I’ve been meaning to do a write up on some of the topics at the most recent RSA Conference on cybersecurity issues for a while, and it’s certainly overdue. Sure, a lot of the presentations are oriented towards private companies, but the issues matter to all entities – individuals, law firms, defense contractors, corporations, and governments. Let’s take a look at some of the big ideas:
Know Thine Enemy!
We don’t know the enemy, but the enemy knows us. Art Gillibrand of HP referred to Sun Tzu’s Art of War when articulating the current security climate. Defenders are at a real disadvantage these days, and it’s not going to change anytime soon. Gillibrand presented some rather depressing statistics: 94% of breaches are not detected by in-house IT. Meanwhile, between 2010 and 2011, the time spent to repair a breach had increased by 71%, while the cost of repairing a breach also increased by 41%. So, defenders are spending more time, and more money on fixing breaches, and haven’t gotten any better at detecting them in the first place. So, why are we losing ground, and what do we do about it?
We don’t understand cyberattackers. We don’t know how they work, we don’t know who they are, and as a result, we don’t know much about how to stop them. Meanwhile, cyber attackers have specialized, through the very same principles that organize companies. Almost every Hollywood movie with a hacking element in the plot depicts one guy who is single-handedly capable of breaching a system and exploiting the system for profit. Spoiler alert: Hollywood isn’t accurate. Criminal attacks generally operate in a market with a “distinct process”, and tasks are allocated to different actors within that market. Some individuals within the market are responsible for collecting data on suitable targets through various open-source opportunities, such as Facebook or Linkedin. These profiles are then sold to cyber attackers, who determine vulnerable access points and map the network. This information is then sold to the larger black market. This is of course, a simplification. A great resource on the how the market is organized and operates is a 2010 Panda Security Report, available here.
Gillibrand argues persuasively that there needs to be a new cyber strategy, one which acknowledges that cyber threats have been so effective in part, because they rely on a huge network of intelligence. Another statistic? 86% of total cyberdefense expenditures are oriented around infiltration blocking. It’s a losing battle. Instead, those with stakes in cyber defense need to figure out an efficient method to identify threats from individuals, organizations and markets, and communicate these threats to the broader community. This isn’t just something for private companies to figure out – policymakers should be taking note. Private organizations may not be the best equipped to handle the intelligence capabilities that the cyber environment requires on their own.
Authentication, Hostile Toasters, and Pseudonymity
This was a big topic at RSA. When Google devotes its time at an RSA conference to a topic, it’s worth it to pay attention. How do you ensure that people are who they say they are, but only to the entities that need to know? Can we also associate devices with their owners? Vint Cerf attempted to issue that very challenge to conference attendees, with the following requirements: a device must be constructed to generate unique key-pairs, the private key must not be extractable unless it destroys the pair, the private key cannot be computed from the public key, and either key must be able to encypt or de-encrypt on demand. It’s a tall order. It becomes a bigger problem when we consider the current and future scope of authentication needs. Cerf noted that internet-capable refrigerators, picture frames, and yes, even toasters, are entering the market and providing more opportunities for compromise than ever before. If you thought protecting your credit card was the big priority, just wait until hackers figure out how to burn your toast. Joking aside, the proliferation of devices associated with an individual are creating big problems for existing authentication measures.
|In 2002, LG introduced a $17,000 internet-capable refrigerator.|
Another conference attendee sought to address the problem. Paul Summers of the Jericho Forum and CEO of the Global Identity Foundation was also there to drum up support. “Right now, with the system we have in place, we don’t have any connection to the person.” Bingo. Biometric readers, DNA links, and iris reading are great new technologies. That doesn’t mean they’ve fixed the end-user issue. Summers’ proposal is interesting: assign a single crypto to an individual, which has several pieces of data - some of which are publicly available, some of which are privately held, and neither of which can be used to complete the full crypto. Each entity may only request and receive a certain number of crypto components for any given request. It’s an interesting premise, that’s been alluded to in other cybersecurity discussions elsewhere. It’s a nice idea, that may eventually transform the way we interact online, but there’s definitely a lot that still needs to be fleshed out. How does a bank make sure that the two components received are the right ones? Will it be one private crypto component, and one public crypto component? Can it be ensured (in this day and age), that all components of the crypto could not be found through some online research? The proposal reminds me a bit of the security questions often used to authenticate identity. Name of my first pet? Chances are, you could probably find that out on Facebook or by calling my mother under false pretenses. No, the name of my first pet is not on Facebook, but for a lot of people, that information probably is. Also, please don’t call my mother.
And My Personal Favorite: “Lessons from Stuxnet” (for Defenders) – William Cheswick (Cheswick.com)
You really can’t have any serious discussion about cyber attacks without at least acknowledging Stuxnet. Stuxnet is one of the most visible examples of a remote cyber attacks which resulted in actual physical damage. There are just so many interesting components worth discussing. So, what makes Stuxnet so scary?
-How easy it is. Okay, it’s not actually really easy to design a highly specific bit of code that only affects one particular kind of hardware, put it into a USB drive, and then make sure it gets into one of the most secure places in Iran. But what is scarily easy about it – is that it only takes one USB stick. That’s right, just one. Cheswick highlighted the problem perfectly: if you put a flash drive in an organization’s parking lot, it only takes one person to pick it up, and plug it in at work. Humans are naturally curious, and in a room of a few dozen people, one person is going to try to plug the thing in. We’re not sure if that’s precisely the scenario that happened, but the problem would still be the same. Defenders have to make sure ALL employees know not to play with foreign USBs.
-How damaging it can be. Estimates vary as to how much damage the Stuxnet worm actually did in terms of Iran’s nuclear program. However, Stuxnet wasn’t just about “hard damage”. It was also about soft damage. In the Stuxnet case, it was engineered to overwhelm centrifuge components, but it was also about decreasing overall confidence in the venture. Soft damage can also simply be the erasure of data. A cost and labor intensive project could potentially be shelved simply on the basis of soft damage.
-If you’re not actively looking for the threat, you won’t find it. There’s a lot of ways for a Stuxnet-style attack to happen undetected for a long time. Apparently, there are a lot of people in IT who just don’t bother updating their network maps regularly enough. Network maps should (but often don’t) include everything from printers to industrial controllers. Bought a new printer and forgot to add it? Mistake. Printer firmware is fabulous for hiding all sorts of things. Also, network maps typically have notes about exactly what is on there. Centrifuge locations on there? That’s just reduced time and effort for attackers to know exactly where they need to go on their shopping spree. Meanwhile, this attack doesn’t even need the internet to tell its creators that it’s working. It just needs to create a live link, perhaps through a VPN, using STP headers to release small chunks of information. Only a small amount of information is necessary, as in just one or two packets per day, making it even more difficult to detect. A Stuxnet-style attack could also use a cell network to exfiltrate information. So, not only can your employees only use work-issued USBs, they may also not be able to bring their cell phones to work.
But there’s hope. This presentation was geared towards (primarily) private industry. Cheswick raised some interesting points though that will probably have to be (or already have been) put in place in law firms, defense contractors, and government agencies. The new rules in a post-Stuxnet era: keep your network maps updated, don’t allow foreign USB drives, be discriminatory about cell phone access, and monitor low TTL packets. For those interested in the technical details about Stuxnet, here's the Symantec report. Fair warning, don't expect a Live Free, Die Hard action sequence in there.
Now that we've covered all the good stuff, I'm looking forward to hearing about the DEFCON conference in August. I bet there will be a lot of complaining over the recent conviction of Andrew "Weev" Auernheimer under the Computer Fraud and Abuse Act, for his exploitation of AT&T back in 2010. If the RSA conference was any indication, the FBI isn't going to be the only one collecting information on guys like Weev. Hackers may very soon have profiles on them distributed throughout the security community. It's about time.