THE DAILY CALLER | April 22, 2016
One of the National Security Agency’s (NSA) highest ranking officials warned Wednesday of a serious threat posed to the nation’s critical infrastructure from potential cyber threats
by Dr. Mike Lloyd, CTO RedSeal
The recently disclosed back door in Juniper’s ScreenOS software for NetScreen firewalls is an excellent reminder that in security, the first and foremost need is to do the basics well. The details of the vulnerability are complex and interesting (who implanted this, how, and what exactly is involved?), but that is not what matters for defenders. What matters is knowing whether or not you have basic network segmentation in place. This may sound counterintuitive – how can something as routine as segmentation solve a sophisticated problem like this? But this is a textbook example of the benefits of defense in layers – if you think too much about only one method of protection, then complex things at that layer have to be dealt with in complex ways, but if you have layers of defense, you can often solve very complex problems at one layer with very simple controls at another.
The vulnerability in this instance involves a burned-in “skeleton key” password – a password capable of giving anyone who can use it potentially catastrophic levels of control of the firewall. To compromise your defenses when you have this particular version of software installed, an attacker needs only two things – 1) the magic password string itself, which is widely available, and 2) ability to talk to your firewall. For point 1, the cat (saber-toothed in this instance) is long since out of the bag, but point 2 remains. If someone can talk to your firewall and present a credential, they can present the magic one, and in they go, with full privilege to do whatever they want (for example, disabling all the protections you bought the firewall for in the first place). No amount of configuration hardening can prevent this, since the issue is burned in to the OS itself. But what if the attacker cannot talk to the firewall at all? Then the magic password does no good – they cannot present a credential if they cannot talk to the firewall in the first place.
So note that someone who relies on strong password policies has a real problem here. If you think “it’s OK to allow basic access to my firewalls, nobody can get in unless I give them a credential”, well, that’s clearly not true. Unfortunately, many network defenses are set up in this way. If you think about this problem at the password or credential layer, the situation is a disaster. But if you think about multiple layers, something more obvious and more basic emerges – why do you need to allow anyone, coming from anywhere, to talk to you firewalls at all? You should only ever need to administer your infrastructure from a well-defined command and control location (using “C&C” in the positive sense used by the military), and you can lock down access so that only people in this special zone can say anything AT ALL to your firewalls and the rest of your infrastructure – you can effectively reduce the attack surface for an attack, directly mitigating the huge risk of this kind of vulnerability. Thinking in layers moves the question from “how do I prevent someone using the magic password?” (Answer: if you have the vulnerable software, you can’t), over to the easier and better question, “How do I limit access to the management plane of the firewall, to only the zone I run management from?”
Recent headlines tell us that “Feds Say That Banned Researcher [Chris Roberts] Commandeered a Plane.” As always, there is more to the story. In fact, there are claims and counter-claims about what Chris Roberts actually did. The FBI search warrant says he did actually send control commands that impacted the flight path of the aircraft, but this is currently unproven. The whole incident brings focus on the issue of what is called lateral movement – can someone with access to, for example, the inflight entertainment system of an aircraft use that toe-hold to reach further in to the network to do actual harm?
Once, aircraft control machinery was effectively offline, not connected to any outside networks. But, as we’ve seen in recent coverage (including the loss of Malaysian Airlines Flight 17) aircraft are much more inter-connected than they used to be. They connect to the outside world in several different ways, ranging from satellite-based networks for flight telemetry to networks used to provide Internet access from passenger seats. As these networks proliferate, they inevitably touch; and any touch point is something an attacker can use. The number of possible weak points multiplies over time.
The questions raised by this story are the current frontier of security, and apply well beyond aircraft. We rely more and more on networks that we cannot easily see or understand. Defects in one network can open up access to another. Attacks can work upwards like grass through cement, finding weak points and cracking hard defenses. What all defenders need to learn to do is to use technology to monitor technology. As our networks grow larger than we can understand, human effort and good will are not enough. This is why the current emphasis in security is on automated testing of defenses. We look for lateral movement opportunities, so we can isolate the truly critical things – say an aircraft’s control network – from the far less important, such as the inflight entertainment systems.
The watch-word for the SendGrid breach is “interdependence”. In the online world, we may think we’re dealing with one company, but we’re actually dealing with them and with every other company they choose to deal with. This makes an ever-widening attack surface. (The breaking news about the Chinese “Great Cannon” software shows similar patterns.) These days, if you visit a website, you can be confident you are actually talking to a huge variety of other organizations who may provide ads, services, traffic monitoring, or any other legitimate services. One recent study of a popular news site showed that reading a simple news story meant your browser spoke to 38 distinct hosts, spread across no less than 20 different organizational domains! The problem is that this array of services is very large, and a chain is only as strong as its weakest link. Attackers only need to find one weak point to start an attack.
I recently recorded an interview with KCBS, on Obama’s announcement of the Cyber Threat Intelligence Integration Center. I do believe this is good news, but I confess, I worry about the way all these proposals indicate how data will go in to the government, with very little said about how anything will ever come out. In the scope of a 5 minute live interview, there wasn’t a lot of time for that kind of subtlety!
The idea of the US and UK working together on war-games is a good one. It recognizes that we are in a war, and that we are losing. We need to improve our defensive game. Chris Inglis, the former NSA director, has commented that the state of security today massively favors the attacker – he suggests that if we kept score, it would be 462-456, just 20 minutes into the game, because our defense is so poor.
The continuous stream of announcements of new breaches, along with the UK stats indicating the vast majority of large companies are suffering serious breaches, adds up to clear evidence of weak defense. War games are a good way to get one step ahead, shifting to a proactive rather than purely reactive stance. Nation states can do this with teams of people, but this is too labor intensive and expensive for most organizations. This is why the security industry puts so much emphasis on automation – not just the automated discovery of weaknesses, but automating the critical process of prioritizing these vulnerabilities. The inconvenient truth is that most organizations know about far too many security gaps to be able to fix them all. War-gaming is a proven approach to dealing with this reality – find the gaps that are most likely to be used in a breach, and fix those first. Perfect security is not possible, but realistic security comes from understanding your defensive readiness, stack-ranking your risks, and acting on the most critical ones.
Unemployment is bad, so negative unemployment must be good, right? Um, no. (I’ll steal a line from Douglas Adams: “It’s unpleasantly like being drunk” … “What’s so unpleasant about being drunk?” … “Well, ask a glass of water.”) Security as an industry is short-staffed – critically so, and it’s getting worse.
This came into sharp focus with the recent suit between MasterCard and Nike. I’ve no comment on the specifics of the case, but the general lesson is clear: security geeks are in desperately short supply. When I think of where this industry was just a few years ago, it would have been preposterous to imagine two household name, world class companies unleashing lawyers over such a fracas.
This is why security automation is such a big deal. Security teams everywhere are drowning in unaddressed, basic problems. We know plenty about what we need to do, but we just can’t get it all done – there aren’t enough fingers on the keyboards. (Anyone remember “The 5,000 Fingers of Dr T”?) We need machines to prioritize all the signal overload; there’s no other way to make headway.
It’s unthinkable: hackers targeting that sacrosanct American institution, the sports team? The recent incident in which the Houston Astros’ internal trade discussion were hacked and posted on the Internet shows that, today, no target is off limits. Jeff Luhnow, GM for the Astros, was quite right when he said: 
“It’s a reflection of the age we living in. People are always trying to steal information” The main problem that encourages this kind of illegal activity is that it’s really relatively easy. Nobody thinks the hacker who stole the information from the Astros was heavily funded by a foreign government, or anything like that. Indeed, it’s quite possible the person or people involved had no more motivation than curiosity, and found it easy to get in. The challenge, of course, is that every business has secrets – how it approaches negotiation, or the pricelist for its upcoming products, or its next quarter of advertising plans. All that information is useful to others if it’s exposed. Many businesses like the Astros have treated IT security as a “high end” problem – something for banks, the military, or energy companies to worry about. But it’s just not possible to operate that way anymore – the risk of corporate embarrassment, or worse, is escalating. Attackers are finding our complex defenses are badly deployed, badly coordinated, and easy to walk through. All the attacker needs is persistence, and the search for a forgotten, unlocked “side door” onto the business can be largely automated. Defenders need to understand all the gaps, and how all the security defenses work together, even if their only target is “good enough” security. As the Astros have found, the standards of “good enough” are rising rapidly.
Google’s move to set up Project Zero is very welcome. The infrastructure on which we run our businesses and our lives is showing its fragile nature as each new, successful attack is disclosed. 
Unfortunately, we all share significant risks, not least because IT tends towards “monoculture”, with only a few major pieces of hardware and software being used most of the time. Organizations use the common equipment because it’s cheaper, because it’s better understood by staff, and because we all tend to do what we see our neighbors doing. These upsides come at a cost, though – it means attackers can find a single defect, and it can open thousands or even millions of doors, as we recently saw with Heartbleed. This situation isn’t likely to change soon, so it’s welcome news whenever there are more eyes on the problem, trying to find and disclose defects before attackers do.
Attacks proliferate rapidly – very rapidly, in a quite robust market for newly found, highly effective vulnerabilities. As they do so, it has become crystal clear that traditional passive, reactive methods of defense are insufficient. Google’s investment underscores the critical importance of proactive analysis of potential attack vectors. Any organization that is not developing a set of defenses from proactive analysis through reactive defenses is leaving the door open to attacks. Defenders need ways to automate – to pick up all the discoveries as they are found by the “good guys”, so they can assess their own risk and keep up with remediation. Recent incidents like Code Spaces and Target make clear that the health of enterprises and the careers of their executives are at stake; just expecting defenses to hold without some way to automate validation is not tenable. Hope is not a strategy.
I recently wrote about the necessity of getting the right data for security analytics. But I’m continuously reminded how typical organizations lack an even roughly complete understanding of their network, or even a map of it. I can understand why this happens – entropy is just as inevitable for organizations as it is in Physics. Records don’t just keep themselves – networks change, and ideally it’s all planned and well controlled, but in practice, emergencies happen, corners get rounded off, triage goes on, and perfect record keeping is lost. I know organizations who aim to have very strong processes, control, and accountability, and while I commend them for it, I find that if I look at their data, I still find enough gaps and unknowns to be a worry. Sure, the mature organizations do better – they don’t tend to have records in the moral equivalent of a shoe-box under the bed (but I see enough of those). But the records still don’t add up.
I think what worries me more are the organizations who know they have information gaps, but don’t treat them as a priority. I see this as driving a car while blindfolded. How is security possibly going to be effective if you can’t map out the infrastructure – the whole infrastructure, warts, labs, virtualization and all – and just look at it, let alone ask decent, proactive questions about how to defend yourself? Imagine physical security – for example, badge reader installation – without having a map of the building, or even a vague idea of the number of doors that need to be secured.
Of course, I’m preaching to the choir – anyone reading this blog probably already understands that this is important. I sometimes wonder if the real challenges are political, not technical or intellectual. When a security team can’t get the blueprints to the network, what exactly is going on? Is it overload? Is it lack of people to go hunt down what’s missing? Or is it the classic challenge of “nagging for a living”? Many security teams I meet don’t have direct access to the network assets that are critical to defensive posture. This means they have to ask, or beg, or cajole the NetOps team into providing data. The strength of that team-to-team relationship seems to be a really important issue. I’ve seen organizations vary hugely in speed and success with data analytics, depending on whether someone in Team Security has a buddy in Team Networking or not. Perhaps the worst cases I’ve seen involve outsourced IT and networking – then it can get to levels nothing short of passive-aggressive.
Got war stories? Advice? Rotten fruit? Comments welcome …