slideshow 1 slideshow 2 slideshow 3 slideshow 4 slideshow 5 slideshow 6 slideshow 7

Cyber Defense Consulting

Stiennon works with senior executives and boards to evaluate an organization's cyber preparedness. Gaps in technology, people, and process are identified and roadmaps created to enable an enterprise to counter highly targeted attacks.

Advisory Services

IT-Harvest works with Wall Street Analysts, Private Equity Firms, Vendors, and  Venture Capitalists to identify market movers, inflection points, and emerging technology vendors. Follow Richard Stiennon on Gerson Lehrman Group's expert network for commentary on publicly traded security vendors.


IT-Harvest tracks over 1,200 security vendors and publishes' white papers and industry reports on trends and disruptive changes in the market. See our Security Analysts at conferences worldwide or follow the Cyber Domain blog on

The Incredible Power of XKeyscore

First appeared in securitycurrent December 20, 2013

Der Spiegel makes light of an incredible tidbit they extracted from a 50-page catalog of exploit technology apparently developed by the NSA’s Tailored Access Operations (TAO).  The German newspaper describes, and dismisses as not very threatening the ability of an analyst using XKeyscore to identify a target’s machine, probably by IP address.     

Then, if that machine ever files a crash report with Microsoft (or presumably any application such as Mozilla’s Firefox) the vast store of data that the NSA has collected is investigated with XKeyscore to recover a copy of that crash report --which was captured, along with everything else, by the NSA’s taps into most network traffic.

Wait, what? Crash reports are not encrypted when sent to Microsoft or Mozilla? Apparently, not. Microsoft’s documentation states that Personally Identifiable Information (PII) is encrypted via HTTPS but not the rest of the information.

As if we needed it, here is yet another reminder that software developers can be woefully ignorant of the need for security. Crash reports often contain a snapshot of memory at the time of the crash. An attacker could use that information to understand the processes running on the target machine. Even passwords, or at least hashes of passwords, can be revealed in crash reports. This is a process vulnerability that Microsoft will have to address immediately.

It is Time for the TCG to Repudiate the NSA

First published in securitycurrent October 22, 2013

Trust is fragile and the decade long effort on the part of the NSA to compromise all security models has destroyed trust.  From its inception the coalition of industry giants who have backed the concept of hardware-based security, the Trusted Computing Group (TCG), have been at odds with the “information should be free” crowd. The problem these giants (Microsoft, Intel, AMD, IBM, HP) faced a decade ago was software and media piracy. As the biggest backer, Microsoft, was the most suspect. In recent weeks that suspicion of Microsoft has exploded into bald-face claims from the German BSI that the Trusted Platform Module, the hardware component of Trusted Computing is an NSA backdoor. And who knows what further releases of the Snowden files will unveil about the NSA’s involvement with the Trusted Computing Group?

Floundering Frameworks: NIST as a Case in Point

First published in securitycurrent October 24, 2013


Thanks to a directive from President Barak Obama, NIST has released its Preliminary Cybersecurity Framework for critical infrastructure. Like most security frameworks it is fatally flawed. The framework is poisoned with Risk Management thinking, a nebulous concept borrowed from the world of finance and actuarial tables that simply does not work for cyber security.

The problem with frameworks in general is that they are so removed from actually defining what has to be done to solve a problem. The problem with critical infrastructure, which includes oil and gas pipelines, the power grid, and city utilities, is that they are poorly protected against network and computer attacks. Is publishing a turgid high-level framework going to address that problem? Will a nuclear power plant that perfectly adopts the framework be resilient to cyber attack? Are there explicit controls that can be tested to determine if the framework is in place? Sadly, no to all of the above.

Sometime in the late ‘90s, Risk Management started to infiltrate the thinking of corporate IT security functions, probably because audit departments and outside consultants such as PwC (where I worked in the past) had to convert a problem into language that CEOs and boards would understand.  And there is nothing a consultant loves more than a framework for defining its expensive engagements.

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer