How to limit the damage from hackers


When thousands of security professionals and exhibitors gather each year in San Francisco for the annual RSA Conference, the mood typically is one of hope and promise. Keynotes, session tracks and vendor pitches traditionally promote the ideal that, while today’s adversaries are worthy, cunning and deep-pocketed, they can be kept at bay with the right combination of people, policies and processes.

But just days before this year’s installment was set to open in February, hackers infiltrated the network of HBGary Federal to expose the sometimes-embarrassing email communications of the security services firm and its sister company, HBGary. The incident certainly placed a damper on the proceedings in the City by the Bay.

“I think people expect basic companies to which security is not core to be more vulnerable,” says Josh Corman, a research director at the 451 Group. “But I think that was a smack to the head to say security companies are potentially as prone to attack. It got very real, very quickly.”

The news didn’t get any cheerier after the conference closed, with revelations that at least two other high-profile security firms, RSA and Comodo, sustained precision attacks that, at the very least, demonstrated the ease by which criminals can claim proprietary information that doesn’t belong to them.

Which all begs the question: Is today’s security model fundamentally broken? Some experts believe it is.

But the more pressing question may be: Should organisations housing valuable assets accept the inevitable – that their systems will be successfully penetrated, if they haven’t already – and instead face their fate by focusing efforts around limiting the damage and forcing the attacker to expend more resources than they would like?

It is a difficult question to answer “no” to, especially considering recent developments (including email marketing firm Epsilon’s massive breach), and going back to last year’s stealthy “Aurora” compromises, in which Google and a number of other Fortune 100s were successfully penetrated by what has come to be known as the advanced persistent threat.

“Anyone who thinks if they are specifically targeted that they’re going to be able to keep the bad guys out, they’re naive to the point of stupidity,” says Mike Rothman, analyst and president at Securosis, a security consulting firm.

“If your organisation possesses something that is going to be of interest to a nation-state, you can pretty much guarantee you’re already compromised.”

A CISO’s perspective

Larry Whiteside, chief information security officer of the Visiting Nurse Service of New York, is responsible for information security at an organisation that has never been specifically targeted in an attack. But that hasn’t stopped the 38-year-old from being realistic about the current threat landscape – that he and his team are powerless to some extent.

“The big thing is [criminals are] getting smarter at a faster rate than security is,” Whiteside says. “It’s an uphill battle that we as security professionals are constantly striving to get ahead of. I just don’t know that we can.”

The company, with about 8000 users, is the largest nonprofit home health care provider in the country. Its mission is to provide residential health aides to tens of thousands of patients, and it serves the five boroughs of New York and neighbouring Westchester and Nassau counties. With no intellectual property to protect, the nurse service is no Google. But, with personal health information becoming increasingly attractive for cybercriminals wanting to conduct medical identity theft, it is a ripe target nonetheless. And while no malware has ever infiltrated the network in Whiteside’s 3½-year tenure, he understands that relying on perimeter defences is an outmoded way to think about fortifying his network.

Instead, he entrusts a healthy chunk of his security arsenal to patch, configuration and standards management. “I don’t think putting an [advanced persistent threat] protection device in your environment is the answer,” he says. “I think that is one small part of a much larger issue. When I look at the tools, it’s not that the tools don’t have validity but there’s a good percentage of things you could stop right away if you have good patch management, configuration management, even turning on egress filtering. It’s a mandatory piece of my security infrastructure to be able to allow out only what needs to be allowed out.”
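The egress rule Whiteside describes, "allow out only what needs to be allowed out", is a default-deny allowlist. The example below is added here and is not code from the article or from the Visiting Nurse Service; it evaluates constructed outbound flow records against a hypothetical allowlist (internal resolver only for DNS, web only via a proxy, SMTP only from a mail relay segment) and reports every flow that matches no rule. Any such flow is both blocked and worth alerting on, since direct external DNS or a workstation speaking SMTP to the internet are classic signs of tunnelling or a compromised host talking home.

```python
"""Default-deny egress policy evaluated over constructed flow records.

Added example, not from the article. The networks, hosts and ports are
assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_net: str   # internal CIDR the rule applies to
    dst: str       # destination CIDR, or "any"
    proto: str     # "tcp" or "udp"
    port: int      # destination port


# Hypothetical allowlist: everything not listed here is denied.
ALLOWLIST = [
    Rule("10.0.0.0/8", "10.0.0.53/32", "udp", 53),    # DNS only to the internal resolver
    Rule("10.0.0.0/8", "10.0.0.8/32", "tcp", 3128),   # web only through the proxy
    Rule("10.0.5.0/24", "any", "tcp", 25),            # only the mail relay segment sends SMTP
]


def _in_net(ip, cidr):
    """True if ip falls inside cidr; "any" matches every address."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def is_allowed(flow, rules=ALLOWLIST):
    """flow is a dict with src, dst, proto, dport. No matching rule means deny."""
    for r in rules:
        if (_in_net(flow["src"], r.src_net) and _in_net(flow["dst"], r.dst)
                and flow["proto"] == r.proto and flow["dport"] == r.port):
            return True
    return False


def denied_flows(flows, rules=ALLOWLIST):
    """Return the flows the policy would block; each one is an alert candidate."""
    return [f for f in flows if not is_allowed(f, rules)]


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    {"src": "10.0.1.15", "dst": "10.0.0.53", "proto": "udp", "dport": 53},      # internal DNS: ok
    {"src": "10.0.1.15", "dst": "10.0.0.8", "proto": "tcp", "dport": 3128},     # via proxy: ok
    {"src": "10.0.1.15", "dst": "203.0.113.7", "proto": "tcp", "dport": 443},   # direct HTTPS, bypasses proxy
    {"src": "10.0.1.15", "dst": "198.51.100.9", "proto": "udp", "dport": 53},   # external DNS: tunnelling sign
    {"src": "10.0.5.2", "dst": "192.0.2.25", "proto": "tcp", "dport": 25},      # relay sending mail: ok
    {"src": "10.0.1.15", "dst": "192.0.2.25", "proto": "tcp", "dport": 25},     # workstation sending SMTP directly
]

if __name__ == "__main__":
    for f in denied_flows(SAMPLE_FLOWS):
        print("DENY", f)
```

Three of the six constructed flows are denied. The design point is that the policy is written as what is permitted, so a new tool an attacker drops still has to fit through one of the listed holes, and the deny log doubles as a detection feed.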

Whiteside has developed a standard model for how his organisation's systems should be configured and he uses a scanning tool from eEye Digital Security to profile ports, services, operating systems, vulnerabilities and patches to ensure they are compliant.

But don’t be deceived by Whiteside’s use of the term. Sure, the nurse service is hamstrung by a number of regulatory mandates but he values standards management above any government edict.

That is a lesson more end-users – and vendors – should take to heart, says Corman of the 451 Group. He says many well-resourced organisations are falling victim to advanced malware attacks because the security industry is suffocated by a compliance focus. Corman estimates that at least half, possibly all, of the Fortune 100 have had intellectual property stolen: “We’re wildly underprepared to protect our secrets; I’m not sure anyone can protect themselves and their [intellectual property]”.

Corman has a particular distaste for the Payment Card Industry Data Security Standard (PCI DSS), a 12-step, prescriptive baseline for protecting credit and debit card information. He says that while the guidelines have helped organisations more seriously consider data protection as a business imperative, they also have boiled security down to a least common denominator.

As a result, middle-market businesses in particular, which lack the budget to buy advanced analytical and detection tools, have suffered, he says: “The attacker knows you’re compliant and they do not care”.

“They’re not going to use techniques that are easily detectable by that very, very low bar. We are in serious need of an upgrade in the way we approach and do information security. There is a large gap that needs to be reassessed.”

If no action is taken – Corman believes more products need to be developed that contribute to situational awareness – the security market risks becoming a punch line. “If we’re not careful, we’re going to be the TSA (Transportation Security Administration),” Corman says. “Everyone knows the TSA is theatre but everyone in our industry thinks we’re better than theatre. Let’s stop thinking we’re going to prevent these [advanced attacks] with the current stuff.”

A game of economics

As sophisticated and well-funded as today’s adversaries are, they typically gain entry inside an organisation through the age-old tactic of social engineering. 

Ryan Kazanciyan, principal consultant for Mandiant, a vendor that responds to about 35 advanced attacks a month at the world’s largest organisations, says most are from phishing a particular user.

Although businesses invest in user education so workers don’t click on a legitimate-looking attachment or link, it takes just one duped user to infect the network, he says.

Where organisations can flip the equation back in their favour is by making the attackers have to work much harder once they establish their initial foothold. “Success is as much of a game of rapid detection and response and containment vs. 100 percent, bulletproof security because that’s just not realistic,” Kazanciyan says.

“The key is to make it as expensive as possible to maintain a presence in your environment and steal data. It’s absolutely an economics thing.”

Organisations must learn from each compromise, he says. To do that, they should search for indicators of infection through network analysis and host-based forensics. When investigating a breach, organisations must “fully scope the compromise”, reviewing which systems and accounts were accessed, which tools and network addresses were used, and what data was stolen.

Kazanciyan also advises victims not to tip off attackers that they are on to them, or risk the adversary changing tactics to again avoid detection. “The idea is if you are proactively looking for indicators of compromise, maybe you detect that successful attack within days or weeks rather than months or years,” he says.
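The two preceding paragraphs describe hunting for indicators of compromise and then "fully scoping" what they reveal: which systems and accounts, which network addresses, over what period. The example below is added here and is not code from the article or from Mandiant. It parses constructed proxy, process and network log lines, matches them against a small indicator set (placeholder values, not real IoCs) and rolls the hits up into the scoping answers, including accounts seen on more than one host, which is the usual pointer to lateral movement.

```python
"""Indicator matching over constructed log lines, then scoping the hits.

Added example, not from the article. Hostnames, user names, domains,
addresses and the hash are placeholders invented for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed indicator set (placeholders, not real IoCs).
IOCS = {
    "domains": {"update-cdn.example.net"},
    "ips": {"198.51.100.23"},
    "hashes": {"deadbeefdeadbeefdeadbeefdeadbeef"},  # placeholder file hash
}

# Constructed log lines in one simplified shape: ts host user kind value
SAMPLE_LOGS = """\
2011-04-02T09:14:03 WS-0412 jdoe proxy update-cdn.example.net
2011-04-02T09:14:05 WS-0412 jdoe proxy cdn.example.org
2011-04-02T11:02:17 WS-0412 jdoe proc deadbeefdeadbeefdeadbeefdeadbeef
2011-04-03T02:31:40 SRV-FILE01 svc_backup net 198.51.100.23
2011-04-03T08:10:09 WS-0077 asmith proxy news.example.com
2011-04-04T23:45:12 SRV-FILE01 jdoe net 198.51.100.23
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse(text):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, user, kind, value = m.groups()
            yield {"ts": datetime.fromisoformat(ts), "host": host,
                   "user": user, "kind": kind, "value": value}


def matches_ioc(event, iocs=IOCS):
    """True if the event's value is a known domain, address or file hash."""
    v = event["value"]
    return (v in iocs["domains"] or v in iocs["ips"]
            or v.lower() in iocs["hashes"])


def scope_compromise(text, iocs=IOCS):
    """Return the matching events and a summary of the scoping questions."""
    hits = [e for e in parse(text) if matches_ioc(e, iocs)]
    hosts_by_user = defaultdict(set)
    for e in hits:
        hosts_by_user[e["user"]].add(e["host"])
    summary = {
        "hosts": sorted({e["host"] for e in hits}),
        "accounts": sorted({e["user"] for e in hits}),
        "indicators": sorted({e["value"] for e in hits}),
        "first_seen": min(e["ts"] for e in hits) if hits else None,
        "last_seen": max(e["ts"] for e in hits) if hits else None,
        # accounts active on more than one affected host: lateral-movement leads
        "multi_host_accounts": sorted(u for u, h in hosts_by_user.items() if len(h) > 1),
    }
    return hits, summary


if __name__ == "__main__":
    hits, summary = scope_compromise(SAMPLE_LOGS)
    for e in hits:
        print(e["ts"].isoformat(), e["host"], e["user"], e["value"])
    for k, v in summary.items():
        print(f"{k}: {v}")
```

On the constructed input the four hits span two hosts and two accounts over three days, and jdoe is flagged because the account appears both on the workstation where the first indicator fired and on the file server. The "first seen" value is what moves the dwell time from "months or years" toward "days or weeks" once indicators are searched for proactively rather than after the fact.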

Rothman of Securosis says that “until you know where the issue is, you’ve got no shot”.

He recommends full-packet capture, egress filtering, data-flow tracking, access restrictions to compromised devices, and network segmentation as helpful detection and remediation tools.

“I would make the assumption that the attackers are there,” Rothman says. “I want to acknowledge that they’re there and put them in a box as well as I can, and I want to monitor everything they’re doing.”

The future of cybercrime fighting

Salvatore Stolfo, professor of computer science at Columbia University in New York, believes the IT industry is a long way from becoming dependable. He pins this on the fact that system creators are unable to measure their resiliency.

“This area lacks precision and science,” he says. “It’s mostly ad hoc. It’s not like building a physical system, like a bridge, where you can estimate its lifespan, capacity and ability to resist wind. There’s no metric to security. You can’t apply mathematical formulation and rate the security of a system. Imagine if we had that, you’d be able to make rational decisions over which system and security is better. If we had that ability, then problem solved.”

So, as users await algorithms that could be decades away, Stolfo says the security industry must up the ante, drop conventional wisdom for a moment and think like a contrarian. An idea Stolfo suggests is what he calls “fog computing”, in which infected organisations mix decoy data with actual data that the attackers are trying to hijack.

“Let them break through – because they’re going to break through – and then give them something that’s going to poison them,” Stolfo says.

This tactic accomplishes two things: First, organisations limit the amount of real data that leaves their walls and, second, arguably more importantly, they are able to measure the course, cost and effort of the adversary.
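The decoy-data idea Stolfo describes needs one practical piece: once a value turns up in outbound traffic, a log or a dump, the defender must be able to tell decoy from real without querying a database. The example below is added here and is not code from the article or from Stolfo's research. It assumes identifiers of the shape PREFIX + six digits + four hex characters; real records carry an arbitrary suffix, while decoys carry a truncated HMAC of the body under a key only the defender holds, so the two are indistinguishable to an attacker but instantly separable by the defender. Triaging a set of exfiltrated identifiers then gives both of the article's benefits: a count of real records actually lost, and a measure of how much of the decoy field the adversary touched.

```python
"""HMAC-tagged decoy identifiers mixed with real ones, and their triage.

Added example, not from the article. The identifier format and the key
are assumptions constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Assumption: one secret per deployment, kept away from the data it protects.
DECOY_KEY = b"constructed-demo-key-not-for-production"
PREFIX = "VN"


def _tag(body):
    """Four hex characters of HMAC-SHA256 over the identifier body."""
    return hmac.new(DECOY_KEY, body.encode(), hashlib.sha256).hexdigest()[:4]


def make_decoy_id(n=None):
    """Build a decoy identifier; n is drawn at random unless supplied."""
    n = secrets.randbelow(10**6) if n is None else n
    body = f"{PREFIX}{n:06d}"
    return f"{body}-{_tag(body)}"


def make_real_id(n):
    """Constructed stand-in for a genuine identifier: same shape, random suffix."""
    return f"{PREFIX}{n:06d}-{secrets.token_hex(2)}"


def is_decoy_id(value):
    """True only if the suffix is the defender's HMAC tag for the body."""
    body, sep, tag = value.rpartition("-")
    if not sep or not body.startswith(PREFIX) or len(tag) != 4:
        return False
    return hmac.compare_digest(_tag(body), tag)


def plant_decoys(real_ids, decoy_numbers):
    """Return the real identifiers interleaved with decoys built from decoy_numbers."""
    return sorted(real_ids + [make_decoy_id(n) for n in decoy_numbers])


def triage_exfil(observed_ids, planted_decoys):
    """Classify identifiers seen leaving the network and measure decoy coverage."""
    observed = set(observed_ids)
    decoys = sorted(v for v in observed if is_decoy_id(v))
    real = sorted(v for v in observed if not is_decoy_id(v))
    planted = set(planted_decoys)
    return {
        "real_lost": real,                       # genuine records that actually left
        "decoys_touched": decoys,                # decoys the adversary collected
        "decoy_coverage": len(planted & observed) / len(planted) if planted else 0.0,
    }


if __name__ == "__main__":
    real = [make_real_id(i) for i in (100, 200, 300)]
    decoy_numbers = [1, 2, 3, 4]
    mixed = plant_decoys(real, decoy_numbers)
    # Constructed "exfiltrated" sample: two decoys and one real record were taken.
    taken = [make_decoy_id(1), real[0], make_decoy_id(4)]
    print(triage_exfil(taken, [make_decoy_id(n) for n in decoy_numbers]))
```

The HMAC check is what makes the scheme cheap to run at scale: a proxy, DLP sensor or SIEM rule can classify every identifier it sees with one keyed hash, and a decoy that should never be read at all turning up anywhere is itself a high-confidence alert. Tag length is a trade-off: four hex characters keep the format plausible but give a 1-in-65536 chance that a random suffix validates, so a deployment with room for a longer suffix should use it.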

Looking at the success of advanced malware from a more macro level, perhaps the celebrity hacker subculture is also partly to blame.

Marc Maiffret believes it is.

He says events such as the annual Black Hat Briefings conference, in which speakers often parade to the stage like famous stars to present their zero-day findings, contribute to a lack of interest in defensive disciplines.

Maiffret is no stranger to the stardom that can be cast on a hacker prodigy, having discovered big vulnerabilities in Microsoft products, including the hole that enabled the Code Red worm, before he was even old enough to drink. In 1999, he was featured on MTV’s True Life: I’m a Hacker and later was named to People’s 30 People Under 30 list.

But after a while, the allure of finding security bugs grew old.

“I kind of got sick of it and I don’t know if it’s helping people,” says Maiffret, who now is chief technology officer of eEye. “It’s 100 percent that it’s easier to do. That’s not in any way to discredit [vulnerability researchers]. But it is definitely more straightforward to find the next Adobe buffer overflow compared to making technology to keep Adobe secure from being leveraged by hackers.”

Now he focuses on defensive technologies – such as eEye’s vulnerability management offerings. In his view, organisations should operate under the assumption that they were compromised by zero-day flaws, which makes defensive research that much more important.

“I always encourage people who are really good at these things to give the defensive side a try,” Maiffret says.

“It’s hard, but that’s also what makes it intellectually challenging.”

Talented researchers are applying their skills to defence. For example, the company Immunity released El Jefe (pronounced ell heff-ay, Spanish for "The Boss"), an open-source, Windows process-monitoring solution that quickly shows users suspicious behaviour.

Back at Visiting Nurse Service of New York, Whiteside adopts Maiffret’s supposition that adhering to best practices, particularly configuration management, can make seemingly devastating incidents like Aurora and Stuxnet seem nothing more than drops in a bucket.

“That’s how I look at it,” Whiteside says. “If [victims] had [systems] patched or if they had a standard that they had applied to all of their systems – regardless of what kind of data they had on them – then maybe some of those [breaches] don’t happen.”

Copyright © 2010 Computing