The solution to security breaches? Kill the human middleware

It's a computer security truism that human beings are the biggest network threat. Sysadmins have always assumed that means users, but it may be time to take a long, hard look in the mirror. At the Versus conference in San Francisco on Thursday – a conference that its organizers say they set up to challenge the security status …

  1. Anonymous Coward

    Free Stuff - Brain off

    Went to a Security conference the other month. As normal they started handing out free USB sticks like candy, we love free IT stuff and candy. Wonder how many people plugged them straight into a corporate asset..... This was a security conference!! So tempted to put some call home software on some sticks and hand them out and see how many call home. Would be an interesting test.

    1. John Robson Silver badge

      Re: Free Stuff - Brain off

      A depressing test more like...

      Given that we know that a USB stick can be a capacitor bank designed to fry components.... why do we ever plug anything in any more.

      1. Norman Nescio Silver badge

        Re: Maleficent High Voltage USB sticks

        I freely admit my ignorance of the underlying hardware here.

        If you have a booby-trapped USB device which is designed to 'fry' what it is plugged into, is there any protection in first of all plugging it in via a USB hub?

        Or, simply plugging into a powered (or unpowered) USB hub to ensure it discharges the capacitors into something relatively cheap and disposable first before plugging it into a PC? Of course, it might just take USB power to repeatedly recharge the capacitors and so repeatedly discharge nasty voltages.

        And, in terms of protection against malware; is there any benefit in plugging into GNU/Linux or BSD systems to get the interesting/useful data off? There might be merit in having a sacrificial netbook (Remember those? If not, I think The Register has a well-known picture of one of the original netbooks to illustrate the device I'm talking about) to allow relatively safe data transfer.

        Perhaps we should go back to distributing copies of slide-packs, documentation etc on CD or DVD?

        1. Brian O'Byrne

          Re: Maleficent High Voltage USB sticks

          https://www.usbkill.com/

          The device uses the power provided by the computer over the USB port to charge capacitors, then discharges the capacitors through the data pins.

          In most cases that will quickly kill the USB port, and often the computer.

          The device is unaffected and can be re-used.

          ... and it is very easy to make; you don't need to spend €50 plus shipping to get one if you have some skill with a soldering iron.

  2. MNGrrrl
    Pint

    Buzzword Bingo

    Everyone who shouldn't be, talks about cybersecurity these days, and thinks they (a) know what it is and (b) how to "make things secure". This is not because they know much, but rather the inherent human need for order and an over-estimation of a person's influence. It's why Trump wants to build a wall along the Mexican-American border: Not because it will do any good, but because it looks like a decisive take-charge can-do action. It makes people feel good. Cybersecurity is like that: Most of what people think will make things secure are based on incomplete knowledge and over-estimating their abilities -- they want to quantify the risk, somehow manage it. People despise unknowns.

    -

    Here's the truth: The most basic working definition of "cyber" (I will never like that word) security is that "the device does what I expect it to do, and does not do what I do not expect it to do." Whether it is malware that destroys your server, or a software bug, or human error, the result is the same. The cost is the same. And any infrastructure meant to protect from that happening must be all-encompassing. Unfortunately, security will never be perfect. It won't even be good. This isn't because we can't design secure systems, but rather that the designs are not open. There are no laws or regulations governing proper design -- our industry is an unregulated one. Oh yes, bad hacker -- shame on you for stealing all our personal information. We're going to give you 500 consecutive life sentences in the electric chair! But the law is silent on what we should be doing to prevent such problems in the first place.

    .

    We've grown accustomed to corporations selling our personal data, our phones tracking our every move, our computers having 'telemetry', and companies big and small can roll out a new product without any certification or validation. But worse than that, because of copyright and patent law, it is *illegal* to follow good engineering practice. When we construct buildings, we do so with the collective knowledge of every engineer who built one that fell down. We share that knowledge freely, blueprints and designs are available for any who know where to look to see. And as a result, very few buildings fall down.

    .

    But in this industry, everything is a black box. We don't share blueprints -- we sue people who try to copy ideas, and make sure those ideas can't be copied without being sued for hundreds of years. Everyone has to reinvent the wheel, and possibly reinvent it many times, to avoid patents and copyright lawsuits. We've had successful lawsuits with hundreds of millions of dollars hanging in the balance over *beveled* corners. And so knowledge of how to build something properly just isn't there. Every engineer in this field can only advance to his or her own level of understanding -- they cannot build, or even see, the work of others. And as a result, our information infrastructure regularly suffers catastrophic failures... and these too, are not shared. It's illegal to know or use a well-understood and known method of doing pretty much anything... and if and when something fails, the default is to cover it up and whistle loudly.

    .

    Our problems with "cyber" security have nothing to do with the technology and everything to do with a broken system that values profit above solid engineering practice. It's why we have a "cyber" security problem in the first place -- old vulnerabilities never truly die, because everyone is forced to build everything from scratch. No matter how good you are, you're going to make at least one mistake in your design. Meanwhile, the criminals, the ne'er-do-gooders, are not hindered by laws, ethics, or any of that -- they share their knowledge with each other freely. The end result is, they know all the millions of places you can make a mistake... and computers and software, freed of legal obstructions, can go through all those millions of places with solid design, peer review, and decades of historical data at their fingertips and find every crack in your armor.

    .

    If you want "cyber" security, stop screwing around and demand that we treat our information systems like any other engineered system: Delete the broken patent and copyright systems, and allow that knowledge to be shared. Force every corporation that releases a product to the public to disclose its source code. And don't even think of giving me any crap about how this isn't secure because "terrorism" or "hackers", or whatever bogeyman you're worried will look at it and think bad thoughts. Boeing tells everyone exactly how their planes are built -- and air travel is the safest way to move people because there are many, many eyes looking at each and every design inside and outside the company, and everyone in the industry can look at other designs and know which ones work, why they work, and when failure happens -- it is an open and transparent process to find out and disseminate the findings to keep it from happening again.

    .

    Everything else is just buzzword bingo... it's so-called "experts" re-arranging the deck chairs on the Titanic.

    1. Mark 110

      Re: Buzzword Bingo

      How do I give you more upvotes?

      The comparison with building standards is an awesome one. Why are we not insisting the security standards for every connected device/application are not public and audited/auditable?

      1. Anonymous Coward

        Re: Buzzword Bingo

        "Why are we not insisting the security standards for every connected device/application are not public and audited/auditable?"

        Just look at the response to Schneier's testimony yesterday on Capitol Hill. Stunning ignorance, even when you have someone sitting directly in front of you with a clue. Instead of taking that moment as an opportunity to reduce ignorance and gain perspective, it's used as a sound bite moment for personal attention.

    2. Disk0
      Pint

      Re: Buzzword Bingo

      nice rant, cheers!

    3. Charles 9

      Re: Buzzword Bingo

      "If you want "cyber" security, stop screwing around and demand that we treat our information systems like any other engineered system: Delete the broken patent and copyright systems, and allow that knowledge to be shared."

      Simple answer: no one will play. Knowledge is power, literally, and there are many out there who DON'T want their knowledge shared. If not allowed to exploit their knowledge, they'll take their ball and go home, leaving society hungry. That's why we have patents and copyrights in the first place. Without some incentive, not enough people are willing to come forward; end result, society is starved for knowledge. You don't need to do away with the systems because people can and have released their stuff either out of copyright but patented but only for anti-exploitation reasons. The TERMS of those patents and copyrights can be adjusted to reflect changes in society, however. Copyright was once life of author without extension for a person or about 25 years for a business. I think reeling terms back to those roots (based on the fact they're supposed to be LIMITED, under the Constitution, IIRC) would help speed things along with documents and so on. As for patents, change the terms to reflect the industry they apply to. Machinery and so on tend to have long work cycles, so patents of 25 years are still appropriate. Medicine can also make a case due to all the legal hurdles a drug maker has to clear just to get things to market; they really only get a few years to sell their stuff IF they get the go-ahead. Non-physical stuff? Stuff moves fast here, so what if patents for these get limited to, say, three years tops?

  3. Mk4

    Oh sod off

    Go and read a few decent journals. Every now and again someone leaves USB sticks in a car park in a university (where all the clever and educated people are) and lo and behold... most people plug them in. Really? This is news?

    Security as a domain of human activity needs to secure my and everyone else's normal behaviour, not make me contort my behaviour into some twisted version of itself. You don't build a building with doors and then act surprised when people try to use them. If a door should not be used it is either not in the building design in the first place or it is locked. Then idiots like me don't have to be given a list of doors that are there but that we must not use. This is not a perfect analogy, but then that's the nature of analogies.

    1. Charles 9

      Re: Oh sod off

      "Security as a domain of human activity needs to secure my and everyone else's normal behaviour, not make me contort my behaviour into some twisted version of itself. You don't build a building with doors and then act surprised when people try to use them. If a door should not be used it is either not in the building design in the first place or it is locked. Then idiots like me don't have to be given a list of doors that are there but that we must not use. This is not a perfect analogy, but then that's the nature of analogies."

      But ANY door can be a way in for a bad guy. Trouble is, many doors MUST be open to the public because it's the way in or out for them. Meaning if you interact with the public, you're vulnerable, period. And if you're vulnerable, you can be hit for EVERYTHING since the heist may know where to find the good stuff. Which poses a problem. Because an assumption one WILL be hit ALSO means the assumption that WHEN one gets hit, he/she will be hit for EVERYTHING: an existential threat. So a surrender mentality is incompatible because it also implies a suicide mentality.

  4. amanfromMars 1 Silver badge

    AI Work in Progress ...... Replace All Weak Links/Smashing Trojans

    ….. and then the system watches all the interactions between your machines, flagging anything that looks unusual or breaks with high-level policies written on top of it (like dev machines only talking to other dev machines).

    Do you mean dev machines like elected presidents talking to appointed prime and sub-prime ministers/defeated presidential candidates plotting/chatting behind closed doors with disgruntled and disruptive donoring agents …. or are those interactions usual?

    Is there not already systems monitoring in place for such shenanigans, although to be fair by all accounts of the evidence which is presented, is it a paper tiger pussy of an operation and an embarrassment which just keeps on giving failure and breach for further exploitation and exploration?

    Nice one, DNI Clapper. We thank you for the service.

  5. Anonymous Coward
    Linux

    The solution to security breaches?

    "The answer is to step away from the idea of security as preventing anything from entering and look at monitoring what is going on inside your network to look for anything unusual"

    I have to call CyberBS on this, it's not a human problem, it's a computer problem. The solution is to run your internal data on encrypted drives and run all network communication over fully encrypted channels. That way, there is no inside to hack. All you'll see is gibberish and any attempt to execute commands on the system will appear as gibberish. All user access is through a hardware authenticated dongle. That way you only have two layers to deal with, the data to the system and the system to the end-user.

    "automating security, and letting your machines protect themselves in much the same way that your body's immune system works."

    That analogy has been done to death and isn't helpful. It's an example of what Ranum called enumerating badness, as in it don't work. Running scripts you downloaded over the web does not for a good security model make. It must have been a quick hack in the beginning of interactive web apps, but has led directly to the current fiasco in 'computer' security. It must be possible to achieve today's computer usability without executing someone else's code every time you click on a link or open an email attachment, something these cyber geniuses can't seem to achieve.

    1. Charles 9

      Re: The solution to security breaches?

      No good. They'll just target the endpoints, one of the few places where the data MUST be decrypted because the Eyeball v1.0 doesn't grok encrypted data. The only way around that would be cybernetic eyes connected directly to the brain a la Ghost in the Shell.

      As for downloading scripts, what if the copy you download has a hole in it? At least the one kept at the writer's site would be kept up to date, meaning the hole gets patched ASAP. You can't win. Either you let a hole fester or you download one. And humans are fallible and formal proofs have a very narrow scope.

  6. allthecoolshortnamesweretaken

    "Hey sexy mama, wanna kill all humans with me?" -- Bender

  7. Doctor Syntax Silver badge

    "The answer is to step away from the idea of security as preventing anything from entering and look at monitoring what is going on inside your network to look for anything unusual."

    And by the time you discover something unusual going on and stop it what damage might have been done? And what might it have installed somewhere inside? At this point you've got a clean-up to mount.

    Surely prevention is still the first line of defence and monitoring the second.

    1. You aint sin me, roit

      Quite. What's more, who monitors the monitoring software?

      They say that the problem is that humans make errors and so need to rely on software, but who created that software? And who is responsible for making sure it's still running correctly? There's a worrying degree of arrogance (and complacency) in "You're only human so you make mistakes... you need our software to monitor your system for those inevitable mistakes."

      Though you have to remember that these people publishing their opinions are really just saying "You need our product".

      1. Doctor Syntax Silver badge

        "What's more, who monitors the monitoring software?"

        It's software all the way down.

        1. onefang

          "It's software all the way down."

          Not all the way down; eventually it hits insecure, bug-infested hardware.

    2. Charles 9

      "Surely prevention is still the first line of defence and monitoring the second."

      But you can't prevent a zero-day because you have no foreknowledge of the exploit. Trouble is, the moment one is in, one has to assume the worst (they've already gotten access to everything) which is usually too late for a clean up.

  8. Anonymous Coward

    Kill the human middleware

    Another bit of fluff to push the latest and greatest CIO/CISO 'must have' solution. The most impressive security improvements I've seen always revolve around 'humans' and actually getting them to give a s$!t. Not statistically, but actually changing the culture, getting management, users, techies involved, incentivised, informed. Using creative, amusing and relevant information, distributed in an easily accessible format. Then when you introduce new security software, systems and services you've got a fighting chance of them being implemented and used properly rather than circumvented.

    I'll get back in the corner...

    1. Robert Helpmann??
      Childcatcher

      Re: Kill the human middleware

      This article sounded a lot like a sales person making an end run around the technical experts and selling directly to management. For example, "Cohen told us later that one client he had – a large bank – was amazed to find that in its environment of 125,000 servers there were 3,000 dev servers that were talking directly to production servers. That's something that even the most hard-working sysadmin is going to be hard pressed to discover." So the dev machines were running in a production environment and didn't have an enclave of their own with a firewall preventing just this sort of thing? It's not that a competent admin wouldn't catch this, it's more that one was not on the job when this crap was put in place. I've stepped into environments where this was going on and helped put a stop to it. It's pretty obvious and if you think otherwise you have probably been on the management side of the fence for too long.

      Also, I heard an awful lot of fluff about configuration and mitigation. So how would one automate security and let machines protect themselves in much the same way that your body's immune system works? What if your boxen get cancer?
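The "dev servers talking directly to production servers" finding above, and the article's own "dev machines only talking to other dev machines" policy quoted elsewhere in this thread, come down to a zone policy evaluated over flow records. The block below is an added illustration, not code from the article, from the commenter, or from any vendor it mentions: the inventory, the zone policy and the flow lines are all constructed, and the line format (`timestamp src dst dport proto`) is an assumption standing in for whatever NetFlow, VPC flow log or firewall export a real shop has.

```python
import re
from collections import defaultdict

# Constructed inventory: IP -> environment zone. In practice this comes from a
# CMDB, cloud tags or subnet allocation; every address here is made up.
INVENTORY = {
    "10.10.1.5": "dev",
    "10.10.1.6": "dev",
    "10.20.3.7": "prod",
    "10.20.3.8": "prod",
    "10.30.0.2": "mgmt",
}

# Policy: which source zone may open connections to which destination zone.
# Anything not listed is a violation; "dev" -> "prod" is deliberately absent,
# which is exactly the case the commenter describes.
ALLOWED = {
    "dev": {"dev"},
    "prod": {"prod"},
    "mgmt": {"dev", "prod", "mgmt"},
}

# Constructed flow records in an assumed "timestamp src dst dport proto" format.
SAMPLE_FLOWS = """\
2016-11-17T10:01:02Z 10.10.1.5 10.10.1.6 8080 tcp
2016-11-17T10:01:05Z 10.10.1.5 10.20.3.7 5432 tcp
2016-11-17T10:01:09Z 10.30.0.2 10.20.3.8 22 tcp
2016-11-17T10:02:11Z 10.10.1.6 10.20.3.7 5432 tcp
2016-11-17T10:02:30Z 10.20.3.7 10.20.3.8 3306 tcp
2016-11-17T10:03:00Z 192.0.2.44 10.20.3.7 443 tcp
"""

FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+)$")


def parse_flows(text):
    """Yield one dict per well-formed flow line; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, proto = m.groups()
        yield {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def zone_of(ip):
    # Hosts missing from the inventory get their own zone so they are never
    # silently allowed; an unknown box talking to prod is itself a finding.
    return INVENTORY.get(ip, "unknown")


def find_violations(text):
    """Return (ts, src, src_zone, dst, dst_zone, dport) for each flow the policy forbids."""
    violations = []
    for f in parse_flows(text):
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        if dz not in ALLOWED.get(sz, set()):
            violations.append((f["ts"], f["src"], sz, f["dst"], dz, f["dport"]))
    return violations


def summarize(violations):
    """Group offending source hosts by (src_zone, dst_zone), the way the
    '3,000 dev servers talking to prod' figure would be produced."""
    by_pair = defaultdict(set)
    for _, src, sz, _, dz, _ in violations:
        by_pair[(sz, dz)].add(src)
    return {pair: sorted(hosts) for pair, hosts in by_pair.items()}


if __name__ == "__main__":
    found = find_violations(SAMPLE_FLOWS)
    for v in found:
        print("VIOLATION", *v)
    for (sz, dz), hosts in summarize(found).items():
        print(f"{len(hosts)} {sz} host(s) talking to {dz}: {', '.join(hosts)}")
```

The point the commenter makes holds here too: the check is trivial once zone membership is known, and the hard part in a 125,000-server estate is keeping the inventory honest. Unknown hosts are therefore reported rather than ignored, so a gap in the CMDB shows up as a finding instead of a blind spot.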

  9. Anonymous South African Coward Bronze badge

    why not just implement default-deny on all things operating systems? So that the user will have to approve the installer, approve the Mirco$oft Word application etc etc... it will be a real PITA but at least you won't get any nasties trying to sneak in past you...

    ...but it is impractical though. Most people will just blithely do the clickety click routine in order to get their favourite Java game/app to work...

    1. Anonymous Coward

      Essentially that's exactly what I do here. Very much a pain in the ass right up until someone tries to install and/or turn on a service, e.g. a telemetry service, behind my back. But I'm a control freak.

      1. Charles 9

        How do you get around click fatigue, though?

  10. mhenriday
    Boffin

    The recent high-profile hacks of the Democratic Party's email servers ...

    «and the inability to pin the attack squarely on the Russian government was one example» Seems to me that the wording here shows an attempt to find evidence for a certain predetermined conclusion, rather than to examine the evidence in order to come to a conclusion. Quelle surprise !...

    Henri

    1. Anonymous Coward

      Re: The recent high-profile hacks of the Democratic Party's email servers ...

      Pretty much every intelligence related agency in the US government agrees it was the Russians. They have the motive and the means. If they were allowed to release the evidence, it would probably be sufficient to convict in a court of law. Of course, we all know there have been cases where someone is convicted of murder but later found innocent - even a confession isn't a foolproof measure of guilt.

      Regardless of whether you believe the Russians were responsible, only a fool would think they don't have a vested interest in trying to hack any and all data they can get their hands on concerning the levers of power in the US government. Now that those levers are passing to the republicans, they will have a greater interest than previously to hack them. Perhaps even more so with Trump's election, to help them gain insight into what Trump plans to actually do. Trump certainly shouldn't consider himself 'safe' because he says nice things about Putin, but maybe he's only worried about his mythical 400 pound guy on a bed.

      1. amanfromMars 1 Silver badge

        Re: The recent high-profile hacks of the Democratic Party's email servers ... @DougS

        Is not Wall Street and Washington the cancerous enemy within America? Ponzi Master Puppeteers at No Work. Zero Rest and Infinite Loopy Play is a recipe for Greater IntelAIgent Games Disasters?

        The problem is surely concentrated in the distinct evident lack of Novel Intellectual Property Supply/Future Building Capability. And that is either a Human Failing with Virtual Machines or a Virtual Machinery Failing with Humans. Both though just need a new SMARTR Alternate Reprogrammed Mass MultiMedia Programming Operating System Running in Parallel atop existing exhausted and exhausting Command and Control Centres/SCADA Levers, to take and make over with future perfected reins and reigns. Or is all of that too spooky and disruptive and terrifying a medium for you to contemplate and engage with, now that terror and debt and deficits are defaults and the favoured unnatural destructive status quo choices for change and power.

        The other real leading question to ponder and wonder at is .... Do you have any choice and power to effective engage with and driver the future in a direction of your choice or are you always destined/fated to receive what you be given?

        And that further leads inquiring minds and stout brave hearts to ask ...... Given by whom and for what? GOD for Global Operating Devices?

  11. Nimby
    Devil

    "You need to assume a breach"

    The part that truly amazes me is that not once have I heard the phrases "encrypted", "hashed", "salted", or "split into DBs stored on separate servers".

    And yet this is where most companies are failing right now. Customer data should not be stored as a one-slurp Candyland. Even seemingly inconsequential data should a) still be encrypted and b) split within reason into separate DBs so that even once slurped and cracked, all you have is a list of nameless home addresses, or a list of first names only.

    PITA? Absolutely. For both you and the hacker. "You need to assume a breach!" Make your data as useless as possible to any single attack. And make them work hard to decrypt it just to find out!

    Congratulations on hacking one of our servers! Too bad all you got was this lousy t-shirt. Nya nya!
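The "hashed, salted, split into DBs stored on separate servers" design above is easy to sketch in code. The block below is an added example, not the commenter's code and not anything from the article: it keeps first names and home addresses in two separate stores joined only by random tokens held in a third, and stores credentials as salted PBKDF2 hashes via `hashlib.pbkdf2_hmac` and `secrets` from the Python standard library. The customer records, the `SplitStore` class and the `breach_yield` helper are all constructed for illustration; encrypting each store at rest, which the commenter also asks for, is a separate layer not shown here.

```python
import hashlib
import hmac
import secrets


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; a fresh 16-byte salt per record unless one is supplied."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


class SplitStore:
    """Constructed stand-in for four separately hosted databases.

    names and addresses are keyed by unrelated random tokens; only the links
    store can join them back to a customer, and credentials hold no PII at all.
    """

    def __init__(self):
        self.names = {}        # name_token -> first name
        self.addresses = {}    # addr_token -> home address
        self.links = {}        # customer_id -> (name_token, addr_token)
        self.credentials = {}  # customer_id -> salted hash record

    def add_customer(self, customer_id, first_name, address, password):
        name_token = secrets.token_hex(16)
        addr_token = secrets.token_hex(16)
        self.names[name_token] = first_name
        self.addresses[addr_token] = address
        self.links[customer_id] = (name_token, addr_token)
        self.credentials[customer_id] = hash_password(password)

    def lookup(self, customer_id):
        """The legitimate join path: needs the links store plus both data stores."""
        name_token, addr_token = self.links[customer_id]
        return {"first_name": self.names[name_token], "address": self.addresses[addr_token]}


def breach_yield(store, which):
    """What a dump of a single store hands over, with no other store to join against."""
    table = getattr(store, which)
    if which in ("names", "addresses"):
        return sorted(table.values())           # values only; tokens join to nothing here
    if which == "links":
        return sorted(table.keys())             # customer ids and opaque tokens
    if which == "credentials":
        return [rec["digest"].hex()[:8] + "..." for rec in table.values()]
    raise ValueError(f"unknown store {which!r}")


def build_sample_store():
    """Constructed customers; every value here is made up."""
    store = SplitStore()
    store.add_customer("c-1001", "Alice", "1 Example Road, Exampleton", "correct horse")
    store.add_customer("c-1002", "Bob", "2 Sample Street, Sampleville", "hunter2")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print("legit lookup:", s.lookup("c-1001"))
    print("addresses store alone yields:", breach_yield(s, "addresses"))
    print("names store alone yields:", breach_yield(s, "names"))
    print("password check:", verify_password("hunter2", s.credentials["c-1002"]))
```

Two design points worth noting. The join tokens are independent random values rather than a hash of the customer id, so a dump of the names store cannot be correlated with a dump of the addresses store even by an attacker who has the id list. And `verify_password` uses `hmac.compare_digest` so that a wrong guess takes the same time as a near miss.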

    1. Anonymous Coward

      Re: "You need to assume a breach"

      "And yet this is where most companies are failing right now. Customer data should not be stored as a one-slurp Candyland."

      Ideally, business shouldn't have access to customer data at all. But then, how do they mail bills and so on? Make a government bureau to mediate and it immediately becomes a hack target. Heck, it's starting to come to a point that miscreants are directly hacking people in their homes to get the information.

      Which means people ARE going to know about you, period. It's just too valuable information to leave behind these days. Knowledge is power.

  12. Aodhhan

    Incredible

    This article has a lot of merit, but does miss some things as well.

    First: any security device, be it physical or logical, is a tool, not a solution. Left to its own devices without monitoring, upgrading and replacing on schedule, it will become an injection point for a malicious hacker. There are many other points, but you should know these along with proper defense in depth, to include internal network security lockdown methods such as proper VLAN creation/enforcement.

    Second: system admins are the most dangerous users on a network. Most are not properly trained, don't have a 4 year degree in systems/computers, are overworked, are understaffed, and therefore try to get through things as quick as possible. They don't have security in mind, and rarely follow installation instructions as prescribed by engineers. Many will use their accesses to get around policies, procedures etc. Finally, most SAs use email with an account with admin privileges.

    Third: Management is ignorant. Proper policies and procedures for security are often ignored or worse... don't have proper security engineers trained to do a complete and skillful risk assessment of the policies and procedures... let alone network tools.

    As an experienced red team member for nearly 30 years, I typically take these 3 things into account when attempting to breach network systems. It's not just people, but the policies and procedures along with improper risk assessment/mitigations which provides attacking points.

    How many system items can any organization within a company order without knowledge of security personnel? A LOT. Not just USB sticks, but keyboards, KVMs, mice, adapters, etc.

    How many people touch a newly ordered router before it gets to network engineers, and are there procedures to ensure nothing was tampered with along the way? It doesn't take a genius to get into the supply chain of IT equipment and add malicious technology into the stream.

    Yes of course, as security people you get the obvious; however, malicious hackers don't often work the obvious. You also don't hear about many breaches, such as supply chain tampering... because this type of breach is usually not handled by local authorities. Also, don't believe each and every report you hear about. Just because a particular attack method is publicized doesn't mean this is actually what happened.

    Don't just read a book about security, you need to be critical thinkers and work outside the box. Follow your instincts and experience. Take the time to do it right.

    1. Charles 9

      Re: Incredible

      "Don't just read a book about security, you need to be critical thinkers and work outside the box. Follow your instincts and experience. Take the time to do it right."

      The problem is that, more often than not, you're not given the time or resources to do it right, and IT tends to be pretty low on the corporate totem pole. So how do you do it right with a tight deadline and a shoestring budget?
