No One is Too Small to Attack

If you’ve been a security practitioner for any length of time, you have probably heard this from a client at least once:

We’re too small/unimportant to be a target of hackers.

If you’ve been doing this for any length of time you also know this is the point in the conversation where you smile politely, get up, and excuse yourself while they go back to their business and you go on to your next meeting. Anyone who has it in their head that they don’t have a red laser dot on their forehead is not going to be convinced by your war stories or ream of counter-examples.

They will learn the hard way.

The thing you want to tell these folks is that anyone online is a target because everyone online has something of value. The reason most folks who think they’re not targets think the way they do is because they don’t deal in valuable information. Data breaches at banks, government agencies, or credit bureaus make headlines because your name, along with your birth date, social security number, bank account, and so on are monetizable.

If you move or make commodity widgets, your efficiency and up-time are what you consider valuable. The design of the widget is not special; they’re one of a hundred factories worldwide that make widgets. What these folks don’t realize is that just having a computer online is a valuable resource to someone. That’s one more processor that a bad guy didn’t have before. It’s one more hard drive they can store illicit material on. One more system they can hop through or use to target another victim. You may not be a target, but you could be an accessory.

It’s also important to note that while you may not be the intended victim of someone else’s attack, being involved still means down-time, the expense of cleaning systems, and most of the other issues that the actual victim has to deal with. Yes, on a smaller scale, but it’s not zero, which is the sum you came up with when you decided you weren’t a target.

The widget makers of the world are right to look with a jaundiced eye at calls to spend a lot on security, or to procure a lot of fancy boxes and software. When solutions are designed by people who cut their teeth on fighting nation-state adversaries and “advanced” threats, there aren’t a lot of options for people who need the basics.

Success in cybersecurity at every level means paying attention to business needs, and acceptable risks, not just external threats. The best advice is holistic in nature, not a pitch that plays to your professional strengths. That you know how to wield a hammer is not an excuse for only paying attention to exposed nails.

Most of the time, the best security recommendations are the cheap and unglamorous ones. No, it’s not pretty or fun, but it’s what you owe your clients if you’re really about security.

C.R.E.A.M. IoT Edition

I didn’t get to see the discussion between Justine Bone and Chris Wysopal about the former’s approach to monetizing vulnerabilities. If you’re not familiar with the approach, or the “Muddy Waters” episode, take a minute to brush up, I’ll wait…

OK, so if you’re in one computer security sub-community the first words out of your mouth are probably something along the lines of: “what a bunch of money-grubbing parasites.” If you knew anyone associated with this event you’ve probably stopped talking to them. You’d certainly start talking shit about them. This is supposed to be about security, not profiteering.

If you’re in a different sub-community you’re probably thinking something along the lines of, “what a bunch of money-grubbing parasites,” only for different reasons. You’re not naive enough to think that a giant company will drop everything to fix the buffer overflow you discovered last week. Even if they did, because it’s a couple of lines in a couple of million lines of code, a fix isn’t necessarily imminent. Publicity linked to responsible disclosure is a more passive way of telling the world: “We are open for business” because it’s about security, but it’s also about paying the mortgage.

If you’re in yet another sub-community you’re probably wondering why you didn’t think of it yourself, and are fingering your Rolodex to find a firm to team up with. Not because mortgages or yachts don’t pay for themselves, but because you realize that the only way to get some companies to give a shit is to hit them where it hurts: in the wallet.

The impact that vulnerability disclosure, in any of its flavors, is having on computer security is not zero, but it’s not registering on a scale that matters. Bug bounty programs are all the rage, and they have great utility, but it will take time before the global pwns/minute ratio changes in any meaningful fashion.

Arguing about the utility of your preferred disclosure policy misses the most significant point about vulnerabilities: the people who created them don’t care unless it costs them money. For publicly traded companies, pwnage does impact the stock price: for maybe a fiscal quarter. Just about every company that’s suffered an epic breach sees their stock price at or higher than it was pre-breach just a year later. Shorting a company’s stock before dropping the mic on one vulnerability is a novelty: it’s a material event if you can do it fiscal quarter after fiscal quarter.

We can go round and round about what’s going to drive improvements in computer security writ large, but when you boil it down it’s really only about one or both of two things: money and bodies. This particular approach to monetizing vulnerabilities tackles both.

We will begin to see significant improvements in computer security when a sufficient number of people die in a sufficiently short period of time due to computer security issues. At a minimum we’ll see legislative action, which will be designed to drive improvements. Do you know how many people had to die before seatbelts in cars became mandatory? You don’t want to know.

When the cost of making insecure devices exceeds the profits they generate, we’ll see improvements. At a minimum we’ll see bug bounty programs, which is one piece of the puzzle of making actually, or at least reasonably secure devices. Do you know how hard it is to write secure code? You don’t want to know.

If you’re someone with a vulnerable medical device implanted in them you’re probably thinking something along the lines of, “who the **** do you think you are, telling people how to kill me?” Yeah, there is that. But as has been pointed out in numerous interviews, who is more wrong: the person who points out the vulnerability (without PoC) or the company that knowingly lets people walk around with potentially fatally flawed devices in their bodies? Maybe two wrongs don’t make a right, but as is so often the case in security, you have to choose the least terrible option.

The Wolf is Here

For decades we’ve heard that iCalamity is right around the corner. For decades we’ve largely ignored pleas to try and address computer security issues when they are relatively cheap and easy, before they got too large and complicated to do at all. We have been living a fairy tale life, and absent bold action and an emphasis on resiliency, it only gets grim(m)er going forward.

Reasonably affordable personal computers became a thing when I was in high school. I fiddled around a bit, but I didn’t know that computer security was a thing until I was on active duty and the Morris Worm was all over the news. Between the last time Snap! charted and today, we have covered a lot of ground from a general purpose IT perspective. We’ve gone from HTML and CGI to the cloud. From a security perspective, however, we’re still largely relying on firewalls, anti-virus, and SSL.

Why the disparate pace of progress? People demand that their technology be functional, not secure. Like so many areas of our lives, we worry about the here and now, not the what-might-be. We only worry about risks until a sufficiently horrific scenario occurs, or if one is not enough, until enough of them occur in a sufficiently short period of time.

Of course today we don’t just have to worry about securing PCs. By now it is fairly common knowledge that your car is full of computers, as is increasingly your house. Some people wear computers, and some of us are walking around with computers inside of us. Critical infrastructure is lousy with computers, and this week we learned that those shepherd boys crying ‘wolf’ all those years weren’t playing us for fools, they were just too early.

The fragility of our standard of living is no longer the musings of Cassandras. The proof of concept was thankfully demonstrated far, far away, but the reality is we’re not really any safer just because ‘merica. Keeping the lights on, hearts beating, and the water flowing is a far more complex endeavor than you find in the commodity IT world. It is entirely possible that in some situations there is no ‘fix’ to certain problems, which means given various inter-dependencies we will always find ourselves with a Damoclean sword over our heads.

Mixed mythologies notwithstanding, the key to success writ large is insight and resiliency. Being aware of what you have, how it works, and how to get along without it will be critical to surviving both accidents and attacks. I would like to think that the market will demand both functional and secure technology, and that manufacturers will respond accordingly, but 50 years of playing kick the can tells me that’s not likely. The analog to security in industrial environments is safety, and that’s one area power plants, hospitals, and the like have down far better than their peers in the general purpose computing world. We might not be able to secure the future, but with luck we should be able to survive it.

Cyber Security Through the Lens of an Election

Inauguration day has come and gone, giving us some time to reflect on both the previous election process as well as what lies ahead for the next four years. There are a number of parallels between running for office and running a cyber security operation, and a few lessons learned from the former can help those involved in the latter.

It’s a Campaign, Not a Day Hike

Depending on the office you’re running for, your campaign might start years before the winner takes the oath of office. Likewise, it is likely to take years to reach the ideal end-state for the IT enterprise you’re responsible to protect. To further complicate things, technology in general and security threats specifically will change over time, which means the probability you’ll see the end of the race is very close to 0. Not running is not an option, so pace yourself.

You Need a Team

Every chief executive needs a team to get things done. In government, it’s called a “cabinet” and in business the “C-suite.” Regardless of the nomenclature, the purpose is the same: they are the people who specialize in certain things who help you formulate and execute policy. If you’re lucky you’ll get a team that buys into your vision, trusts you implicitly, and has the resources necessary to get the job done. More than likely you’re going to have something more akin to a Team of Rivals, but not ones you got to pick.

(All Kinds of) Experience Matters

There is no one-size-fits-all career path that leads to the White House. People who get into cyber security have a wide range of backgrounds. Yet in both fields people love to poke at perceived shortcomings of those who aspire to (or end up in) top positions. We pick on Michael Daniel or Rudy Giuliani for their lack of technical acumen, forgetting that George Washington never went to high school and his first job was blue collar. Being able to cast a vision, manage people under stress, manage limited resources, and inspire confidence: none of those things requires a given type or level of education, and all of them can be developed in a variety of ways.

Everyone is a Constituent

If you’re in security, everyone is “your people.” You don’t have a party, you don’t have a faction, you have to make everyone happy. At the very least you have to keep everyone from revolting. Everyone has a different agenda, different needs, different outlooks. You will make enemies, and different people will be your friend or foe depending on the situation. Success depends on keeping all those factors in balance so that you can move the center forward.

It’s a great parlor game to try and figure out what the next four years are going to be like on the political front, but the fact of the matter is we have no real idea how things are going to go. In that sense politics is a lot like cyber security: you prepare for the worst, you assume every day is going to be rocky, but sometimes you get pleasantly surprised.

Hail to the Chief! All of them.

Save Yourself – Delete Your Data

You probably don’t remember but in the spring of 2015 I wrote:

What if ransomware is only the beginning? What about exposé-ware? I’ve copied your files. Pay me a minimal amount of money in a given time-frame or I’ll publish your data online for everyone to see. Live in a community that frowns upon certain types of behavior? Pay me or I’ll make sure the pitchfork brigade is at your door.

This week we learn:

Instead of simply encoding files so that users can’t access them, some blackmailers armed with a new kind of malware called doxware are threatening to leak potentially sensitive files to the public if a ransom isn’t paid, says Chris Ensey, COO of Dunbar Security Solutions.

My response now is the same as it was before:

In an era when remedying computer security failures is cheaper than calling in computer security experts, we need to collectively get on board with some new ways of doing things.

For starters, we need to work at scale. Botnet takedowns are one example. I’m proud to have been associated with a few, and I’m not going to pretend every effort like this goes off without a hitch, but we need to do more at or near the same scale as the bad guys, and often. That’s really the only way we have any hope of raising attacker costs: when they’re fighting people in the same weight class with similar skills on a regular basis.

We also need to accept that the future has to be more about restoration than conviction. Most corporate victims of computer crime don’t want to prosecute, they just want to get back to work. Tactics, techniques, procedures and tools need to reflect that reality. If you’re law enforcement you don’t have a lot of leeway in that regard, but everyone else: are you really doing right by your customers if you are adhering to a law enforcement-centric approach simply because that’s how you were taught?

Finally, we need to retire more problems. You’ve heard the phrase: “if you’re so smart how come you’re not rich?” My variation is: “if you’re such an expert how come you haven’t solved anything?” Now, not every computer security problem can be solved, but there are problems that can be minimized if not trivialized. That would require regularly growing and then slaughtering cash cows. Business majors who run massive security companies don’t like that idea, but it is not like we’re going to run out of problems. So as long as there are new opportunities to slay digital dragons, you have to ask yourself: am I in this to get rich, or am I in this to make the ‘Net a safer place? Kudos if you can honestly do both.

…and I would add one more thing: if you don’t need data, get rid of it. I remember when storage was expensive and you had to be judicious about what you saved, but if you buy enough storage these days it’s practically free, which has led people to think that there are no consequences for control-s’ing their way to retention nirvana. The supposed value of “big data” doesn’t help. When you get down to it, though, you can’t be held ransom – or extorted – over something you don’t have.

Cyber Responsibility: The Trickle-Down Effect

There was a time when cyber security was the sole responsibility of IT, but those days are long gone. Today’s executives know better than to presume themselves and their enterprises immune from a cyberattack, which is why staying safe online requires more than an old “do as I say” mentality. A pair of Cisco leaders, CEO John Chambers and SVP and Chief Security and Trust Officer John N. Stewart, place the responsibility squarely on the leadership’s shoulders. “The CEO must make it clear that security is not just an IT problem—it is a priority for the business that is top of mind. Business and technology leadership must work together to discuss potential risks and find solutions that protect intellectual property and financials alike.” (CIO)

Toujours en Avant. I just made this very same argument recently to a room full of CxOs and board members, to varying levels of agreement. You’re never going to convince someone who has had the ‘lead from the front’ mantra drilled into his psyche that there is any other approach, but then in business circles not everyone at echelons-above feels the same way. Regardless of your leadership style remember one thing: people will focus on whatever they are rated on or compensated for. If cyber security is not something that impacts their personal bottom line, they won’t do it regardless of what you say or do.

We Learn From Death

Why are we perpetually surprised (or not, depending on how you look at it) at the failure of so many at both the organizational and individual level to take cybersecurity seriously? I would argue that most people are placing cybersecurity exactly where it should be when it comes to the myriad risks in their lives, and that is unlikely to change until it is far too late for some.

On the radio the other day there was an interview with an airline crash investigator. Airline crashes are rare, and when one happens the investigation defines “comprehensive.” But contrary to what amateurs or outsiders may think, there is really only one reason why an investigation is conducted:

It’s not to let the families know what happened and it’s not to let the lawyers know what happened, it is to prevent this happening again in the future. That’s absolutely the reason for an air crash investigation.

Closure for the families? Don’t care. Assigning blame so lawyers can address issues of liability? Don’t care. I mean, investigators are human beings, they care on one level, but the true motivation for a crash investigation is singular: reducing the probability that what caused this crash ever happens again. I know you don’t pay attention, but airlines have safety briefings for a reason. They de-ice control surfaces for a reason. You can design and engineer and test all day long, but sometimes problems don’t surface until thousands of hours of flight time under real-world conditions have been logged. To that point:

Aviation has never been safer because we have essentially conquered most of the problems that emerged in the first century of commercial flight. But now we’re starting into the second century of commercial flight and there’s all sorts of new and different challenges.

She goes on to point out that one of those challenges is cybersecurity, but it is not necessarily the most pressing challenge. Why? The interview doesn’t get that in-depth, but it is worth noting that ransomware-for-cockpits is not a thing; aircrews not grokking how automation works is most assuredly a thing.

Stealing credit card numbers, bank account details, social security numbers, medical files, even taking over one’s entire identity doesn’t equate to death. The economics of cybercrime today are such that malicious actors can cause pain, but victims are readily made whole again. In such an environment why would we expect cybersecurity to get better? Why would we expect individuals to care? Why would we expect businesses to do anything more than is absolutely mandated? We don’t catch enough bad guys to provide closure. The industry has successfully fought off efforts to assign liability. The system is basically designed to ensure we will remain victims in perpetuity.

We don’t learn from incompetence, we don’t learn from inconvenience, we don’t even learn from pain: we learn from death. Cybersecurity will get better when people die in sufficiently large numbers. “Cyber” has certainly killed, but as callous and morbid as this sounds, it hasn’t killed enough. How much is enough? I suspect a lot more than have died due to pilot error.

Better Design, Better Security Participation?

A new study by NIST found that a majority of typical computer users experience “security fatigue” that often leads to risky computing behavior at work and in their personal lives. Security fatigue is defined in the study as a weariness or reluctance to deal with computer security. “The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people’s everyday life,” said Brian Stanton, a cognitive psychologist and co-author of the report. “It is critical because so many people bank online, and since health care and other valuable information is being moved to the Internet.” (Biometric Update)

Security products are developed by security nerds, for security nerds, who are an increasingly rare breed. Think about how you get a new app for your phone: search, click the link to install, start using the app. Now think about all the flaming hoops you had to jump through the last time you had a security problem, or tried to install some security mechanism. The less users have to think about making sound security decisions, and the easier it is for them to take action, the less likely they are to become victims. Hard core security wonks will laugh at the idea of cybersecurity UX, but there is a reason why the more elegant and efficient a tool is, the more passionate its users are.

Good Cyber Security is Not Glamorous

One of the more common reasons why most organizations push back on spending for cyber security is the lack of a “return on investment.” All that fancy, shiny cyber-y stuff costs a lot of money without providing a clear benefit that is commensurate with the expenditure. Firewalls are expensive. IDS/IPS are expensive. SIEMs are expensive. Talent to run it all (if you can even find it) is expensive.

Yet for all that expense the end result may still be a breach that costs millions of dollars, and the source of that breach is almost assuredly something that makes all that expense seem like a waste, not an investment. Advancing cyber security starts with promulgating the message that like most things in life: success is about the grind.

The Importance of Blocking and Tackling

A good, sound security capability can in fact be very pedestrian. Take some time to look at the SANS Top 25 (formerly 10) lists going back several years. Do the same thing for the OWASP Top 10. If you look closely you’ll notice that while names may change, the basic problems do not. Buffer overflows and cross-site scripting are not “advanced” or “sophisticated” but they work. All year, every year.

Addressing the most common security problems facing any enterprise does not require floor-to-ceiling displays showing maps of the world and stoplight charts and data flows from country to country. It doesn’t require a lot of software or hardware or subscriptions or licenses or feeds. The biggest problems are the most common ones that don’t necessarily require advanced skills or technology to resolve. You can harden your enterprise against the most likely and most dangerous problems without ever talking to a salesperson or worrying about how much you’re going to have to pay that guy with all the letters after his name.

Are You Ready For Some Football?

It wouldn’t be fall without a football analogy, so here is the first one of the season: if you knew who Odell Beckham Jr. was before Lena Dunham did, you know where I’m going with this. If you didn’t, go to YouTube and enter his name, I’ll wait…

Amazing plays are not the result of practicing acrobatics in full pads. Wide Receivers don’t take contortionist classes. Training for football season at any level is about fundamentals. Everyone doing the same drills, or variations on a theme, that they’ve done since they first put on a helmet. Why? Because the bulk of success on the field is attributable to fundamentals. Blocking and tackling. Plays that make the highlight reels are the result of individual athleticism, instincts, and drive, but no receiver gets into position to make the highlight reel without mastering the basics first.

A team of journeymen who are well versed in the basics alone may not make the playoffs, much less the Super Bowl, but that’s not the point; you want to avoid being beaten by the second string of the local community college. If you want to know how well buying expensive “solutions” to your problems works, I invite you to check out the drama that has been the Washington Redskins since 1999.

It’s About Perspective

You can’t read an article on cybersecurity and not see the words “advanced” or “sophisticated” either in the text or the half-dozen ads around the story. Security companies cannot move product or get customers to renew subscriptions without promoting some level of fear, uncertainty and doubt. No product salesperson will bring up the fact that procuring the next-generation whatever they are selling is almost assuredly buying a castle that will be installed on a foundation of sand (to be fair: it’s not their job to revamp your security program).

This is not to say you ignore the truly advanced or dangerous, but you need to put it all into perspective. You don’t buy an alarm system for your house and then leave your doors and windows open. You do not spend more money on the car with the highest safety ratings and then roll out without wearing your seat belt. You don’t buy your kids bicycle helmets and then set them loose on the freeway. You do all the things that keep you and yours safe because to ignore the basics undermines the advanced. The same holds true in cyber security, and the sooner we put on our Carhartts and spend more sweat equity than we do cash, the sooner we are likely to see real improvements.

Intelligence Agencies Are Not Here to Defend Your Enterprise

If there is a potentially dangerous side-effect to the discovery of a set of 0-days allegedly belonging to the NSA it is the dissemination of the idea, and credulous belief of same, that intelligence agencies should place the security of the Internet – and commercial concerns that use it – above their actual missions. It displays an all-too familiar ignorance of why intelligence agencies exist and how they operate. Before you get back to rending your hair and gnashing your teeth, let’s keep a few things in mind.

  1. Intelligence agencies exist to gather information, analyze it, and deliver their findings to policymakers so that they can make decisions about how to deal with threats to the nation. Period. You can, and agencies often do, dress this up and expand on it in order to motivate the workforce, or more likely grab more money and authority, but when it comes down to it, stealing and making sense of other people’s information is the job. Doing code reviews and QA for Cisco is not the mission.
  2. The one element in the intelligence community that was charged with supporting defense is no more. I didn’t like it then, and it seems pretty damn foolish now, but there you are, all in the name of “agility.” NSA’s IAD had the potential to do the things that all the security and privacy pundits imagine should be done for the private sector, but their job was still keeping Uncle Sam secure, not Wal-Mart.
  3. The VEP is an exercise in optics. “Of course we’ll cooperate with your vulnerability release program,” says every inter-agency representative. “As long as it doesn’t interfere with our mission,” they whisper up their sleeve. Remember in every spy movie you ever saw, how the spooks briefed Congress on all the things, but not really? That.
  4. 0-days are only 0-days as far as you know. What one can make another can undo – and so can someone else. The idea that someone, somewhere, working for someone else’s intelligence agency might not also be doing vulnerability research, uncovering exploitable conditions in popular networking products, and using same in the furtherance of their national security goals is a special kind of hubris.
  5. Cyber security simply is not the issue we think it is. That we do any of this cyber stuff is only (largely) to support more traditional instruments and exercises of national power. Cyber doesn’t kill. Airstrikes kill. Snipers kill. Mortars kill. Policymakers are still far and away concerned with things that go ‘boom’ not bytes. In case you haven’t been paying attention for the past 15 years, we’ve had actual, shooting wars to deal with, not cyber war.

I have spent most of my career being a defender (in and out of several different intelligence agencies). I understand the frustration, but blaming intelligence agencies for doing their job is not helpful. If you like living in the land of the free it’s important to note that rules that would preclude the NSA from doing what it does merely handicap us; no one we consider a threat is going to stop looking for and exploiting holes. The SVR or MSS do not care about your amicus brief. The Internet is an important part of our world, and we should all be concerned about its operational well-being, but the way to reduce the chance that someone can crack your computer code is to write better code, and test it faster than the spooks can.