It's not a fair fight. A hacker only needs to find one
tiny hole to break into a system, while we have to protect the entire universe.
If the hacker manages to find a system where the latest security patch is missing and he can exploit this vulnerability,
he is in. We have so many systems that run so much software that there is
always a vulnerability somewhere. It's not fair. I have thrown this lamentation
at my audience during countless presentations.
Do you know MythBusters, the often spectacular show with Jamie Hyneman and Adam Savage, which
aired on the Discovery Channel? Last Wednesday I felt like I was in a special
episode of it, when Etay Maor gave a keynote at ISACA's Risk Event entitled
“Busting cyber security myths”. The very first myth, which he busted, was
exactly what is stated in the paragraph above. Ouch.
He used the MITRE
ATT&CK matrix to make his point (I’m sorry, but the MITRE Corporation thinks you should write “attack”
that way). That matrix is fourteen columns wide, and the last one lists the
types of impact an attack can have: data manipulation and destruction, data
encryption (ransomware) and denial of service, to name a few. And all other
columns list things an attacker can do to achieve the desired impact. It starts
in the first column with all kinds of reconnaissance, followed by finding the
necessary resources, gaining access and then all kinds of steps aimed at owning
the intended system. Each column is a kind of drop-down menu. Not that an
attacker will use this matrix to decide how to proceed - the matrix is intended
for analysts, who can use it to gain a better understanding of an attack.
To make his point, Etay Maor has mapped REvil ransomware
to the MITRE ATT&CK matrix. That was actually quite easy, because that
ransomware has already been completely dissected on the MITRE website; Maor
only had to colour the corresponding boxes in the matrix. This resulted in no
less than fourteen red squares in seven different columns. Many of those boxes
contain sub-items. The last column, with the impact, contains another four red
boxes. So the maker of REvil had to do a lot more than find just one hole. The
complete table of activities for REvil is forty rows long. By the way, REvil is
not just ransomware, but ransomware-as-a-service
(RaaS). This means that REvil is a service that can be hired by others. Yes
people, the underworld has service providers, too.
Back to the allegedly unfair fight. My starting point was
a ratio of one to infinity – one hole compared to the entire universe. Maor's
example brings the ratio to forty to infinity. I still think that it is
unfairly distributed, although I now look at it in a more nuanced way.
The question is: what do you do about it? How do you
protect the universe, or more specifically: the cyber universe? It starts with security
by design, including security from the outset in the design of your application
and your infrastructure. Because if the design of a new car is already
completely finished and you only then find out that it still needs brakes, then
you’re looking at a quite difficult – and expensive – job. Later on in the
process, during implementation, it is important to maintain that security
mindset. This is where craftsmanship comes into play. The brake lines must be
properly connected and testing for leaks is always a good idea. And once the
product is running, it is important to maintain it properly (in the car analogy
you take that for granted). That includes understanding that hardware and
software by definition contain errors, and that some of those errors not only can
be harmful to the security of the product itself, but also can have an impact
on other products. You must keep looking for these errors as long as the product is in
use, and any defects found must be remedied in a timely manner, before someone
else finds them and exploits them.
On Thursday 24 November, a special
will be published on the occasion of Check-your-passwords-day. That week’s
regular Security (b)log is cancelled.
And in the big bad world…
This section contains a
selection of news articles I came across in the past week. Because the original
version of this blog post is aimed at readers in the Netherlands, it contains
some links to articles in Dutch. Where no language is indicated, the article is
in English.
- The Digital Trust Center has already warned many companies about vulnerabilities. [DUTCH]
- Google pays hundreds of millions of dollars for collecting location data.
- You can, of course, also hack a satellite, says this head of space security.
- You shouldn’t hide your security cameras.
- Meta employees have hijacked Facebook and Instagram user accounts. [DUTCH]
- Maybe there is Russian software in your phone. [DUTCH]
- The government should better describe the privacy risks of using US cloud storage services. [DUTCH]
- The number of reports of WhatsApp fraud is falling. [DUTCH]
- Here's how to get back money lost due to WhatsApp fraud. [DUTCH]
- The football world cup harms your privacy. [DUTCH]
- A hospital employee accessed almost a hundred patient files illicitly. [DUTCH]