The Wolf is Here

For decades we’ve heard that iCalamity is right around the corner. For decades we’ve largely ignored pleas to try and address computer security issues when they are relatively cheap and easy, before they got too large and complicated to do at all. We have been living a fairy tale life, and absent bold action and an emphasis on resiliency, it only gets grim(m)er going forward.

Reasonably affordable personal computers became a thing when I was in high school. I fiddled around a bit, but I didn’t know that computer security was a thing until I was on active duty and the Morris Worm was all over the news. Between the last time Snap! charted and today, we have covered a lot of ground from a general purpose IT perspective. We’ve gone from HTML and CGI to the cloud. From a security perspective however, we’ll still largely relying on firewalls, anti-virus, and SSL.

Why the disparate pace of progress? People demand that their technology be functional, not secure. Like so many areas of our lives, we worry about the here and now, not the what-might-be. We only worry about risks until a sufficiently horrific scenario occurs, or if one is not enough, until enough of them occur in a sufficiently short period of time.

Of course today we don’t just have to worry about securing PCs. By now it is fairly common knowledge that your car is full of computers, as is increasingly your house. Some people wear computers, and some of us are walking around with computers inside of us. Critical infrastructure is lousy with computers, and this week we learned that those shepherd boys crying ‘wolf’ all those years weren’t playing us for fools, they were just too early.

The fragility of our standard of living is no longer the musings of Cassandras. The proof of concept was thankfully demonstrated far, far away, but the reality is we’re not really any safer just because ‘merica. Keeping the lights on, hearts beating, and the water flowing is a far more complex endeavor than you find in the commodity IT world. It is entirely possible that in some situations there is no ‘fix’ to certain problems, which means given various inter-dependencies we will always find ourselves with a Damoclean sword over our heads.

Mixed mythologies notwithstanding, the key to success writ large is insight and resiliency. The more aware you are of what you have, how it works, and how to get along without it will be critical to surviving both accidents and attacks. I would like to think that the market will demand both functional and secure technology, and that manufacturers will respond accordingly, but 50 years of playing kick the can tells me that’s not likely. The analog to security in industrial environments is safety, and that’s one area power plants, hospitals, and the like have down far better than their peers in the general purpose computing world. We might not be able to secure the future, but with luck we should be able to survive it.

Save Yourself – Delete Your Data

You probably don’t remember but in the spring of 2015 I wrote:

What if ransomware is only the beginning? What about exposé-ware?  I’ve copied your files. Pay me a minimal amount of money in a given time-frame or I’ll publish your data online for everyone to see. Live in a community that frowns upon certain types of behavior? Pay me or I’ll make sure the pitchfork brigade is at your door.

This week we learn:

Instead of simply encoding files so that users can’t access them, some blackmailers armed with a new kind of malware called doxware are threatening to leak potentially sensitive files to the public if a ransom isn’t paid, says Chris Ensey, COO of Dunbar Security Solutions.

My response now is the same as it was a before:

In an era when remedying computer security failures is cheaper than calling in computer security experts, we need to collectively get on board with some new ways of doing things.

For starters, we need to work at scale. Botnet takedowns are one example. I’m proud to have been associated with a few, and I’m not going to pretend every effort like this goes off without a hitch, but we need to do more at or near the same scale as the bad guys, and often. That’s really the only way we have any hope of raising attacker costs: when they’re fighting people in the same weight class with similar skills on a regular basis.

We also need to accept that the future has to be more about restoration than conviction. Most corporate victims of computer crime don’t want to prosecute, they just want to get back to work. Tactics, techniques, procedures and tools need to reflect that reality. If you’re law enforcement you don’t have a lot of leeway in that regard, but everyone else: are you really doing right by your customers if you are adhering to a law enforcement-centric approach simply because that’s how you were taught?

Finally, we need to retire more problems. You’ve heard the phrase: “if you’re so smart how come you’re not rich?” My variation is: “if you’re such an expert how come you haven’t solved anything?” Now, not every computer security problem can be solved, but there are problems that can be minimized if not trivialized. That would require regularly growing and then slaughtering cash cows. Business majors who run massive security companies don’t like that idea, but it is not like we’re going to run out of problems. So as long as there are new opportunities to slay digital dragons, you have to ask yourself: am I in this to get rich, or am I in this to make the ‘Net a safer place? Kudos if you can honestly do both.

…and I would add one more thing: If you don’t need data, get rid of it. I remember when storage was expensive and you had to be judicious about what you saved, but if you buy enough memory these days its practically free, which has led people to think that there are no consequences for control-s’ing their way to retention nirvana. The supposed value of “big data” doesn’t help. When you get down to it though, you can’t be held ransom – or extorted – over something you don’t have.