DEFCON 19 - 2011 – Strategic Issues in Security
August 2011, by Michael Hayes, CTO of B-4-U Inc. / ROBOTS-4-U
DEFCON usually presents a number of issues that are very interesting from an executive management perspective, and this year was no exception, with a number of strategic issues in cyber security. These issues span security events that are impacting, and will impact, organizations over the next 2 to 10 years. Examples include new Top Level Domains (TLDs), IPv6 and Advanced Persistent Threats (APT), to name a few.
Three presentations fall into this strategic realm: “Cyber Security Trends” by Rick Howard, “Strategic Cyber Security” by Kenneth Geers, and “Assessing Civilian Willingness to Participate in an Online Conflict” by Thomas J. Holt. What is interesting about these presentations is that they key in on issues that have been talked about but not necessarily acted upon. Many of them are new technology issues that are going to change the behavior of corporations, and perhaps of some nations.
The most telling phrase of the conference was that the Chinese government is “pushing for IPv6 to reduce or eliminate anonymity on the networks”. This will change the behavior of both abusers and legitimate users on the network, and it will of course be a multi-year transition. Note that IPv6 does not remove anonymity by itself (the RFC 4941 privacy extensions exist precisely so that hosts can use temporary, changing addresses); the effect depends on how addresses are assigned and registered.
Network perimeters are changing. One of the big issues is that today’s networks are very porous, and “behind the firewall” is difficult to define from either a physical or a logical perspective. Jailbroken (or rooted) phones have been shown to be less secure than their unmodified counterparts and are targeted devices for malicious code. In fact, iDefense predicts “that at least one malicious application in the Android store will receive 50,000 downloads in the 2011 / 2012 time frame”.
iDefense outlines that 64-bit machines are a growing share of the market and that, from a security perspective, they are harder to compromise at the kernel level. 64-bit Windows includes Kernel Patch Protection (KPP, or PatchGuard), which periodically checks the kernel and critical system structures for unauthorized modification, and kernel-mode code signing, which refuses to load drivers that have not been signed with a valid Authenticode code-signing certificate. Malware authors have already adopted the signing tactic, obtaining or stealing legitimate certificates for their drivers, and this makes such rootkits hard for administrators to detect. The certificate authority responsible for the code-signing certificate may revoke it, but the revocation itself can be a challenge to detect and act on. The TDL rootkit family (TDL4, the 64-bit successor of TDL3, also known as Alureon/TDSS) bypasses the signing check in a different way: it overwrites the system’s master boot record (MBR) so that its code runs before Windows and its kernel protections are in place, and it can then load its own unsigned driver. It should be noted that user-mode rootkits, which need no kernel driver at all, are still capable of hiding files and system modifications from the user.
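The MBR overwrite described above is detectable on disk: the bootstrap code in sector 0 is vendor-supplied and identical across machines with the same loader, so it can be hashed when the system is known good and compared later, while the partition table that follows it legitimately differs per machine and is parsed rather than hashed. The following is an added example for this article, not code from the DEFCON talks or from iDefense; the 512-byte MBR it checks is constructed in-line so that it runs offline, and the boot-code byte strings are stand-ins, not real loader or rootkit code.

```python
"""Baseline comparison of an MBR to spot bootkit-style overwrites.

Added example for this article, not code from the DEFCON talks or from iDefense.
The sample MBR below is constructed so the check runs offline; on a real system the
same 512 bytes come from sector 0 of the boot disk, read from an offline image or
(on Windows, with administrative rights) from the raw device \\\\.\\PhysicalDrive0.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code; the 4-byte disk signature follows at offset 440
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # last two bytes of every valid MBR
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample MBR with one active NTFS partition (not a real disk image)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_signature = b"\x12\x34\x56\x78" + b"\x00\x00"
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (16 * 3)
    return code + disk_signature + table + BOOT_SIG


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only; the partition table varies per machine."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries, skipping empty slots (type 0)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:
            parts.append({"index": i, "active": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return parts


def check_mbr(mbr: bytes, baseline_digest: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    if len(mbr) != MBR_SIZE or mbr[-2:] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
        return findings
    if boot_code_digest(mbr) != baseline_digest:
        findings.append("bootstrap code differs from baseline")
    active = [p for p in parse_partitions(mbr) if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    return findings


# Constructed stand-ins for the vendor boot code and for a bootkit's replacement.
# Both start with the usual 'xor ax,ax / mov ss,ax / mov sp,7c00h' prologue.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"CLEAN-LOADER-STUB"
ROOTKIT_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"OVERWRITTEN-BY-BOOTKIT"

CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
BASELINE = boot_code_digest(CLEAN_MBR)        # record this while the system is known good
INFECTED_MBR = build_sample_mbr(ROOTKIT_BOOT_CODE)

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE) or "matches baseline")
    print("infected:", check_mbr(INFECTED_MBR, BASELINE))
```

One caveat for anyone running this against a live machine: an active bootkit of this kind filters disk reads from inside the running kernel so that sector 0 appears unmodified to the operating system. The comparison is only trustworthy when the bytes come from an offline image or from a system booted from trusted media, which is also why the baseline digest should be stored off the host.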
A number of the presenters indicated that the Advanced Persistent Threat (APT) is a major threat for Fortune 500 companies, government agencies and institutions, and especially for defense contractors. “The entry point for many of these attacks is ‘Low Distribution APT Malware hiding in plain sight’. Anti-virus programs are not likely to detect malware of this type very quickly; attackers distribute this type of malware in very small numbers, such as to those users who are targeted in attacks often characterized as APTs.”
“Vulnerability trends are changing, with increases in out-of-band patches from notable software vendors. The vulnerability disclosure landscape dramatically changed over the course of the last few years. The emergence of multiple vendor bounty programs, the increase in standard payment for vulnerabilities, and the creation of coordinated vulnerability disclosure re-energized relationships between security researchers and vendors.”
Major vendors have now implemented off-cycle updates to plug security holes. This is a response to the increased discovery of threats and vulnerabilities, which is in part due to the bounties offered by companies like Google, Mozilla, Cisco and other Internet suppliers. In turn this has caused a bidding war for independent researchers’ efforts, raising the industry’s standard payment for vulnerabilities.
WikiLeaks is an example of hacktivism that attracted worldwide attention. Other groups, like Anonymous, hit the headlines with their support of the founder of WikiLeaks. The threat of groups using cyber attacks to promote their agendas is ever increasing, and individual corporations now have to protect themselves both from organized hacktivism and from the other threats in the wild.
Cyber Security Disruptors (Ten Years Out) as identified by iDefense and other presenters.
SCADA – attacks on SCADA and other infrastructure control systems have already occurred, and industries like petrochemicals, electric power and water are now under threat from attacks on their SCADA and control systems. These threats are real and have become a big concern; in most EU and North American countries this is recognized as a growing problem.
Cloud Computing – is now a fact of life for most corporations, and it opens up different issues, both legal and technical, regarding the protection and privacy of networks and data: ownership of data and applications, off-shore hosting, international boundaries and, of course, how secure the hosting companies that provide “cloud computing” actually are. What security and malware protection do they manage? Who is responsible for PCI and other security audits, and how can they be carried out?
APT – intellectual property is at risk, and this is an unmeasured threat. There are concerns that many corporations already have this threat in their underlying IT infrastructure, waiting to be triggered at a later date. The biggest issue is that this is like finding a needle in a haystack, and few companies can find this threat themselves; only a few, like Raytheon in the U.S., have had any real success in discovering these types of threat.
Cyber Terrorism – is a growing concern. As the impact of Stuxnet on infrastructure and control systems has demonstrated, there is a serious concern that malevolent organizations will strike at control systems and cause damage, out of revenge or rage, equivalent to a kinetic attack.
Metaverse and Virtual Universes – are part of the daily life of many employees, and this of course opens new, untested attack vectors. In the next 5 to 10 years, marketing, product testing and new ways to connect to customers will move into these universes. As the number of users grows, so does the chance of new exploits in this environment, and it will become a hotbed of malware, viruses and network and application penetrations.
Mobile Platforms & Application Stores – are a great source for users to pick up useful functions that they need. The problem is that these stores may also be the source of a variety of new malware applications and viruses, damaging individual smart devices but also providing a stepping stone into the enterprise. This can open new holes in the already challenged fabric of a secure network.
INFRASTRUCTURE Shifts and Changes – a number of security advocates and strategic visionaries have identified that the only way to secure the Internet is to introduce a fundamental change to it. The comment by the Chinese government, “pushing for IPv6 to reduce or eliminate anonymity on the networks”, reinforces this, at a cost. Two changes in the infrastructure are DNSSEC and IPv6, and these are, and have been, the start of a very complex set of changes. The transition to IPv6 will introduce a period of parallel infrastructures and new attack vectors (dual-stack hosts that are reachable over IPv6 while perimeter controls and block lists only cover their IPv4 addresses, and tunnelling mechanisms that carry IPv6 across IPv4-only firewalls), but they are very necessary changes.
Infrastructure changes driven by the market include the introduction of new domain extensions and international (non-English) domain names. These two activities will introduce complexity into block list management (the same name can appear in Unicode form and in punycode “xn--” form, and every new TLD is another namespace to cover), and may cause companies to look at outsourcing this function at the enterprise level.
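The block list complexity raised in the last two points is concrete: the same internationalised name can be written in Unicode or in its punycode “xn--” form, and the same IPv6 address has several textual spellings (zero compression, upper or lower case, an IPv4-mapped “::ffff:” form, a bracketed or zone-qualified form), so a list that compares raw strings silently misses matches. The following is an added example for this article, not code from any of the DEFCON presenters; the block list entries and the indicators checked against it are constructed, and the names used are documentation/example names rather than real block list data.

```python
"""Normalise domain names and IP addresses before matching a block list.

Added example for this article, not code from any of the DEFCON presenters.
The block list entries and the indicators tested against them are constructed.
Covers the two cases the text raises: internationalised names written in either
Unicode or punycode, and IPv6 addresses that have several textual forms.
"""
import ipaddress
import unicodedata


def normalize_domain(name: str) -> str:
    """Canonical form: lower-case, NFC, no trailing dot, every label as an IDNA A-label."""
    name = unicodedata.normalize("NFC", name.strip().rstrip(".")).lower()
    # str.encode("idna") maps "bücher.example" to "xn--bcher-kva.example" and leaves
    # a label that is already ASCII (including an existing "xn--" label) unchanged.
    return name.encode("idna").decode("ascii")


def normalize_ip(text: str):
    """Parse any textual form; an IPv4-mapped IPv6 address collapses to the IPv4 host."""
    addr = ipaddress.ip_address(text.strip().strip("[]").split("%")[0])  # drop [] and zone id
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def load_blocklist(entries):
    """Split raw entries into a set of canonical domains and a list of networks."""
    domains, networks = set(), []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            domains.add(normalize_domain(entry))
            continue
        mapped = net.network_address.ipv4_mapped if net.version == 6 else None
        if net.prefixlen == 128 and mapped is not None:
            net = ipaddress.ip_network(str(mapped))   # store ::ffff:a.b.c.d as a.b.c.d/32
        networks.append(net)
    return domains, networks


def is_blocked(indicator: str, domains, networks) -> bool:
    """True if the indicator, in canonical form, hits a listed domain or network."""
    try:
        addr = normalize_ip(indicator)
    except ValueError:
        pass
    else:
        return any(addr in net for net in networks)
    labels = normalize_domain(indicator).split(".")
    # a listed parent domain blocks every subdomain beneath it
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


# Constructed block list mixing the forms an operator actually receives.
BLOCKLIST_ENTRIES = [
    "Bücher.example.",        # Unicode, mixed case, trailing dot
    "malware.evil.example",
    "203.0.113.0/24",
    "2001:DB8:BAD::/48",      # upper-case hex
    "::ffff:198.51.100.7",    # IPv4-mapped IPv6 host
]
DOMAINS, NETWORKS = load_blocklist(BLOCKLIST_ENTRIES)

if __name__ == "__main__":
    for ind in ["www.XN--BCHER-KVA.example", "2001:0db8:0bad:0000::1", "198.51.100.7",
                "[::ffff:203.0.113.9]", "fe80::1%eth0", "good.example"]:
        print(f"{ind:32} blocked={is_blocked(ind, DOMAINS, NETWORKS)}")
```

Two design notes. Parent-domain matching is deliberate: once a TLD or a second-level name is listed, every new label under it is covered without a list update. And the standard-library `idna` codec implements IDNA 2003, which maps some characters differently from IDNA 2008 (the German “ß” becomes “ss”, for instance); a list shared with a resolver or proxy that uses IDNA 2008 should be normalised with the same rules on both sides, or the two will disagree on exactly the names that matter.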