
Digital Resilience: A Better Way to Cybersecurity

CIOReview | September 12, 2016

By Ray Rothrock, CEO, RedSeal

Who says prevention is better than cure? Since the advent of networks and hacking, prevention, coupled with detection, has been the primary cyber strategy to counter cyberattacks. But, with the exponential increase in the pace and complexity of digital connections, and the sophistication of the attackers, this approach is falling short, as the breaches at JP Morgan, IRS, Target and UCLA Health so clearly demonstrated.

“Hide & Sneak.” Playing Today’s Cybersecurity Game

I recently came across a rather nice title for a webinar by A10 Networks’ Kevin Broughton – “Hide & Sneak: Defeat Threat Actors Lurking within your SSL Traffic”. “Hide & Sneak” is a good summary of the current state of the cybersecurity game. Whether our adversaries are state actors or less organized miscreants, they find plenty of ways to hide, stay quiet and observe. They can keep this up for years at a time. Our IT practices of the last few decades have engineered very effective business systems. On the other hand, they are sprawling and complex systems, made up of tunnels, bridges and pipes — much of which is out of sight, unless you take special pains to go look in every corner.

The “Hide & Sneak” webinar focuses on SSL, just one aspect of just one kind of encryption used in just one kind of VPN. This is worthwhile – I mean no criticism of the content offered. But if we think about how complex just this one widely used piece of infrastructure is, and then take a step back to think about this level of detail multiplied across all the technologies we depend on, it’s obvious that it’s impossible for any single security professional to understand all the layers, all the techniques, and all the complexity involved in mission-critical networks. Given staff shortages, it’s not even possible for a well-funded team to keep enough expertise in-house to deal in full depth with everything involved in today’s networks, let alone keep up with the changes tomorrow.

If we can’t even hire experts in all aspects of all the technologies we use, how can we defend our mission-critical infrastructure?

We can break the problem down into three parts – understanding the constantly-shifting array of technologies we use; keeping up with the continuous stream of new defects, issues and best practices; and thinking through the motivations, strategies and behaviors of bad actors. Of these three, the first two are highly automatable (and essentially impossible without automation). The third is the ideal domain for humans – no computer has the wit or insight to think strategically about an intelligent, wily adversary. This is why automation is best focused on understanding the infrastructure, and on uncovering and prioritizing vulnerabilities and defensive gaps.

The best security teams focus human effort on the human problem – understanding the thought patterns of the adversaries, not on learning every detail of every aspect of every technology we use.

RedSeal CEO Ray Rothrock Shares Insights on Mad Money with Jim Cramer

MAD MONEY WITH JIM CRAMER | August 25, 2016

Our CEO Ray Rothrock shared the latest on cybersecurity as a guest on Mad Money with Jim Cramer (CNBC) today, covering a variety of topics – from why perfect firewall management doesn’t provide perfect protection, to the risk of a hacking attack on electrical grids and nuclear power plants.


Credit: CNBC

Some highlights:

Jim: What goes into my digital resilience score?

Ray: There are three things that really matter. First is configuration checks. You’ve got all this equipment—network equipment—it’s probably configured by really good people, but it may not be perfect. We can assign that.

Vulnerabilities—that’s what everyone talks about. Vulnerabilities are interesting but you need to know where it is in the network. Is it reachable for the bad guys on the outside? We can tell you that. So why spend all your time scanning and fixing a computer that’s not reachable? That’d be a waste of your time and money.

And the third thing – and this is what gets the CISOs quite nervous – it’s called the incomplete model.

Learn more about how you can measure your organization’s digital resilience score by contacting us here.

Closing (and bolting) the back door in ScreenOS

by Dr. Mike Lloyd, CTO RedSeal

The recently disclosed back door in Juniper’s ScreenOS software for NetScreen firewalls is an excellent reminder that in security, the first and foremost need is to do the basics well.  The details of the vulnerability are complex and interesting (who implanted this, how, and what exactly is involved?), but that is not what matters for defenders.  What matters is knowing whether or not you have basic network segmentation in place.  This may sound counterintuitive – how can something as routine as segmentation solve a sophisticated problem like this?  But this is a textbook example of the benefits of defense in layers – if you think too much about only one method of protection, then complex things at that layer have to be dealt with in complex ways, but if you have layers of defense, you can often solve very complex problems at one layer with very simple controls at another.

The vulnerability in this instance involves a burned-in “skeleton key” password – a password capable of giving anyone who can use it potentially catastrophic levels of control of the firewall.  To compromise your defenses when you have this particular version of software installed, an attacker needs only two things – 1) the magic password string itself, which is widely available, and 2) the ability to talk to your firewall.  For point 1, the cat (saber-toothed in this instance) is long since out of the bag, but point 2 remains.  If someone can talk to your firewall and present a credential, they can present the magic one, and in they go, with full privilege to do whatever they want (for example, disabling all the protections you bought the firewall for in the first place).  No amount of configuration hardening can prevent this, since the issue is burned into the OS itself.  But what if the attacker cannot talk to the firewall at all?  Then the magic password does no good – they cannot present a credential if they cannot talk to the firewall in the first place.

So note that someone who relies on strong password policies has a real problem here.  If you think “it’s OK to allow basic access to my firewalls, nobody can get in unless I give them a credential”, well, that’s clearly not true.  Unfortunately, many network defenses are set up in this way.  If you think about this problem at the password or credential layer, the situation is a disaster.  But if you think about multiple layers, something more obvious and more basic emerges – why do you need to allow anyone, coming from anywhere, to talk to your firewalls at all?  You should only ever need to administer your infrastructure from a well-defined command and control location (using “C&C” in the positive sense used by the military), and you can lock down access so that only people in this special zone can say anything AT ALL to your firewalls and the rest of your infrastructure – you effectively reduce the attack surface, directly mitigating the huge risk of this kind of vulnerability.  Thinking in layers moves the question from “how do I prevent someone using the magic password?” (Answer: if you have the vulnerable software, you can’t), over to the easier and better question, “How do I limit access to the management plane of the firewall to only the zone I run management from?”
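
The segmentation point above can be checked mechanically. The following is an added example written for this page (it is not RedSeal’s product code and not ScreenOS configuration): a small first-match ACL evaluator that answers the one question that matters for the back door, namely which source zones can talk to the firewall’s management services at all. The zone names, CIDRs, ports and both rule sets are constructed assumptions; the “open” policy models the common “anyone can reach the login prompt” setup, the “segmented” policy admits only the management zone.

```python
"""Who can reach the firewall's management plane under a given ACL?

Added example, not RedSeal or Juniper code. Rule sets, CIDRs and zone
names below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Management services the firewall itself listens on (assumption: SSH + HTTPS).
MGMT_PORTS = {22, 443}


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source CIDR; "0.0.0.0/0" means any source
    dst_port: Optional[int]  # None matches any destination port

    def matches(self, src_ip: str, port: int) -> bool:
        in_src = ip_address(src_ip) in ip_network(self.src)
        on_port = self.dst_port is None or self.dst_port == port
        return in_src and on_port


def evaluate(rules: List[Rule], src_ip: str, port: int) -> bool:
    """First matching rule wins; anything unmatched is implicitly denied."""
    for rule in rules:
        if rule.matches(src_ip, port):
            return rule.action == "permit"
    return False


# Constructed policy 1: management reachable from anywhere. Only the
# credential stands between the outside world and the admin shell, which is
# exactly the layer the burned-in password defeats.
OPEN_MGMT = [
    Rule("permit", "0.0.0.0/0", 22),
    Rule("permit", "0.0.0.0/0", 443),
]

# Constructed policy 2: only the dedicated management zone may initiate
# management traffic; everyone else cannot present any credential at all.
SEGMENTED_MGMT = [
    Rule("permit", "10.0.99.0/24", 22),
    Rule("permit", "10.0.99.0/24", 443),
    Rule("deny", "0.0.0.0/0", None),
]

# Constructed representative source addresses, one per zone.
SOURCES = {
    "internet": "203.0.113.10",
    "user-lan": "10.0.20.15",
    "mgmt-zone": "10.0.99.5",
}


def exposed_sources(rules: List[Rule], sources=SOURCES) -> List[str]:
    """Zones from which at least one management port is reachable."""
    return sorted(
        name for name, ip in sources.items()
        if any(evaluate(rules, ip, port) for port in MGMT_PORTS)
    )


if __name__ == "__main__":
    print("open policy exposes management to:", exposed_sources(OPEN_MGMT))
    print("segmented policy exposes management to:", exposed_sources(SEGMENTED_MGMT))
```

The useful habit is to run this kind of check against the real rule base, not a mental model of it: the answer for the open policy is every zone, while the segmented policy returns only the management zone, and that difference is the whole mitigation for a credential-layer defect you cannot patch out of the password check itself.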

Using inflight entertainment systems to hack into commercial airline controls?

Recent headlines tell us that “Feds Say That Banned Researcher [Chris Roberts] Commandeered a Plane.” As always, there is more to the story. In fact, there are claims and counter-claims about what Chris Roberts actually did.  The FBI search warrant says he did actually send control commands that impacted the flight path of the aircraft, but this is currently unproven.  The whole incident brings focus on the issue of what is called lateral movement – can someone with access to, for example, the inflight entertainment system of an aircraft use that toehold to reach further into the network to do actual harm?

Once, aircraft control machinery was effectively offline, not connected to any outside networks. But, as we’ve seen in recent coverage (including the loss of Malaysian Airlines Flight 17) aircraft are much more inter-connected than they used to be.  They connect to the outside world in several different ways, ranging from satellite-based networks for flight telemetry to networks used to provide Internet access from passenger seats.  As these networks proliferate, they inevitably touch; and any touch point is something an attacker can use.  The number of possible weak points multiplies over time.

The questions raised by this story are the current frontier of security, and apply well beyond aircraft.  We rely more and more on networks that we cannot easily see or understand.  Defects in one network can open up access to another. Attacks can work upwards like grass through cement, finding weak points and cracking hard defenses.  What all defenders need to learn to do is to use technology to monitor technology. As our networks grow larger than we can understand, human effort and good will are not enough. This is why the current emphasis in security is on automated testing of defenses. We look for lateral movement opportunities, so we can isolate the truly critical things – say an aircraft’s control network – from the far less important, such as the inflight entertainment systems.

What SendGrid can teach us about dependency

The watch-word for the SendGrid breach is “interdependence”.  In the online world, we may think we’re dealing with one company, but we’re actually dealing with them and with every other company they choose to deal with.  This makes an ever-widening attack surface.  (The breaking news about the Chinese “Great Cannon” software shows similar patterns.)  These days, if you visit a website, you can be confident you are actually talking to a huge variety of other organizations who may provide ads, services, traffic monitoring, or any other legitimate services.  One recent study of a popular news site showed that reading a simple news story meant your browser spoke to 38 distinct hosts, spread across no less than 20 different organizational domains!  The problem is that this array of services is very large, and a chain is only as strong as its weakest link.  Attackers only need to find one weak point to start an attack.
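
The “38 hosts across 20 organizations” observation is something any site owner can reproduce for their own pages. Below is an added example, not code from the original post or from the study it cites: it parses a constructed HTML page with the standard library, collects every external resource URL, groups the hosts by organization, and flags which organizations deliver executable script (the dependencies that can do the most damage if compromised). The “registrable domain” is approximated as the last two labels of the host name, which is a stated simplification that ignores public-suffix cases such as `co.uk`; the page content and host names are invented.

```python
"""Inventory the third-party organizations a web page depends on.

Added example for this post; the HTML, host names and the two-label
"registrable domain" approximation are constructed assumptions.
"""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Tags whose attribute pulls a resource from another host.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every resource-bearing tag."""

    def __init__(self) -> None:
        super().__init__()
        self.resources: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.resources.append((tag, value))


def registrable_domain(host: str) -> str:
    # Simplification: treat the last two labels as "the organization".
    return ".".join(host.lower().split(".")[-2:])


def third_party_inventory(html: str, first_party_host: str) -> Dict[str, dict]:
    """Map each third-party organization to its hosts and whether it runs script."""
    collector = ResourceCollector()
    collector.feed(html)
    first_party = registrable_domain(first_party_host)
    inventory: Dict[str, dict] = {}
    for tag, url in collector.resources:
        host = urlparse(url).hostname
        if not host:
            continue  # relative URL: served by the first party itself
        org = registrable_domain(host)
        if org == first_party:
            continue
        entry = inventory.setdefault(org, {"hosts": set(), "runs_script": False})
        entry["hosts"].add(host)
        if tag == "script":
            entry["runs_script"] = True  # this organization executes code in the page
    return inventory


def summarize(inventory: Dict[str, dict]) -> Dict[str, dict]:
    """Stable, comparable view: organization -> host count and script flag."""
    return {
        org: {"hosts": len(entry["hosts"]), "runs_script": entry["runs_script"]}
        for org, entry in sorted(inventory.items())
    }


# Constructed page: one first-party CDN plus an ad network, an analytics
# vendor and a video embed, each spread over one or two hosts.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.news.example/app.js"></script>
<script src="https://tag.adnetwork.example/loader.js"></script>
<script src="https://js.analytics.example/track.js"></script>
</head><body>
<img src="https://img.adnetwork.example/banner.png">
<iframe src="https://embed.video.example/clip/123"></iframe>
<img src="//pixel.analytics.example/1x1.gif">
</body></html>"""


if __name__ == "__main__":
    for org, facts in summarize(third_party_inventory(SAMPLE_HTML, "www.news.example")).items():
        print(f"{org}: {facts['hosts']} host(s), runs script: {facts['runs_script']}")
```

Run over a real page, the list is the concrete “weakest link” inventory this post is about: every organization with `runs_script` set is one whose compromise is effectively a compromise of your page, and it is worth comparing that list against the vendors you believe you contracted with.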

KCBS Interview on Obama’s information sharing initiative

I recently recorded an interview with KCBS, on Obama’s announcement of the Cyber Threat Intelligence Integration Center.  I do believe this is good news, but I confess, I worry about the way all these proposals indicate how data will go in to the government, with very little said about how anything will ever come out.  In the scope of a 5 minute live interview, there wasn’t a lot of time for that kind of subtlety!

US & UK Joint Wargames – let’s not wait for Pearl Harbor

The idea of the US and UK working together on war-games is a good one.  It recognizes that we are in a war, and that we are losing.  We need to improve our defensive game.  Chris Inglis, the former NSA director, has commented that the state of security today massively favors the attacker – he suggests that if we kept score, it would be 462-456, just 20 minutes into the game, because our defense is so poor.

The continuous stream of announcements of new breaches, along with the UK stats indicating the vast majority of large companies are suffering serious breaches, adds up to clear evidence of weak defense.  War games are a good way to get one step ahead, shifting to a proactive rather than purely reactive stance.  Nation states can do this with teams of people, but this is too labor intensive and expensive for most organizations.  This is why the security industry puts so much emphasis on automation – not just the automated discovery of weaknesses, but automating the critical process of prioritizing these vulnerabilities.  The inconvenient truth is that most organizations know about far too many security gaps to be able to fix them all.  War-gaming is a proven approach to dealing with this reality – find the gaps that are most likely to be used in a breach, and fix those first.  Perfect security is not possible, but realistic security comes from understanding your defensive readiness, stack-ranking your risks, and acting on the most critical ones.
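
The three posts above share one mechanism: find the lateral-movement paths an attacker could actually use (the aircraft post), ask whether a vulnerable host is reachable before spending effort on it (the Mad Money remarks on reachability), and stack-rank the gaps so the most likely breach paths are fixed first (this post). The block below is an added example written to demonstrate that mechanism; it is not RedSeal’s product or code. It models a network as zones joined by permitted flows, walks the graph to find what an attacker starting in a given zone can reach, enumerates the concrete paths to a critical zone, and ranks constructed vulnerabilities by severity, asset value and exposure. All zone names, hosts, scores and the exposure weighting are invented assumptions.

```python
"""Lateral-movement reachability and reachability-aware vulnerability ranking.

Added example, not RedSeal code. Topologies, hosts, CVSS-style scores,
asset values and the 1.0 / 0.1 exposure weights are all constructed.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed enterprise topology: zone -> zones it may open connections to.
# Nothing may initiate into "mgmt", which is the segmentation goal.
ENTERPRISE: Dict[str, Set[str]] = {
    "internet": {"dmz"},
    "dmz": {"app"},
    "app": {"db", "internal"},
    "internal": set(),
    "db": set(),
    "mgmt": {"dmz", "app", "db"},
}

# Constructed aircraft topology: the satcom link is a touch point that
# joins the passenger-facing side to the control side.
AIRCRAFT: Dict[str, Set[str]] = {
    "ife": {"cabin-wifi", "satcom"},
    "satcom": {"avionics"},
    "cabin-wifi": set(),
    "avionics": set(),
}


def reachable_zones(flows: Dict[str, Set[str]], start: str) -> Set[str]:
    """Every zone an attacker in `start` can reach by chaining permitted flows."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in sorted(flows.get(zone, ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def attack_paths(flows: Dict[str, Set[str]], start: str, target: str) -> List[List[str]]:
    """All simple paths from `start` to `target`, for reporting and review."""
    paths: List[List[str]] = []

    def walk(zone: str, path: List[str]) -> None:
        if zone == target:
            paths.append(path)
            return
        for nxt in sorted(flows.get(zone, ())):
            if nxt not in path:          # simple paths only: no revisits
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def without_flow(flows: Dict[str, Set[str]], src: str, dst: str) -> Dict[str, Set[str]]:
    """Topology with one permitted flow removed (a candidate segmentation fix)."""
    fixed = {zone: set(nexts) for zone, nexts in flows.items()}
    fixed.get(src, set()).discard(dst)
    return fixed


# Constructed vulnerability findings: host, zone, severity, business value 1..5.
VULNS = [
    {"host": "web01", "zone": "dmz", "cvss": 9.8, "asset": 2},
    {"host": "app02", "zone": "app", "cvss": 7.5, "asset": 3},
    {"host": "db01", "zone": "db", "cvss": 9.0, "asset": 5},
    {"host": "hr-pc", "zone": "internal", "cvss": 9.8, "asset": 1},
    {"host": "fw-mgmt", "zone": "mgmt", "cvss": 10.0, "asset": 5},
]


def prioritize(vulns, flows, attacker_zone: str) -> List[Tuple[str, float]]:
    """Rank findings by severity x asset value x exposure from `attacker_zone`."""
    reach = reachable_zones(flows, attacker_zone)
    ranked = []
    for v in vulns:
        exposure = 1.0 if v["zone"] in reach else 0.1   # unreachable: keep, but demote
        ranked.append((v["host"], round(v["cvss"] * v["asset"] * exposure, 1)))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


if __name__ == "__main__":
    print("paths IFE -> avionics:", attack_paths(AIRCRAFT, "ife", "avionics"))
    print("after removing satcom -> avionics:",
          attack_paths(without_flow(AIRCRAFT, "satcom", "avionics"), "ife", "avionics"))
    for host, score in prioritize(VULNS, ENTERPRISE, "internet"):
        print(f"{host:8} {score}")
```

Two things in the output are the point of the exercise. The highest-severity finding on the list, the management firewall, drops to the bottom because no zone can initiate into `mgmt`, so an attacker starting on the Internet cannot use it; and removing the single `satcom -> avionics` flow empties the path list from the entertainment network to the control network, which is the “isolate the truly critical things” fix stated in plain topology terms.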

Is Nothing Sacred Anymore?

It’s unthinkable: hackers targeting that sacrosanct American institution, the sports team? The recent incident in which the Houston Astros’ internal trade discussions were hacked and posted on the Internet shows that, today, no target is off limits.  Jeff Luhnow, GM for the Astros, was quite right when he said: “It’s a reflection of the age we’re living in. People are always trying to steal information.”

The main problem that encourages this kind of illegal activity is that it’s really relatively easy.  Nobody thinks the hacker who stole the information from the Astros was heavily funded by a foreign government, or anything like that.  Indeed, it’s quite possible the person or people involved had no more motivation than curiosity, and found it easy to get in. The challenge, of course, is that every business has secrets – how it approaches negotiation, or the pricelist for its upcoming products, or its next quarter of advertising plans.  All that information is useful to others if it’s exposed.

Many businesses like the Astros have treated IT security as a “high end” problem – something for banks, the military, or energy companies to worry about.  But it’s just not possible to operate that way anymore – the risk of corporate embarrassment, or worse, is escalating.  Attackers are finding our complex defenses are badly deployed, badly coordinated, and easy to walk through.  All the attacker needs is persistence, and the search for a forgotten, unlocked “side door” onto the business can be largely automated.  Defenders need to understand all the gaps, and how all the security defenses work together, even if their only target is “good enough” security.  As the Astros have found, the standards of “good enough” are rising rapidly.