Category Archives: IoT

Cynic Modelling for Legacy Energy Infrastructure

A brief synopsis of my findings in “Legacy Energy Infrastructure Attack Surface Assessment, Threat Count, & Risk Profile” using my “cynic modeller”:

  1. Adversaries who are attracted to the contained assets: Everyone (hobbyists, criminals, state actors, your gran)
  2. Attack surface: As far as the eye can see
  3. Attackers who are capable of acquiring the assets starting from the attack surface: Lots
  4. Therefore the attacker population size is: Computer literate population of earth
  5. Threat count: Np-Complete;
  6. Emerging threats: IIoT and non-cybersec savvy devops rushing intodigital transformation projects
  7. Risk level: Orbital
  8. Impact of realized threat: Expansive (yes, expansive not expensive, but that too)

Assessment: Buy gas lamps, work on your natural night vision, learn to skin rabbits, move far far away from nuclear reactors, buy shares in candle companies.

ENDS

Data Is The New Perimeter in Emerging Age of Corporate-Espionage-as-a-Service

Last Tuesday, July 11 2017 I was pleased to listen to Mike Desens, Vice President, IBM Z and LinuxONE Offering Management, IBM Systems as he took myself and some colleagues through a preview and introduction of the z14 prior to the July 17 announcements *.

The overriding theme of the briefing was that IBM view the z14 as “Designed for Trusted Digital Experiences”. The last twenty four months in particular have seen data breaches that have seriously eroded public confidence in erstwhile trusted institutions and organizations.

There have been hacks that have embarrassed nations, and led to real fears about the risk that insecure data poses to our energy and commercial infrastructures not to mention the veracity of election results but I am not going there.

Shadow Brokers dumps and WikiLeaks releases of alphabet agency backdoors and toolkits have given cyber criminals (even the opportunists), and terrorist outfits almost nuclear-grade hacking capability when compared to 2014.

IBM are hoping that these real fears, but more particularly their real solution, will be the key driver in convincing customers to adopt the new platform.

Been There, Done That

I have seen this before (IBM pinning their hopes of making the mainframe cool by leveraging an unexpected turn of events). I worked on the deep end of the ADSTAR Distributed Storage Manager (ADSM) ESP’s in the early 90’s (renamed Tivoli Storage Manager in 1999).

Back then entire banks ran on less DASD than your kid’s pot burner phone does right now (and that included all the IMS, CICS, and DB2 data). IBM pinned some of their hopes on maintaining their lucrative storage market share on ADSM in the face of EMC inroads. “Disk mirroring” however by EMC was the final blow when EMC turned an engineering weakness into a strength. It cost outsider Ed Zschau, ADSTAR Chairman and CEO, his job in 1995.

IBM had made a very valid argument for ADSM adoption. All that data on the newly acquired (mostly by accident and without permission by rogue business units – especially the capital markets mavericks), rapidly expanding, and poorly managed (in terms of Disaster Recover and Business Continuity at the very least) AS/400, Tandem, and NT infrastructure was best managed on the mainframe storage farm.

This also included using those new-fangled robotic tape libraries on Level 2 (which even appeared in a few movies with perspex exterior, the StorageTek one though, not the IBM Magstar 3494 Tape Library).

It didn’t work though. Mainly because the network couldn’t handle the volumes, and record level backup was never going to work to help reduce the bandwidth requirements to fit the overnight backup windows what with the quagmire of proprietary databases that had sprung up.

GDPR Unwittingly Making the Market for “Corporate-Espionage-As-A-Service”

But I digress so I will briefly digress again to another but equally valid potential driver for z adoption. And that is GDPR. Soon GDPR regulators will be gleefully fining corporates who fail to adequately protect their data the higher of EUR€20M or 4% of annual turnover, for each breach. That’s an instant laxative right there for the entire C-Suite.

But what the proposed GDPR penalty system also makes me wonder is how much of a market maker it is (unwittingly) for Corporate-Espionage-As-A-Service (CEAAS) and Industrial-Espionage-As-A-Service (IEAAS).

Back On Message – Pervasive Encryption

Consequently, IBM have put security at the core of the new platform with “Pervasive Encryption as the new standardAnalytics & Machine Learning for Continuous Intelligence Across the Enterprise, and Open Enterprise Cloud to Extend, Connect and Innovate”.

Here are some stats to keep your CISO awake:

  1. Nearly 5.5 million records are stolen per day, 230,367 per hour and 3,839 per minute (Source:http://breachlevelindex.com/);
  2. Of the 9 Billion records breached since 2013 only 4% were encrypted (Source: http://breachlevelindex.com/);
  3. 26% is the likelihood of an organization having a data breach in the next 24 months(Source: https://www.ibm.com/security/infographics/data-breach/) ;
  4. The greatest security mistake organizations make is failing to protect their networks and data from internal threats. (Source: https://digitalguardian.com/blog/expert-guide-securing-sensitive-data-34-experts-reveal-biggest-mistakes-companies-make-data)

The Z is arguably more powerful, more open and more secure than any commercial system on the planet and the box makes serious moves in the rapidly evolving domains of Machine Learning, Cloud and Blockchain. But again and again the focus comes back to Pervasive Encryption and that is the potential seismic shift that just might make the Z the go-to platform for organisations who can afford their own and the Cloud platform of choice for those who cannot.

Pervasive Encryption Is The New Standard

Back in the day as an MVS370 systems programmer I stressed about downtimes, availability stats, and the SLAs with business units. If I am being honest though I mostly stressed about the long holiday weekends spent in subterranean data centers upgrading ESP code or patching or migrating new releases from TEST to PROD LPARS or doing S390 disk mirrors.

Therefore when I first heard of the this bold new “encrypt it all” call to arms I wondered what the price for this would be in terms of the social lives and general marital stability of SPs globally.

However I am assured that the encryption “migration” involves no application changes, no impact to SLA’s, and that all of this application and database data can be encrypted without interrupting business applications and operations.

What’s Under the Hood

This section of the briefing was prefaced with the statement that the Z will deliver “unrivalled performance for secure workloads.” I have another post in the works with the tech spec dets on the encryption under the hood but for now here’s the 60k foot view:

“Industry exclusive protected key encryption, enabled through integration with a tamper- responding cryptographic HSM. All in-flight network data and API’s, true end-to-end data protection. 4x increase in silicon area allocated to cryptographic operations. 4 – 7x faster encryption of data with enhanced cryptographic performance. 18x fasterencryption than competition at 1/20th the cost to implement. 2x performance boost on Crypto Express6S. Securing the cloud by encrypting APIs 2-3x faster than x86 systems. Linux exploits Protected Key encryption for data at-rest.”

More later.

* From an article originally published on July 18 2017 on my Peerlyst blog

ENDS

Software Industry Greed is Driving the Assault on our Privacy & Security

The motivation to release software, without proper testing, in order to generate a quick buck is as much of a threat to our security and privacy as the activities of hackers and alphabet agencies. It is time that software companies started to pay the price for the sorry mess that their greed is helping to create.

Once upon a time these matters could be considered in isolation but with the “Internet of Things” connecting millions more devices every day we are headed for a world that will have 28 billion IoT devices by 2020.

Consumer concern will not halt the rollout. A staggeringly high number of consumers hold serious concerns about the possibility of their information getting stolen from everyday devices – their smart home, their tablet, their laptop. One would think therefore that this concern would pressure software manufacturers to be more rigorous in their pre-GA testing activities. Not so.

Why? Because so much of this IoT stuff is embedded and consumer awareness is mainly limited to the high profile exposures. Consumers are not hesitating to purchase connected devices because consumers do not know that the devices are connected.

Samsung’s SmartThings smart home platform is a leaky colander of loosely connected hack prone software. IoT security hardening is not just about the particular application but also about building security into the network connections that link applications and that link devices.

And then there is the “Data”. The amount of this stuff that is generated by IoT is intractably large. As few as 10,000 households can generate 215 million discrete data points every day. This creates more entry points for hackers and leaves sensitive information vulnerable.

The number and variety of privacy attack vectors becomes unmanageable very quickly. From the CIA hacking your Samsung TV, uBeacons doing their bit (uXDT & Audio Beacons – Introduce your Paranoia to your Imagination), hackers controlling your car, it’s a worryingly real threat to the personal security and privacy of every one of us.

If the CIA’s Directorate of Digital Innovation (DDI), who are tasked with delivering cyber-espionage tools and intelligence gathering capabilities, cannot even secure their own USB drives then what chance do the rest of us have.

Unfortunately the answer is that we have no chance.

ENDS