Monday, December 31, 2012

Best Book Bejtlich Read in 2012

It's time to name the winner of the Best Book Bejtlich Read award for 2012!

I started seriously reading and reviewing digital security books in 2000. This is the 7th time I've formally announced a winner; see my bestbook label for previous winners.

I posted yesterday that 2012 was the year I changed what I read. For example, in 2011 I read and reviewed 22 technical books. In 2012, with a change in my interests, I read and reviewed only one technical book. Thankfully, it was a five star book, which means it is my BBBR 2012 winner!

As you might have figured out yesterday, this year's winner is SSH Mastery by Michael W Lucas. Feel free to read my Amazon.com review for details. Note that I bought a Kindle version from Amazon.com, and later MWL mailed me a print copy.

Besides the excellent style and content, one of the reasons I read the book was to experience MWL's first release of a self-published technical book. I think it was a successful endeavor, although I'm not prepared to try that route myself anytime soon.

If I were to name my favorite non-technical book I read in 2012, it would be For the President's Eyes Only: Secret Intelligence and the American Presidency from Washington to Bush by Christopher Andrew. I enjoyed learning more about American history through the eyes of the intel world, but I was shocked by how poorly most presidents understood and (mis)used intelligence.

I'm probably done reading and reviewing technical books, so I consider this to be the final BBBR post. I have over 100 possible (mainly nontechnical) books to read on my Kindle now (in Sample form), but I doubt I will review them when done.

Good luck reading in 2013!

Sunday, December 30, 2012

2012: The Year I Changed What I Read

If you've been reading this blog for a while, you probably know that reading and reviewing technical books has been a key aspect since the blog's beginning in January 2003. In fact, my first blog post announced a review of a book on Border Gateway Protocol (BGP).
Looking at my previous reviews, it's clear that my interest in reading and reviewing technical books expired in the summer of 2011. Since then, the only technical book I wanted to read and review was Michael W. Lucas' excellent SSH Mastery. MWL is such a great author that I read just about anything he writes, and I was interested in his first self-published technical work.
So what happened? Becoming CSO at Mandiant in April 2011 contributed to my changing interests. Since that time I've spoken to almost a hundred reporters and industry analysts, and hundreds of customers and prospects, answering their questions about digital threats and how best to live in a world of constant compromise. (I listed some of the results of talking to the reporters on my press page.)
For me, the most interesting questions involved history, political science, and public policy. Probably not by accident, these are the three subjects in which I have degrees.
Accordingly, I bought and read books to add the historical, political, and policy content I needed to balance my technical understanding of the threat landscape. I also read a few books based purely on personal interest, without a work connection.
I thought you might want to know what these books were, despite my lack of interest in reviewing them at Amazon.com.

The books on Chinese topics included:

Of these five, the first was probably the most interesting. The way Chinese intelligence agencies work today appears very much the same way that the author described them almost twenty years ago.
I read three books on intelligence and Russia:

Of these three, the first was exceptional. It combined a history of the US with a history of intelligence through the end of Bush 41's term.
Finally, I read two other books; one related to security, and one completely unrelated:

The first was Bruce Schneier's latest, which I found largely interesting. I recommend reading it, because it may convince you that all the technical safeguards our industry pursues contribute probably less than 10% of the risk mitigation we need in the real world.
The second was another biography of my favorite historical figure, US Grant.
I'm trying to finish Tim Thomas' latest book, Three Faces of the Cyber Dragon, by the end of tomorrow, as well.
In my last post of 2012 I'll announce my Best Book Bejtlich Read in 2012 winner.

Five No Starch Books for Kids, Reviewed by Kids

No Starch was kind enough to send me five books for kids, which I asked my 6- and 8-year-old daughters to read. (I didn't need to "ask," really -- like my wife and I, our daughters think reading is something you have to be told "not" to do, e.g., "put the book down; we don't read at the dinner table.")

I did have to encourage my daughters to review the books. Although the older one writes book reports for school, she's not accustomed to writing reviews for books sent by publishers.

The five books, with links to the Amazon.com reviews, are:

I agree with my daughters: all five of these books are excellent. However, for readers of this blog who have kids, I would most strongly recommend the Python book. I would start with the book we previously reviewed, Super Scratch Programming Adventure!, and then see what your kid can do with Python.

Kudos to No Starch for publishing high quality books that teach kids skills they can use in the work place (programming), or for fun!

Wednesday, December 26, 2012

The Value of Branding and Simplicity to Certifications

At the risk of stirring the cyber pot (item 3, specifically) I wanted to post a response to a great mailing list thread I've been following. A reader asked about the value of the CISSP certification. Within the context of the mailing list, several responders cited their thoughts on SANS certifications. Many mentioned why the CISSP tends to be so popular. I'd like to share my thoughts here.

In my opinion, the primary reason the CISSP is so successful is that it is easy to understand it, which facilitates marketing it. It is exceptionally easy for a recruiter to search LinkedIn profiles, other databases, or resumes for the term "CISSP." If you encounter a person with the CISSP, you basically know what the person had to do to get the certification.

Before continuing, answer this quick question: what are the following? 1) SSCP, 2) CAP, 3) CSSLP?

Let me guess -- you didn't recognize any of them? Neither did I.

Now, let me see if you recognize any of the following? 1) GGSC-0400, 2) GNET, 3) GAWN-C, 4) GBLC, 5) GCIM?

I believe you didn't recognize any of those either.

How about? 1) GISP, 2) GLEG, 3) GCIH, 4) GAWN?

I'm guessing some of you might recognize GCIH as the SANS "GIAC Certified Incident Handler," which actually doesn't have much to do with "incident handling." That's a topic for another day, but it does show GCIH benefits from decent branding.

You've probably figured out that the last two lists of acronyms were SANS certifications. The first list was a selection of a few of the retired SANS certifications. There are 26 of those.

The second list was a selection from the list of 24 active SANS certifications.

What about the first list, starting with "SSCP?" Those are other certifications offered by ISC2. They're utterly forgettable. Had I not visited the ISC2 Web site, I would never have known they existed.

Now, one could argue that the brand "SANS" is as recognizable as, or even more recognizable than, the brand "CISSP."

The problem is that a person's resume could list "SANS" as a course he or she attended, without noting if a certain achievement (i.e., certification) was achieved. "SANS" is also a poor search term because the diversity of the SANS ecosystem means you could be dealing with a legal person, or a reverse engineer, or a UNIX system administrator.

What is the answer for SANS, if the CISSP will likely continue to out-market it? I recommend adopting the model used by Cisco. If you hear a person has a CCIE, that means something -- you immediately think of deep knowledge, several levels of work, and grueling hands-on testing over two days in a controlled environment.

The genius of Cisco's approach is that they have "tracks" for the CCIE, e.g. Data Center, Routing and Switching, etc. Those aren't the brands though; that stays with CCIE.

The Cisco approach isn't perfect, because you can't simply search resumes for "CCIE" intending to get a CCIE in security. You might find a CCIE in routing and switching, or wireless. However, if one finds a CCIE, you get a sense of the level of seniority and ability to operate in a stressful environment (at least as far as a test can simulate).

SANS has tried something like the CCIE with their "GIAC Security Expert (GSE)." The GSE is similar to the CCIE in many respects, including horribly tough hands-on labs, but unfortunately hardly anyone knows about it. It is really difficult to reach that level in SANS certification. However, because only 63 people hold it, there's no real market for them.

By the way, I smell a branding failure when SANS certifications like GSE, GCIH, and so on all have a "G," which references another acronym -- "GIAC," for "Global Information Assurance Certification." That doesn't even include the term "SANS," which is the stronger brand. GIAC originally meant "Global Incident Analysis Center," but that's another story.

In brief, I think SANS could increase the branding value of their certifications if they retired the existing acronyms and names, incorporated "SANS" into a new naming scheme, and concentrated on a "level" approach seen with Cisco. Focus on Entry-Level, Associate, Professional, and Expert as Cisco does, and develop programs to accelerate the adoption of the Expert level among its constituency as Cisco did with CCIEs.

Rebranding would cause lots of SANS folk plenty of heartache, but I think integrating "SANS" into the new level-oriented structure would more than compensate for the initial transition costs. Ultimately the system would be stronger for everyone.

What do you think?

Monday, November 26, 2012

Why Collect Full Content Data?

I recently received the following via email:

I am writing a SANS Gold paper on a custom full packet capture system using Linux and tcpdump. It is for the GSEC Certification, so my intent is to cover the reasons why to do full packet capture and the basic set up of a system (information that wasn't readily available when setting my system up)...

I am already referencing The Tao of Network Security Monitoring.

These are the questions that I came up with based on questions other peers have asked me...

Here are the questions, followed by my answers. Most of this is covered in my previous books and blog posts, but for the sake of brevity I'll try posting short, stand-alone responses.

  1. As an information security analyst in today's threat landscape why would I want to do full packet capture in my environment? What value does it have?

    Full content data or capturing full packets provides the most flexibility and granularity when analyzing network-centric data. Unlike various forms of log data, full content data, if properly collected, is the actual data that was transferred -- not a summarization, or representation, or sample.

  2. Where should I place a full packet capture system on my network - are ingress/egress points sufficient?

    I prioritize collection locations as follows:

    • Collect where you can see the true Internet destination IP address for traffic of interest, and where you can see the true internal source IP address for traffic of interest. This may require deploying two traffic access methods with two sensors; so be it.
    • Collect where you can see traffic to and from your VPN segment. Remember the previous IP address requirements.
    • Collect where you can see traffic to and from business partners or through "third party gateways." You need to acquire the true source IP, but you may not be able to acquire the true destination IP if the business partner prevents collecting behind any NAT or security devices that obscure the true destination IP.
    • Collect where your business units exchange traffic. This is more of a concern for larger companies, but you want to see true source and destination IPs (if possible) of internal traffic as they cross business boundaries.
    • Consider cloud or hosted vendors who enable collection near Infrastructure-as-a-Service platforms used by your company.

  3. What advantages are there to creating a custom server with open source tools (such as a server running Linux and capturing with tcpdump) opposed to buying a commercial solution (like Solera or Niksun)?

    A custom or "open" platform enables analysts to deploy the sorts of tools they need to accomplish their security mission. Closed platforms require the analyst to rely on the information provided by the vendor.

  4. Now that I have full packet data, what kind of analysis goals should I have to address advanced threats and subtle attacks?

    The goal for any network security monitoring operation is to collect and analyze indicators and warnings to detect and respond to intrusions. Your ultimate role is to detect, respond to, and contain adversaries before they accomplish their mission, which may be to steal, alter, or destroy your data.

  5. Any other advice for an analyst just getting started with full packet capture systems and analyzing the data?

    Rarely start with full content data. Don't dump a ton of traffic into Wireshark and start scrolling around. I recommend working with session data (connection logs) and application-specific logs (HTTP, DNS, etc.) to identify sessions of interest, then examine the content if necessary to validate your suspicions.
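
As an added example (not from the original post or the reader's paper), here is the workflow from answer 5, together with the true-internal-source / true-Internet-destination distinction from answer 2, in Python: session records are ranked first, sessions of interest are flagged, and only then is a BPF filter built so tcpdump pulls just those sessions from the full-content archive. The session-log format, the internal address ranges, the thresholds and the sample records are all assumptions constructed for this example.

```python
"""Pivot from session data to full content, as the answers above recommend.

Constructed session records are ranked to find sessions of interest, then a
BPF expression is built so tcpdump can pull only those sessions from a
full-content archive. Log format, thresholds and addresses are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed internal ranges; the sensor is assumed to see true internal source
# addresses and true Internet destination addresses (no NAT in between).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (documentation address space, not real traffic).
# Fields: start, src, sport, dst, dport, proto, duration_s, bytes_out, bytes_in
SAMPLE_CONN_LOG = """\
2012-11-26T09:00:01 10.1.5.23 49152 192.0.2.10    80   tcp 2.1    812      5210
2012-11-26T09:00:05 10.1.5.23 49153 10.1.1.10     53   udp 0.01   64       180
2012-11-26T09:01:10 10.1.7.41 49200 198.51.100.77 443  tcp 3640.5 48211234 22104
2012-11-26T09:02:33 10.1.5.23 49160 203.0.113.9   8080 tcp 1.4    512      1900
2012-11-26T09:02:40 10.1.5.23 49161 203.0.113.9   8080 tcp 1.2    501      1880
2012-11-26T09:02:47 10.1.5.23 49162 203.0.113.9   8080 tcp 1.3    509      1920
2012-11-26T09:05:00 10.1.9.8  49300 10.1.1.20     445  tcp 15.0   20480    10240
"""


@dataclass(frozen=True)
class Session:
    start: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    duration: float
    bytes_out: int
    bytes_in: int


def parse_conn_log(text: str) -> list[Session]:
    """Parse whitespace-separated session records; reject malformed lines."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) != 9:
            raise ValueError(f"malformed session record: {line!r}")
        sessions.append(Session(datetime.fromisoformat(f[0]), f[1], int(f[2]),
                                f[3], int(f[4]), f[5], float(f[6]),
                                int(f[7]), int(f[8])))
    return sessions


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def sessions_of_interest(sessions: list[Session], long_seconds: float = 3600.0,
                         exfil_bytes: int = 10_000_000, repeat_min: int = 3
                         ) -> dict[Session, list[str]]:
    """Map each flagged outbound session to the reasons it deserves a look."""
    flagged: dict[Session, list[str]] = defaultdict(list)
    # Only sessions with a true internal source and a true Internet destination.
    outbound = [s for s in sessions if is_internal(s.src) and not is_internal(s.dst)]
    # Repeated connections from one host to the same external endpoint.
    by_endpoint: dict[tuple, list[Session]] = defaultdict(list)
    for s in outbound:
        by_endpoint[(s.src, s.dst, s.dport, s.proto)].append(s)
    for group in by_endpoint.values():
        if len(group) >= repeat_min:
            for s in group:
                flagged[s].append(f"{len(group)} repeated connections to external endpoint")
    for s in outbound:
        if s.duration >= long_seconds:
            flagged[s].append("long-lived external session")
        if s.bytes_out >= exfil_bytes and s.bytes_out > 10 * s.bytes_in:
            flagged[s].append("large outbound transfer")
    return dict(flagged)


def bpf_filter(flagged: dict[Session, list[str]]) -> str:
    """Build one BPF expression covering every flagged session's endpoints."""
    clauses = {f"(host {s.src} and host {s.dst} and {s.proto} port {s.dport})"
               for s in flagged}
    return " or ".join(sorted(clauses))


if __name__ == "__main__":
    found = sessions_of_interest(parse_conn_log(SAMPLE_CONN_LOG))
    for s, why in sorted(found.items(), key=lambda kv: kv[0].start):
        print(f"{s.start:%H:%M:%S} {s.src}:{s.sport} -> {s.dst}:{s.dport} "
              f"{s.proto}: {'; '.join(why)}")
    # Only now go to the full-content archive, and only for these sessions.
    print(f"tcpdump -n -r archive.pcap -w interest.pcap '{bpf_filter(found)}'")
```

The printed tcpdump command (archive.pcap and interest.pcap are placeholder file names) is the step where full content is finally opened, after the session data has narrowed the search.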

I could write a lot more on this topic. Stay tuned.

Sunday, November 25, 2012

Spectrum of State Responsibility

"Attribution" for digital attacks and incidents is a hot topic right now. I wanted to point readers to this great paper by Jason Healey at the Atlantic Council titled Beyond Attribution: Seeking National Responsibility in Cyberspace.

ACUS published the report in February, but I'm not hearing anyone using the terms described therein. Probably my favorite aspect of the paper is the chart pictured at left. It offers a taxonomy for describing state involvement in digital attacks, ranging from "state-prohibited" to "state-integrated."

I recommend using the chart and ideas in the paper as a starting point the next time you have a debate over digital attribution.


Saturday, November 24, 2012

Recommended: The Great Courses "Art of War" Class

I recently purchased and listened to an audio course titled The Art of War (TAOW) by Prof Andrew R. Wilson and published by The Great Courses. From the first few minutes I knew this series of six 30-minute lessons was going to be great.

For example, did you know that "Sun Tzu" didn't write "The Art of War?" An anonymous author wrote the book in the 4th century BC, based on Sun Tzu's lessons from his time in the 6th century BC.

Also, "The Art of War" isn't even the name of the book! It's actually "Master Sun's Military Method." Furthermore, the use of the term "Master" is significant as it was a term not usually associated with generals.

I especially like two aspects of the course. First, the lecturer, paraphrasing his own words, didn't choose to simply peruse TAOW looking for trite phrases. He equates that approach with telling a stock broker to "buy low, sell high." Instead, Prof Wilson is more concerned with explaining the context for the book and what the words really mean.

Second, the lecturer extends his discussion beyond the history of China's Warring States Period, the era from which TAOW was born. Prof Wilson applies lessons from the book to military history and business situations. He also applies TAOW to modern Chinese cyber espionage, showing he keeps current with contemporary issues.

Consider buying TAOW as a holiday gift for yourself or your friends!

Friday, November 23, 2012

Commander's Reading List

Last month a squadron commander asked me to recommend books for his commander's reading list. After some reflection I offer the following.

I've divided the list into two sections: technical and nontechnical. My hope for the technical books is to share a little bit of technical insight with the commander's intended audience, while not overwhelming them. The plan for the nontechnical items is to share some perspective on history, policy, and contemporary problems.

The list is in no particular order.

Nontechnical books:

Technical books:

I also recommend any books by Timothy L Thomas.

Update: For the more technically-minded reader, I'm adding the following:

Practical Malware Analysis by Michael Sikorski and Andrew Honig.

Note: The above do not necessarily constitute my "best" or "favorite" books. Please see Best Books for blog posts on that subject.

Thursday, November 22, 2012

Do Devs Care About Java (In)Security?

In September InformationWeek published an article titled Java Still Not Safe, Security Experts Say. From that article by Matthew J. Schwartz:

Is Java 7 currently safe to use?

Last week, Oracle released emergency updates to fix zero-day vulnerabilities in Java 7 and Java 6. But in the case of the Java 7 fix, the new version allows an existing flaw--spotted by security researchers and disclosed to Oracle earlier this year--to be exploited to bypass the Java sandbox. In other words, while fixing some flaws, Oracle opened the door to another one.

In light of that situation, multiple security experts said that businesses should continue to temporarily disable all Java use, whenever possible. "There are still not-yet-addressed, serious security issues that affect the most recent version of Java 7," said Adam Gowdiak, CEO and founder of Poland-based Security Explorations, which initially disclosed the exploited vulnerabilities to Oracle in April. "In that context, disabling Java until proper patches are available seems to be an adequate solution," he said via email.

A month later I read a new article in InformationWeek titled "Oracle's Java Revival," also available as Two Years Later: A Report Card On Oracle's Ownership of Java by Andrew Binstock. The article appeared in the 29 October 2012 issue of InformationWeek, at a time when the security community continued to reel from repeated hammering of Java vulnerabilities.

I expected some mention of Java security woes in the article. About halfway through, with the word "security" not yet in print, I found the following:

In 2011, Oracle did not fare much better. The welcome release of Java 7 was marred by the revelation that it included serious defects that the company knew about.

Ok, maybe there will be some expansion of this idea? Shouldn't a terrible security record be a major factor affecting enterprise use of Java and a reflection on Oracle's handling of Java? Instead I read this:

I'm inclined to agree with James Gosling's revised opinion of Oracle's stewardship, that it's been good for Java...

However, the record is mixed in other areas...

Oracle's ambiguous relationship with the JCP and the OSS communities remain two other weak points.

That's it? Security pros continue to tell enterprise users to disable Java, and the development community is more concerned about features, personalities, and community relations?

I think the Java development community, and especially Oracle, must reevaluate their responsibilities regarding security. Otherwise, they may find themselves coding for a platform that enterprise users will increasingly disable.

Sunday, October 14, 2012

Review of Super Scratch Programming Adventure! Posted

Amazon.com just posted a joint review by myself and my daughter of No Starch's new book Super Scratch Programming Adventure!. From the five star review:

I asked my almost-8-year-old to share her thoughts on Super Scratch Programming Adventure! She chose five stars and wrote the following:

"I think it's a very great book. I love the storyline, but my main concern is that I could not find a trace of the Super Scratch folder.

How hard is it to draw the Mona Lisa? I have Scratch version 1.4, and I found it difficult drawing Le Louvre.

On the flip side, I learned a lot. Who knew you could make Scratchy move with 1) arrow keys and 2) a medium sized Script?

I enjoyed watching the Magic Star Web change colors.

Overall, I think it's a very great book, and I highly recommend it to anyone who is interested in programming."

I agree that this is a great book. My daughter wanted to learn how to program a video game, and I thought it would be a lot more difficult. Shortly after starting to read and apply this book, she coded a video game!

I'd like to thank No Starch for sending us a review copy.

Tuesday, October 09, 2012

Washington National Guard: Model for Cyber Defense?

My friend Russ McRee pointed me to an article recently: WA National Guard focusing on cyber security. From the article:

The Washington National Guard is leveraging a decade of investment in cyber security at Camp Murray in Lakewood into projects that could protect state and local governments, utilities and private industry from network attacks.

The aim is to bring to the digital world the kind of disaster response the National Guard already lends to fighting wildfires and floods, said Lt. Col. Gent Welsh of the Washington Air National Guard.

“Just as ‘Business X’ needs the National Guard to come in and fill sand bags, ‘Business X’ might need to call the National Guard if it’s overwhelmed on the cyber side,” Welsh said.

The new task plays to a growing strength in the state’s National Guard, which draws on employees from companies including Microsoft and Amazon to provide special expertise in its network warfare units.

I first learned of this initiative when Russ Tweeted about it in June. In an email exchange he described his role in the Washington State Guard (WSG):

"The WSG is an all volunteer force that is a state defense force, with what is typically an emergency management mission. See Title 38 of the Revised Code of Washington (RCW). WSG is also authorized by Federal law, Title 32 of the United States Code.

We most often serve as liaison officers in support of the Emergency Support Function (ESF) 20 (defense support for civilian authorities) function per Federal Emergency Management Agency (FEMA) National Incident Management System (NIMS) / Incident Command System (ICS) guidance during major events (disasters, natural or human caused).

WSG remains a place where extremely experienced soldiers who have exceeded age requirements for active/reserve service can continue to serve as well as folks like me with no prior service who can't get the federal services to consider them for age reasons.

We can be called to active duty but in-state only. I was on active duty with orders for two days in June for a major statewide exercise. When we're called up for such activity we become peer in rank and responsibility to our National Guard counterparts.

I'll also be seeing some active duty time again in the immediate future in support of the initiatives mentioned in the article."

I think this is a great start on a journey towards applying private sector expertise to national digital security problems, but on a local scale. The News Tribune article mentions that the Guard (in all its forms) is working to figure out how it can provide help to besieged companies, from a legal and logistical perspective.

I think this line from the news article summarizes a key theme in this discussion:

"We're not going to wait for the feds to hand us everything," Welsh said.

In our Federal system, we should allow the States (per the 10th Amendment) the freedom to innovate, and thereby invent multiple approaches to fighting digital threats.

Thursday, October 04, 2012

Inside Saudi Aramco with 60 Minutes

I just watched a recent episode of 60 Minutes on CNBC and enjoyed the segment on oil production in Saudi Arabia. It featured a story from late 2008 on Saudi Aramco. You may recall this name from recent news, namely data destruction affecting 30,000 computers. A recent Reuters article said the following:

Saudi Aramco has said that only office PCs running Microsoft Windows were damaged. Its oil exploration, production, export, sales and database systems all remained intact as they ran on isolated and heavily protected systems.

"All our core operations continued smoothly," CEO Khalid Al-Falih told Saudi government and business officials at a security workshop on Wednesday.

"Not a single drop of oil was lost. No critical service or business transaction was directly impacted by the virus."

It is standard industry practice to shield plant operating networks from hackers by running them on separate operating systems that are protected from the Internet.

While watching the video I was struck by the following comments by the CEO of Saudi Aramco, giving Leslie Stahl a tour of their 21st century operations center (pictured here). From the transcript:

Abdallah Jum'ah, Saudi Aramco's president and CEO... gave 60 Minutes a tour of the company's command center, where engineers scrutinize and analyze every aspect of the company's operations on a 220-foot digital screen.

"Every facility in the kingdom, every drop of oil that comes from the ground is monitored in real time in this room," Jum'ah explained. "And we have control of each and every facility, each and every pipeline, each and every valve on the pipeline. And therefore, we know exactly what is happening in the system from A to Z."

Aramco engineers are making sure that not one drop of oil is overlooked: computers are receiving data, via satellite, from sensors mounted on drill bits that are burrowing deep into the oil fields all over Saudi Arabia. Engineers are sending instant messages that actually guide the drill bits.

"He is now directing that drill bit to go into the best areas of the reservoirs. And suck that oil from it, and not leave any oil behind," Jum'ah explained.

He says the drill bit is a bit like a snake, going down and following where the oil is. "And mind you, this is happening 400 to 500 miles from here geographically. And we are sending that drill bit also two or three miles in the ground."

The screen capture at right appears to show this control process in action on a Windows XP computer. (Remember, this show was filmed in late 2008.)

You can watch the segment (in two parts) for more details, if you like.

Now, it's entirely possible that the sorts of systems depicted in the video were not affected by the malicious code that allegedly struck 30,000 systems. Then again, it's not unheard of for malicious code to propagate from one enclave to another.

Hopefully we will hear more details on what happened, either to Saudi Aramco or apparently other companies. Again, from Reuters:

Qatar's natural gas firm Rasgas was also hit by a cyber attack last week, although it has not said how much damage was caused or whether Shamoon was the virus involved. Qatar, also a Sunni Gulf kingdom, has similar foes to Saudi Arabia.

Its parent firm Qatar Petroleum, which also owns Qatar's other main natural gas firm Qatargas, said it was unaffected but implied that other companies had been hit.

"Qatar Petroleum has not been affected by the computer virus that hit several oil and gas firms. All QP operations are continuing as normal," it said in an official tweet on Monday.

Saturday, September 29, 2012

Netanyahu Channels Tufte at United Nations

This is not a political blog, and I don't intend for this to be a political post.

I recently watched Israeli Prime Minister Benjamin Netanyahu's speech to the United Nations on Thursday. I watched it because I am worried about Iran's nuclear weapons program and the Iranian security situation, to be sure.

However, what really intrigued me was the red line he actually drew on a diagram, in front of the United Nations. In the video I linked, it takes place at approximately the 26 minute mark. The screen capture at left shows this event.

The reason this caught my attention was that it reminded me of the Best Single Day Class Ever, taught by Edward Tufte. I attended his class in 2008 and continue to recommend it.

I've since blogged about Tufte on several occasions.

Netanyahu's action, to me, seems like pure Tufte. The primary goal of his speech was to tell Iran, and the world, that Israel is setting a "red line" involving Iran's nuclear weapons program. To show that, he literally drew a red line on a diagram representing Iranian progress on uranium enrichment.

Now, there's some confusion about what that red line really means. The point is that people are talking about the red line, and that means Netanyahu at least partially achieved his goal.

This is the take-away for those of us who speak in public: rather than develop Yet Another PowerPoint presentation, determine 1) what message you want your audience to remember, and then 2) figure out how you can escape from flat land to grab your audience's attention.

If you want to learn more about these techniques, take Tufte's course!

You can read a transcript of the speech as well as see the video. Besides the red line segment, I thought it was a powerful speech. I'm convinced that unless Iran changes course, Israel will disable Iran's uranium enrichment capability.

Friday, September 28, 2012

Celebrate Packt Publishing's 1000th Title

I'm pleased to announce a special event involving Packt Publishing. The company told me, as a way to celebrate their 1000th title, that those who have registered at https://www.packtpub.com/login by 30 September will receive one free e-book. To help you make your choice, Packt is also opening its online library for a week for free to members.

I'm interested in two recent titles:

Metasploit Penetration Testing Cookbook by Abhinav Singh

Advanced Penetration Testing for Highly-Secured Environments by Lee Allen

In a few months a third book will arrive:

BackTrack 5 Cookbook

At this point I don't have personal experience with any of these titles, but I plan to take a look.

Thank you Packt for sharing part of your library with us!

Wednesday, September 26, 2012

Top Ten Ways to Stir the Cyber Pot

I spent a few minutes just now thinking about the digital security issues that people periodically raise on their blogs, or on Twitter, or at conferences. We constantly argue about some of these topics. I don't think we'll ever resolve any of them.

If you want to start a debate/argument/flamewar in security, pick any of the following.

  1. "Full disclosure" vs "responsible disclosure" vs whatever else
  2. Threat intelligence sharing
  3. Value of security certifications
  4. Exploit sales
  5. Advanced-ness, Persistence-ness, Threat-ness, Chinese-ness of APT
  6. Reality of "cyberwar"
  7. "Builders vs Breakers"
  8. "Security is an engineering problem," i.e., "building a new Internet is the answer."
  9. "Return on security investment"
  10. Security by mandate or legislation or regulation

Did I miss any subjects people raise to "stir the cyber pot?"

Tuesday, September 25, 2012

Unrealistic "Security Advice"

I just read a blog post (no need to direct traffic there with a link) that included the following content:

This week, I had the opportunity to interview the hacking teams that used zero-day vulnerabilities and clever exploitation techniques to compromise fully patched iPhone 4S and Android 4.0.4 (Samsung S3) and the big message from these hackers was simple: Do not use your mobile device for *anything* of value, especially for work e-mail or the transfer of sensitive business documents.

For many, this is not practical advice. After all, your mobile device is seen as an extension of the computer and there is a legitimate need to access work e-mail on iPhone/iPad, Android and BlackBerry smart phones. However, whether you are a businessman, a celebrity or the average consumer, it's important to start wrapping your mind around the idea of separating work from play on mobile devices.

This author is well-meaning, but he completely misses the bigger picture.

Against a sufficiently motivated and equipped adversary, no device is impenetrable.

Mobile devices are simply the latest platform to be vulnerable. There is no reason to think your corporate laptop is going to survive any better than your iPhone.

Now, I believe that non-mobile devices enjoy some protections that make them more defensible compared to mobile devices. Servers and workstations are generally "wrapped" with multiple defensive layers. Laptops benefit from those layers when connected to a corporate network, but may lose them when mobile. Still, even with those layers, intruders routinely penetrate networks and accomplish their missions.

One might also argue that mobile devices are more likely to be lost or stolen. I agree with that. However, full device encryption and passcodes can mitigate those risks. That's not the same as "zero-day vulnerabilities and clever exploitation techniques" however.

Despite these limitations, we still conduct work on computing devices. If we didn't, what would be the point?

We would be much better served if we accepted that prevention eventually fails, so we need detection, response, and containment for the incidents that will occur.

Software developers and security engineers should of course continue to devise better protection and resistance mechanisms, but we must remember we face an intelligent adversary who will figure out how to defeat those countermeasures.

Sunday, September 23, 2012

To Be Hacked or Not To Be Hacked?

People often ask me how to tell if they might be victims of state-serving adversaries. As I've written before, I don't advocate the position that "everyone is hacked." How then can an organization make informed decisions about their risk profile?

A unique aspect of Chinese targeted threat operations is their tendency to telegraph their intentions. They frequently publish the industry types they intend to target, so it pays to read these announcements.

Adam Segal Tweeted a link to a Xinhua story titled China aims to become world technological power by 2049. The following excerpts caught my attention:

China aims to become a world technological power by 2049 and strives to be a leading nation in innovation and scientific development, according to a government document released on Sunday.

The document, released by the Communist Party of China Central Committee and the State Council, or the Cabinet, namely opinions on "deepening technological system reform and accelerating national innovation system construction," sets the goal for the country to be "in the ranks of innovative nations" by 2020...

In this intro we read two key dates: 2020 for "in the ranks of innovative nations" and 2049 for a "world technological power." As we've seen during the last 10-12 years, one of the ways China pursues these goals is to steal intellectual property from target industries. What are those industries?

The development of strategic emerging industries, such as energy preservation and environmental protection, new-generation information technology, biology, advanced equipment manufacturing, new energy and material as well as green vehicles, should be accelerated, it said.

Major breakthroughs of key technologies should be materialized in sectors including electronic information, energy and environment protection, biological medicine and advanced manufacturing, it said.

Those industries have already been targeted and compromised by Chinese intruders. If you work in these areas but aren't actively seeking to detect and respond to Chinese intruders in your enterprise, I recommend taking a closer look at who is using your network.

Later in the document I was somewhat surprised to read the following:

And technological innovation should be made in industries that were related to people's livelihoods, such as health, food and drug safety, and disaster relief, the document said.

The industries named there (health, food and drug safety, and disaster relief) explain some activity I've seen recently, and it may be a warning for those of you in those sectors.

The last part of the document I would like to mention says the following:

It called for an enhanced system to integrate the technologies for military use and those for civilian purposes.

The document said the nation's technological plan would be more open to the outside world in terms of cooperation, and international academic institutions and multinational companies would be encouraged to set up R&D centers.

None of that is new, but it shows the Chinese commitment to applying "dual use" technologies to both sides of that equation. It also shows the Chinese think they can still fool Western companies into sending engineers to China, where stealing IP is as easy as setting foot in an office building. Unfortunately plenty of Western companies appear to be falling for this ploy.

Wednesday, September 19, 2012

Understanding Responsible Disclosure of Threat Intelligence

Imagine you're hiking in the woods one day. While stopping for a break you happen to find a mysterious package off to the side of the trail. You open the package and realize you've discovered a "dead drop," a clandestine method to exchange messages.

You notice the contents of the message appear to be encoded in some manner to defy casual inspection. You decide to take pictures of the package and its contents with your phone, then return the items to the place you found them.

Returning home you eagerly examine your photographs. Because you're clever you eventually decode the messages captured in your pictures. Apparently a foreign intelligence service (FIS) is using the dead drop to communicate with spies in your area! You're able to determine the identities of several Americans working for the FIS, as well as the identities of their FIS handlers. You can't believe it. What should you do?

You decide to take this information to the world via your blog. You found the messages on your own, and you did the work to understand what they mean. If the press reads about your discovery, they'll likely take it farther.

You consider going to the press first, but you decide that it won't hurt to drive traffic to your own blog first. You might even be able to launch that small private investigator practice you've always wanted!

After publishing your post, the press indeed notices, and publishes an expose featuring an interview with you. Several US intelligence agencies also notice. They had been monitoring the dead drop themselves for a year, and had been working a complex joint case against all of the parties you identified. Now all of that work is ruined.

Before the intelligence agencies can react to your disclosure, the targets of their investigation disappear. They will likely be replaced by other agents quickly enough, using other modes of communication unknown to the US agencies. The FIS will alter their operation to account for the disclosure, but it will continue in some form.

That is the problem with irresponsible disclosure. To apply the situation to the digital security world, make the following changes.

  • Substitute "command and control server" for "dead drop."
  • Substitute "tools, exploits, and other digital artifacts" for "messages."
  • When the adversary learns of the disclosure, they move to other C2 infrastructure and develop or adopt new tools, tactics, and procedures (TTPs).

What should the hypothetical "security researcher" have done in this case?

It's fairly obvious he should have approached the FBI himself. They would have realized that he had stumbled upon an active investigation, and counseled him to stay quiet for the sake of national security.

What should "security researchers" in the digital world do?

This has been an active topic in a private mailing list in which I participate. We've been frustrated by what many of us consider to be "irresponsible disclosures." We agree that sharing threat intelligence is valuable, but we prefer to keep the information within channels among peers trusted to not alert the adversary to our knowledge of intruder TTPs.

Granted, this is a difficult line to walk, as I Tweeted yesterday:

Responsible security intel teams walk a fine line between sharing for the benefit of peers and risking disclosure to the detriment of all.

The best I can say at this point is to keep this story in mind the next time you stumble upon a package in the woods. The adversary is watching.

Tuesday, September 18, 2012

Over Time, Intruders Improvise, Adapt, Overcome

Today I read a well-meaning question on a mailing list asking for help with the following statement:

"Unpatched systems represent the number one method of system compromise."

This is a common statement and I'm sure many of you can find various reports that claim to corroborate this sentiment.

I'm not going to argue that point. Why am I still aggravated by this statement then? This sentiment reflects static thinking. It ignores activity over time.

For both opportunistic and targeted threats, when exploiting unpatched vulnerabilities no longer works, over time they will escalate to attacks that do work.

I recognize that if you have to start your security program somewhere, addressing vulnerabilities is a good idea. I get that as a Chief Security Officer.

However, the tendency for far too many involved with security, from the CTO or CIO perspective, is to then conclude that "patched = secure."

At best, patching reduces a certain amount of noise because it deflects opportunistic attacks that work against weaker peers. Should patching become more widespread, opportunistic attackers adopt 0-days. We've been seeing that in spades over the last few months, even without widespread adoption of patches.

In the case of targeted attacks, patching drives intruders to try other means of exploitation. I've seen this first hand, with intruders adopting 0-days as a matter of course or trying other attack vectors. Targeted intruders learn not to trip traditional defenses while failing to exploit well-known vulnerabilities.

If someone asks you if "unpatched systems represent the number one method of system compromise," please keep this post in mind. Remember we face an intelligent adversary who, over time, acts to improvise, adapt and overcome.

We must do the same, over time.

Monday, September 17, 2012

Does Anything Really "End" In Digital Security?

Adam Shostack wrote an interesting post last week titled Smashing the Future for Fun and Profit. He said in part:

15 years ago Aleph One published “Smashing the Stack for Fun and Profit.” In it, he took a set of bugs and made them into a class, and the co-evolution of that class and defenses against it have in many ways defined Black Hat. Many of the most exciting and cited talks put forth new ways to reliably gain execution by corrupting memory, and others bypassed defenses put in place to make such exploitation harder or less useful. That memory corruption class of bugs isn’t over, but the era ruled by the vulnerability is coming to an end.

Now, I'm not a programmer, and I don't play one at Mandiant. However, Adam's last sentence in the excerpt caught my attention. My observation over the period since Aleph One's historic paper was written is this: we don't seem to "solve" any security problems. Accordingly, no "era" seems to end!

Is this true? To get a slight insight into whether my sense of history is correct, I consulted the Open Source Vulnerability Database and ran queries like the following:

Query for all vulnerabilities of attack type "input manipulation," with "buffer overflow" in the text, from time 1 Aug 96 to 1 Aug 97

I chose to run these "August" periods to capture time as it passed since Aleph One's paper was published in August 1996.

The results were:

Year  Vulns
1997     11
1998     10
1999      6
2000     48
2001     41
2002     43
2003     94
2004    127
2005     86
2006     27
2007     29
2008     39
2009     36
2010     48
2011     44
2012     45

As a chart, they looked like this:

I find these results interesting, and I accept I could have run the query wrong by selecting the wrong terms. If I managed to get in the ballpark of the correct query, though, it seems we are not eliminating buffer overflows as a vulnerability.
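To make the year bucketing concrete, here is an added Python example (not code from the original post, and not real OSVDB data) that counts constructed, made-up records by the same August-to-August windows and shows how a different search term changes the tally, which is the "wrong terms" caveat above.

```python
from datetime import date

# Constructed records in the rough shape of an OSVDB entry:
# (disclosure date, attack type, title). These are made-up entries for
# illustration only, not real OSVDB data.
SAMPLE_RECORDS = [
    (date(1996, 11, 3), "input manipulation", "Stack buffer overflow in hypothetical ftpd"),
    (date(1997, 7, 30), "input manipulation", "Buffer Overflow in example mail server"),
    (date(1997, 8, 1), "input manipulation", "Heap buffer overflow in sample image library"),
    (date(1998, 2, 14), "input manipulation", "Format string bug in sample daemon"),
    (date(1998, 2, 20), "authentication management", "Default password in sample router"),
    (date(1998, 9, 1), "input manipulation", "Integer overflow in sample parser"),
    (date(2012, 3, 9), "input manipulation", "BUFFER OVERFLOW in sample media player"),
]


def window_label(d):
    """Return the label of the August-to-August window containing d.

    The window 1 Aug 1996 .. 31 Jul 1997 is labelled 1997 in the post's table,
    so any month from August onward belongs to the following year's label.
    """
    return d.year + 1 if d.month >= 8 else d.year


def matches(attack_type, text, wanted_type="input manipulation", term="buffer overflow"):
    """Apply the post's query: attack type equals wanted_type and term appears in the text."""
    return attack_type.lower() == wanted_type and term.lower() in text.lower()


def count_by_window(records, first_label=1997, last_label=2012, **query):
    """Count matching records per window label; every label in the range is present."""
    counts = {label: 0 for label in range(first_label, last_label + 1)}
    for d, attack_type, text in records:
        if not matches(attack_type, text, **query):
            continue
        label = window_label(d)
        if first_label <= label <= last_label:
            counts[label] += 1
    return counts


def format_table(counts):
    """Render the counts in the same 'Year Vulns' layout as the post."""
    lines = ["Year Vulns"]
    lines += [f"{label} {n}" for label, n in sorted(counts.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(count_by_window(SAMPLE_RECORDS)))
    # Widening the search term changes the tally: one way the query could be "wrong".
    wider = count_by_window(SAMPLE_RECORDS, term="overflow")
    print("1999 with term 'overflow':", wider[1999])
```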

I suppose one could argue about where researchers are finding the vulnerabilities, but they're still there in software worth reporting to OSVDB, and apparently trending upward.

My bottom line is to remember that security appears to be a game of and, not a game of or. We just add problems, and tend not to substitute them.

Wednesday, September 05, 2012

Encryption Is Not the Answer to Security Problems

I just read Cyber Fail: Why can't the government keep hackers out? Because the public is afraid of letting it, an article in the new Foreign Policy National Security channel. I've Tweeted on Mr Arquilla's articles before, but this new one published today offers a solution to security problems that just won't work.

Consider these excerpts:

Back in President Bill Clinton's first term, the "clipper chip" concept was all about improving the security of private communications. Americans were to enjoy the routine ability to send strongly encoded messages to each other that criminals and snoops would not be able to hack, making cyberspace a lot safer.

I see two errors in this section. First, having lived through that time, and having read Steven Levy's excellent book Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age, I disagree with Mr Arquilla's statement. The Clipper Chip was the government's last attempt to keep tight control of encryption, not "improve the security of private communications."

Second, Mr Arquilla implies that encryption = "making cyberspace a lot safer." That fallacy appears later in the article.

Sadly, industry leaders have never emphasized the value of strong crypto sufficiently either. There are many reasons for this neglect -- the most likely being that encouraging ubiquitous use of strong crypto could weaken sales of the firewalls and anti-viral products that form so much of the cybersecurity business model.

Here is my key issue with this article. An enterprise could encrypt every single piece of information at rest or in transit, and intruders would still win.

The fundamental reality of cryptography in the enterprise is that users and applications must be able to access data in unencrypted form in order to use it.

In other words, if a user can access data, so can an intruder.

Cryptography certainly frustrates some bad guys, such as amateurs who eavesdrop on encrypted communications, or thieves who swipe mobile devices, or intruders who remove encrypted files without bothering to obtain the material necessary to decrypt it.

However, cryptography will not stop your Web app from suffering SQL injection, nor will it keep Java from being exploited by a client-side attack.

The article concludes in part by saying:

But ways ahead do exist. There is a regulatory role: to mandate better security from the chip-level out -- something that Sen. Joseph Lieberman's Cybersecurity Act would only have made voluntary.

This sounds like an advertisement for a chip maker. I've heard their lobbyists use the same terms on Capitol Hill. "Mandating security" at the "chip level" would be as effective as FISMA -- a waste of time.

Mr Arquilla does make a few points I agree with, such as:

[W]e should treat cybersecurity as a foreign-policy issue, not just a domestic one. For if countries, and even some networks, can find a way to agree to norms that discourage cyberwar-making against civilian infrastructure -- much as the many countries that can make chemical and biological weapons have signed conventions against doing so -- then it is just possible that the brave new virtual world will be a little less conflict prone.

However, do not be fooled into thinking that encryption is the answer to our security problems.

Monday, September 03, 2012

Bejtlich Interviewed on This Week in Defense News

Last week Vago Muradian from This Week in Defense News with Vago Muradian interviewed me for his show. You can see the online version here.

The online version is about two minutes longer than the broadcast version. We recorded the extra material separately and the video staff added it in the middle of the session. They were so smooth I didn't originally notice the change!

Vago asked questions about how companies can defend themselves from digital threats. He wanted to know more about state-sponsored intrusions and how to differentiate among different types of threat actors.

In the extra session Vago and I talked about recent SEC activities and how to tell if your organization has been victimized by a targeted attacker.

There's a possibility Vago will invite me back to participate on a panel discussing digital security. I look forward to that if it happens!

If you have any questions on the video, please post a comment and I'll answer. Thank you.

Thursday, August 30, 2012

My Role in Information Warfare during the Yugoslav Wars

This morning I read a Tweet from @AirForceAssoc reminding me that:

Today in Airpower History, August 30, 1995: NATO and U.S. aircraft began airstrikes on Serbian ground positions in Bosnia-Herzegovina to support the U.N. Operation Deliberate Force. The airstrikes, with a Bosnian-Croatian ground attack, convinced the Serbs to accept peace terms in late 1995.

I'm not particularly fond of commemorating airpower campaigns, but the Tweet did remind me of the small part I played in the Yugoslav Wars of the 1990s. Many Americans remember the 1990s, and especially the Clinton presidency, as a "quiet decade" between the first Gulf War led by President GHW Bush and the so-called "Global War on Terror" led by President GW Bush. Instead of a quiet decade, I remember an exceptionally busy time for the Air Force, including some of the first "information operations" that combined digital and physical effects.

In fact, fifteen years ago, almost to the week I believe, I volunteered to deploy from San Antonio to Joint Analysis Center (JAC) Molesworth in the UK. They needed intelligence support in the targeting shop, so as an Air Force intel officer I fit the bill. I decided to volunteer to go to the UK over the holidays (through early January) at a time of my "choice," rather than wait for the inevitable call to deploy to the desert, where US forces were still conducting counter-Iraqi operations.

Besides other targeting duties, the most interesting aspect of the shop was a requirement we received concerning a counter-propaganda campaign. Serbian Radio Television (SRT) was broadcasting fairly vile and false information to undermine the peace process. The Stabilization Force (SFOR) commander asked the JAC for options to shut down SRT transmissions, i.e., how to conduct "offensive counterinformation" operations against the Serbs.

We did some technical analysis of the SRT communication infrastructure and determined that if a certain set of transmission towers were "out of commission," that would end the broadcast problem. Part of the shop thought 500 lb bombs would be the best answer. Others thought we should apply a nondestructive approach and simply seize the towers by surrounding them with troops and tanks.

The photo in this post, attributed to the 55th Combat Camera Company, tells you what happened the morning of 1 October, 1997. SFOR seized four towers (Hill 619 in Duga Njiva is depicted), effectively terminating the SRT propaganda campaign. SFOR didn't destroy anything, but it conducted an information warfare operation to achieve the desired objective -- control of adversary mass communication.

If you'd like to read more about the history and theory of this operation, please see Physical Attack Information Operations in Bosnia: Counterinformation in a Peace Enforcement Environment by Major Arthur N. Tulak. I haven't yet read Memory, the media and NATO: information intervention in Bosnia-Hercegovina by Monroe Price, but it also discusses the same operation.

Thursday, August 09, 2012

DOJ National Security Division Pursuing Cyber Espionage

I just read Justice Department trains prosecutors to combat cyber espionage by Sari Horowitz, writing for the Washington Post. The article makes several interesting points:

Confronting a growing threat to national security, the Justice Department has begun training hundreds of prosecutors to combat and prosecute cyber espionage and related crimes, according to senior department officials.

The new training is part of a major overhaul following an internal review that pinpointed gaps in the department’s ability to identify and respond to potential terrorist attacks over the Internet and to the rapidly growing crime of cyber espionage, the officials said, describing it for the first time.

In recent weeks, Justice has begun training more than 300 lawyers in Washington and nearly 100 more across the country in the legal and technical skills needed to confront the increase in cyber threats to national security...

Under the reorganization, teams of specialized lawyers within NSD in Washington will work with other agencies, the military and companies facing cyber intrusions. They will develop protocols for the intelligence community and federal agents in how to deal with private companies that are victims of cyber attacks. The issues revolve around how to build possible prosecutions within guidelines covering information sharing, privacy and civil liberties.

At least one prosecutor in each of the 94 U.S. attorney’s offices around the country has been designated and will be trained to gather evidence and prosecute cyber espionage and similar Internet-related cases.

This is very interesting if the focus is truly on cyber espionage cases. DOJ prosecutes physical espionage cases routinely (albeit with difficulty due to the nature of the laws). Cyber espionage cases are almost never pursued. Working with private companies will be key to this problem, and that aspect is mentioned specifically in the article.

Let's see what happens!

Thursday, July 05, 2012

Israeli Agents Steal Korean Tech for Chinese Customer

Thanks to the show Asia Biz Today I learned of an industrial espionage case involving South Korea, Israel, and China.

In brief, agents of the South Korean branch of an Israeli company stole technology from two South Korean companies, and passed the loot to Chinese and Taiwanese companies.

On June 27th the Yonhap news agency in South Korea reported the following:

Key technologies to manufacture advanced flat-panel displays at Samsung Mobile Display and LG Display have been leaked by a local unit of an Israeli company, local prosecutors said Wednesday, raising concerns the leakage could pose a major threat to the national interest.

The Seoul Central District Prosecutors' Office indicted under physical detention three employees at the local unit of an Israeli inspection equipment supplier, including a 36-year-old man surnamed Kim, on charges of leaking key local technologies used to produce active-matrix organic light-emitting diode (AMOLED) displays and white organic light-emitting diode (White OLED) displays.

They also indicted without physical detention three other employees and the local unit, the prosecutors said, without identifying the Israeli firm.

According to the prosecution, the indicted employees photographed circuit diagrams of yet-to-be-released 55-inch AMOLED television panels when they were let into Samsung and LG's manufacturing factories to check defects of inspection equipment from November of last year to January of this year.

They stored the images on portable memory cards and slipped them into their shoes, belts and wallets to avoid suspicion, prosecutors said...

Prosecutors said the stolen information was likely relayed to the Israeli headquarters and Chinese and Taiwanese display-making rivals, including the biggest Chinese panel manufacturer BOE.

"It is very likely that the stolen technologies have been given by the Israeli firm to foreign rivals," a prosecution official said. "This may expectedly deal a massive economic blow to the entire nation and can cause a sea change in the landscape of the global display market."

This Korea Herald story revealed the name of the Israeli company and an additional receiving company in Taiwan:

According to prosecutors, circumstantial evidence suggests that circuit diagrams of the two companies’ active-matrix organic light-emitting diode, or Amoled, display technology have been leaked to their rivals in China and Taiwan, including the BOE Technology Group in China, and AU Optronics Corp. in Taiwan...

Prosecutors have indicted six officials from Orbotech Korea, the Korean subsidiary of Orbotech Ltd., an Israeli company specializing in automated optical inspection equipment, on charges of technology theft...

Prosecutors say Orbotech officials in China and Taiwan sought to win inspection contracts from display panel manufacturers there using the circuit diagrams as bait.

So, while the original article implied theft for purposes of duplication, the second article implied theft "to win inspection contracts." That is a narrower function and in line with Orbotech's corporate function as "an international developer and producer of automated optical inspection (AOI) and related imaging and computer-aided manufacturing systems" according to Wikipedia.

Image credits: Korea IT Times.

Wednesday, July 04, 2012

Impressions: Three "Internals" Books for Security

As of last month I'm no longer reviewing technical books. However, I wanted to mention a few that I received during the last few months. All three have an "internals" focus with security implications, and all three are written by authors I've reviewed before.

The first is The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, Second Edition by Bill Blunden. I reviewed the first edition two years ago. I am not in a position to comment on the merit of Bill's technical approach (Greg? Jamie?) but I can say the following about the book.

First, it appears current, with references to developments over the last few years. Second, it is well-sourced, with lots of footnotes. For me, that is a sign that the author cares about attribution and scholarship. Third, I must admit I am very happy to see several references to posts on this blog and also tools and techniques authored by Mandiant (such as Redline and Memoryze).

With respect to citing my practices and philosophy, as well as thoughts by others, I believe author Bill Blunden does a good job placing his technical work in a bigger overall framework. To me, this is a sign of a more advanced book, regardless of the exact technical details.

The second book is Windows® Internals, Part 1, Sixth Edition; Covering Windows Server® 2008 R2 and Windows 7 by Mark E. Russinovich, David A. Solomon, and Alex Ionescu. I reviewed the fifth edition last year. Like the rootkit book, I am not a Windows kernel developer, but I believe everyone would agree that you cannot beat the Russinovich-Solomon-Ionescu team when it comes to how Windows works!

One of the most intriguing aspects of this book is that it's been split into two parts. The previous edition was a hardcover with 1232 pages and a list price of $69.99. Part 1 of the new edition is a paperback with 728 pages and a list price of $39.99. Part 2 will arrive in September, according to the O'Reilly listing, and will feature 688 pages and a list price of $39.99.

The authors decided to split the book into two parts to speed the delivery of material to readers. The new books cover Windows Server® 2008 R2 and Windows 7, but Windows 8 will likely arrive this fall -- just as Part 2 hits Kindles and book stores.

Some might argue that books, even split into parts, aren't the right way to deliver technical material these days. I agree with that sentiment in some respects, but there isn't as much support in the traditional publishing world for delivering shorter works. I also think authors like to present unified works, not a series of chapters. Does that sound like artists wanting to release albums and not cut singles? We'll see.

The third and final book in this post is FreeBSD Device Drivers by Joseph Kong. I reviewed his book Designing BSD Rootkits in 2007 and interviewed him as well.

This book appears very heavy on readable code and light on theory. I think this approach makes sense given the topic and the expectations the author sets for the reader. I am pleased to see No Starch provide a forum for books like this. They continue to produce high-quality works that read well and address subjects seldom found elsewhere.

Tuesday, July 03, 2012

Not Just Clowns, But Criminals

It turns out my April post Clowns Base Key Financial Rate on Feelings, Not Data was too generous. I cited an Economist story which outlined how LIBOR rates — and the returns on $360 trillion of financial contracts related to them, five times global GDP — are based on best guesses rather than hard data.

I continue to cover this story because the financial industry routinely scoffs at the "risk management" practices of non-financials, as I wrote in 2007.

It turns out that these clowns are actually malicious, as reported in Lies, damn lies, and LIBOR: Barclays, Diamond, and a devalued benchmark:

A pattern of deception extending over a period of years. A flouting of the law to profit at the expense of others on three different continents. And a belief that the rules did not apply to them.

No, not the latest mafia family to be taken down by a special prosecutor. But Barclays PLC, the sprawling British banking group that recently paid a $450 million fine for seeking to rig LIBOR, a benchmark interest rate used to value trillions of dollars of investments...

In simple English, that's an assertion that Barclay's employees on at least three continents spent years lying in order to fix benchmark interest rates that help determine the value of about $10 trillion of global debt and $350 trillion in derivatives, mostly swap contracts.

For instance "Barclays based its LIBOR submissions for US Dollar... on the requests of Barclay's swaps traders, including former Barclays swaps traders, who were attempting to affect the official published LIBOR, in order to benefit Barclays' derivatives trading positions."

The daily LIBOR fixing by the BBA is based on self-reporting from major financial institutions on the cost of short-term unsecured borrowing. Though it's based on the honor system (a regulatory failure if ever there was one) that daily fixing is used as a benchmark that affects the prices of swaps and debt instruments in dollars, pounds, yen, and euros. So if you can fiddle the LIBOR number, you can manipulate markets to your advantage.

I expect more banks to be named in the coming days and weeks.

It's easy to win at "risk management" if you cheat.

How to Kill Teams Through "Stack Ranking"

The newest Vanity Fair offers an article titled Microsoft’s Downfall: Inside the Executive E-mails and Cannibalistic Culture That Felled a Tech Giant. It starts with the following:

Analyzing one of American corporate history’s greatest mysteries — the lost decade of Microsoft — two-time George Polk Award winner (and V.F.’s newest contributing editor) Kurt Eichenwald traces the “astonishingly foolish management decisions” at the company that “could serve as a business-school case study on the pitfalls of success.”

Relying on dozens of interviews and internal corporate records — including e-mails between executives at the company’s highest ranks — Eichenwald offers an unprecedented view of life inside Microsoft during the reign of its current chief executive, Steve Ballmer, in the August issue...

Eichenwald’s conversations reveal that a management system known as “stack ranking” — a program that forces every unit to declare a certain percentage of employees as top performers, good performers, average, and poor — effectively crippled Microsoft’s ability to innovate.

“Every current and former Microsoft employee I interviewed — every one — cited stack ranking as the most destructive process inside of Microsoft, something that drove out untold numbers of employees,” Eichenwald writes.

“If you were on a team of 10 people, you walked in the first day knowing that, no matter how good everyone was, 2 people were going to get a great review, 7 were going to get mediocre reviews, and 1 was going to get a terrible review,” says a former software developer. “It leads to employees focusing on competing with each other rather than competing with other companies.”

When I read that section, I immediately recognized similarities with programs at former employers.

This is not a comfortable post to write, but I believe it is important to learn from management and business failures as well as successes. Clearly programs like "stack ranking" are destructive for organizations and individuals. The sooner managers and human resource departments learn that lesson, the better for the business and its team members.

Is "stack ranking" something you've encountered?

Monday, July 02, 2012

Thoughts on Lessons from Our Cyber Past: The First Cyber Cops

In May I was pleased to attend Lessons from Our Cyber Past: The First Cyber Cops hosted by Jay Healey at the Atlantic Council and featuring Steven R. Chabinsky, Shawn Henry, and Christopher M. Painter. The transcript as well as audio for the event are now online.

All of the attendees made great points, and I wanted to highlight a few.

Mr. Chabinsky:

I think that we’re getting to this point where we really have to reflect upon what risk mitigation looks like in this area, whether our policies that focus predominantly on vulnerability mitigation, are actually a successful long-term security model.

If you think of most security models, I think predominantly you’d find that they rely on threat deterrence, that the notion that the actor won’t act because there will be some penalty-based deterrent at the end of it – they’ll be captured, they’ll have some penalty. Here [in digital security] we have a model where people are predominantly focused on hardening the target, patching their systems. That’s not how we live in the real world. That’s called a fortress, right? I mean, the technology is not meant to be bunkered down.

And so it’s not surprising then, as we move further and further into this model of accepting devices that are not fortified and bunkered down, without a risk model that predominantly relies upon threat deterrence, we would fall further behind.

I agree with that sentiment. As I've written before, Real Security Is Threat-Centric.

Mr. Painter emphasized that you need capacity, laws, and global cooperation to make a difference when fighting digital threats.

Mr. Henry:

What I wanted to do – because I’d talked to some people who were in the cyber space – what I wanted to do was to bring many of the things that we had done in the physical world successfully against organized crime groups and against terrorist organizations – white collar crime, public corruption cases – I wanted to take some of those investigative tactics and I wanted to apply them in the cyber realm.

Because I’ve always seen that there are actually more similarities between the physical space and cyber space than there are differences, and I can relate many things in the physical world to the cyber world, and vice versa. And I had a lot of experience working undercover operations and using authorized digital intercepts, using informants and the like.

That is an important point. I think law enforcement has made the most progress when they use old-fashioned infiltration methods and put less emphasis on technical measures to identify intruders.

Sunday, July 01, 2012

Thoughts on Air-Sea Battle Briefing at Brookings

Last month I attended an event at the Brookings Institution about the Air-Sea Battle concept, which I mentioned in China's High-Tech Military Threat and Air Sea Battle yesterday. A good companion to the briefing is the article Air-Sea Battle: Promoting Stability in an Era of Uncertainty, published in February in the journal The American Interest. In that article, General Norton A. Schwartz, USAF (at right in the picture) and Admiral Jonathan W. Greenert, USN write:

When Secretary of Defense Leon Panetta introduced the new strategic guidance for the Department of Defense, he stated that the “smaller and leaner” Joint Force of the future must be prepared, in conjunction with allies and partners, to confront and defeat aggressors anywhere in the world, “including those seeking to deny our power projection.”

The new strategic guidance directs U.S. forces to maintain the “ability to project power in areas in which our access and freedom to operate is challenged” and to be “capable of deterring and defeating aggression by any potential adversary...

With Air-Sea Battle, we are reinvigorating the historic partnership between our two departments to protect the freedom of the commons and ensure operational access for the Joint Force.

Air-Sea Battle provides the concepts, capabilities and investments needed to overcome the challenges posed by emerging threats to access like ballistic and cruise missiles, advanced submarines and fighters, electronic warfare and mines...

Air-Sea Battle relies on highly integrated and tightly coordinated operations across warfighting domains—for example, using cyber methodologies to defeat threats to aircraft, or using aircraft to defeat threats on and under the sea.

During the Brookings event, the General and the Admiral were careful not to mention China at all. In fact, I checked the transcript and didn't read either of them saying that word, although reporters asked them about China.

I don't have a problem with that, although I think it's a little disingenuous. The remainder of the American Interest article explains a variety of so-called A2AD scenarios, while also never saying "China." It does mention Iran, however.

Saturday, June 30, 2012

China's High-Tech Military Threat and Air Sea Battle

Two months ago Bill Gertz published an excellent article titled China's High-Tech Military Threat. I wanted to share a few excerpts that resonated with me.

[I]n November 2011, the Pentagon conducted an unusual rollout of a new military unit called the Air Sea Battle Office...

The concept calls for the Air Force, Navy, and Marine Corps to integrate forces and other capabilities to defeat what the Pentagon has labeled “anti-access and area denial weapons” — high-technology arms that can prevent or deter the United States military from operating in certain areas...

When pressed on the question of whom the initiative was targeting, one official responded, “The concept isn’t about a specific actor; it’s about countering anti-access, area-denial capabilities...”

[T]he Air Sea Battle Concept is the culmination of a strategy fight that began nearly two decades ago inside the Pentagon and U.S. government at large over how to deal with a single actor: the People’s Republic of China...

The reluctance to publicly identify Chinese belligerence as the impetus for the concept is merely a ruse to mollify adherents of a “Benign China” school of foreign policy — the losing side of the long internal policy fight.

The ideological godfather of the benign-China school is Harvard professor and former Clinton administration defense policymaker Joseph S. Nye. In 1995, Nye put forth the notion that if the United States treated China as a threat, it would become a threat.

Nye, who is also one of the progenitors of the soft-power school of policymaking now adopted by Secretary of State Hillary Clinton, has called the notion of a threatening China a self-fulfilling prophecy only warmongers and defense contractors would or could celebrate.

The Gertz article continues by describing the battle for leadership between the "Benign China" and "realist" China schools of thought.

For more information on this issue, please consider reading another Gertz article: Panda War.

Photo credit: ChineseDefence.com