Thursday, July 6, 2017

A Maturity Primer for Vulnerability Coordination

At the FDA Cyber Summit in Washington DC in January last year, the security of medical devices and patient records was discussed and a couple of resolutions were passed by the key policy makers, attendees and manufacturers at the summit. Make no mistake, I’m still of the opinion that the healthcare industry is the most technologically backward. There are too many well-intentioned but fragmented efforts in healthcare cybersecurity, and it’s about time we bound them together.

Less than seventy-two hours ago (as of this writing on 14 May 2017), the UK National Health Service had patient records and systems compromised. The same campaign has hit about seventy-five thousand machines and spread to ninety-nine countries. This is fast becoming a trend, and I believe CISOs, C-level executives and even last-mile employees and end users should change the overarching narrative by employing the right strategies. Organisations should focus on finding solutions for vulnerabilities and stop asking whether a breach will happen; the only useful question is when.
The way we approach vulnerability concerns determines the posture of our organisations and our customers, and how effectively we defend against threats. It’s about time we employed new strategies, because today’s threats cannot be remediated with yesterday’s. The standards for vulnerability disclosure (ISO/IEC 29147) and vulnerability handling processes (ISO/IEC 30111) remain valuable in the grand scheme of things, but seeking out ingenious methods is the way to go. The Vulnerability Coordination Maturity Model, modelled on other well-known maturity models, will assist organisations to:
  • Appraise their level of preparedness in the event of a breach and their readiness to act on vulnerability reports, whether these come from an external security researcher or from the Information Systems/Information Security Auditor.
  • Draw up a list of activities that heighten their effectiveness in responding to security bug reports in their own software or services.
  • Establish a roadmap for improving their vulnerability coordination and security over time.
The Vulnerability Coordination Maturity Model, published by HackerOne, focuses on five capability areas, namely:
  • Organizational: This focuses on the people, processes and resources that will handle potential vulnerabilities. Each capability area in the model is scored at one of three levels: Basic, Advanced and Expert. At the Basic level you have executive support to respond to vulnerability reports and a commitment to security and quality as core organisational values. Advanced adds a written policy and process for addressing vulnerabilities according to ISO 29147 and ISO 30111, or a comparable framework. Expert means you have executive support, processes, budget and dedicated personnel to handle vulnerability reports.
  • Engineering: To address reported issues you need an engineering team that can do the analysis: evaluate and remediate the security holes and feed what it learns back into the software development lifecycle. At the Basic level you have a clear mechanism to receive vulnerability reports and an internal bug database that tracks each one to resolution; ISO 29147 is the reference point here. At the Advanced level you have dedicated security bug tracking and written records of security decisions, deferrals and trade-offs. At the Expert level the team uses vulnerability trends and root cause analysis to eliminate entire classes of vulnerabilities. ISO 29147, ISO 30111 and ISO 27034 (application security) are the guides at this level.
  • Communications: The focus here is the ability to communicate about vulnerabilities to internal and external audiences. At the Basic level you can receive vulnerability reports and have a verifiable channel for distributing advisories to the affected parties. At the Advanced level you have tailored, repeatable communications for each audience, including security researchers, partners, customers and the media. At the Expert level you run structured information-sharing programmes with coordinated distribution of remediation.
  • Analytics: This is where you take everything you have learned about vulnerabilities and analyse the data to identify trends and improve processes. At the Basic level you track the number and severity of vulnerabilities over time to measure improvement in code quality. At the Advanced level you use root cause analysis to feed findings back into your software development lifecycle. At the Expert level you use telemetry and real-time threat detection to drive dynamic pivots in the remediation strategy.
  • Incentives: The goal here is to get vulnerability researchers to report issues to you directly. At the Basic level you say thank you, perhaps with small gifts such as T-shirts, and, most importantly, state in your vulnerability disclosure policy that no legal action will be taken against anyone who reports a bug. At the Advanced level you offer financial rewards, or bug bounties, to encourage the reporting of the most serious vulnerabilities. At the Expert level you have a detailed understanding of adversary behaviour and vulnerability markets and structure advanced incentives to disrupt them.
The cyber-attack currently spreading is ransomware: a type of malware that, once executed, encrypts the victim's files and demands payment of a ransom before they can be decrypted. This family goes by several names, among them WannaCry, WanaCrypt0r and WCry. What makes it unusual is its worm component: it spreads using an exploit for the Windows SMBv1 server (EternalBlue, fixed by Microsoft in the MS17-010 update of March 2017) that was among the NSA tools published by the Shadow Brokers group, which first surfaced in August 2016. Its reach is broad: infections have been reported across Europe, Asia, North and South America and Africa (north and south).
The vulnerability was already patched when the attack began, so it hits machines that have not applied MS17-010. On such a machine the exploit gives the attacker code execution at SYSTEM level with no user interaction at all: a host is infected simply by being reachable on TCP port 445 from an already infected host, which is why antivirus signatures and a perimeter firewall did not stop it once it was inside a network that allowed SMB between machines. Early reports blamed email attachments, but no phishing campaign has been confirmed as the initial vector. The usual rule of thumb still holds, because most other ransomware does arrive by email: do not open attachments or links from people you don't know, or messages that manufacture urgency, e.g. "Click on this link to avoid losing access to your account". Once running, the malware encrypts the user's files, locks the victim out with a ransom screen and demands payment in Bitcoin.

If you are infected, disconnect the machine from the network first so it stops scanning for new hosts. If you aren't, run Windows Update as soon as possible and, if you have yet to download the Microsoft fix (MS17-010) for your version of Windows, do so below:

MSU Files X64 http://bit.ly/2rdH9DI
MSU Files X86 http://bit.ly/2pKJzZa
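One practical check that follows from the advice above, added here as an example rather than taken from the original post: a PowerShell script that audits a Windows host for the MS17-010 update that WannaCry's worm exploits and for the SMBv1 server it targets, and that can disable SMBv1 and block inbound TCP 445 when patching is not immediately possible. The KB numbers in the list are the March and May 2017 MS17-010 updates as I know them; treat them as an assumption to be confirmed against the Microsoft bulletin for your build, and note that Windows 10 from version 1703 onward shipped with the fix, so no separate KB appears there.

```powershell
# Added example (not from the original post): audit one Windows host for
# MS17-010 and SMBv1 exposure, the combination WannaCry's worm needs.
# Run from an elevated PowerShell session. Assumption: the KB list below
# is the set of MS17-010 updates for pre-1703 Windows; verify it against
# the Microsoft bulletin for your build before relying on it.

$Ms17010Kbs = @(
    'KB4012598',              # XP / Server 2003 / Vista / Server 2008 / Windows 8 (May 2017 out-of-band)
    'KB4012212', 'KB4012215', # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217', # Windows Server 2012
    'KB4012213', 'KB4012216', # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-InstalledMs17010Kbs {
    # Get-HotFix reads the same data as "wmic qfe". Later cumulative updates
    # on Windows 10 supersede these KBs, so an empty result on a fully
    # patched 1703+ host does not by itself mean the host is exposed.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return @($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

function Test-Smb1Enabled {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    # Older systems expose the same switch as the LanmanServer SMB1 value.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $val = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # A missing value means SMB1 is enabled, which is the legacy default.
    return ($null -eq $val) -or ($val -ne 0)
}

function Disable-Smb1Exposure {
    # Dry run unless -Apply is given, so the script is safe to run as an audit.
    param([switch]$Apply)
    if (-not $Apply) {
        Write-Host 'Dry run: re-run with -Apply to disable SMBv1 and block inbound TCP 445.'
        return
    }
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWORD -Value 0 -Force
    }
    # Host firewall rule: an unpatched peer on the same LAN cannot reach the
    # SMB listener even if the service is re-enabled later. Requires the
    # NetSecurity module (Windows 8 / Server 2012 and later).
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block | Out-Null
    Write-Host 'SMBv1 disabled; reboot for the change to take full effect.'
}

$kbs  = @(Get-InstalledMs17010Kbs)
$smb1 = Test-Smb1Enabled
Write-Host ('MS17-010 KBs installed: {0}' -f $(if ($kbs.Count) { $kbs -join ', ' } else { 'none' }))
Write-Host ('SMBv1 server enabled:   {0}' -f $smb1)
if ($kbs.Count -eq 0 -or $smb1) {
    Write-Warning 'Host is exposed to the MS17-010 SMBv1 exploit: install the update and disable SMBv1.'
    Disable-Smb1Exposure   # add -Apply to enforce the change
}
```

Blocking 445 at the host firewall will also break legitimate file and printer sharing into that machine, so apply it to workstations and to servers that do not serve SMB, and rely on the patch plus SMBv1 removal for file servers.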

Be safe.

This article first appeared on http://www.kingsleyudoh.com/blog/2017/05/14/a-maturity-primer-for-vulnerability-coordination/

Spouts on the Future of Work

Everyone in an organisation needs to start thinking about the organisation of the future, and this is an important aspect that the public sector in Africa shies away from. From my vantage point, the most senior people in organisations are the most change-resistant. One of my favourite books, after Mavericks at Work by Bill Taylor and Polly LaBarre, is definitely The Constraints of Corporate Tradition by Alan Kantrow, published in 1987. One of the mistakes leaders keep making is that they don’t understand the history of the organisations they work in and the portfolios they hold. Kantrow posited that power doesn’t necessarily reside with the Chief Executive or the line managers; it might sit with a mid-level executive or a retired executive who still wields a lot of influence. How were the five most important decisions of the last ten years made? What were the two decisions that should have been made but weren’t?
Most organisations and countries are smart. They have thought about lots of ideas that just never worked. You have to do forensics to decipher what went wrong, and the key to this is that you have to listen to people. Listening is such a hard skill to acquire, and in hindsight the best nuggets come in the last fifteen seconds of a one-hour conversation. If you don’t have anyone in the top leadership group who wants to change, I think you are wasting your time. The biggest driver of change in economic power is urbanisation. On every strategic map of cities, Lagos takes a prominent place. I write this with some trepidation, because a governor who sat for eight years built under 5,000 housing units in that time. Contrast this with the 1980s, when Lateef Jakande built 20,000 units in four years. So much for revisionist theory.
Leaders are trying things out. The order of the old isn’t going to sustain the future. Fabrizio Freda, President and Chief Executive of Estee Lauder, has laid out plans for his top 250 executives to think outside the box. He has proposed and implemented reverse mentoring: each of them now has a mentor aged 26 or younger, and every day they get new insights and challenges for moving into the new age. Can you beat that? In the public sector, the Ruler of Dubai, Sheikh Mohammed Bin Rashid Al Maktoum, employs the same strategy to entrench a culture of innovation. I’ve learnt not to underestimate the power of an individual: the singular visionary who lays the big ideas on the table and sets the vision, as Deng Xiaoping did in Shenzhen in 1980 and George Soros did in 1992 with the Bank of England.
FREE FACT: There will be 2.4 billion new middle-class consumers over the next seven years, and they are in Africa and Asia. That is a thousand times the number the industrial revolution produced.
Contrast the picture of Shenzhen in 1980 with its outlook in 2016 and you will see what I’m saying. Shenzhen’s 2016 image is replicated in over 200 cities in China, and George Soros, hedge fund manager and entrepreneur, forced the almighty Bank of England to devalue in 1992. I also agree that what Soros did in 1992, epitomising the strength of the capital markets, isn’t something that could happen in 2016 because of geopolitical risks, but he dared to dream. I have come to see that as a people, the black race and Nigeria in particular have an acute self-esteem challenge. Everywhere I go I keep hearing senior executives talk about having an outpost in Nigeria, yet the citizens themselves don’t believe in whatever the government is willing to do. I don’t blame the young people leaving in droves, and it’s okay to get cynical about government when the indices so far show that you should. If you don’t have equality of opportunity, it produces a very bad outcome, just as we have witnessed.
I’ve said this a thousand times and I’m willing to reiterate it: Jack Ma wouldn’t come to Africa, and the next Jack Ma has more than enough incentives not to come to Africa, so how do we rescue ourselves from these abysses? Can we bring big thinking into government for once and quit the rigmarole and tribal slurs plugged into the very innards of its operation? Deng Xiaoping famously said, “I don’t care if it’s a white cat or a black cat, a communist cat or a capitalist cat; as long as it catches a mouse, I’m fine.” I know most trend spotters have not noted this in Nigeria, but the productivity growth the country has witnessed over the last sixteen years isn’t because of technology but because women entered the workforce in large numbers in the early 2000s, yet there’s no elaborate programme across the board to encourage this demographic. No African country yet has a broad plan for immigration reform to retain and bring in the smartest talent. We have to stop throwing money at every challenge. The 21st century is a huge resource war, and we should think resources first.
Overall, I’m optimistic irrespective of the level of volatility, and technology makes me very optimistic when we get more people participating in the global economy through digitisation. Education makes me optimistic too. If we can educate 30 million more Nigerians, we will surely have several Einsteins among us. What worries me from a business perspective is that our institutions aren’t fit for purpose. After World War 2 the world changed dramatically; it takes really brave leaders to do things, and we presently don’t have many of them. We need to sit back and introspect. The average washing machine today has more computing power than all the machines that took NASA to the moon in 1969. Let’s give ourselves another chance and not despise our days of small beginnings; this could be the renaissance we so desire if we decide to focus on the right things.
This article first appeared here: http://www.kingsleyudoh.com/blog/2017/02/10/spouts-on-the-future-of-work/