A Focused, Expert Hacker Will Always Get Past Security: Experts Amazed Sony Made It So Easy For The Hackers
That is certainly something I have strongly argued on this blog these past two years. But, just like if you leave your keys in the ignition of your car and leave it parked while you go and run an errand — you are much more susceptible to having your car stolen — poor cyber hygiene is the equivalent to leaving one’s keys in the ignition. While the U.S. must not allow the Sony hack to go unpunished — many cyber security experts are surprised “Sony made it so easy for the hackers.”
Bruce Schneier, long considered one of the top cyber security guru’s in the world; and, who is currently a Security Technologist at Harvard Law School’s Berkman Center for Internet and Society, and Chief Technology Officer at Co3 Systems, an IT-Security Firm, had an Op-Ed in the December 20, 2014 Wall Street Journal, emphasizing that “a focused, expert attacker, will always get past security.”
Mr. Schneier writes, “your reaction to the massive hacking of such a company [Sony], will depend on whether you’re fluent in information-technology security. If you’re not, you’re probably wondering how in the world this could happen. If you are,” he writes, “you’re aware that this could happen to any company (though it is still amazing Sony made it so easy) he writes.
“To understand any given episode of hacking,” Mr. Schneier contends, “you need to understand who your adversary is. I’ve spent decades,” he adds, “dealing with Internet hackers (as I do now at my current firm), and I’ve learned to separate opportunistic attacks — from targeted ones.”
Low-End, Low Focus Hacks Are The Most Prevalent; And, Usually The Least Impactful, And Can Be Mitigated Relatively Quickly
“You can characterize attackers along two axes: skill and focus,” Mr. Schneier says. “Most attacks are low-skill, and low-focus — people using common hacking tools against thousands of networks worldwide. These low-end attacks include sending spam out to millions of email addresses, hoping that someone will fall for it; and, click on a poisoned link. I think of them as the background radiation of the Internet,” he writes.
“High-skill, low-focus attacks are more serious,” he observes. “These include the more sophisticated attacks, using newly discovered “zero-day” vulnerabilities in software, systems, and networks. This is the sort of attack that affected Target, JP Morgan Chase, and most of the other commercial networks that you’ve heard about in the past year, or so.”
High Skill/High Focus Hacks Are The Most Threatening
“But, even scarier are the high-skill, high-focus attacks — the type that hit Sony. This includes sophisticated attacks seemingly run by national intelligence agencies, using spying tools such as Regin and Flame, which many in the IT world suspect were created by the United States. Turla, a piece of malware that many blame on the Russian government; and, a huge snooping effort called GhostNet, which spied on the Dalai Lama, and Asian governments — leading many of my colleagues blaming China. (We’re mostly guessing about the origins of these attacks; governments refuse to comment on such issues.) China has also been accused of trying to hack into the New York Times in 2010, and in May, Attorney General Eric Holder announced the indictment of the Chinese military officials for cyber attacks against U.S. corporations,” Mr. Schneier wrote.
“This category also includes private actors, including the hacker group known as Anonymous, which mounted a Sony-style attack against the Internet security firm, HBGary Federal, and the unknown hackers who stole racy celebrity photos from Apple’s iCloud and, posted them. If you’ve heard the IT-security buzz phrase, “advanced persistent threat,” this is it,’ he says.
“There is a key difference among these kinds of hacking,” Mr. Schneier argues. “In the first two categories, the attacker is an opportunist. The hackers who penetrated Home Depot’s networks didn’t seem to care much about Home Depot; they just wanted a large database of credit-card numbers. Any large retailer would do. But, a skilled, determined attacker wants to hurt a government, or leader enmeshed in a geopolitical battle. Or, ethical: to punish an industry that the hacker abhors, like big oil, or big pharma. Or maybe the victim is just a company that hackers love to hate. (Sony falls into this category: It has been infuriating hackers since 2005, when the company put malicious software on its CDs in a failed attempt to prevent copying).”
“Low-focus attacks are easier to defend against: if Home Depot’s systems had been better protected, the hackers would have just moved on to an easier target. With attackers who are highly skilled and highly focused, however, what matters is whether a targeted company’s security is superior to the attacker’s skills, not just to the security measures of other companies. Often it isn’t. We’re much better at such relative security than we are at absolute security,” Mr. Schneier says.
“That is why security experts aren’t surprised by the Sony story. We know people who do penetration testing for a living — real, no-holds-barred attacks that mimic a full-on assault by a dogged, expert attacker — and, we know that the expert always gets in. Against a sufficiently skilled, funded, and motivated attacker, all networks are vulnerable. But, good security makes many kinds of attacks harder, costlier, and riskier. Against attackers who aren’t sufficiently skilled, good security might protect you completely.”
“It is hard to put a dollar value on security that is strong enough to assure you that your embarrassing emails and personal information won’t end up posted online somewhere, but Sony clearly failed here. Its security turned out to be subpar. They didn’t have to leave so much information exposed. And, they didn’t have to be so slow detecting the breach, giving the attackers free rein to wander about and take so much stuff.”
“For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection, and response. You need prevention to defend against low-focus attacks; and, to make targeted attacks harder. You need detection to spot the attackers, who inevitably got through. And, you need response to minimize the damage, restore security, and manage the fallout.”
“The time to start, is before the attack,” Mr. Schneier advises. “Sony would have fared much better if its executives simply hadn’t made racist jokes about Mr. Obama, or insulted its stars — or, if their response systems had been agile enough to kick the hackers out before they grabbed everything.”
“My second piece of advice,” Mr. Schneier writes, “is for individuals. The worst invasion of privacy from the Sony hack didn’t happen to the executives, or the stars; it happened to the blameless random employees who were just using their company’s email system. Because of that, they’ve had their most personal conversations — gossip, medical conditions, love lives — exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now.”
“This could be any of us,” Mr. Schneier warns. “We have no choice but to entrust companies with our intimate conversations: on email, on FaceBook, by text, and so on. We have no choice but to entrust the retailers that we use with our financial details. And, we have little choice but to use cloud services such as iCloud and Google Docs.”
So, the bottom line, Mr. Schneier concludes is, “be smart. Understand the risks. Know that your data are vulnerable. Opt out when you can. And agitate for government intervention to ensure that organizations protect your data as well as you would. Like many areas of our hyper-technical world, this isn’t something markets can fix.”
Some Steps To Mitigate The Chances Of Being Hacked
First of all, Mr. Schneier is 100 percent correct. As the old saying goes, the only two sure things in life are taxes and death. If a well-resourced, sophisticated, and determined adversary wants into a particular network or IT ecosystem, chances are — sooner or later — they are very likely to get in. Best cyber hygiene practices, encrypting data at rest, two-step authentication, etc. are small things; but, taken holistically — they can negate or prevent/deter a majority of cyber breaches. Cyber criminals and others will go for the weakest link in the chain; or, even more worrisome — the trusted insider.
But, the cyber breaches of Target, Home Depot, JP Morgan, and Sony are all high-profile enough that the American public is finally beginning to understand the nature, character, and magnitude the cyber threat poses to our very way of life here in America.
Silicon Valley, social media, and the Internet of Things are extremely crucial to the U.S. economic engine. Without that sector of our economy, things would indeed be much more bleak for our economic future. Corporate America’s very DNA, resides on an IT ecosystem that is under constant assault. The U.S. has been taken to the cleaners with respect to protecting our intellectual property and critical research and development.
But, as Jonathan Zittrain writes in his book, “The Future Of The Internet, And How To Stop It,” “with the unwitting help of its users, the generative Internet is on a path to lockdown — ending its cycle of innovation — and facilitating unsettling new kinds of control.”
Future Of The Internet Is At Stake
As part of a series of reports marking the 25th anniversary of the Web, Pew Research Center’s Internet Project, in partnership with Elon University’s Imagining The Internet Project, asked nearly 1,500 Internet experts earlier this year — open-ended questions the future of the web.”
Bridigett Shirvell, writing in the March 11, 2014 website PBS.org, “15 Predictions For The Future Of The Internet,” the majority [of Internet experts] believe the Internet will become like electricity during the next decade, less visible; but, more important…and, embedded in everyday life. While a majority of the experts surveyed agreed that the Internet is likely to continue to grow/expand, there was disagreement on the implications — especially with respect to its good and bad aspects. But, for the first time since the survey began in 2004, ten years ago,, there were as many negative concerns as positive. “They worry about interpersonal ethics, surveillance, terror, and crime; and, the inevitable backlash as governments and industry try to adjust,” said Elon University Professor Janna Anderson, a primary author of the report.
Just as the Internet of Things is starting to gain traction, ‘The Internet of Threats’ is also surging. Will this latest nation-state cyber attack be a turning point in the future of how the Internet evolves; or, can we devise new ways to enhance the safety and security of the digital universe — which can save this new and wonderful entity. Otherwise, we are headed for a complete Balkanization of the Internet, with gated communities, ubiquitous encryption, and clever cyber malcontents and thieves — bent on gaining wealth, and prestige on the backs of others. V/R, RCP