I’ve been meaning to do a write-up on some of the cybersecurity topics from the most recent RSA Conference for a while, and it’s certainly overdue. Sure, a lot of the presentations are oriented towards private companies, but the issues matter to all entities – individuals, law firms, defense contractors, corporations, and governments. Let’s take a look at some of the big ideas:
Know Thine Enemy!
We don’t know the enemy, but the enemy knows us. Art Gillibrand of HP referred to Sun Tzu’s Art of War when articulating the current security climate. Defenders are at a real disadvantage these days, and it’s not going to change anytime soon. Gillibrand presented some rather depressing statistics: 94% of breaches are not detected by in-house IT. Meanwhile, between 2010 and 2011, the time spent to repair a breach increased by 71%, while the cost of repairing a breach increased by 41%. So defenders are spending more time and more money on fixing breaches, and haven’t gotten any better at detecting them in the first place. Why are we losing ground, and what do we do about it?
We don’t understand cyberattackers. We don’t know how they work, we don’t know who they are, and as a result, we don’t know much about how to stop them. Meanwhile, cyber attackers have specialized, through the very same principles that organize companies. Almost every Hollywood movie with a hacking element in the plot depicts one guy who is single-handedly capable of breaching a system and exploiting it for profit. Spoiler alert: Hollywood isn’t accurate. Criminal attacks generally operate in a market with a “distinct process”, and tasks are allocated to different actors within that market. Some individuals within the market are responsible for collecting data on suitable targets through various open-source opportunities, such as Facebook or LinkedIn. These profiles are then sold to cyber attackers, who determine vulnerable access points and map the network. This information is then sold to the larger black market. This is, of course, a simplification. A great resource on how the market is organized and operates is a 2010 Panda Security Report, available here.
Gillibrand argues persuasively that there needs to be a new cyber strategy, one which acknowledges that cyber threats have been so effective in part because they rely on a huge network of intelligence. Another statistic? 86% of total cyberdefense expenditures are oriented around infiltration blocking. It’s a losing battle. Instead, those with stakes in cyber defense need to figure out an efficient method to identify threats from individuals, organizations and markets, and communicate these threats to the broader community. This isn’t just something for private companies to figure out; policymakers should be taking note. Private organizations may not be the best equipped to handle, on their own, the intelligence capabilities that the cyber environment requires.
Authentication, Hostile Toasters, and Pseudonymity
This was a big topic at RSA. When Google devotes its time at an RSA conference to a topic, it’s worth paying attention. How do you ensure that people are who they say they are, but only to the entities that need to know? Can we also associate devices with their owners? Vint Cerf attempted to issue that very challenge to conference attendees, with the following requirements: a device must be constructed to generate unique key-pairs, the private key must not be extractable unless extraction destroys the pair, the private key cannot be computed from the public key, and either key must be able to encrypt or decrypt on demand. It’s a tall order. It becomes a bigger problem when we consider the current and future scope of authentication needs. Cerf noted that internet-capable refrigerators, picture frames, and yes, even toasters, are entering the market and providing more opportunities for compromise than ever before. If you thought protecting your credit card was the big priority, just wait until hackers figure out how to burn your toast. Joking aside, the proliferation of devices associated with an individual is creating big problems for existing authentication measures.
In 2002, LG introduced a $17,000 internet-capable refrigerator.
Another conference attendee sought to address the problem. Paul Summers of the Jericho Forum and CEO of the Global Identity Foundation was also there to drum up support. “Right now, with the system we have in place, we don’t have any connection to the person.” Bingo. Biometric readers, DNA links, and iris reading are great new technologies. That doesn’t mean they’ve fixed the end-user issue. Summers’ proposal is interesting: assign a single crypto to an individual, which has several pieces of data, some of which are publicly available, some of which are privately held, and neither of which can be used to complete the full crypto. Each entity may only request and receive a certain number of crypto components for any given request. It’s an interesting premise that has been alluded to in other cybersecurity discussions elsewhere. It’s a nice idea that may eventually transform the way we interact online, but there’s definitely a lot that still needs to be fleshed out. How does a bank make sure that the two components received are the right ones? Will it be one private crypto component, and one public crypto component? Can it be ensured (in this day and age) that all components of the crypto could not be found through some online research? The proposal reminds me a bit of the security questions often used to authenticate identity. Name of my first pet? Chances are, you could probably find that out on Facebook or by calling my mother under false pretenses. No, the name of my first pet is not on Facebook, but for a lot of people, that information probably is. Also, please don’t call my mother.
And My Personal Favorite: “Lessons from Stuxnet” (for Defenders) – William Cheswick (Cheswick.com)
You really can’t have any serious discussion about cyber attacks without at least acknowledging Stuxnet. Stuxnet is one of the most visible examples of a remote cyber attack that resulted in actual physical damage. There are just so many interesting components worth discussing. So, what makes Stuxnet so scary?
-How easy it is. Okay, it’s not actually easy to design a highly specific bit of code that only affects one particular kind of hardware, put it on a USB drive, and then make sure it gets into one of the most secure places in Iran. But what is scarily easy about it is that it only takes one USB stick. That’s right, just one. Cheswick highlighted the problem perfectly: if you put a flash drive in an organization’s parking lot, it only takes one person to pick it up and plug it in at work. Humans are naturally curious, and in a room of a few dozen people, one person is going to try to plug the thing in. We’re not sure if that’s precisely the scenario that happened, but the problem would still be the same. Defenders have to make sure ALL employees know not to play with foreign USBs.
-How damaging it can be. Estimates vary as to how much damage the Stuxnet worm actually did in terms of Iran’s nuclear program. However, Stuxnet wasn’t just about “hard damage”. It was also about soft damage. In the Stuxnet case, it was engineered to overwhelm centrifuge components, but it was also about decreasing overall confidence in the venture. Soft damage can also simply be the erasure of data. A cost- and labor-intensive project could potentially be shelved simply on the basis of soft damage.
-If you’re not actively looking for the threat, you won’t find it. There are a lot of ways for a Stuxnet-style attack to happen undetected for a long time. Apparently, there are a lot of people in IT who just don’t bother updating their network maps regularly enough. Network maps should (but often don’t) include everything from printers to industrial controllers. Bought a new printer and forgot to add it? Mistake. Printer firmware is fabulous for hiding all sorts of things. Also, network maps typically have notes about exactly what is on there. Centrifuge locations on there? That’s just reduced time and effort for attackers to know exactly where they need to go on their shopping spree. Meanwhile, this attack doesn’t even need the internet to tell its creators that it’s working. It just needs to create a live link, perhaps through a VPN, using STP headers to release small chunks of information. Only a small amount of information is necessary, as in just one or two packets per day, making it even more difficult to detect. A Stuxnet-style attack could also use a cell network to exfiltrate information. So not only must your employees use only work-issued USBs; they may also not be able to bring their cell phones to work.
But there’s hope. This presentation was geared (primarily) towards private industry. Cheswick raised some interesting points, though, that will probably have to be (or already have been) put in place in law firms, defense contractors, and government agencies. The new rules in a post-Stuxnet era: keep your network maps updated, don’t allow foreign USB drives, be discriminatory about cell phone access, and monitor low TTL packets. For those interested in the technical details about Stuxnet, here's the Symantec report. Fair warning, don't expect a Live Free or Die Hard action sequence in there.
Now that we've covered all the good stuff, I'm looking forward to hearing about the DEFCON conference in August. I bet there will be a lot of complaining over the recent conviction of Andrew "Weev" Auernheimer under the Computer Fraud and Abuse Act, for his exploitation of AT&T back in 2010. If the RSA conference was any indication, the FBI isn't going to be the only one collecting information on guys like Weev. Hackers may very soon have profiles on them distributed throughout the security community. It's about time.