Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

6/6/2019
10:30 AM
Adam Shostack
Adam Shostack
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

When Security Goes Off the Rails

Cyber can learn a lot from the highly regulated world of rail travel. The most important lesson: the value of impartial analysis.

"I'm just amazed at the amount of failure that goes along here," said Bruce Landsberg, National Transportation and Safety Board's (NTSB) vice president, during a recent hearing about the fatal December 2017 Tacoma Amtrak derailment, according to the Seattle Times.

"We have five or six or seven different organizations that all say safety is their primary responsibility, and yet nobody seems to be responsible," Landsberg observed. "And it just flows all the way throughout the entire operation here, from the very top management down to the lower levels."

Let's change the word safety to security because in today's world, where security is everyone's responsibility, this report offers an opportunity to reflect on the similarities and differences between the highly regulated world of rail travel and the world of Internet technologies.

One crucial difference between cybersecurity and transportation is that there's a widely respected organization, the NTSB, that comes in after accidents and produces a report, and that report establishes facts. Despite many calls for such an organization in the technology world, we still do not have one. There are also important differences between a cyber investigation and a real-world accident involving trains, planes, automobiles, and other vehicles. For example:

  • People often die in transportation accidents.
  • Transportation accidents are defined by law.
  • Transportation accidents are hard to hide.
  • There is industry support for transportation investigations.
  • The accident scene is easy to define with yellow tape that circles the site.

None of these apply to cyber incidents, where, in contrast, the relevant systems may be virtual machines long since shut down, the logs aggregated, and the computers involved owned by many different parties, including individuals.

Time for a Cyber Safety Board?
The NTSB has issued a preliminary synopsis of a forthcoming report, and the 10 pages are both thought provoking and easy reading. I read the report because it was a local tragedy, and, like most NTSB reports, it doesn't have very much to do with cybersecurity. But as I read, I noticed a couple of things as I went through it.

First, the cause of the accident is established, as are contributing factors. There are technical, training, and process failures, and many of these are interesting to us in cybersecurity.

Perhaps most interesting are the training findings: "Amtrak did not provide sufficient training on all characteristics of the Charger locomotive," and "Engineers could better master the characteristics of a new locomotive with the use of simulators."

How many of us have gotten "sufficient training" on "all characteristics" of the software we use to get our jobs done? What would that even mean for a systems administrator? How long is sufficient RedHat system administration training? What does it mean to get sufficient training on an Amazon Web Services component, which is subject to change at any time? How many of us have ever used a simulator or range?

We are far more open about breaches than we were even a decade ago, but facts are often thin on the ground. We have a tremendous stream of speculation. We can look over at the transportation sector and see the value of impartial analysis. And that is value to us. It's time for our industry to figure out how we can get an impartial investigator in cybersecurity.

Related Content:

Adam is a leading expert on threat modeling. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Your new device is too complex. Me stick with iWheel.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21312
PUBLISHED: 2021-03-03
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability within the document upload function (Home > Management > Documents > Add, or /front/documen...
CVE-2021-21313
PUBLISHED: 2021-03-03
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability in the /ajax/common.tabs.php endpoint, indeed, at least two parameters _target and id are not proper...
CVE-2021-21314
PUBLISHED: 2021-03-03
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is an XSS vulnerability involving a logged in user while updating a ticket.
CVE-2021-27931
PUBLISHED: 2021-03-03
LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service.
CVE-2021-27935
PUBLISHED: 2021-03-03
An issue was discovered in AdGuard before 0.105.2. An attacker able to get the user's cookie is able to bruteforce their password offline, because the hash of the password is stored in the cookie.