Assimilation over Evolution, you will be Assimilated! This is my journey from human to Borg and you are invited along for the ride.


Sunday, November 09, 2014

So have you been hacked yet? Hopefully it was you doing it, but probably not

I do cyber security research, lately more than ever. As most companies have seen lately, there is an uptick in attacks: some because of recently published bugs, others because cyber is both big business and, sadly, seems to be what governments everywhere are doing.
It's an open secret that everyone is hacking everyone in terms of spying and trying to get or keep the upper hand in trade. While I am not involved in that, I see it all the time. Typically, when someone gets attacked, it is some user, contractor or supplier who opens the door by clicking the wrong email, link or attachment. We say we have to teach the users, and we do.
But then a user clicks the wrong thing and people start pointing fingers. "Why did you do that?", implying the user is an idiot or something. Anyone who knows me knows I do not advocate blaming users. They just want to do their jobs and get work done. Sometimes they have to chill and read email or whatever, and most of the time, 99.9999% of the time (a completely made-up number, but you know what I mean), they don't click the link and they trash the phishing emails. But the one time in thousands of emails that they slip up, they get pointed to as 'the guy'.
It's not fair or even helpful to blame them, so we have to stop it. The blame rests only on the people doing the attack: not the user who clicked the link, not the researcher who found the flaw in your program or product, not the people who wrote the software or the OS (sorry, no Microsoft jokes today), but the guy who made the attack and the people who back him.
Yes, all of those people (users, programmers, cyber techs, systems admins) have a role to play in making the attacker's life harder, but it's the attackers who hold 100% of the blame.
I write software. I want the software to just work for users and not be a pain to use, pleasant even, but I also have to consider the security issues. I wish I didn't have to, but I do. It makes programming slower and it makes software slower. I can't see us getting out of this. I do see that we need to make our defenses stronger: always practice defense in depth, segment our networks, and use decoys, honeypots and tarpits a lot more.
With world events and history as our guide, I don't see any of the governments (all of the governments) ever being brave enough to admit they have been doing this, or forward-thinking enough to use that admission to pressure others to do the same and start breaking the cycle. The current thinking seems to be that we have to do it because everyone else is.
With the current trend of breaking into industrial control systems, SCADA or otherwise, at some point someone will get into the wrong thing: something big and dangerous that should never have been connected in the first place, but it was easier to do it this way, you know how it is. Once in, they will experiment with it, something goes horribly wrong, and people get killed or worse. At that point it becomes a physical attack, and then what happens?
None of us wants this to happen, but it will.
In the meantime we all hear the talking heads: the head of some US agency telling people that there are two types of big businesses in the US (and I suspect in every country), "the ones who have been hacked by China, and the ones who don't know they have been hacked by China". In Canada the bogeyman, rightly or wrongly, is Russia at the moment, with everyone talking about "Sandworm". And yet there is evidence that the malware being used is attacking everyone, Russia included, and maybe as the top target. Whoever it is seems to be attacking Ukraine as well, so I really don't see who would attack both sides in that conflict, except maybe newspapers or TV news.
If you believed everything in the news you would think the West was perfect, but as we saw in the Ed Snowden leaks, the West, especially the group of five my own country is in, is just as bad if not worse. Probably not worse, but maybe.
I stand with the users, ordinary people and ordinary companies that just have a job to do and want to feed their kids, make the world a bit better, etc. We just want to be able to do our jobs, play a few games and be sociable. Maybe the governments of the world should all just go and make their own network (not the one we took from you) and leave the rest of us alone. Is it too much to ask?
Until then: invest in open source (it seems to be more secure, and we can at least find the back doors); turn on your firewall and change the default passwords (to keep the media out); put your must-be-secure stuff on its own network segment behind another (open source) firewall, not on the same segment that external entities can log into; and use a decoy/honeypot to confuse attackers.
Use VPNs internally between secure segments. Your switched network is just too easy to spoof, but a secure tunnel makes it that much harder for the attackers. Use two, and only use encrypted protocols on all of your servers, all the time, mixing it up and using real certificates and passwords.
Crack your own user password database, and teach your users when to use secure passwords and when not to; otherwise you end up with password stickies everywhere.
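Here is what "crack your own password database" looks like as a routine audit, as an added example that is not from the original post. The user records, the salts and the small wordlist are constructed for the demo; the hash is PBKDF2-HMAC-SHA256 with a deliberately low work factor so the run finishes instantly (assumption: the real export would use whatever scheme and iteration count the directory actually uses). The point it shows is that a handful of "human" mangling rules on a short company-specific wordlist finds the weak accounts without any brute force, and that per-user salts mean every guess has to be hashed per user.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Work factor kept low so the demo finishes instantly (constructed value, not a
# recommendation). Real hashes cost far more per guess, which is exactly why a
# small targeted wordlist matters more than brute force.
DEMO_ITERATIONS = 1_000

# Suffixes people bolt onto dictionary words to satisfy complexity rules.
SUFFIXES = ["", "1", "!", "123", "2014"]

Record = Tuple[str, bytes, int, bytes]  # (user, salt, iterations, digest)


def mangle(word: str) -> List[str]:
    """Expand one dictionary word with a few human-style rules."""
    out: List[str] = []
    for base in (word, word.capitalize()):
        for suffix in SUFFIXES:
            out.append(base + suffix)
    return out


def pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(user: str, password: str, salt: bytes) -> Record:
    """Build a stored record the way the password store would (demo helper)."""
    return (user, salt, DEMO_ITERATIONS, pbkdf2(password, salt, DEMO_ITERATIONS))


# Constructed user database standing in for the real export. Fixed salts keep
# the demo reproducible; a real store would use random per-user salts.
USER_DB: List[Record] = [
    make_record("alice", "Password1", b"salt-alice-0001"),
    make_record("bob", "winter2014", b"salt-bob---0002"),
    make_record("carol", "correct horse battery staple", b"salt-carol-0003"),
    make_record("dave", "secret!", b"salt-dave--0004"),
]

# Constructed wordlist: generic junk plus words tied to the organisation.
WORDLIST = ["password", "winter", "secret", "company", "letmein"]


def audit_passwords(db: List[Record], wordlist: List[str]) -> Dict[str, str]:
    """Return {user: guessed_password} for every record a mangled wordlist hits.

    Because each record carries its own salt there is no shortcut: every
    candidate is hashed again for every user, so the candidate list is kept
    small and targeted rather than exhaustive.
    """
    candidates = [c for word in wordlist for c in mangle(word)]
    cracked: Dict[str, str] = {}
    for user, salt, iterations, digest in db:
        for cand in candidates:
            if hmac.compare_digest(pbkdf2(cand, salt, iterations), digest):
                cracked[user] = cand
                break  # one hit is enough; move on to the next account
    return cracked


if __name__ == "__main__":
    for user, guess in audit_passwords(USER_DB, WORDLIST).items():
        # In a real audit, report only that the account is weak; never log the guess.
        print(f"weak password: {user} (matched rule output {guess!r})")
```

When this is run against a real export, the cracked list goes to the account owners as "change it", not into a log file with the plaintext next to the username; the audit's output is itself a credential dump until it is deleted.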
Educate your users but quit blaming them, let them work.
All of that stuff you put in place to better control your users' use of your company computers is making it easier for you to be attacked. Diversity is strength, both in people and in computers. You can still use Windows if you want (and turn on the firewall), but embrace Mac and Linux and everything else. A diverse network confuses hackers to no end.
Learn what your attackers know. Learn it personally. It's way too easy to learn about your company online without alerting you to the fact that you are being stalked. (That also goes for the attackers: they are not as smart as they think they are, and neither am I, apparently. It's amazing how the views on my various accounts have swung to mostly coming from Russia lately; they topped the Chinese this month. What I get for baiting them online, I guess. Hi guys.)
Use the tools they use. Set up a test network in your office (even the CIO should try this once) and hack the hell out of it. Put computers on it running your chosen company OS and software. (I use a virtual network populated with virtual machines behind a virtual firewall/router VM, and I update it all the time. On there I have a virtual machine running Kali Linux, I have added some tools for PLCs and SNMP, and one of my virtual machines is a virtual PLC with virtual sensors.) Then search for exploits.
If you have time, try fuzzing your network, and then start reverse engineering the malware that has worked against your company. I am sure you have something somewhere that was compromised. Hack the software the hackers used to hack you; it will teach you. There are many good tools for reverse engineering code. Be careful: hacker code is obfuscated and poorly written for the most part, and it can make your brain hurt to see some of the coding used. Also, don't believe everything you read. If the code includes strings in some language, for instance, that language is used in a lot more than one place in the world. Russian does not mean Russia any more than English means England. IP addresses do lie, just like the cake.
Do all of this and you give yourself a better chance, but don't stop: security is a journey, not a destination.
You, dear reader, have most likely already been hacked or compromised in some way or another. If you don't think you have, look harder. If you have, look for more. Stopping the attackers from getting in is one thing; stopping them from getting out is the other.
I love fake data: something that looks real but, if used, will not work. Fake systems (honeypots), false leads, and watching for that false information to show up somewhere have to be part of the deal. Spotting the deliberate error from your false lead out in the wild lets you connect the dots. There was a company that released its own fake version of a game for people to pirate. When people started asking questions about the error message that only showed up in the pirated version, it was funny. Do the same to malware users. It's satisfying.
Look at me go on, sorry. But there you have it, my advice today on what to do to be secure: basically, open source, diversity, and go hack yourself. Have fun.
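The "false lead that tells you where it was picked up" idea above, as an added example that is not part of the original post. It plants bait service-account names (honeytokens) whose suffix is a keyed hash of the place they were planted, so the bait host never carries a lookup table, and then runs a detector over sshd-style auth log lines looking for any of those names being tried. The key, the planting locations, the log lines and the host/IP values are all constructed for the demo; the assumption is that the bait accounts either do not exist or are disabled and monitored, so any attempt to use one is an alert, and the suffix tells you which copy of the bait was taken.

```python
import hashlib
import hmac
import re
from typing import Dict, List

# Assumption: an organisation-wide secret held only on the monitoring side,
# never on the hosts where bait is planted. Constructed value for the demo.
HONEYTOKEN_KEY = b"constructed-demo-key-rotate-me"

# Places where a bait credential file gets left (constructed for the demo).
PLANT_LOCATIONS = ["wiki-page", "file-share", "dev-laptop"]


def make_honeytoken(location: str) -> str:
    """Return a plausible service-account name that is never legitimately used.

    The suffix is a keyed hash of the planting location, so a token seen in a
    log identifies which bait was taken without a table on the bait host."""
    tag = hmac.new(HONEYTOKEN_KEY, location.encode("utf-8"), hashlib.sha256).hexdigest()[:8]
    return f"svc-backup-{tag}"


def token_map(locations: List[str]) -> Dict[str, str]:
    """Map every bait username back to where it was planted."""
    return {make_honeytoken(loc): loc for loc in locations}


# sshd-style line: "<ts> <host> sshd[pid]: Accepted|Failed password for [invalid user ]NAME from IP port N ssh2"
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def scan_auth_log(lines: List[str], locations: List[str]) -> List[Dict[str, str]]:
    """Return one alert per auth attempt that names a honeytoken account."""
    tokens = token_map(locations)
    alerts: List[Dict[str, str]] = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue  # not an sshd password event; other formats need their own pattern
        planted_at = tokens.get(m["user"])
        if planted_at is None:
            continue  # ordinary account, real or not; the bait did not fire
        alerts.append({
            "ts": m["ts"],
            "host": m["host"],
            "user": m["user"],
            "src_ip": m["src"],
            "result": m["result"],
            "planted_at": planted_at,
        })
    return alerts


# Constructed log lines. 203.0.113.0/24 and 10.0.0.0/8 are documentation and
# private ranges; the bait usernames are generated so the lines stay consistent.
LOG_LINES = [
    "Nov  9 03:14:07 fs01 sshd[2211]: Accepted password for alice from 10.0.5.23 port 51822 ssh2",
    f"Nov  9 03:15:41 fs01 sshd[2240]: Failed password for invalid user {make_honeytoken('wiki-page')} from 203.0.113.45 port 40022 ssh2",
    "Nov  9 03:15:44 fs01 sshd[2240]: Failed password for root from 203.0.113.45 port 40022 ssh2",
    f"Nov  9 03:16:02 db02 sshd[9031]: Accepted password for {make_honeytoken('file-share')} from 10.0.7.9 port 33410 ssh2",
    "Nov  9 03:20:00 db02 CRON[9100]: pam_unix(cron:session): session opened for user root",
]


if __name__ == "__main__":
    for alert in scan_auth_log(LOG_LINES, PLANT_LOCATIONS):
        print(f"HONEYTOKEN {alert['result']} on {alert['host']} from {alert['src_ip']}: "
              f"bait from '{alert['planted_at']}' was used as {alert['user']}")
```

Two things fall out of the run: the attempt from 203.0.113.45 tells you the wiki copy of the bait has been read by someone outside, and the accepted login on db02 from an internal address tells you the file-share bait was taken by something already inside, which is the "stopping them from getting out" half of the problem.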
