
IT security advice from an ex-CIA cyber-master

June 11, 2014 Staff

When you picture a cyber-security expert, what image comes to mind? A Russian botnet general, perhaps? Or a LulzSec-style Anonymous affiliate in a gravy-stained "I-heart-UNIX" t-shirt? Surely a sounder candidate is Robert Bigman, former chief information security officer at the CIA and now a private-sector IT security consultant.

Bigman recently addressed delegates at the Gulf Information Security Exhibition and Conference (GISEC), held at the Dubai World Trade Centre. In his keynote address Bigman shared a range of tips for securing the corporate network, many of which were significant departures from traditional approaches. But much of his talk centred on decrying the gaping holes in software vendors' products.

"I think IT vendors largely put product compatibility [first], especially backwards compatibility," he said. "If we could just come to a compromise with [the likes of] Microsoft and Adobe and say 'Don't worry about having to make your systems and your new releases backwards compatible,' we would start to see code that was a lot more secure," he said.

He was also critical of software houses' attitudes to the robustness of code in subsequent versions of their products.

"What a lot of vendors tell me is 'We try to write secure code but if we don't it's okay.' Do you think they care about the reputation risk? No, they don't."

Software vendors were by no means alone in this approach, Bigman warned. He highlighted the example of consumer routers that accept firmware updates over credentials the user has already established, rather than verifying the update separately.

"The vendors do this to make life for you consumers easier," Bigman told delegates. "So you don't have to worry about the drivers; you don't have to worry about the firmware. They will do it for you, using the SSL connection you have already established."


In looking for solutions, Bigman made clear that he did not feel the cyber security industry held any quick answers.

"The cyber security industry is all about solving the symptoms of the problem, but not the problem. It's [like prescribing] cough syrup. You're not coughing anymore, but you're still sick. The problem is not going to be solved by securing software with other software. A lot of companies that are in the cyber security business themselves don't deliver secure software. Some of the biggest holes I've found have been in security products.

"We have published standards and we have implemented standards. Very few security standards, including SAML [Security Assertion Markup Language, an XML-based standard for exchanging authentication and authorisation assertions between identity providers and service providers], actually operate the way the standard prescribes. And some of the cyber-laziest companies I have found are, guess who? The cyber security consultants. They don't practice what they preach, but they tell us 'We have the answer.'"

Data encryption, Bigman explained, was one area where sound methods do exist, and he lauded the progress made in that field.

"The very last thing that the Chinese government and the PLA [People's Liberation Army] want to find is a collection of [well-protected data]. If they find encrypted data they send it off to another organisation in the Chinese government, which works through it with various techniques, usually brute force. That's where I want my data to be."

The problem with encryption products, Bigman explained, arises when the encryption is tied to the network access method for the data (Active Directory, for example) so that users get transparent access to the encrypted data without any further step. Such approaches mean that an attacker who has obtained or spoofed the necessary user credentials is no more stymied by the encryption than a valid user would be: whatever unlocks the network unlocks the data.
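To make the distinction concrete, here is an added example (constructed for this article, not code from Bigman's talk or from any vendor) of two toy file stores behind the same directory logon. The first decrypts for any valid session of the file's owner, so a stolen or spoofed credential yields plaintext. The second keeps the file key wrapped under a data key the directory never holds, so the same stolen credential yields only ciphertext. The `Directory`, the store classes, the user name and the secret are all assumptions for the demonstration; the cipher is HMAC-SHA256 in counter mode with an authentication tag, chosen only to keep the example dependency-free, and stands in for a vetted AEAD rather than being one.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks: a toy counter mode."""
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag makes a wrong key detectable."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes | None:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return _keystream_xor(key, nonce, ct) if hmac.compare_digest(tag, expected) else None

class Directory:
    """Stands in for the network access method (a domain controller, say). Constructed."""
    def __init__(self) -> None:
        self._verifiers: dict[str, bytes] = {}
        self._sessions: dict[str, str] = {}

    def add_user(self, user: str, password: str) -> None:
        self._verifiers[user] = hashlib.sha256(password.encode()).digest()  # toy verifier

    def logon(self, user: str, password: str) -> str | None:
        if self._verifiers.get(user) != hashlib.sha256(password.encode()).digest():
            return None
        token = secrets.token_hex(8)
        self._sessions[token] = user
        return token

    def whoami(self, token: str) -> str | None:
        return self._sessions.get(token)

class TransparentStore:
    """Design 1: the server holds the file keys and decrypts for any valid session of
    the owner, so the directory logon is all that stands between an attacker and plaintext."""
    def __init__(self, directory: Directory) -> None:
        self._dir, self._files = directory, {}

    def write(self, token: str, name: str, data: bytes) -> None:
        key = secrets.token_bytes(32)
        self._files[name] = (self._dir.whoami(token), key, seal(key, data))

    def read(self, token: str, name: str) -> bytes | None:
        owner, key, blob = self._files[name]
        return open_sealed(key, blob) if self._dir.whoami(token) == owner else None

class IsolatedStore:
    """Design 2: the server keeps ciphertext plus the file key wrapped under a data key
    it never sees, so the directory session only gates access to ciphertext."""
    def __init__(self, directory: Directory) -> None:
        self._dir, self._files = directory, {}

    def write(self, token: str, name: str, data: bytes, data_key: bytes) -> None:
        file_key = secrets.token_bytes(32)
        self._files[name] = (self._dir.whoami(token), seal(data_key, file_key), seal(file_key, data))

    def read(self, token: str, name: str) -> tuple[bytes, bytes] | None:
        owner, wrapped_key, blob = self._files[name]
        return (wrapped_key, blob) if self._dir.whoami(token) == owner else None

def client_open(fetched: tuple[bytes, bytes] | None, data_key: bytes) -> bytes | None:
    """Client-side unwrap and decrypt; fails closed without the right data key."""
    if fetched is None:
        return None
    file_key = open_sealed(data_key, fetched[0])
    return None if file_key is None else open_sealed(file_key, fetched[1])

def scenario() -> dict[str, bytes | None]:
    """Alice's directory password is phished; the data key on her device is not."""
    ad = Directory()
    ad.add_user("alice", "Winter2014!")
    transparent, isolated = TransparentStore(ad), IsolatedStore(ad)
    alice_data_key = secrets.token_bytes(32)  # lives on Alice's device, never sent to a server
    secret = b"Q3 acquisition target list"
    alice = ad.logon("alice", "Winter2014!")
    transparent.write(alice, "plan.txt", secret)
    isolated.write(alice, "plan.txt", secret, alice_data_key)
    attacker = ad.logon("alice", "Winter2014!")  # stolen credential, fully valid session
    return {
        "alice_transparent": transparent.read(alice, "plan.txt"),
        "alice_isolated": client_open(isolated.read(alice, "plan.txt"), alice_data_key),
        "attacker_transparent": transparent.read(attacker, "plan.txt"),
        "attacker_isolated": client_open(isolated.read(attacker, "plan.txt"), secrets.token_bytes(32)),
    }
```

The attacker holds an equally valid session in both designs; only the second leaves them with ciphertext. The price is the convenience Bigman describes: the data key has to live somewhere the directory does not control (a smart card, a device key store or a separately entered passphrase), and key recovery then has to be designed as its own problem.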


Another much-hyped approach that Bigman feels has underperformed against industry expectations is whitelisting. The mirror image of blacklisting, whitelisting denies everything by default (for example, every application's access to the Internet) and then permits only a list of trusted entities to perform a specific function or reach certain resources.

Next on his list was SIEM (security information and event management), a big-data analytics approach that monitors network behaviour and shares data about attacks so that, in theory, a zero-day attack could be thwarted before it lands.

"Cyber-intelligence is not necessarily a bad notion; it's just not going to solve the problem," he said. "The cyber-sharing, cyber-intelligence big data [idea is] the answer is out there; you just have to collect all the data, put it in your SIEM collection engine, throw these technologies at it, get data from your peer organisations and find the problem before it hits your company. Does that sound right to you?

"In the US government we can't even agree on the standard for how to share the data. The idea that we are all someday just going to collectively start sharing data without any restrictions and move it transparently across organisations and governments... I would love to see that; it would be wonderful. But it's not going to happen."

Bigman believes that the big-data approach ignores the existence of, or at least underestimates the effectiveness of, zero-day attacks.

"If you don't have a signature, it doesn't matter how fast you pass the signatures around," he reminded delegates. "I was told this directly from a Russian hacker. 'I don't care how fast you can build the signatures; I don't care what you do with the signatures; I'm not using your signatures.'

"If you look at the most recent attacks, the most important change we've seen in the last six or seven months is really sophisticated obfuscation. Either hiding inside authorised sessions, processes and protocols, or spoofing themselves to convince the security software or operating system that they are [a valid user]."
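Bigman's two points, that whitelisting has underperformed and that current malware spoofs itself to convince security software it is something authorised, meet in the question of what an allowlist actually keys on. The following is an added example (constructed for this article, not from the talk or from any product): the same constructed process-creation events are run through an allowlist that trusts a file name and one that trusts a content hash, and a small classifier explains each disagreement in analyst terms. The paths, hashes and event format are invented stand-ins for what an EDR or Sysmon-style sensor would log.

```python
from __future__ import annotations
import hashlib
from typing import NamedTuple


class ProcEvent(NamedTuple):
    """One process-creation event: where the binary ran from and what it hashed to."""
    path: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Baseline of known-good binaries. The contents are constructed stand-ins; in
# practice the hashes are taken from the real files on a clean build.
KNOWN_GOOD = {
    r"c:\program files\vendor\updater.exe": sha256_hex(b"constructed: genuine updater 4.2.1"),
    r"c:\windows\system32\svchost.exe": sha256_hex(b"constructed: genuine svchost"),
}
ALLOWED_NAMES = {basename(p) for p in KNOWN_GOOD}
ALLOWED_HASHES = set(KNOWN_GOOD.values())


def allow_by_name(ev: ProcEvent) -> bool:
    """Policy A: trust anything whose file name is on the list."""
    return basename(ev.path) in ALLOWED_NAMES


def allow_by_hash(ev: ProcEvent) -> bool:
    """Policy B: trust only content whose hash matches the baseline."""
    return ev.sha256 in ALLOWED_HASHES


def classify(ev: ProcEvent) -> str:
    """Explain, for the analyst, why the two policies agree or disagree."""
    name_ok, hash_ok = allow_by_name(ev), allow_by_hash(ev)
    if hash_ok and KNOWN_GOOD.get(ev.path.lower()) == ev.sha256:
        return "known-good"
    if name_ok and not hash_ok:
        return "masquerade: allowlisted name, unknown content"
    if hash_ok and not name_ok:
        return "relocated: known content under a different name"
    if hash_ok:
        return "relocated: known content at an unexpected path"
    return "unknown"


def triage(events: list[ProcEvent]) -> list[dict[str, str]]:
    return [
        {
            "path": ev.path,
            "by_name": "allow" if allow_by_name(ev) else "block",
            "by_hash": "allow" if allow_by_hash(ev) else "block",
            "note": classify(ev),
        }
        for ev in events
    ]


# Constructed events: the genuine updater, an impostor carrying the same file name
# dropped into a temp directory, the genuine updater copied under a new name, and
# a binary nobody has seen before.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Vendor\updater.exe", KNOWN_GOOD[r"c:\program files\vendor\updater.exe"]),
    ProcEvent(r"C:\Users\bob\AppData\Local\Temp\updater.exe", sha256_hex(b"constructed: dropper")),
    ProcEvent(r"C:\Users\bob\Downloads\notes.exe", KNOWN_GOOD[r"c:\program files\vendor\updater.exe"]),
    ProcEvent(r"C:\Users\bob\Downloads\tool.exe", sha256_hex(b"constructed: unknown tool")),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(f'{row["by_name"]:5} {row["by_hash"]:5} {row["note"]:50} {row["path"]}')
```

The name-based policy waves the impostor through because it only ever sees "updater.exe"; the hash-based policy blocks it. Note the event the hash policy allows but the name policy blocks: a genuine binary copied somewhere new is exactly what abuse of legitimate tooling looks like, so it deserves a look rather than a silent pass. Neither policy sees the case Bigman puts first, code that runs inside a process that was already allowed, because a process-creation event records the host binary, not what was later loaded or injected into it.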


Bigman painted a picture of the hacking community as ever-ready students of the industry they are such a menace to. They understand insecure code within the OS itself, and particularly its APIs (application programming interfaces), because they study code releases. They pay particular attention to backwards-compatibility code.

"There's an entire industry that does nothing but develop and sell zero-days against Microsoft operating systems," Bigman said. "And there is a similar industry for Linux."

The cyber miscreants are not just students of technology. They will stretch their monitoring to any area that will allow them to infiltrate valuable systems.

"They don't just study cyber problems; they study your organisation," Bigman said of hackers. "One Russian organisation noticed that this one company in the US had a contract with another company to provide their heating and air conditioning support. [The contracted company] monitored [the customer's] stores to make sure the temperature and humidity was [set correctly]. To do that they talked to the IT chief who ran that part of the infrastructure and they convinced him to give them access to the network. Without consulting anyone else in the company, including the CSO, I believe, they went ahead and initiated the contract. [The contracted company] began monitoring these stores and realised they had a lot of access to the corporate network, at one point even joking with one another, saying, 'Hey, you want to order some bicycles?'"

Delegates were able to guess that Bigman was referring to US retail giant Target.

Bigman also singled out Alureon (also known as TDSS and TDL-4) for mention. Alureon is a rootkit family behind a massive botnet, and it was notoriously difficult to remove because it infected the master boot record (MBR) of the target machine, so that it loaded before the operating system.

"This is probably the most sophisticated malware codebase that exists today," he said. "It comes right out of the Russian security service and is being used by hackers in Russia, China and everywhere else today as a foundation for [other] toolkits. Almost all of the US companies I have visited have at least one TDL-4 infection. I can't remember one where I didn't see it. It has some of the most sophisticated obfuscation techniques I have ever seen. It runs exclusively on some operating systems as a rootkit authorised kernel process and communicates in such a way that it runs at least three tests to ensure that the connection with the master bot will not be seen. And if it cannot guarantee that integrity, it doesn't run."


While Bigman painted a bleak picture, he shared some insight with delegates on what kind of measures are sound steps towards true security.

"I have done some studies on which companies have good information security programmes and which don't," he said. "And I know you think the big organisations with big programmes do it well. You would be wrong. It's about fifty-fifty.

"You tend to find that companies that have centralised IT management - a CIO that enforces ruthless standards and configuration management and processes in their business - tend to have the best security. It's not the size of the security organisation that matters; it's the influence of the security organisation that matters. What I find works well is if the CSO has the same influence as the CIO. And, by the way, the CSO should never work for the CIO. Never, ever. That's mistake number one."

As Bigman believes that products alone don't work, he advocated compartmentalising the network architecture into private and public components. In this model, private data and private communications never touch the Internet. Email, for example, would be split into employee-to-employee memos and external messages. External communications would pass through a single interface between the private and public infrastructures and be handled by relays in the public part. Bigman argues that the architecture would make threats to the important, private part easier to monitor, because there would be a single point of entry. The design also uses valve-like connections through which data can pass in one direction only. Since the most unwelcome malware is concerned mainly with exfiltrating data, its prime mission would fail.

Bigman also gave a list of technologies that hackers "don't like", including micro-virtualisation, digital rights management, malware sandboxing, Type 1 bare-metal hypervisors and encryption that operates in isolation from the file access method. He also recommended Microsoft's Enhanced Mitigation Experience Toolkit (EMET), which hardens applications against the exploitation of memory-corruption vulnerabilities by enforcing mitigations such as DEP, ASLR and SEHOP on processes that do not opt in themselves.

Awareness of one's own architecture always serves as a good first step, Bigman advised.

"You have to know where all your network interfaces are. I can't tell you the number of companies I've gone into where they [don't know]."


Source: (United Arab Emirates)
