Let's talk cybersecurity

malchior
Posts: 24794
Joined: Wed Oct 13, 2004 12:58 pm

Let's talk cybersecurity

Post by malchior »

I just sat through an internal webinar with a top former leader in the US Government. I can't remember hearing any briefing that was as dire in such a candid way since I heard Louis Freeh talk about the terror threat in the early 2000s. However, this one was different as the outlook and call to act is far less clear and likely to be effective.

His judgement seemed to be that the US government will not lead because we've been handcuffed by years of inconsistency in national cybersecurity policy. It's essentially the governance problem that is eating the US elsewhere but the impacts the public have seen are the Solarwinds hack, the Colonial Pipeline incident, etc. He said he expects years of this while the private sector is forced to step up and protect itself.

That being said, he did say that the Biden administration made good selections on appointments. The person selected as the National Cyber Director - Chris Inglis - acknowledged openly that he is facing an uphill battle because steadfast policy is difficult and never seems to solidify. Also the CISA pick is supposedly strong and she will follow Chris Krebs, who was competent even as he lacked a cybersecurity background.
Grifman
Posts: 21196
Joined: Wed Oct 13, 2004 7:17 pm

Re: Let's talk cybersecurity

Post by Grifman »

I think part of the problem is that an effective defense is very expensive and very difficult. It's like missile defense against nuclear weapons - even if you shoot most of the missiles down, if just a few get through, you have terrible losses. Software is written by humans and seems to always have flaws, and even then, you have phishing emails, which only need one employee to open and then boom, you're in. Protection is just very, very difficult - if it was easy, we would have handled it by now.
Tolerance is the virtue of the man without convictions. – G.K. Chesterton
malchior
Posts: 24794
Joined: Wed Oct 13, 2004 12:58 pm

Re: Let's talk cybersecurity

Post by malchior »

Likening it to missile defense is a reasonable comparison. The difference is the payload doesn't explode on contact. Instead it is more like a bomb lands with a timer counting down. It's a little random but generally you have time to act. Most successful cybersecurity attacks take place over days, weeks or months. If you have an effective Detect & Respond capability you can generally knock them down after they breach the walls but before they do actual harm. The problem is our defenders are sometimes blind to their risks, have disorganized defenses, and are getting confusing direction from the government.

The Solarwinds attack is a great example. That is pointed at to say that 'zero day' attacks happen and you can't defend them. That wasn't the risk. Instead, Solarwinds wasn't adequately in control and monitoring their control of their landscape. They didn't detect an intrusion. They didn't have adequate controls to make sure code wasn't modified. They went the full worst case and were told about the issue when customers noticed problems.

What that implies is that you have to challenge your vendors to prove they are adequately defending themselves. In effect, we need to establish systems of accountability knitting everything together. We're starting to see companies do this now. They are challenging their vendors to prove they have control over their environments.

The real killer problem is one of latency. Defenders could have an advantage but they need successful attacks to spur investment from their boards/senior management. And then they need to spool up the capability which takes time. If the government had defined a solid policy, put out a framework that was more 'real' and communicated the risk to leaders in the business world we might start to move in the right direction. Until then the adversary is going to keep beating us.
Formix
Posts: 639
Joined: Wed Jun 29, 2005 6:48 am

Re: Let's talk cybersecurity

Post by Formix »

It's hard because the defense needs to be perfect, and the offense only needs to find one fault. One employee who makes one mistake is a very high bar to protect against. I'm too embarrassed to say what the percentages were at my organization of people who fell for our phishing test.
malchior
Posts: 24794
Joined: Wed Oct 13, 2004 12:58 pm

Re: Let's talk cybersecurity

Post by malchior »

Formix wrote: Thu May 13, 2021 4:36 am It's hard because the defense needs to be perfect, and the offense only needs to find one fault. One employee who makes one mistake is a very high bar to protect against. I'm too embarrassed to say what the percentages were at my organization of people who fell for our phishing test.
It doesn't need to be perfect. More importantly we can't and shouldn't try to eliminate all risk. It's too expensive and restricts business flows too much. This is probably the number one misconception that the cybersecurity world needs to address. Back to the one person who clicks, this is something we now plan for. We try to minimize it through education but we defend it by having layers of the right preventative and technical controls to help mitigate that risk. As a comparison, in the physical world we have locks on the outer door but that doesn't mean someone won't be tricked into propping it open or leaving it unlocked. There could be locked filing cabinets, cameras, and other alarms in the building to provide more protection and give time for the intruder to be seen and stopped.

Here is the clicks example to show some common ways that we could block the vast majority of risks. Let's presume a person clicks and a malicious web site downloads an office macro. One way to limit the damage is not to allow office macros to run on corporate assets. Maybe the download is from a web site that is known to be bad. That domain might be on a proxy filter list. Or perhaps it tries to download an executable. That executable does something unusual and an Endpoint Detect and Respond tool like Carbon Black or CrowdStrike Falcon picks up the behaviors. If behavioral or binary patterns in that malware have been seen before it might be stamped out like the machine has been vaccinated. Ultimately all these security events are logged, analyzed, and generate alerts to security personnel to investigate. In the ideal case just to keep tabs on the control and make sure it is working right, but respond if they don't or can't prevent the attack.

And importantly that first step of getting into the network is early in the typical attack chain. There is typically lots of follow on activity to pull off a ransomware attack, data steals, etc. They don't happen instantly the moment someone clicks. They usually lag by days, weeks, and months. In a well defended network that gives the security organization the time to see the unusual activity and respond before the attack does much damage.
Pyperkub
Posts: 23583
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: Let's talk cybersecurity

Post by Pyperkub »

malchior wrote: Thu May 13, 2021 7:44 am
Formix wrote: Thu May 13, 2021 4:36 am It's hard because the defense needs to be perfect, and the offense only needs to find one fault. One employee who makes one mistake is a very high bar to protect against. I'm too embarrassed to say what the percentages were at my organization of people who fell for our phishing test.
It doesn't need to be perfect. More importantly we can't and shouldn't try to eliminate all risk. It's too expensive and restricts business flows too much. This is probably the number one misconception that the cybersecurity world needs to address. Back to the one person who clicks, this is something we now plan for. We try to minimize it through education but we defend it by having layers of the right preventative and technical controls to help mitigate that risk. As a comparison, in the physical world we have locks on the outer door but that doesn't mean someone won't be tricked into propping it open or leaving it unlocked. There could be locked filing cabinets, cameras, and other alarms in the building to provide more protection and give time for the intruder to be seen and stopped.

Here is the clicks example to show some common ways that we could block the vast majority of risks. Let's presume a person clicks and a malicious web site downloads an office macro. One way to limit the damage is not to allow office macros to run on corporate assets. Maybe the download is from a web site that is known to be bad. That domain might be on a proxy filter list. Or perhaps it tries to download an executable. That executable does something unusual and an Endpoint Detect and Respond tool like Carbon Black or CrowdStrike Falcon picks up the behaviors. If behavioral or binary patterns in that malware have been seen before it might be stamped out like the machine has been vaccinated. Ultimately all these security events are logged, analyzed, and generate alerts to security personnel to investigate. In the ideal case just to keep tabs on the control and make sure it is working right, but respond if they don't or can't prevent the attack.

And importantly that first step of getting into the network is early in the typical attack chain. There is typically lots of follow on activity to pull off a ransomware attack, data steals, etc. They don't happen instantly the moment someone clicks. They usually lag by days, weeks, and months. In a well defended network that gives the security organization the time to see the unusual activity and respond before the attack does much damage.
The issue with that risk mitigation is that it mostly can't completely address the zero-day issues and the always evolving methods of attack and burrowing in undetected. The attacks are constantly evolving and it's like playing missile defense against a pandemic.
Black Lives definitely Matter Lorini!

Also: There are three ways to not tell the truth: lies, damned lies, and statistics.
malchior
Posts: 24794
Joined: Wed Oct 13, 2004 12:58 pm

Re: Let's talk cybersecurity

Post by malchior »

Pyperkub wrote: Thu May 13, 2021 11:30 am The issue with that risk mitigation is that it mostly can't completely address the zero-day issues and the always evolving methods of attack and burrowing in undetected. The attacks are constantly evolving and it's like playing missile defense against a pandemic.
Right. I'll stress again there is no zero risk situation. I disagree strongly that risk mitigation is an issue. It is the *entire game*. You can't stop all risk. If someone thinks cybersecurity failed because a machine got infected then we are setting impossible goals. It is like the police stopping all crime or in a pandemic example saying well people get sick and throw up your hands.

I'll pick up on the zero day. I mentioned it earlier - they can be a problem. However, most of the big incidents with zero days that we've seen - Pfizer, Maersk, etc. were because they had insufficient depth of defense. The infection got in and blew through the entire flat network. At Pfizer, the manufacturing floor was essentially one firewall from the Internet. There was no protection of endpoints, segmentation of networks, comprehensive access control, monitoring was insufficient, etc.

Anyway, again the goal isn't to stop everything. But you need to adequately protect the critical systems, slow attackers down to give your team time to respond, and generally lower your risk. It works. Nearly every headline you see had major gaps in their defense. It is pretty much what I do every day and business is so good for us. And that comes down to many companies don't do even the basics.
Pyperkub
Posts: 23583
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: Let's talk cybersecurity

Post by Pyperkub »

malchior wrote: Thu May 13, 2021 11:44 am
Pyperkub wrote: Thu May 13, 2021 11:30 am The issue with that risk mitigation is that it mostly can't completely address the zero-day issues and the always evolving methods of attack and burrowing in undetected. The attacks are constantly evolving and it's like playing missile defense against a pandemic.
Right. I'll stress again there is no zero risk situation. I disagree strongly that risk mitigation is an issue. It is the *entire game*. You can't stop all risk. If someone thinks cybersecurity failed because a machine got infected then we are setting impossible goals. It is like the police stopping all crime or in a pandemic example saying well people get sick and throw up your hands.

I'll pick up on the zero day. I mentioned it earlier - they can be a problem. However, most of the big incidents with zero days that we've seen - Pfizer, Maersk, etc. were because they had insufficient depth of defense. The infection got in and blew through the entire flat network. At Pfizer, the manufacturing floor was essentially one firewall from the Internet. There was no protection of endpoints, segmentation of networks, comprehensive access control, monitoring was insufficient, etc.

Anyway, again the goal isn't to stop everything. But you need to adequately protect the critical systems, slow attackers down to give your team time to respond, and generally lower your risk. It works. Nearly every headline you see had major gaps in their defense. It is pretty much what I do every day and business is so good for us. And that comes down to many companies don't do even the basics.
Yeah, but it's also that there is so much to keep on top of - e.g. it appears as if the Colonial Pipeline attackers got in because Exchange wasn't patched. However, SolarWinds *wasn't* patched until after the attack was known and already widespread.

There is also the issue of, say, the NSA discovering zero-days, and using them rather than working to harden defenses against them.

At some point defense is going to be very, very AI driven - but that will also add another attack vector against the AI algorithms. Pay no attention to that man behind the curtain...
malchior
Posts: 24794
Joined: Wed Oct 13, 2004 12:58 pm

Re: Let's talk cybersecurity

Post by malchior »

Pyperkub wrote: Thu May 13, 2021 11:55 am Yeah, but it's also that there is so much to keep on top of - e.g. it appears as if the Colonial Pipeline attackers got in because Exchange wasn't patched. However, SolarWinds *wasn't* patched until after the attack was known and already widespread.

There is also the issue of, say, the NSA discovering zero-days, and using them rather than working to harden defenses against them.

At some point defense is going to be very, very AI driven - but that will also add another attack vector against the AI algorithms. Pay no attention to that man behind the curtain...
This is still tunneled on point failures. Even if there are a lot of these vulnerabilities, what I'm going to keep saying over and over is that is missing the picture. Everyone needs defense in depth. It comes down to preparedness, visibility, and ability to respond. There will be holes. How you detect and respond to them is *way* more important.

In this situation, Exchange wasn't patched. First observation was that was a well known, well communicated emergency patch. Their VM program likely is nonexistent or has major gaps. They should have done that 2 months ago. Still even then there should have been layers of defense to penetrate. This company almost certainly didn't have it. If they aren't applying emergency patches to Internet facing critical services then they probably have a piss poor or nonexistent security program. It isn't surprising. These companies don't value IT cost centers until they get hacked. And everyone somehow still thinks they won't get hacked. It's keeping me in a job with endless work but I worry that we're open to a big attack that'll do real damage.

Anyway, we'll have to wait on the report but I've seen this rodeo dozens of times personally. I would bet that the Exchange attack was days or weeks before the ransomware was delivered. The attackers have to rummage around and find the data they want to steal, evaluate what is good and what isn't, and executing the ransom note is well down the line. Let's even give them the benefit of the doubt and say they got hit in January or earlier and patching didn't matter. That'd still imply that the attackers were in the shadows for months. Which isn't atypical but meanwhile if you have a proper program with the right detective controls and monitoring they would have seen something out of the norm. It might be accounts logging in at weird times, privilege elevation indicators, pass the hash indicators, etc. Every attack I've personally seen should have been caught with a relatively low tech net - no need for AI at all. The real case for AI IMO is low level task automation. For example, opening tickets, correlating data, etc. And we need those because we can't hire enough professionals as is.
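As an added illustration, not code from any post in this thread, of the "relatively low tech net" described above: a Python pass over constructed Windows-style logon events that flags the three indicator classes named (logons at odd hours, privilege elevation, and NTLM logons from an account that otherwise authenticates with Kerberos, a common pass-the-hash indicator) and escalates when several indicators cluster on one account. Event IDs 4624 and 4672 are the real Security log IDs; the field layout, sample values, business-hours window and thresholds are assumptions made for the demo.

```python
"""Toy detective-control pass over constructed authentication events.

Flags off-hours logons, special-privilege assignment (4672) and NTLM logons
for accounts whose history is Kerberos-only, then escalates accounts that
show two or more distinct indicators inside a short window.
Event IDs 4624/4672 are real Windows Security log IDs; the key=value layout,
sample data, hours window and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events. The last three lines model the pattern the
# thread describes: an odd-hours NTLM network logon followed by elevation.
SAMPLE_EVENTS = """\
2021-04-12T09:02:11 id=4624 user=jdoe host=WS-101 type=2 auth=Kerberos
2021-04-12T09:15:40 id=4624 user=jdoe host=FS-01 type=3 auth=Kerberos
2021-04-13T08:55:03 id=4624 user=jdoe host=WS-101 type=2 auth=Kerberos
2021-04-13T10:30:00 id=4624 user=jdoe host=FS-01 type=3 auth=Kerberos
2021-04-14T03:12:47 id=4624 user=jdoe host=FS-01 type=3 auth=NTLM
2021-04-14T03:13:02 id=4672 user=jdoe host=DC-01
2021-04-14T09:01:10 id=4624 user=asmith host=WS-102 type=2 auth=Kerberos
"""

BUSINESS_HOURS = range(7, 20)  # assumed baseline: 07:00 to 19:59


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_events(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def detect(events, min_history=2):
    """Return (timestamp, user, reason) findings, processing events in order.

    The Kerberos/NTLM baseline is learned from each account's earlier events,
    so the first NTLM logon after at least `min_history` Kerberos logons and
    no prior NTLM use is treated as out of the norm for that account.
    """
    findings = []
    auth_history = defaultdict(lambda: defaultdict(int))  # user -> pkg -> n
    for e in sorted(events, key=lambda x: x["ts"]):
        user = e["user"]
        if e["id"] == "4624":
            if e["ts"].hour not in BUSINESS_HOURS:
                findings.append((e["ts"], user, "off-hours logon"))
            hist = auth_history[user]
            if (e["auth"] == "NTLM" and hist["NTLM"] == 0
                    and hist["Kerberos"] >= min_history):
                findings.append(
                    (e["ts"], user, "NTLM logon for Kerberos-only account"))
            hist[e["auth"]] += 1
        elif e["id"] == "4672":
            findings.append((e["ts"], user, "special privileges assigned"))
    return findings


def escalate(findings, window_minutes=30):
    """Map user -> sorted indicator types when 2+ distinct ones cluster."""
    by_user = defaultdict(list)
    for ts, user, reason in findings:
        by_user[user].append((ts, reason))
    alerts = {}
    for user, items in by_user.items():
        items.sort()
        for ts, _ in items:
            window = {r for t, r in items
                      if 0 <= (t - ts).total_seconds() <= window_minutes * 60}
            if len(window) >= 2:
                alerts[user] = sorted(window)
                break
    return alerts


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for ts, user, reason in found:
        print(ts, user, reason)
    print("escalated:", escalate(found))
```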
gbasden
Posts: 7664
Joined: Wed Oct 13, 2004 1:57 am
Location: Sacramento, CA

Re: Let's talk cybersecurity

Post by gbasden »

malchior wrote: Thu May 13, 2021 11:44 am Anyway, again the goal isn't to stop everything. But you need to adequately protect the critical systems, slow attackers down to give your team time to respond, and generally lower your risk. It works. Nearly every headline you see had major gaps in their defense. It is pretty much what I do every day and business is so good for us. And that comes down to many companies don't do even the basics.
You are absolutely correct. The breaches I've had to deal with are because the defense was so rudimentary. A multi-layer risk mitigation strategy with an alert security group can deal with most threats without loss to the organization.
Isgrimnur
Posts: 82085
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: Let's talk cybersecurity

Post by Isgrimnur »

It's almost as if people are the problem.
malchior
Posts: 24794
Joined: Wed Oct 13, 2004 12:58 pm

Re: Let's talk cybersecurity

Post by malchior »

This is what I was talking about.

SolarWinds network compromised much earlier than first thought. Proper monitoring and risk management may have stopped one of the biggest hacks we saw last year.
SolarWinds saw signs of hackers invading their networks as early as January of 2019, about eight months earlier than the previously publicly disclosed timeline for the sweeping cyber-espionage campaign, and nearly two years before anyone discovered the breach.

SolarWinds CEO Sudhakar Ramakrishna said in an appearance at the 2021 RSA Conference that while the federal contractor had once estimated the hackers’ first suspicious activity at around September or October of 2019, the company has “recently” learned that the attackers may have in fact “been in our environment” much earlier.

“As we look back, they were doing very early [reconnaissance] activities in January of 2019,” he said.

Ramakrishna’s revelation provides a deeper understanding yet of the stealthy nature of what U.S. government officials and cybersecurity firms have labeled an incredibly sophisticated attack, even by the standards of the alleged Russian government-connected hackers behind the effort. By leveraging seemingly trustworthy updates of SolarWinds Orion software, the culprits were able to breach nine government agencies and many more private sector companies.
NickAragua
Posts: 6100
Joined: Mon Feb 23, 2009 5:20 pm
Location: Boston, MA

Re: Let's talk cybersecurity

Post by NickAragua »

Now, here's a "positive" thought. If the US defensive cybersecurity state is pretty bad, imagine how horrible it is on the bad guys' end (Russia, China, etc).

Illustrated by stories like this: https://www.thedrive.com/news/38897/ado ... stores-ops.

Basically, instead of replacing or upgrading their timetable software, which ran on Adobe Flash, the guys running the railroad switchboard installed a bootleg older version of flash to keep things going once the non-bootleg version disabled itself. And this was an event that was talked about for several years, so these guys had years to replace their software. Now imagine that instead of a railroad timetable somewhere in the backwoods of China and a software update telegraphed three years in advance, there's an active attacker looking to do serious damage to more critical infrastructure.

Also, see those uranium enrichment centrifuges over in Iran that keep getting blown up by software sabotage carried out by unidentified *coughIsraelicough* attackers. Presumably after two or three incidents causing major damage, they'd have hardened their systems a little bit, but here we are.
Black Lives Matter
Smoove_B
Posts: 54567
Joined: Wed Oct 13, 2004 12:58 am
Location: Kaer Morhen

Re: Let's talk cybersecurity

Post by Smoove_B »

Is this a cybersecurity topic? :lol:


Mo Brooks, who sits on the Science, Space, and Technology Committee, just posted a photo with his gmail password taped to the bottom of his screen. I seem to remember email security being a pretty defining topic for the GOP.
Maybe next year, maybe no go
malchior
Posts: 24794
Joined: Wed Oct 13, 2004 12:58 pm

Re: Let's talk cybersecurity

Post by malchior »

:doh:
malchior
Posts: 24794
Joined: Wed Oct 13, 2004 12:58 pm

Re: Let's talk cybersecurity

Post by malchior »

Washington Post
Expansive new cyber reporting requirements now appear dead in Congress.

Congress has cut requirements for companies to share cyber threat information with the government from its must-pass defense bill, which passed the House last night and is expected to pass the Senate shortly.

The failure of such a popular and bipartisan effort – which would have marked the largest expansion of government involvement in private-sector cybersecurity in years – raises questions about whether Congress is up to the task of responding to a wave of ransomware and other attacks that have battered industry in recent years.

It would have required companies in critical industry sectors such as energy and transportation to alert the Cybersecurity and Infrastructure Security Agency whenever they’re hacked or hit with other significant cyber incidents.
It would have required disclosures from a far broader group of companies if they paid ransoms to hackers.
But the measure also looked meager given the hacking threats facing industry.

More than 90 percent of cyber experts and current and former officials supported the changes in a recent Cybersecurity 202 poll. The government has already imposed far more stringent cyber requirements on several key industry sectors in just the past few months.

“This result is beyond disappointing and undermines national security,” said House Homeland Security Chairman Bennie G. Thompson (D-Miss.) and Rep. Yvette Clarke (D-N.Y.), chair of the committee’s cyber panel and a sponsor of the House version of the bill.
I was a bit shocked. It looked even as of a couple of days ago that this was shoo-in for critical infrastructure. At this point I'd compare our national response to constant cybersecurity threats as just as uncoordinated as the COVID response. It is leaving us at risk of dire consequences nationally. Apropos of the "season" we are risking a cyber Pearl Harbor.
stessier
Posts: 29816
Joined: Tue Dec 21, 2004 12:30 pm
Location: SC

Re: Let's talk cybersecurity

Post by stessier »

A twitter thread.

I require a reminder as to why raining arcane destruction is not an appropriate response to all of life's indignities. - Vaarsuvius
Global Steam Wishmaslist Tracking
Running____2014: 1300.55 miles____2015: 2036.13 miles____2016: 1012.75 miles____2017: 1105.82 miles____2018: 1318.91 miles__2019: 2000.00 miles
Pyperkub
Posts: 23583
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: Let's talk cybersecurity

Post by Pyperkub »

stessier wrote: Mon Feb 07, 2022 2:57 pm A twitter thread.

The best part:
Max Peck
Posts: 13682
Joined: Fri Aug 05, 2005 8:09 pm
Location: Down the Rabbit-Hole

Re: Let's talk cybersecurity

Post by Max Peck »

FCC puts Kaspersky on security threat list, says it poses "unacceptable risk"
The Federal Communications Commission on Friday determined that security products from Kaspersky posed an unacceptable risk to US national security and added the company to a covered list of other firms not eligible for FCC funds.

The move adds Kaspersky to the same covered list that Huawei and ZTE landed on in 2021. Besides its Moscow headquarters, the company’s founder, Eugene Kaspersky, attended a KGB-sponsored technical college and has long been accused of having ties to Russian military and intelligence services.

Kaspersky, which was already banned from all US government networks, was one of three firms added to the covered list on Friday. China Mobile and China Telecom were the other two.

“I am pleased that our national security agencies agreed with my assessment that China Mobile and China Telecom appeared to meet the threshold necessary to add these entities to our list,” FCC Commissioner Brendan Carr said. “Their addition, as well as Kaspersky Labs, will help secure our networks from threats posed by Chinese and Russian state backed entities seeking to engage in espionage and otherwise harm America’s interests.”

In a statement, Kaspersky officials wrote: “Kaspersky is disappointed with the decision by the Federal Communications Commission to prohibit certain telecommunications-related federal subsidies from being used to purchase Kaspersky products and services. This decision is not based on any technical assessment of Kaspersky products – that the company continuously advocates for – but instead is being made on political grounds.”

Ten days ago, Germany's Federal Office for Information Security warned companies not to use Kaspersky products. Officials hinted that the company could be coerced into assisting Russian intelligence services.
"What? What? What?" -- The 14th Doctor

It's not enough to be a good player... you also have to play well. -- Siegbert Tarrasch