Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

12/19/2014
06:00 PM
Paul Vixie
Commentary

The Internet's Winter Of Discontent

The new great cybersecurity challenge in trying to sum up the most dangerous weaknesses in the world's connected economy is that the hits just keep on coming.

“They built machines that they can’t control and buried the waste in a great big hole.”  -- Sting, “We Work The Black Seam”

The great challenge in showing what’s wrong with Internet security has always been finding something new to complain about, rather than rehashing problems that are five to ten years old and remain unfixed. I’m talking about systemic problems like IP packet-level forgery (source-address spoofing), which lets lightly invested attackers launch attacks that heavily invested defenders must take seriously, or any of the other myriad ways in which the Internet’s humble academic origins, and its attendant lack of admission control, are making the world’s connected economy less resilient than at any time in recorded human history.

The new great challenge in trying to sum up the most dangerous weaknesses in the world’s connected economy is that the hits just keep on coming, and every day some new headline-grabbing example of lost money, lost information, or lost privacy seems to beg, “don’t be too proud of the list of high-profile attacks and vulnerabilities you’ve compiled, because by next week it’ll seem quite dated and naïve.” Yes, things are moving that fast.

Let’s talk about Sony Pictures Entertainment (SPE), which has all the makings of this month’s edition of the worst attack of all time (although wait for next month’s headlines before you decide with certainty). The FBI now reports high confidence that the attack was directly sponsored or directed by a nation-state actor, news that sits prominently alongside the US Justice Department’s indictment earlier this year of five officers of another nation-state’s army for other attacks against commercial infrastructure in the USA. How should the commercial security industry, or the risk management industry, position itself against nation-state attacks which formerly, in a pre-Internet era, would have been the military-industrial complex’s problem?

By all published accounts, the team that invaded SPE had nearly complete access for a period of months: one does not simply exfiltrate several terabytes of data in a single day. To those who ask, “how did SPE not know this was going on?” I’ll challenge you as follows: what test do you run on a daily or hourly basis that tells you, with any confidence, that your company’s large and heterogeneous digital infrastructure has not also been invaded?
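The challenge above can be made concrete. What follows is an added example, not code from the original column or from Farsight Security: a daily egress check of the kind that would notice a months-long bulk exfiltration, because moving terabytes out of a network over weeks leaves a sustained per-host volume anomaly even when no single day looks alarming on its own. Host names, destination addresses and byte counts are constructed sample data (198.51.100.23 is from the TEST-NET-2 documentation range), and the per-host daily totals stand in for what a NetFlow/IPFIX or proxy-log aggregation would produce.

```python
"""Daily egress check over per-host flow summaries.

Added example, not code from the original column or from Farsight
Security.  It turns "what check do you run every day that would have
noticed a months-long, multi-terabyte exfiltration?" into one concrete
heuristic: compare each internal host's daily outbound bytes to a robust
baseline learned from its own *unflagged* history and alert on a sustained
excess.  Hosts, destinations and byte counts below are constructed.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple

GIB = 1 << 30


class Flow(NamedTuple):
    day: int        # day index of the flow summary (1-based)
    host: str       # internal source host
    dst: str        # external destination
    bytes_out: int  # bytes sent host -> dst on that day


class Alert(NamedTuple):
    host: str
    first_day: int
    days: int          # length of the consecutive run of excess days
    excess_bytes: int  # bytes above baseline summed over the run
    top_dst: str       # destination that received the most during the run


def build_sample_flows() -> List[Flow]:
    """Constructed 14-day sample, not real telemetry.

    Normal volumes drift a few percent day to day.  From day 8 the
    'fileserver' host additionally pushes ~60 GiB/day to a single external
    address (198.51.100.23, a TEST-NET-2 documentation address): the shape
    of a slow bulk exfiltration.
    """
    drift = [1.00, 0.97, 1.05, 1.02, 0.95, 1.04, 0.99,
             1.01, 1.03, 0.98, 1.00, 1.02, 0.96, 1.01]
    flows: List[Flow] = []
    for i, d in enumerate(drift, start=1):
        flows.append(Flow(i, "ws-101", "cdn.example", int(2 * GIB * d)))
        flows.append(Flow(i, "mail-gw", "mx.example", int(10 * GIB * d)))
        flows.append(Flow(i, "fileserver", "backup.example", int(5 * GIB * d)))
        if i >= 8:
            flows.append(Flow(i, "fileserver", "198.51.100.23", int(60 * GIB * d)))
    return flows


def find_sustained_excess(flows: List[Flow], window: int = 7, ratio: float = 3.0,
                          min_excess: int = GIB, min_days: int = 3) -> List[Alert]:
    """Flag hosts whose daily egress exceeds ratio x baseline for min_days in a row.

    The baseline is the median of the last `window` days that were NOT
    themselves flagged, so an ongoing leak cannot teach the detector that
    60 GiB/day is normal.  `min_excess` stops tiny hosts from alerting on a
    few megabytes of growth.
    """
    per_day: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    per_dst: Dict[str, Dict[int, Dict[str, int]]] = defaultdict(
        lambda: defaultdict(lambda: defaultdict(int)))
    for f in flows:
        per_day[f.host][f.day] += f.bytes_out
        per_dst[f.host][f.day][f.dst] += f.bytes_out

    alerts: List[Alert] = []
    for host, by_day in per_day.items():
        clean: List[int] = []   # daily totals accepted as normal
        run: List[tuple] = []   # consecutive (day, excess_bytes) pairs
        days = sorted(by_day)
        for day in days:
            total = by_day[day]
            excess = False
            baseline = 0
            if len(clean) >= window:
                baseline = int(median(clean[-window:]))
                excess = total > ratio * baseline and total - baseline > min_excess
            if excess:
                run.append((day, total - baseline))
            else:
                clean.append(total)
            # Close out a run when it breaks or when the data ends.
            if run and (not excess or day == days[-1]):
                if len(run) >= min_days:
                    dst_bytes: Dict[str, int] = defaultdict(int)
                    for d, _ in run:
                        for dst, n in per_dst[host][d].items():
                            dst_bytes[dst] += n
                    alerts.append(Alert(host, run[0][0], len(run),
                                        sum(e for _, e in run),
                                        max(dst_bytes, key=dst_bytes.get)))
                run = []
    return alerts


def main() -> None:
    for a in find_sustained_excess(build_sample_flows()):
        print(f"{a.host}: {a.days} days from day {a.first_day}, "
              f"{a.excess_bytes / GIB:.1f} GiB above baseline, mostly to {a.top_dst}")


if __name__ == "__main__":
    main()
```

Two design points matter in practice. The baseline is learned only from days the detector did not flag, so a leak that runs longer than the window cannot gradually teach the check that 60 GiB a day is normal; a plain trailing median would go quiet after about a week, which is exactly the failure mode a patient intruder relies on. And the comparison is per host against its own history rather than against a fleet-wide threshold, because a mail gateway’s normal day is a file server’s anomaly.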

One of the most chilling side plots of the SPE story is that one executive whose files were compromised had come to SPE with a personal laptop that still contained sensitive data (letters offering employment) from her previous job. Once that personal laptop was enrolled in the corporate backup system, its contents were an easy target for SPE’s invaders. Apparently both this executive’s former employer and SPE itself should have had a much stricter Bring Your Own Device (BYOD) policy.

Economic progress involves the creation of new wealth, which in turn requires investment, which in turn requires a stable investment climate. The Internet has historically offered that kind of stability, and so has the technology industry in general. No doubt many investors and entrepreneurs view the now endless-seeming wave of headline-grabbing attacks on connected infrastructure as an opportunity to develop new products and services that profit from defense, but any reader of the Full Disclosure or BugTraq mailing lists can tell you that defense technology is not an unalloyed good: it adds logic and complexity to a system that is already not understood, and it puts that added logic in the most critical possible path, where its own bugs become the attacker’s foothold.

Cause for hope would have to come in the form of new thinking, radically different from the thinking that brought about our current circumstances. My contribution is a company (Farsight Security) whose goal is to increase understanding of complex connected digital systems by increasing observability. My customers sometimes complain that I’m trying to sell them a shovel when what they want to buy is a hole. Now you know why I take the business risk of trying to make my customers stronger, more aware, more independent, and more autonomous. Security does not come in a box. It’s a way of thinking.

Dr. Paul Vixie is an Internet pioneer and thought leader who designed, implemented, and deployed several Domain Name System (DNS) protocol extensions and applications that are used throughout the Internet today. He is CEO of Farsight Security Inc. Previously, he served as ...
Comments
aws0513
12/22/2014 | 11:12:19 AM
Security that is integral... not an additive.
Good points in the article Paul.

I particularly keyed on the last small sentence.
Awhile back, my supervisor rhetorically asked me why we had so much difficulty implementing basic security practice and controls.
He didn't expect an immediate answer from me, but I already had the answer locked and loaded: security culture.

I was in the military for 22 years.  From the first day of basic training to the last day of service, every member of the military forces learns what security means.  Security concepts become ingrained into life even beyond the installation gates.  Military service is a security oriented service with a security oriented culture.
If a practice is deemed unsecure for even the smallest detail, it is remedied faster than most civilians can imagine possible.  If a new security control is to be put in place there are questions (contrary to popular belief, the military troops are allowed to ask questions) but the answers to those questions are quickly (if not already) prepared and communicated so the troops can efficiently digest the information and begin to make any necessary adjustments to operations in order to accommodate the new control.  Exceptions to security policies are well documented, heavily monitored, and NEVER considered permanent.  There is flexibility, but with attention to detail and an expectation of remediation to the common standard so that a solution can be better managed long term.  Too many variations and exceptions make it difficult to manage any security program.
Even with all that...  bad things happen. 
The military fully understands that there is always a chaos quotient in any hostile environment or encounter.  The need to mitigate damages through thoughtful design and planning and preparation is key to the military security doctrine.  Some call it defense-in-depth or environment hardening or "improving the fighting position".  Whatever one calls it, the goal is to make it so that every malicious effort an attacker wants to make has a heavy cost with (hopefully) reduced gains and added risk to their own plans and resources.

It is apparent that SPE executives and corporate board members simply had not grasped the concepts regarding risk management and IT.  Their actions (or non-action) demonstrate to me they did not believe they needed to take strong and specific steps to implement practices in order to improve their security profile.  They had not engaged in a security culture that should exist throughout the organization.
BTW...  security culture concepts always pour from the top of the mountain and every effort should be made to have it run all the way down all slopes and into adjacent valleys (if possible, splash some on adjoined mountains as well).

Without the establishment of a security culture, the only security controls that will likely work well are those that are fully automated.  And those automated controls will likely be at risk due to people who feel that the control is not necessary or a burden to their operations.  The most common source for problems I had to remediate were people who simply did not take security controls seriously.

Some would say that too much security culture can hamper most private sector businesses.  I say that is just a perception from those who do not understand and appreciate security culture. 
Banks conduct business constantly, yet many (not all) have some very mature security programs. 
Apple Inc. is famous for keeping their new product projects under a relatively (not perfect) effective security umbrella. 
Businesses that know that their IP is valuable also know that their systems holding their IP must be protected and handled properly.  
Security culture in the private sector exists...  but only as small, quiet islands of light in a sea of darkness.  SPE was apparently not one of those islands.  It remains to be seen if things will change for SPE.  That will be the task of SPE leadership going forward. 

Enough of my rambling....  I have more security culture establishment work to do here... as is always the case.

Happy holidays to you and yours.  :-)

 
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15132
PUBLISHED: 2019-08-17
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocki...
CVE-2019-15133
PUBLISHED: 2019-08-17
In GIFLIB before 2019-02-16, a malformed GIF file triggers a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero.
CVE-2019-15134
PUBLISHED: 2019-08-17
RIOT through 2019.07 contains a memory leak in the TCP implementation (gnrc_tcp), allowing an attacker to consume all memory available for network packets and thus effectively stopping all network threads from working. This is related to _receive in sys/net/gnrc/transport_layer/tcp/gnrc_tcp_eventloo...
CVE-2019-14937
PUBLISHED: 2019-08-17
REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user's login sessionid from the database, and then re-login into REDCap to compromise all data.
CVE-2019-13069
PUBLISHED: 2019-08-17
extenua SilverSHielD 6.x fails to secure its ProgramData folder, leading to a Local Privilege Escalation to SYSTEM. The attacker must replace SilverShield.config.sqlite with a version containing an additional user account, and then use SSH and port forwarding to reach a 127.0.0.1 service.