Cyber Security: The Sky is Falling

Friday, February 24, 2012

J. Oquendo


Cyberthreats are real, they're active and I believe just now they compromised my keyboard in hopes of engaging me into game of Cybergeddon Pearl Harbor.

I say this because it is obvious, the news agencies are telling me so. Not only did they tell me so, but so too did many policy makers who know as much about computers as my newborn puppy Kenji. Recently, the hot topic is: "Anonymous Will Take Over The Internet" [1] (no this is not a typo).

With an even more laughable comment: "NSA director Gen. Keith Alexander issued his warning in private government meetings, and Anonymous hasn’t yet been added to any public threat list." The comment is not only funny, but it can be misconstrued. Funny: "We haven't added them to any list yet"... Really? Who are you planning on adding? An individual, a Guy Fawkes mask?

Misconstrued: "You know enough about the individuals involved but haven't determined whether to arrest them?", or “you haven’t determined how you want to classify them? Non-enemy combatant, terrorist, i-Terrorist?”

We have calls for "Cyber Peace Keepers" [2], talks about "Cyber Grenades" [3], "Cyber Arms Race" [4], and so forth. It would seem that as long as an article has a wordcount of at least 200, the word "cyber" will be used no less than 50 times. Therefore, it MUST be true, and it MUST be worthwhile reading.

Enter the "Cyber Military Industrial Complex 101" expose you are now reading.

Common sense dictates that there is money to be made in “cyberlandia.” A lot of money and someone is going to make it. They will make it by using any boogeyman available. Cyber is definitely the new Gold Rush, however much of what is being portrayed to and by the media is blown out of proportion and unrealistic.

Let us take a look at Anonymous. The news theory goes (not my words): "Anonymous will take over a power plant, cut power..." chaos ensues and so forth. The reality is that our current infrastructure has been attacked millions of times since the inception of the Internet and, in fact, there are plenty of hardcore competent security individuals actively scoping out vulnerabilities in this sector.

For example, the talented crew over at Immunity and researchers at Gleg offer existing SCADA exploits [4]. The world did not come to a halting stop because they have done so. No visible hackers are going on a global scale and shutting down each others’ electrical, water or gas infrastructures.

Unless there are gaping holes in the existing infrastructure, I do not foresee Anonymous doing much to attack it either. You see from the security perspective, Anonymous has yet to come out with vulnerabilities and or vulnerability research.

Anonymous has seemed to thrive on finding existing holes and social engineering. The vast majority of those holes have been SQL related from what I have read. They have exploited common human error or stupidity depending on your point of view.

Now, I hate to sound harsh but: “there is no patch or fix for stupidity.” Proper training in common security objectives; password re-use, proper policy, log monitoring and existing security technologies can keep hackers like Anonymous at bay. There is nothing that the group has done that I have read about to make me say “wow.”

This is not to say that they are low level hackers, on the contrary, they were smart enough to beat many so called security professionals.

I believe that any “security” downfall will come via way of the herding instinct where in the security industry, is rampant. An electrical or nuclear facility being compromised won’t likely come via way of a “zero-day” or "technical" exploit, but it will likely come via way of human error. Someone would have re-used their password, an engineer would have likely placed a critical machine in the wrong network.

This ultimately means that I anticipate either sheer stupidity – or lack of oversight (your choice) – or a client side attack will cause an event. I will not get into client side attacks for those who don't understand it (please Google the term client side attack).

So how do we a) Stop the attack and b) Stop the Fear-mongerers from continuously bombarding us with fictitious tales of  “a bored hacker is (obviously) going to be mad enough and one day take over an Airplane, force it to crash and burn, while taking over a nuclear facility and blacking out the west coast.” Stop the attack – stop following the crowd.

Many documents regarding security defenses have been written, re-hashed, re-written, developed, deployed, tested, vetted and so forth. Many of these fail miserably. They fail not because an author didn’t understand security, but because the individual implementing it either had little clue, was only dealing with security measures to cross their T's and dot his I's. Security, wasn’t understood.

Individuals in an environment where interconnections between machines, and information technologies are a daily task need better training and awareness. Unlike the 80's and 90's where if a machine sprouted up on a network, it was given an address and fed to the sharks (anything on the network), today’s networks and interconnections need to be thought out thoroughly. Not only to keep them from the sharks in the ocean, but any threats within an organization.

The threat can be something as benign as an operating system update - as that too has the potential to cause the same type of damage as an attacker. Segregation of not only duties, but networks and machines need to be performed as well. Stop the fear-mongering – The Cyber Military Industrial Complex.

Individuals in security companies need to stop with their nonsensical games of FUD based marketing. Far too often, many are making outrageous claims and always have an agenda. That agenda is to sell security products:

“Look at the Whitepaper we’ve created, we have an uber-hyper staged attack that will scare you into submission. The attack? So far-fetched that you’d have a better chance at hitting the lottery than pulling this off. But hey! If we can think it, so can an attacker, therefore give us your cash and we’ll protect you!”

The reality is that many of these same companies offered and are offering you the same technology time and time again. The same technology that they swore would protect you long ago. First it was the firewall, then it was Intrusion Detection, followed by Intrusion Prevention. Now it is “Intrusion Tolerance” and Data Loss Prevention.

For all the technology they’re feeding you, companies are still getting compromised. It is not the technology that is the failure, it is the people and it is the implementation of these technologies. It is the lack of understanding of one’s own network.

When will security “evangelists” stop thinking of “unique” titles to add to their names and start focusing back on the core fundamentals of security? It is not that difficult as many security professionals would have you believe it to be.

Security isn’t a product, it isn’t a certification. Security is a procedure, it is a process, it involves thinking. Perhaps therein lies the problem, NIST has not created NIST1337 “A Critical Guide to Common Sense in the Security Industry”.

Possibly Related Articles:
Information Security
SCADA Vulnerabilities terrorism Cyber Security Attacks Network Security Infrastructure Anonymous Hacktivist hackers FUD vendors J. Oquendo
Post Rating I Like this!
Krypt3ia "Bravo" says the guy who posted the "Anonymous is an existential threat and full of malice toward America" post? Holy shit Robin, take your meds and get on an even keel.

Jay, you and I should talk soon. Pop up on Twitter.
Eric Cissorsky "Security isn’t a product, it isn’t a certification. Security is a procedure, it is a process, it involves thinking." - Amen!
Mikel Gore A lot of the problems in security are as systemic as they are about user error. It takes a series of failures to allow nearly any major disaster. With every system brought to production there is a series of give and take decisions made as to usability and ease of use. Most of the time ease of use has executive backing while acceptable loss rules the day concerning security. There is also little consideration given to the security of a new technology as it races to market. If this weren't the case we wouldn't need to redesign just about everything after it hits the market and gets picked apart once it becomes highly accepted.
J L "Security isn’t a product, it isn’t a certification. Security is a procedure, it is a process, it involves thinking."

I agree 100%. Intellectual laziness and thinking aren't compatible.
Lucian Andrei "Security isn’t a product, it isn’t a certification. Security is a procedure, it is a process, it involves thinking."

I 100% agree with you. There is another problem: in order to think security you must study it, day after day.

If you passed CISSP or CISA 10 years ago, and read only Forrester and sellers brochures in the meantime, you are not capable of thinking security. Maybe if you do only security engineering will work, but if you are a manager, architect, analyst... you must keep the pace with the enemy.
Ian Tibble "keeping pace with the enemy" is a valid point although I won't go into talk of CISSP etc because it tends to evoke quite emotional responses.
The best way to know the enemy from existing media sources is probably Hackers by Steven Levy, and I relate my own experiences of working with Hackers in my chapter 2 of my book Security De-engineering (
The article covered a lot of points. The highlights for me were the last 3 paragraphs. I elaborate on some of my own experiences in this area also in Security De-engineering. These ideas are getting more widespread but they're far from mainstream.
With most networks there are a number of mindless hacks open to malware writers' and manual bad guys - this is true. Then there is "there are plenty of hardcore competent security individuals actively scoping out vulnerabilities in this sector". This is also true, and it's why focusing on patch and protect doesn't work, and it's also why "zero day" is a very real problem. It's another problem we need to try and deal with, just as much as password re-use (and other low hanging fruit vectors) is a problem.
Anonymous - as far as we know they haven't compromised infrastructure, but this is because it wouldn't seem to be their target. They seem to have setup their own legal system and violators of their laws are the targets. If they target infrastructure they would be successful in a short period of time probably.
"Anonymous has yet to come out with vulnerabilities and or vulnerability research" - yes because they want to keep the vulnerabilities for themselves and "they were smart enough to beat many so called security professionals". - doesn't take much from what i've seen.
"Individuals in an environment where interconnections between machines, and information technologies are a daily task need better training and awareness"...yes. I completely agree, and the general jist has to be to re-orient security back towards a technical base aimed at educating pros in the technical risks with core technologies, applications and networks...more detail in Chapter 11 of my book.
The example that was given about connecting boxes in the wrong subnets etc...this can happen and it does happen. Anything to do with IT and nasty ...computers is fobbed off to IT ops. The security department is too advanced to handle such things....they're above that type of work. They are more "business" and "management" oriented, even though they have 2 seconds experience and a MBA. IT ops and security analysis - they are not the same. Does a typical IT ops staff member understand technical risks and attack vectors? Usually...not.

- Security is broken, and skills that were lost in the late nineties need to be re-introduced at the Analyst level. More importantly - the management level needs addressing too. This is the root of all evil today.

tim belina Well written! As well as firewalls and DLP, don't forget the other silver bullets that have been pressed on hapless customers by the marketing brigade over the years:
- Smart cards
- And now, cloud.
All one-shot silver bullets that on their own and without process, provided no benefit at all.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.