Sunday, March 1, 2015

On Cybersecurity

I've got you now, my pretty

What the hell?

Target, Best Buy, Anthem, Sony, Uber. It seems that hackers can pretty much penetrate any organization they want and steal whatever they can find. And yeah, if it seems that way, it's because that's exactly the way it is. The bad guys are winning. These are no longer the hackers of yore, although people have been slow to update their vision of the cyber world. These are professional organizations, well funded, staffed with some of the best programmers, psychologists and engineers in the world. They are for-profit businesses, operating in loosely coupled networks where they sell each other access to specific exploits, huge botnets and compromised servers on a per-hour basis. They make millions of dollars every week, and are immune to legal consequences due to both their geographic locations and their operational security - everyone who has to know who and where they are is compensated out of the huge profits they generate, and no one has any incentive to shut them down.

Jeez, mikey, why can't we just prevent these breaches?

You have to understand the way this is done. Using some combination of malware and social engineering, the attackers work on specific individuals at a given targeted organization until they can successfully co-opt that user's network credentials. Now they can log on to the network, but they aren't some unknown alien entity; they appear to be the employee or contractor whose credentials they are using. Now, with access to the network, it becomes a matter of working horizontally, increasing access entitlements, elevating permissions, co-opting more user and service accounts. At no time are they doing anything that would draw notice - they appear as employees or contractors doing their everyday work, or even worse, as automated systems that don't even have a human associated with them. The Target breach is a perfect example. The hackers got access to the network through the account of Target's HVAC contractor, and from there were able to install malware on the POS systems, stage the credit card data on a database server they set up in Target's own data center, and periodically upload huge batches of stolen data to their own servers in Eastern Europe.

Is technology the answer?

It is an infuriatingly common trope that technology by itself can't save us from these unrelenting attacks. And of course, it's ultimately true. Like all complex problems, the solution requires a holistic approach, with training, policy, investigation, enforcement, regulation, compliance and widespread participation within the organization. That said, it's bullshit. A large scale modern network is generating hundreds of millions of events and transactions per second. There IS no non-technology solution, because the problem exceeds human capacity. Just as it takes a bulldozer to move a giant boulder, it takes very smart software on very powerful computers to monitor modern networks and figure out what is happening in real time, and what might be worth investigating.
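As an added illustration (not part of the original post), here is the kind of check that "very smart software" has to run at scale: a baseline-deviation pass over constructed log events that mirrors the Target pattern described above, a contractor account stepping into host groups it never used, and repeated bulk transfers from an internal account to an external address. The account names, host names, addresses and byte counts are made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (illustrative, not real logs):
# timestamp, source account, destination host or address, bytes sent.
SAMPLE_EVENTS = """
2015-02-20T09:01:00 hvac-vendor vendor-portal 1200
2015-02-21T09:05:00 hvac-vendor vendor-portal 980
2015-02-22T09:02:00 hvac-vendor vendor-portal 1100
2015-02-22T10:00:00 svc-backup db-staging-07 5000
2015-02-23T02:14:00 hvac-vendor pos-store-0412 8500
2015-02-23T02:16:00 hvac-vendor db-staging-07 20000
2015-02-24T02:20:00 svc-backup 203.0.113.10 734003200
2015-02-25T02:20:00 svc-backup 203.0.113.10 701234567
"""

def parse_events(text):
    """Parse the space-separated sample format into sorted (time, account, dest, bytes) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, dest, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), account, dest, int(nbytes)))
    return sorted(events)

def host_group(dest):
    """Crude role grouping by hostname prefix (pos-, db-, vendor-); a bare IP counts as external."""
    return "external" if dest[0].isdigit() else dest.split("-")[0]

def new_group_alerts(events, baseline_days=3):
    """Flag an account the first time it reaches a host group absent from its baseline-period activity.
    Accounts with no baseline at all are flagged on first sight, which is deliberate."""
    start = events[0][0].date()
    seen = defaultdict(set)
    alerts = []
    for ts, account, dest, _ in events:
        group = host_group(dest)
        if (ts.date() - start).days >= baseline_days and group not in seen[account]:
            alerts.append((account, dest))
        seen[account].add(group)
    return alerts

def bulk_external_transfers(events, threshold=100_000_000):
    """Flag large outbound transfers to external addresses, the shape of a staged-data batch upload."""
    return [(account, dest, n) for _, account, dest, n in events
            if host_group(dest) == "external" and n >= threshold]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for a in new_group_alerts(evs):
        print("account reached a new host group:", a)
    for t in bulk_external_transfers(evs):
        print("bulk external transfer:", t)
```

On the sample data the first check fires when the contractor account touches a POS host and then a database host, and the second fires on each of the two large uploads to 203.0.113.10; a real deployment replaces the prefix grouping with an asset inventory and tunes the thresholds per account.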

OK, but what do you do when you find something bad?

That's something we're still struggling with. Obviously, the first step is to keep the data from being exfiltrated out of the organization, and to close the holes the attackers have drilled into the network, but while that protects the organization under attack, it doesn't do anything to protect the rest of the world from those attackers. There are those who are in favor of offensive cyber attacks as a response, but this is something you want to think very carefully about. Remember these attackers are as smart, as well organized and as well funded as anything arrayed against them, including most nation states. If you want to raise the stakes from an economic battle to a war, make sure you have the wherewithal to win. And right now there is no reason to believe that we have that ability. The US already has the responsibility of being the nation that first unleashed kinetic, destructive cyber war with the Stuxnet attacks against Iran. It's very much a "be careful what you ask for" situation.

I keep hearing that we are vulnerable to a "Cyber Pearl Harbor".

Like so many things we hear about today, it's a scary phrase, but there's a reason why nobody ever drills down into it. What would comprise this devastating surprise attack in cyberspace? While it's certainly true that various installations in the electric grid, municipal water supplies and major chemical plants and refineries are vulnerable to destructive cyber attack, it's hard to see how simultaneous successful attacks could be coordinated and carried out against hundreds of different installations. While one can easily envision an electrical blackout in a major metropolitan area, or a major fire at a chemical plant that releases a toxic plume, the question of whether those kinds of attacks rise to the level of a "cyber Pearl Harbor" is entirely subjective and difficult to settle.

So what happens next?

We're still in the arms race stage. And, of course, in addition to the organizations launching the attacks - organized crime stealing money and nation states stealing knowledge - we now know, thanks ironically to cyber criminal Edward Snowden, that global intelligence agencies are actively working to keep weaknesses and vulnerabilities in place. And everything they can exploit can also be exploited by the criminals. So you have this tension where industry is struggling to harden their network security even as their own governments are working even harder to weaken it. The battle over SSL/TLS and access to encryption keys is one worth watching, because governments are perfectly willing to commit crimes, even work with the criminals, while industry is dead set on making it much harder for them to either steal information or demand it through legal channels.

But one can imagine a time - still years in the future, but on this side of the horizon - where the internet and the enterprise network are mostly secure. Think of banks - they can still be robbed, but there's really not much of a living to be made doing so. When the revenue stream that can be generated by hacking networks becomes a trickle, the criminal organizations will move on to another, more lucrative area, and the nation states will return to more traditional methods of espionage. But for now, expect to have your data stolen on a semi-regular basis.


  1. It's a big deal, Nasdaq-wise.

    People rushed out of GoPro and into CYBR.

  2. Yeah, the infosec startup universe is literally awash in VC money. Since I've been doing security analytics for two years now, it's really tempting to chase some of that money...

    1. Then, of course, you will need a competent architect to design your residence/compound. Preferably one of the undead variety, so that whole "threat to one's life" thing doesn't offer a flaw.

    2. My concern is my practical demands around perimeter defenses and area denial features will not fit with your design aesthetic...