-tank reports or consultant recommendations. These reports are often &#8216;stale,&#8217; reflecting features and functionalities of previous versions of the products in question; are often based on sanitized lab testing environments not reflecting real operational environments; and in some cases have questionable vendor affiliations. This has given rise to more and more CISOs basing their technology investment decisions on the experiences and recommendations of other CISOs in their &#8220;circles of trust&#8221; rather than industry think-tanks or consultants.</p>
<p>The industry transformation that a &#8220;Crowd-sourced CISO Product Recommendation Matrix&#8221; would bring is limited only by the logistics involved with scaling the &#8220;trusted CISO circle&#8221; model to cross-industry, national and international levels.</p>
]]></content:encoded>
					
					<wfw:commentRss>/the-wisdom-of-the-ciso-crowd-in-an-era-of-security-products-and-technologies-deluge/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>If Not Now, When? If Not Us, Who? – “Tackling The Great Minority Cyber Divide”</title>
		<link>/if-not-now-when-if-not-us-who-tackling-the-great-minority-cyber-divide/</link>
					<comments>/if-not-now-when-if-not-us-who-tackling-the-great-minority-cyber-divide/#respond</comments>
		
		<dc:creator><![CDATA[Devon Bryan]]></dc:creator>
		<pubDate>Thu, 15 Jan 2015 15:14:40 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16657</guid>

					<description><![CDATA[<p>In a November 2014 article, Lowell McAdam the CEO of Verizon made the following very bold public statement, “It’s Wrong That in a Room of 25 Engineers, Only 3 Are&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p>In a November 2014 article, Lowell McAdam, the CEO of Verizon, made the following very bold public statement: “It’s Wrong That in a Room of 25 Engineers, Only 3 Are Women.”</p>
<p>Lowell’s very intriguing article went on to quote several other very compelling facts and figures triggering resonance at so many levels, including the prediction that, “80% of all jobs in the next decade will require Science, Technology, Engineering, and Math (STEM) skills.”</p>
<p>The prediction by itself on the surface is unsurprising since we can all relate to the transformational effects that information technology has had on our personal and professional lives.</p>
<p>When analyzed, however, from a socio-economic context and ‘fused’ with another set of similarly quoted figures, i.e., “74% of young women in middle school express interest in STEM, yet when choosing a college major, just 0.3% of young women in high school select computer science,” the implications and associated macro-economics become outright scary.</p>
<p>If you’re an African American or Latino, where the diversity representation approximates to roughly 50% of the net female representation in STEM-related disciplines and particularly in the practicum of cybersecurity, it is even more dismal.</p>
<p>Hence a ‘recast’ of Lowell’s bold statement to reflect the broader minority cybersecurity divide, the caption I suggest would most likely read as follows, “It’s Wrong That in a Room of 25 &lt;&gt;, Only three Are Women and only one is African American or Latino.”</p>
<p>Lowell is certainly not the first, nor is he the only one making these very public and very bold statements regarding the &#8220;Great Minority Cyber &lt;&gt; Divide,&#8221; or as it has become known in many circles,  &#8220;The only one in the room problem.&#8221; The lack of women (and minorities) in STEM has been cited as recently as September 2014 in a <a href="http://www.usnews.com/news/stem-solutions/articles/2014/09/09/attracting-more-women-to-stem-fields-is-a-matter-of-national-security">US News &amp; World Report</a> as a &#8220;National Security Issue.&#8221;</p>
<p>The compulsion of the very necessary and the immediacy to just <em>‘do something’</em> to effect some small measure of social/societal change, in the face of a dramatic decline in interest level and involvement from minorities in the very fields that will be the backbone of the future global economy, gave birth to the formation of a grassroots volunteer-led 501(c)3 non-profit organization. This organization is dedicated to closing the gap of under-representation of women and minorities in the field of cybersecurity.</p>
<p>Obtaining official approval by the United States Department of the Treasury Internal Revenue Service (IRS) as a Tax Exempt Non-Profit Public Charity organization operating under Section 501(c)(3) of the Internal Revenue Code in July of 2014, the International Consortium of Minority Cybersecurity Professionals (ICMCP) began official operations in September of 2014. ICMCP is organized exclusively for charitable educational purposes, specifically to provide educational/technical scholarships to its members, mentoring opportunities, professional development and networking.</p>
<p>With cybersecurity being cited as one of the most serious economic and national security challenges we face across the world, ICMCP is among very few non-profit organizations intent on bridging that “Great Minority Cyber Divide.”</p>
]]></content:encoded>
					
					<wfw:commentRss>/if-not-now-when-if-not-us-who-tackling-the-great-minority-cyber-divide/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
