All advantage goes to the offense in cyber-war

I watched the 60 Minutes segment on the attack on Sony recently (4/12/15). If you didn't get a chance to watch it, I'd recommend you follow the link and do so. There are a number of lessons in it for all of us. The piece revealed that more than 3,000 computers and 800 servers were destroyed by the attackers. Astonishing. One of the experts interviewed stated that "even big corporations with sophisticated IT departments are no match for the dozens of countries that now have offensive cyberwar capabilities." That was followed a bit later by this comment: "There are probably three, four, five thousand people that could do that attack today." Couple these comments with the title of this post: All advantage goes to the offense in cyber-war. On the defensive side, you have to say I must defend all 100,000 machines, all 50,000 employees. The offense side thinks, "I only need to break into one and I'm on the inside."

Think about it. Here we are, as IT professionals, playing defense and trying to protect all of our machines and all of our employees. The cyber-criminals need only compromise one machine or one unwitting employee. Who is the favorite in this race? While we are trying to protect everything and everyone, the cyber-criminal is looking for a single weak link: "And there's no shortage of weaknesses. Most company employees are allowed to browse online or visit Facebook on corporate computers and many take them home for personal use. All it takes to contaminate a network is for one person to unwittingly access an infected file that looks like an Adobe Flash Player update or an email that pretends to be from Apple Support." Drawing on my college statistics class, I would put the probability of an employee contaminating the network at one: an event that will almost certainly occur.

So how are we to react to this news? What do we need to do? 

  1. Admit defeat immediately: Surrender to the fact that you are probably incapable, on your own, of thwarting or preventing a concerted attack on your company. In fact, you may already be compromised and not know it. Does this mean give up? No, absolutely not, but lose the mantra of "it won't happen to us". Lose any ego you might have that you are smarter than them. When there's a fire, what do you do? You pull the fire alarm. If you are being robbed, what do you do? You call the police. Who do you call when you are being hacked? What alarm do you pull? You need an answer to those questions. My recommendation is that you have an outside firm working for you so that when you pull the alarm they are (already) there for you. A firm that eats, lives and breathes cyber-security, cyber-crime and cyber-war. I'm thinking of someone like the Secureworks Counter Threat Unit. It's time to be proactive.
  2. Employ multiple layers of defense: A firewall used to be sufficient. Now it is just the crunchy outside of the network that protects the soft and chewy inside. It's time for all of us to start liking hard candy. We need the equivalent of the old Jawbreaker candy. Hard and tough all the way through. In IT terms I'm talking about multiple layers of defense: two-factor authentication, adaptive or risk-based authentication & authorization, privileged account management, real-time intrusion prevention systems, context-aware application intelligence, content filtering and, of course, a working identity and access management system.
  3. Eliminate passwords: Excuse me? Jackson, did you say eliminate passwords? Yes, I did. Let me be candid: If you watch the 60 Minutes video - which I highly recommend you do - you'll see a short section at about 7 minutes and 40 seconds into the interview where they are purportedly showing some of the files the hackers released. What was the common thing I noticed about all those files? Most of them had the word "password" in the title. We - you and I - are drowning our end-users in passwords. We are drowning our end-users in so many passwords with so many password policies (change them every 45 days, must be 12 characters, must contain special characters, must not have been used before, etc.) that these drowning end-users have reached for the only thing that can save them: the virtual sticky note under the keyboard - a spreadsheet or document that holds them all. Find that one file and you've struck gold, because if that file doesn't open an important door it probably opens a door to another person or machine where you may be able to strike gold. I'm hoping that Microsoft's Next Generation Credential and the folks in the Quest End User Computing group will help us achieve that end. In the interim, we all need to be reducing the number of passwords our end-users must maintain via single sign-on and integrated authentication with Active Directory, coupled with two-factor authentication, to better protect ourselves. Oh, and it wouldn't be a bad idea to scan your file servers for filenames that contain the word "password" just to get an idea of how deep the water is that your end-users are treading.
  4. Be prepared: Just as the old Boy Scout motto says. Be prepared with an action plan, your "fire" alarm drill and responses, your insurance and your outside experts. Assume that you're already compromised and act accordingly.
  5. Learn from history: This 60 Minutes episode can teach us something, just as in November when 60 Minutes highlighted the Veterans Administration (VA) and their problems with identity management and single sign-on. The Target hack came about because a contractor's account was compromised, and that one compromised system became the jump point for the whole breach. TJ Maxx used one of the weaker WiFi encryption standards and sent unencrypted files containing credit card information to their banks. Are you encrypting sensitive files? Are you using 802.1X security for your WiFi networks?
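The file-server sweep suggested in point 3, as an added example rather than code from the original post: it walks a directory tree, flags files whose name contains "password" (case-insensitive), and tallies the hits per top-level folder so you can see which shares are deepest. It goes slightly beyond the post by also matching a few variants end-users commonly use ("passwd", "pwd", "credential"); that keyword list, the sample folder layout, and the function names are my assumptions. Only filenames are inspected, so file contents are never opened.

```python
"""Filename sweep for stashed-credential files on a file share.

Added example (not code from the original post). Walks a directory tree,
flags files whose NAME contains "password" or a few common variants, and
summarises hits per top-level folder. Filenames only: contents are never
opened, so the sweep is read-only and cheap to run against production shares.
"""
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# The post suggests searching for "password"; the extra variants are an
# assumption about what end-users actually name these files.
DEFAULT_KEYWORDS = ("password", "passwd", "pwd", "credential")


@dataclass(frozen=True)
class Hit:
    path: Path
    size: int
    top_level: str  # first folder under the scan root; stands in for the share name


def scan(root, keywords=DEFAULT_KEYWORDS):
    """Return all files under `root` whose filename matches any keyword."""
    root = Path(root).resolve()
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    hits = []
    # followlinks=False (the default) so a symlink loop cannot trap the walk.
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not pattern.search(name):
                continue
            path = Path(dirpath) / name
            try:
                size = path.stat().st_size
            except OSError:
                continue  # vanished or unreadable: skip it rather than abort the sweep
            rel = path.relative_to(root)
            top_level = rel.parts[0] if len(rel.parts) > 1 else "."
            hits.append(Hit(path, size, top_level))
    # Deterministic order regardless of how the OS enumerates directories.
    return sorted(hits, key=lambda h: str(h.path))


def summarize(hits):
    """Hit counts per top-level folder, most affected first."""
    return Counter(h.top_level for h in hits).most_common()


def build_sample_tree(base):
    """Constructed sample layout mimicking a small departmental file server."""
    sample_files = [
        "Finance/Q1/passwords.xlsx",
        "Finance/Q1/budget.xlsx",
        "Finance/Q2/vendor passwords - do not share.txt",
        "HR/Onboarding/New Hire PASSWORD list.docx",
        "HR/policies.pdf",
        "IT/scripts/backup.ps1",
        "IT/scripts/svc_account_pwd.txt",
        "Passwords.txt",
        "readme.txt",
    ]
    for rel in sample_files:
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("constructed sample content\n")
    return base


def run_demo():
    """Build the constructed tree in a temp dir, scan it, and return the results."""
    base = tempfile.mkdtemp(prefix="pwscan_")
    build_sample_tree(base)
    hits = scan(base)
    return {"hits": hits, "summary": summarize(hits)}


if __name__ == "__main__":
    result = run_demo()
    print(f"{len(result['hits'])} suspicious filenames found")
    for top, count in result["summary"]:
        print(f"  {top:<10} {count}")
    for hit in result["hits"]:
        print(f"  {hit.size:>6} bytes  {hit.path}")
```

On a Windows file server the same filename-only sweep is a PowerShell one-liner, `Get-ChildItem -Path \\server\share -Recurse -File -Filter '*password*'`. Either way, a match is a lead for a conversation with the file's owner and a prioritisation input for the single sign-on rollout, not proof that credentials are inside; a "password policy.pdf" will show up alongside the real stashes.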

As the CISO for my home network I've been increasing my own security posture. A few months ago I stopped relying on my cable modem for security and installed a SonicWall TZ215 firewall. I've enabled its built-in intrusion protection, content and application filtering along with botnet and Geo-IP filtering. I've added two-factor authentication to many of my high value accounts like my bank and PayPal. I'm researching how I can put my various IoT devices (Smart TV, Apple TV, Roku, phones) on a separate virtual segment so they are isolated from our laptops. Is it enough? No, but I don't want to be that one end-user with the very thin, crunchy outside...