February 22

The Sky is Falling: Maintaining Optimism in the Face of Doomsayers

This week proved to be highly eventful for the security community. There have been major announcements and big revelations daily. This week saw the revelation of the biggest bank heist of all time. There was the announcement by Kaspersky about the “Equation Group,” thought to be the NSA's elite hacker group. There was even the discovery of some nasty malware that came pre-installed on consumer-grade Lenovo computers. These three announcements alone have been eye-opening for the security world, and there are two very distinct ways of looking at all of this news. Either we could throw up our hands in despair at the realization that, despite all of our hard work, there is no way to stop these major breaches. Or, as is hopefully the more common response, we could accept that we have a LOT of work to do and be grateful that there will be no shortage of job opportunities for the foreseeable future.

Personally, I am in the second camp, maintaining my optimism in the face of seemingly insurmountable odds. Despite the disheartening news and the seeming inadequacy of all the controls we work so hard to enact, there is more we can do. We have known for a long time that nothing is ever completely secure. We have known that no amount of education and awareness training will keep users from falling victim to social engineering attacks. More than all of that, we know, as security professionals, that a determined attacker will gain access to their target’s systems eventually if they try hard enough for long enough. This is not new information, though the number of breaches being reported can seem overwhelming. For my part, I will continue to persevere in my attempts to keep my employers and my clients from being the next to experience a major breach. With that in mind, I would like to briefly analyze some of the big stories of the week and discuss ways we can mitigate them.

First, the biggest bank heist of all time was announced this week by Kaspersky. A multitude of articles have been written about it, and a lot of analysis has been done as well. One of the better assessments, as usual, was published by Brian Krebs. He compared the breach to the notion of bleeding to death from a thousand cuts. That is a perfect analogy. These attackers strayed from the brash “hit and run” techniques that many of the organized-crime-related hackers based in Russia have been using for years. They slowly and quietly infiltrated hundreds of banks. After gaining access, they did not just steal a large sum of money and run. Instead, they waited and watched until they understood the day-to-day activities and transactions. Once they understood these rhythms, they made relatively small and unobtrusive money transfers that did not set off fraud alerts. Their success with this strategy netted them somewhere around $10 million from hundreds of banks around the world. This entire process started with phishing emails. We as security professionals need to figure out new methods to detect this type of activity, which gives us plenty of work to do in the near future.
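As an added example (not from the original post or from Kaspersky's report), here is one defensive approach to the pattern described above: transfers that each stay under a single-transaction fraud limit are caught only when an account's daily outflow is compared against its own learned rhythm, here with a one-sided CUSUM. The transaction log, the account id, the 5000 per-transfer limit and the 30-day baseline are all constructed assumptions.

```python
"""Detecting a low-and-slow skim that stays under per-transaction fraud limits:
a one-sided CUSUM over each account's daily outflow. Sample data is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

PER_TXN_LIMIT = 5000.0   # hypothetical single-transfer fraud-alert threshold
BASELINE_DAYS = 30       # normal days used to learn the account's rhythm

def _split(total, chunk=4500.0):
    """Break a daily total into legitimate transfers, each under the limit."""
    parts = [chunk] * int(total // chunk)
    return parts + ([total % chunk] if total % chunk else [])

def build_sample_txns():
    """Constructed log: 30 normal days, then 10 days that each carry one extra
    3000 transfer, i.e. below PER_TXN_LIMIT, mimicking the 'small and unobtrusive' pattern."""
    pattern = [18000.0, 21000.0, 19500.0, 22000.0, 20000.0, 19500.0]
    txns = []
    for day in range(1, 41):
        txns += [("ACCT-001", day, a) for a in _split(pattern[(day - 1) % 6])]
        if day > BASELINE_DAYS:
            txns.append(("ACCT-001", day, 3000.0))   # attacker's skim
    return txns

def per_transaction_alerts(txns, limit=PER_TXN_LIMIT):
    """The classic control: flag any single transfer above the limit."""
    return [t for t in txns if t[2] > limit]

def daily_totals(txns):
    """Aggregate outflow per (account, day)."""
    totals = defaultdict(float)
    for acct, day, amt in txns:
        totals[(acct, day)] += amt
    return totals

def cusum_first_alert(txns, acct, baseline_days=BASELINE_DAYS, k=0.5, h=4.0):
    """One-sided CUSUM on standardised daily totals; first alerting day or None."""
    totals = daily_totals(txns)
    days = sorted(d for a, d in totals if a == acct)
    base = [totals[(acct, d)] for d in days if d <= baseline_days]
    mu, sigma = mean(base), pstdev(base)
    s = 0.0
    for d in days:
        if d <= baseline_days:
            continue
        z = (totals[(acct, d)] - mu) / sigma
        s = max(0.0, s + z - k)      # accumulate only upward deviations
        if s > h:
            return d
    return None
```

On the constructed data the per-transaction check never fires, while the CUSUM raises an alert on the third day of the skim.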

Secondly, and possibly more disturbing, have been the revelations regarding the “Equation Group.” This group of highly sophisticated hackers has been able to successfully infiltrate any target. It is thought that they are actually one of the elite teams that are part of the NSA. This seems likely, as many of the tactics linked to them are very advanced and would likely have required substantial resources only available as part of a state-sponsored program. It is also clear from the report that the activities reported are not very new; many occurred in the last five years. What we know about are the old techniques. The latest and best tactics are surely still hidden well from everyone. The only redeeming portion of this information is that all of these attacks were highly targeted and not likely to spread beyond their targets. Also, this revelation has provided interesting new techniques for researchers and penetration testers to begin testing and employing.

The last announcement, the malware pre-installed on Lenovo computers, is not terribly surprising. It has been known for quite some time that many “free” software packages and low-cost computers come jammed with junkware. It was only a matter of time until some of that junk crossed the line to full-force malware. We as a community need to take advantage of this news and use it as a learning opportunity. The public needs to be made aware of these dangers, and security companies have an opportunity to begin releasing software that will clean out all of the junk from new systems. Lenovo is not the only company to fill their computers with advertising to save money. They are simply the first one that let a piece of malware get included (that we are currently aware of).

So, despite the litany of bad news that has come pouring out lately, we are not out of luck. We need to keep our heads up and remember why we got into the field to begin with. There will always be big breaches. There will always be scary news. This is not an invitation to start wringing our hands and beating our breasts. If security were simple and static, we would all be out of work tomorrow. It is the dynamism of the field, its constant surprises and unlikely quicksand paths, that keeps our work interesting and challenging. Rather than bewail our failures, we must use them as opportunities to expand our knowledge and sharpen our creative abilities. The sky is not falling, Chicken Little. It will all be okay.

Copyright © 2014. John R. Nye, All rights reserved.

Posted February 22, 2015 by john.r.nye@gmail.com in category "Uncategorized"

About the Author

Professional penetration tester with nearly a decade of experience in IT security. For more details look me up on LinkedIn.


  1. By Robert Steele on

    A good article, John. I have tagged your feed for email notification so I don’t miss them.

  2. Pingback: Do Your Job, or the World Will End in Flames | EndisNye Security Blog
