Enterprise Security and the tragedy of Orlando

On hearing about the horrific events last weekend in Florida, USA, I was saddened first and then struck by the bitter irony that these murders occurred in Orlando. Maybe it’s just me, but I was reminded that the magical central character played by Tilda Swinton in the film Orlando transitions gender, and that Orlando, Florida, the home of Disney World, is billed as the happiest place on earth.

Whether the tragic and horrific murders that occurred in the Pulse nightclub in Orlando on 12 June were a hate crime against the LGBT community, a terrorist attack by a radicalised individual, or both, is probably a matter of semantics. I can’t see why it can’t be both, but it is definitely something that will be skewed by various political agendas. Indeed, that started happening the following day!

Despite the fact that Omar Mateen wasn’t on shift at the time, the Orlando shootings are a security failure that has damaged the reputation of his employer. For G4S, Omar Mateen’s murderous attack looks, in security risk terms, like the classic nightmare: a ‘black swan’ event. The high consequence of this low-likelihood event is that one of their 600,000 employees killed people en masse, with a resultant 5 percent fall in share price at the time of writing. With a market cap of almost $4 billion (USD), G4S’s value has decreased by about $200 million as a result of this event. Whether it has long-term implications is not easily foreseeable.

There are increasing indications that Omar Mateen was unstable. His ex-wife apparently left him after four months, and an ex-colleague reported that he was prone to outbursts of anger. The FBI investigated Mateen as well, but they seem only to have been looking for signs that he had been radicalised, not at whether he was psychologically stable or had anger management issues. None of this seems to have triggered significant investigation by G4S.

This should be of significant concern to security professionals. Bloomberg reports that Mateen was first recruited in 2007. On employment he apparently passed a psychometric test, the Minnesota Multiphasic Personality Inventory. He was apparently rescreened by his employer in 2013 and continued to work until his death. Mateen also held Florida state security and firearms licences. But somehow the indicators that Mateen was no longer suitable for employment as a licensed armed security guard, which seem clear with hindsight, do not appear to have triggered internal ‘aftercare’ or due diligence processes.

More concerning is that this may be a systemic failing. In 2009 another G4S employee, Danny Fitzsimons, killed two other staff in Iraq; one of them was an Australian, Daniel Hoar. In 2015 the UK coroner’s inquest released its findings. Coroner Joanne Kearsley found that Fitzsimons’ employer did not make sure that he was adequately vetted before he killed his fellow employees. Coroner Kearsley reportedly said that the killing was ‘a defining moment globally in the security industry’.

Unfortunately, we may find that Coroner Kearsley’s words are equally applicable to the killings in Orlando.

In any case, these events provide significant food for thought for enterprise security professionals. Organisations do not sit in isolation; they are part of the society in which they operate, whether online or in the real world. Marketers tell us that their companies’ employees are “part of the community”, which is true, but it highlights that there is no hard perimeter for an organisation, if there ever was. Our societies increasingly expect organisations to take care of the bodies and minds of the people who work for them. Organisational resilience comes from companies recognising this and truly caring, because in the end it affects the bottom line.

http://www.bloomberg.com/news/articles/2016-06-12/orlando-shooter-worked-for-security-firm-with-government-ties

https://en.wikipedia.org/wiki/2016_Orlando_nightclub_shooting

https://www.theguardian.com/uk-news/2015/may/11/security-contractor-vetted-iraq-killings-coroner

Good cybersecurity is repetitive and boring

The loss of 4 million records reminds agencies that good cybersecurity is repetitive and boring

The US Government announced on 4 June 2015 that the private information of at least four million current and former government workers had been compromised.

The intrusion occurred in systems owned by the US Office of Personnel Management (OPM), which handles government security clearances. It was detected in April 2015 but, in line with most other such intrusions, may have started in 2014.

The attack drew calls from politicians for legislation to strengthen the USA’s cyber defences. The US blamed China for the breach, though it is unclear how good its attribution evidence is.

The Boring but tremendously important bits

Reports in the New York Times indicated that OPM did not possess an inventory of all the servers and devices with access to its networks, and did not require multifactor authentication from anyone accessing its information from outside. OPM also did not regularly scan its systems for vulnerabilities, and an audit found that one third of the computer systems that were supposed to be certified as safe for use last year were not “operating with a valid authorization.”

Let’s be clear here: the answer for cybersecurity in organisations is good housekeeping!

  • Assess the business impact levels for your systems
  • Patch
  • Authenticate
  • Minimise privileges
  • Scan your logs
  • REPEAT

There are more things, like application whitelisting, but get those right and your organisation can do better than the US Government. The Australian Signals Directorate has published a number of guides for government agencies to help them mitigate all but the most targeted intrusions. They are worth checking out: http://www.asd.gov.au/publications/protect/top_4_mitigations.htm
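As an added example (not code from the original post, from OPM or from ASD), here is a small Python check that applies the housekeeping list above to a constructed asset inventory and constructed login log lines. It flags the concrete failings reported at OPM: hosts that appear in the logs but not in the inventory, systems whose authorisation to operate has lapsed, successful external logins that completed without multifactor authentication, and privileged accounts used from outside the network. The inventory, the key=value log format, the address ranges and the account names are all assumptions made for the example.

```python
"""Added example, not from the original post: a 'boring housekeeping' audit
over a constructed inventory and constructed log lines.  Everything here
(hostnames, log format, address ranges, account names) is assumed."""
import ipaddress
import re
from collections import defaultdict

# Constructed inventory: hostname -> owner and whether its authorisation
# to operate is still valid (the OPM audit found a third of systems were not).
INVENTORY = {
    "hr-db-01":         {"owner": "HR",        "authorised": True},
    "clearance-app-02": {"owner": "Vetting",   "authorised": True},
    "file-srv-07":      {"owner": "Corporate", "authorised": False},  # lapsed
}

# Assumed internal address space; any other source is "outside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Assumed set of accounts that should never log in from outside.
PRIVILEGED_ACCOUNTS = {"domain-admin", "svc-backup"}

# Constructed log lines in an assumed key=value format.
SAMPLE_LOG = """\
2015-04-14T02:11:09Z host=hr-db-01 user=jsmith src=10.1.4.22 mfa=yes result=ok
2015-04-14T02:13:51Z host=clearance-app-02 user=domain-admin src=203.0.113.9 mfa=no result=ok
2015-04-14T02:15:02Z host=file-srv-07 user=asingh src=10.2.0.5 mfa=yes result=ok
2015-04-14T02:16:40Z host=unknown-box-99 user=svc-backup src=10.9.9.9 mfa=yes result=ok
2015-04-14T02:18:00Z host=hr-db-01 user=jsmith src=198.51.100.4 mfa=no result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>ok|fail)$"
)


def is_internal(addr):
    """True if the source address sits inside the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse the key=value lines; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def audit(events, inventory=INVENTORY):
    """Return {finding_category: sorted unique items} for the four checks."""
    findings = defaultdict(list)
    for e in events:
        host = e["host"]
        # Inventory check runs on every event, successful or not: an unknown
        # host talking to you is a finding in itself.
        if host not in inventory:
            findings["unknown_host"].append(host)
        elif not inventory[host]["authorised"]:
            findings["lapsed_authorisation"].append(host)
        if e["result"] != "ok":
            continue  # failed logins granted nothing; only successes count below
        external = not is_internal(e["src"])
        if external and e["mfa"] == "no":
            findings["external_no_mfa"].append((e["user"], e["src"]))
        if external and e["user"] in PRIVILEGED_ACCOUNTS:
            findings["privileged_from_outside"].append((e["user"], e["src"]))
    return {k: sorted(set(v)) for k, v in findings.items()}


if __name__ == "__main__":
    for category, items in audit(parse_log(SAMPLE_LOG)).items():
        print(f"{category}: {items}")
```

Run against a real VPN or directory log the regex and the inventory source would change, but the shape stays the same: the value is in running it every day (the REPEAT step) and treating a new unknown host or a new privileged external login as a ticket, not a curiosity.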

This Koala is completely secure from cyber attack

The answer is not more power for intelligence and law enforcement

Let’s keep it simple

  • Assess the business impact levels for your systems
  • Patch
  • Authenticate
  • Minimise privileges
  • Scan your logs
  • REPEAT

If you have to call the guys/girls in dark suits from government agencies, you’ve lost the fight. Just like in the real world, if you have to call the cops, something’s really wrong with your security.

Attribution is very hard in cyberspace; you have to be very lucky and have deep pockets to go after the criminals.

Better to build your fence higher than those around you, but encourage your partners to build their fences higher too, because security is only as good as the weakest link.

Where might government focus its resources?

Rather than spending money on dealing with hacked systems after the fact, government would be far better off providing good advice, encouraging the education of cyber professionals, and encouraging software and hardware developers to build secure code and systems.

Mandatory Disclosure

Some commentators are complaining about how long it took the US to disclose the breach. At least the US has fessed up. In Australia, where there are no mandatory disclosure rules, it seems unlikely that a government agency would admit to this, despite its obvious importance to the victims who lost their personal data.

I repeat my call for mandatory data breach notification for all public and private organisations in all OECD countries.

Data centralisation

Many Australian state and territory governments have created shared services functions for their ICT and human resources. The issue is that if the wrong people get access, as they did at the US OPM, then they potentially have access to everything.

Much has been made of the potential savings available to governments from centralising their data functions. Whilst this may be the case in the short term, like outsourcing, the return on investment over the long term is very much unproven. Shared services ICT functions aggregate data and create honeypots for organised criminals and national espionage groups. It is true that with shared services, ICT functions are able to afford more staff; the question is whether this advantage truly outweighs the dependencies on data that are created and the increased attractiveness of the target.

It is an open question whether decreasing the value of a system by decreasing its attractiveness, i.e. by decentralising, can be used to lower business impact levels. It certainly makes intuitive sense: you should be able to maintain the relative risk of a system by splitting it into multiple separate systems whilst still giving the organisation what it needs in terms of system integrity and availability. Everybody’s happy!
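As an added illustration (not from the original post) of the splitting argument, the Python below models N records held in one system against the same records split evenly across k systems, each with the same assumed annual probability p of being compromised. It shows what a practitioner would check before accepting the intuition: the expected number of records exposed per year does not change with the split, only the chance of losing everything at once does, and if one administrator credential works across all k systems that benefit disappears entirely. N, k and p are assumed inputs, not figures from the page.

```python
"""Added example, not from the original post: does splitting a data store
lower its risk?  N records in one system vs. split evenly across k
independent systems, each compromised in a given year with probability p.
N, k and p are assumed inputs."""
from math import ceil, comb


def expected_exposed(n_records, k_systems, p):
    """Expected records exposed per year.  Each of the k systems holds n/k
    records and falls with probability p, so the total is n*p whatever k is."""
    return k_systems * (n_records / k_systems) * p


def prob_total_loss(k_systems, p, shared_admin=False):
    """Probability that every record is exposed in a year.
    Independent systems: all k must fall, so p**k.
    shared_admin: one credential works on all of them, so a single
    compromise exposes everything and the split buys nothing (back to p)."""
    return p if shared_admin else p ** k_systems


def prob_fraction_exposed(fraction, k_systems, p):
    """Probability that at least `fraction` of the records are exposed, i.e.
    at least ceil(fraction*k) of the k independent systems fall (binomial tail)."""
    need = max(1, ceil(fraction * k_systems))
    return sum(comb(k_systems, j) * p ** j * (1 - p) ** (k_systems - j)
               for j in range(need, k_systems + 1))


def compare(n_records, p, splits=(1, 2, 4, 8)):
    """One row per split so the trade-off can be read side by side."""
    return [{"k": k,
             "expected_exposed": expected_exposed(n_records, k, p),
             "p_all_lost": prob_total_loss(k, p),
             "p_all_lost_shared_admin": prob_total_loss(k, p, shared_admin=True),
             "p_half_lost": prob_fraction_exposed(0.5, k, p)}
            for k in splits]


if __name__ == "__main__":
    # Assumed figures: 4 million records, 10% annual compromise probability.
    for row in compare(4_000_000, 0.1):
        print(row)
```

The independence assumption is the whole argument: shared services that split the data but keep one directory, one backup account or one remote-access path across the shards have not changed p_all_lost at all, which is why the "minimise privileges" item on the list matters more than the number of systems.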

When I was running Protective Security Policy, my team and I tried to address this with policies about aggregation of data and Business Impact Levels. Business impact levels are an excellent way of approaching agency cybersecurity on a holistic and strategic basis, because they take into account not only the confidentiality of information but also its availability and accessibility. This allows the whole organisation to have a discussion about what it is willing to live with.

Human resources information like that compromised in the OPM hack becomes useless if the right people can’t access it easily and keep it up to date. In the case of OPM, the organisation faces a significant problem in doing its job of managing clearances, which requires the information to have good availability, against the traditional security argument to lock things down.

Organisations need to fulfil their function; the confidentiality of information is always secondary to the primary mission in the minds of the executive.

Agency security advisers often find that they lose arguments on the basis of $$$, particularly in these times of shrinking government budgets.

The way to make the argument is to do so on the basis not of security, but finance.

Accountants understand risk; they just talk about it differently. Any CISO worth their salt needs to talk in terms of value, efficiency and reputation for the organisation they represent. Otherwise, they might as well be talking Cantonese to a Mandarin speaker.

Here’s a collection of links which might be useful:

http://www.npr.org/2015/06/05/412177006/opm-hack-exposes-records-of-4-million-federal-employees

http://www.politico.com

http://www.engadget.com/2015/06/06/opm-hack-details-revealed/

https://threatpost.com/opm-hack-may-have-exposed-security-clearance-data/113184

http://www.govexec.com/technology/2015/06/massive-data-breach-puts-spotlight-shared-it-services/114613/?oref=ng-channelriver

http://www.theguardian.com/technology/2015/jun/05/us-government-opm-hack-data-collection-powers

http://www.washingtonpost.com/world/national-security/chinese-hackers-breach-federal-governments-personnel-office/2015/06/04/889c0e52-0af7-11e5-95fd-d580f1c5d44e_story.html

Help

We can help your agency set up its cybersecurity defence policies and procedures.

Contact us at [email protected] to talk to a cybersecurity policy expert.

Security Standards are important

Security Standards are vital to our society

That’s why Alex Webling has accepted a nomination to join the Australian Standards Committee for Security Standards and to join the Australian delegation to ISO TC292 in Morioka, Japan, in March 2015.

We congratulate Alex on this recognition of his security knowledge and expertise, particularly in the areas of enterprise security and resilience, and his work in the Australasian Council of Security Professionals and its successor, Security Professionals Australasia.

The Technical Committee will have the following provisional title and scope:

Title: Security

Scope: Standardization in the field of security, including but not limited to general security management, business continuity management, resilience and emergency management, fraud countermeasures and controls, security services, homeland security.
Excluded: Sector-specific security projects developed in other relevant ISO committees and standards developed in ISO/TC 262 and ISO/PC 278.
The committee’s temporary structure covers the following areas:

ISO/TC 223/WG 1 – Framework standard on societal security management
ISO/TC 223/WG 2 – Terminology
ISO/TC 223/WG 3 – Emergency management
ISO/TC 223/WG 4 – Resilience and continuity
ISO/TC 223/WG 6 – Mass evacuation
ISO/TC 223/AHG – Professional development
ISO/TC 223/AHG – Information exchange
ISO/TC 223/AHG – Continuity management
ISO/TC 223/AHG – Revision of ISO 22320
ISO/TC 223 TF – Task force on strategic dialogue
ISO/TC 223/AHG 4 – Communication group
ISO/TC 223 DCCG, Developing countries contact group
ISO/TC 247/WG 1 – MSS for security assurance
ISO/TC 247/WG 2 – Terminology
ISO/TC 247/WG 3 – Guidelines for interoperable object and related authentication systems to deter counterfeiting and illicit trade
ISO/TC 247/WG 4 – Product Fraud Countermeasures and Controls
ISO/TC 247/WG 5 – Document Fraud Countermeasures and Controls
ISO/PC 284/WG 1 – Management system for private security operations – Requirements with guidance

We also wish to thank IAPPANZ and the Attorney-General’s Department for supporting Alex’s nomination.