The Tao of Cyber Security in today's reality
…consumes any cyber security professional, incident response personnel or senior executive when hearing the dreaded word “hacked”. At least this was the case some years ago. In today’s world, not so much. The implications of being “hacked” mean different things to different people and vary depending on perspective. They are drastically different depending on whether you are a corporate executive tasked with IP and system security, a health care company trying to manage HIPAA requirements and your medical history, your local national hardware chain struggling to secure PCI-related transactions and your customer information, or mom trying to buy that new book online. (I won’t even mention junior snapchatting or posting pics on his Facebook page with geo-tag metadata or other personally identifiable information.) This is not unique to the private sector. Even our most trusted, and supposedly most secure, systems and infrastructures, managed by a broad range of Federal agencies, are rife with major security breaches and mass exfiltration of data. We hear about these on the news on a nearly weekly basis. It has become the new normal. People are numb. We’re now seeing active penetrations targeting geopolitical outcomes, with the recent revelation by CrowdStrike identifying two Russian intelligence-affiliated adversaries as the source of the compromise through their malware “fingerprints” and the C&C (Command & Control) IP addresses embedded in the payload. This represents a major shift in the overall complexion of cyber security: leveraging stolen information to influence the election outcomes of another country. Cyber-attacks are typically perpetrated by individuals, organized crime, or nation states motivated by obtaining classified data, money, intellectual property or specific information to further their respective goals. Now we have a game changer.
These events are not lost on industry professionals and government security agencies, but for the general public it barely transcended two news cycles and only came up once more when the Republican presidential nominee made an offhand remark about missing emails. But this is not about politics. It’s about the state of things today and what, if anything, is possible or practical for the future.
No Lack of Technology…
…exists in the cyber security landscape of intrusion detection and prevention, and it is continuously improving. Intrusion prevention and detection systems, advanced stateful firewalls, centralized SIEM logging aggregators, data encryption, endpoint protection, NetFlow monitors, and packet capture systems are commonplace in the “best practices” security architectures of today. It’s all about defense in depth and layered security, right? This is the Tao. What appears to be the most common issue is the ability to effectively manage and monitor these systems.
Take some of the more recent large-scale breaches in the news. In 2014, a well-known big-box national hardware chain initially reported a breach lasting 3 weeks, resulting in the exfiltration of 56 million customers’ data and credit/debit card info and 53 million email addresses. The actual duration of the attackers’ presence in their network exceeded 400 days, resulting in potential losses due to fraud of up to $3 billion according to CBS News. Actual losses are still undetermined, but initial estimates were around $63 million. To their credit, the breach was indirect: it hit one of their self-checkout POS terminals using a third-party vendor logon. The actual impact on customers is yet to be seen, but all those affected received free credit monitoring and identity protection for a year as a consolation prize. In 2015, the average time to detect a breach was 98 days for financial institutions and 197 days for retailers. Do we really think, as a modern-day society more and more dependent on technology, that this is sufficient?
Home Depot, Target, Wendy’s, the Department of Energy, the Office of Personnel Management, the IRS! The list goes on and on.
I still can’t believe that just one week ago I received my third letter from a government agency, this time from OPM (Office of Personnel Management), informing me that due to a massive cyber-security breach my sensitive and detailed personal background data had been stolen, along with that of some 20 million (that’s MILLION with a capital M) other people, including contractors, family members and others who had undergone background checks for federal employment. Everything from Social Security numbers to birth dates, even fingerprint records, was exfiltrated from Office of Personnel Management systems. Prior to that, it was the Department of Energy sending me greetings. And before that, Target and Home Depot. All expressing regret and concern, and offering that same credit fraud and identity monitoring service to put me at ease and forget the problem.
Twenty-six odd years into the digital age and the internet, we as a society have yet to come to terms with what has become a problem of epic proportions. If we don’t deal with it as such, it will eventually make e-commerce and the internet itself unsustainable. My area of concern is specific to Industrial Control Systems (ICS) and critical infrastructure, where we’ve already seen catastrophic events due to security breaches. The Iranian nuclear program and the Ukrainian power grid are the most recent well-known examples. Any system can be breached. It’s just a matter of how long it takes. Advanced Persistent Threats and hacking tools and techniques are only becoming more prevalent and pervasive, and they do not require a great deal of expertise on the part of the hacker, since most can be acquired rather than created. Phishing techniques make it even easier. Securing the human, and employee behaviors, is an entirely separate challenge. Remember that you and your team must be right 100 percent of the time to be effective. Hackers only need to be right once.
The Road Ahead…
…is unknown, but it can be assumed to be only becoming exponentially more challenging. As computing power, technology, and the increasing “internet of things” approach of providing direct access to everything you can imagine grow, so does the attack surface. So what can we do as cyber security professionals to mitigate an unwanted resume-generating event? Beyond ensuring that layered defense-in-depth, best-practice security, and monitoring systems are in place, change the mindset for yourself and your team. Move from a prevention-based to a detection-based approach, and be proactive about response. Consider Breach Detection Systems (BDS), not just IPS/IDS.
You must evangelize cyber security to your team and everyone you know, from senior executives down to your next-door neighbor, in real-world terms people can understand. Keep up the employee education on behaviors and threats. Educate everyone on the potential for disaster.
Build a “Hunt Team” and an incident response team within your organization. Assume you’ve already been compromised and actively look for the intrusion, the pivot, and the exfiltration of data. Check your LOGS! Tune up that alerting system to reduce the type-1 errors (false positives), but ignore nothing. I’d rather deal with a ton of false positives than one false negative. It’s not too much data to analyze, nor is it difficult to filter the noise. Use long-tail analysis and entropy to reduce the problem to a manageable level and streamline your efforts.
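As an added illustration of the long-tail-plus-entropy idea (this script is not part of the original essay), the Python below runs over a constructed resolver log: it keeps only the rarely queried domains (the long tail) and then ranks those by the Shannon entropy of the leftmost label, so that random-looking names a hunt team should review come out first. The log format, host names and domains are all made up for the example.

```python
import math
from collections import Counter

# Constructed sample resolver log (not real traffic): timestamp, source host, queried domain.
SAMPLE_LOG = """\
2016-07-01T08:00:01 ws-101 www.example.com
2016-07-01T08:00:02 ws-102 www.example.com
2016-07-01T08:00:05 ws-103 updates.example.org
2016-07-01T08:00:07 ws-101 mail.example.com
2016-07-01T08:00:09 ws-104 www.example.com
2016-07-01T08:00:11 ws-102 updates.example.org
2016-07-01T08:00:12 ws-105 x7k2q9z4v1.example.net
2016-07-01T08:00:15 ws-103 www.example.com
2016-07-01T08:00:18 ws-104 mail.example.com
2016-07-01T08:00:20 ws-101 cdn.example.com
2016-07-01T08:00:22 ws-105 updates.example.org
"""

def parse_log(text):
    """Return the queried domain from every well-formed log line."""
    domains = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            domains.append(parts[2].lower())
    return domains

def rare_domains(text, max_count=1):
    """Long-tail analysis: keep only domains seen at most max_count times.
    The frequent head of the distribution is ordinary business traffic; a
    single beaconing host tends to show up in the tail."""
    counts = Counter(parse_log(text))
    return {d for d, n in counts.items() if n <= max_count}

def label_entropy(domain):
    """Shannon entropy (bits per character) of the leftmost DNS label.
    Human-chosen names score low; random-looking strings score high."""
    label = domain.split(".")[0]
    if not label:
        return 0.0
    freq = Counter(label)
    return -sum((n / len(label)) * math.log2(n / len(label)) for n in freq.values())

def prioritize(text, max_count=1, min_entropy=3.0):
    """Rare domains whose leftmost label looks machine-generated, most suspicious first."""
    hits = [(label_entropy(d), d) for d in rare_domains(text, max_count)]
    return [d for e, d in sorted(hits, reverse=True) if e >= min_entropy]
```

The thresholds (max_count, min_entropy) are the tuning knobs the text talks about: lower them to see more of the tail, raise them to cut noise.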
Challenge your assumptions each and every day. The threat landscape is always changing. Don’t ever get comfortable or confident you are doing enough. There is always something more that can be done.