Perimeter Defense is Dead

Yet again, a critical vulnerability in commercial, high-end network equipment. This time, BIG-IP gear offers any hacker the ability to remotely access the management interface. The intruder doesn’t need authentication and can run any command. It’s rated a scary 9.8 (CRITICAL) on the CVSS scale, and it is being actively exploited.

If you still needed convincing that your network needs micro-segmenting or a zero-trust architecture, here is another piece of proof. This is not cheap consumer-grade gear. This is a highly reputable vendor of expensive equipment used by most large companies around the world. They can’t keep their devices secure, even though they are supposed to implement best practices in secure software development.

Depending on perimeter defense today is like being France in 1939 believing in the Maginot Line. If you are a CIO, today would be a good day to chat with your network team about just how securely segmented your network is.

Security is Somebody Else’s Problem

There is good reason security is invisible: It is Somebody Else’s Problem (SEP). In his geek classic “The Hitchhiker’s Guide to the Universe,” author Douglas Adams describes how the secret to making something invisible is to surround it with an SEP field.

Security is not actually invisible – I’m at an event in Copenhagen with 3000 security professionals this week. But it is still considered Somebody Else’s Problem by the rest of IT. Except for basic Authentication and Authorization, security is not on the minds of developers and system administrators.

We cannot magically make people care. We already know that to get good testing, we have to add professional testers to each team. To get a good User Experience, we need to add UX professionals to each team. We won’t get improved security until we also add security professionals to each team.

Do You Trust Amazon?

The default is no trust. You shouldn’t trust a random USB stick you pick up in the parking lot, and your customers and users don’t trust you. If you want trust, you have to be transparent in a way your users understand and appreciate.

Somewhere in the Amazon terms & conditions it probably says in illegible legalese that everything you say to your Alexa smart speaker can and will be used against you. Researchers have shown that your interactions with Alexa are reported to dozens of advertisers, and Amazon says the research is flawed. Who do you believe?

Amazon have hundreds of lawyers and are probably within the law. The problem is that they are not complying with users’ expectations. If you want any kind of goodwill from your users and customers, you have to meet their actual expectations. Hiding behind reams of legalese doesn’t cut it.

Vulnerability Chains

Are you sure you own your devices? Or do you just have a temporary ability to use them that could vanish any second?

Smart home enthusiasts taken in by Insteon marketing found out the hard way that their devices function at the sufferance of the Insteon servers. When the company abruptly shut down, users found none of their devices worked because everything depended on a connection to servers that were no longer there.

This is an example of a vulnerability chain where the Insteon servers proved the weakest link. Every networked device has a vulnerability chain from the client endpoint through multiple network devices until it reaches the server. Are you aware of the vulnerability chain from the card readers that control access to your building? Don’t be blindsided by a risk you hadn’t even considered.

Do You Let Convenience Trump Security?

Personal data on anyone is available from all the large U.S. social media platforms and ISPs to anyone who cares to ask. The mechanism is an Emergency Data Request (EDR). When law enforcement doesn’t have time to wait for a court order because someone’s life is in imminent danger, they send an EDR. This is simply an email from a law enforcement mail address. To send a fake EDR, you simply purchase a legitimate government email address from a hacker who has breached one of the more than 15,000 police forces in the U.S.

You would never divulge information on your customers based on just a plausible-looking email. But how do you ensure that expediency has not trumped security somewhere in your organization?

How are you Vetting New Packages?

Some of the code you depend on was written by Ukrainians, Russians, and hacktivists. Deep in the dependency tree of NPM packages your software depends on, you will find node-ipc. That package was recently drafted into the ongoing war in Ukraine. If you are in Russia or Belarus, it will delete your files. Otherwise, it will only write an anti-war message to stdout and put it on your desktop.

As a professional organization, you are surely not just getting the latest software packages directly from a repository on the internet. But what is your procedure for vetting new versions you incorporate into your blessed repository? With the current threat level, having a single overworked developer do this in addition to his normal development tasks is not a good idea.
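One way to turn the vetting gate above into a repeatable check, as an added example that is not part of the original article: audit an npm package-lock.json (lockfileVersion 2/3 layout) so that every dependency resolves to the organisation's own mirror and to a version someone actually reviewed. The registry host, the allowlist and the lockfile contents are constructed for the example, and the node-ipc version shown is a made-up number, not a reference to any real release.

```javascript
// Added example, not code from the original article: audit an npm lockfile
// against a "blessed" internal registry and a list of vetted versions.
// Every host, version and hash below is constructed for illustration.

const BLESSED_REGISTRY_HOST = "npm.internal.example"; // assumed internal mirror

// Versions a reviewer actually looked at before they were mirrored (constructed).
const VETTED = new Set(["left-pad@1.3.0", "node-ipc@9.9.9"]);

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return one finding per policy violation.
function auditLockfile(lock, vetted = VETTED, registryHost = BLESSED_REGISTRY_HOST) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project, not a dependency
    // Package name is whatever follows the last "node_modules/" segment,
    // which also handles nested dependencies and @scoped names.
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const id = `${name}@${entry.version}`;
    if (!entry.resolved) {
      findings.push({ id, issue: "no resolved URL, origin unknown" });
      continue;
    }
    const host = new URL(entry.resolved).host;
    if (host !== registryHost) {
      findings.push({ id, issue: `resolved from ${host}, not ${registryHost}` });
    }
    if (!entry.integrity) findings.push({ id, issue: "missing integrity hash" });
    if (!vetted.has(id)) findings.push({ id, issue: "version not in vetted allowlist" });
  }
  return findings;
}

// Constructed sample lockfile: one clean dependency, one pulled straight from the
// public registry with an unreviewed version, and one nested dependency with no hash.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-constructed",
      resolved: "https://npm.internal.example/left-pad/-/left-pad-1.3.0.tgz" },
    "node_modules/node-ipc": { version: "10.0.0", integrity: "sha512-constructed",
      resolved: "https://registry.npmjs.org/node-ipc/-/node-ipc-10.0.0.tgz" },
    "node_modules/left-pad/node_modules/tiny-dep": { version: "0.0.1",
      resolved: "https://npm.internal.example/tiny-dep/-/tiny-dep-0.0.1.tgz" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.id}: ${f.issue}`);
```

Run it against a real lockfile in CI and fail the build on any finding; the allowlist then becomes the record of who vetted what, rather than one overworked developer's memory.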

Cybersecurity Insurance: Read the Fine Print

When are you in a war? Your cyber security policy probably contains the standard exclusion: It does not cover acts of war. But when the war is being fought partially in cyberspace, it can be hard to tell if you are part of it.

Insurers tried to use the war clause to wriggle out of a cybersecurity claim lodged by Merck. Merck was hit by the NotPetya attack that spilled over from Ukraine into the systems of global shipping giant Maersk as well. The insurers claimed it was war, but a judge recently dismissed that argument and ordered the insurers to pay up.

The insurance industry is tightening up their exclusion language with new definitions from Lloyd’s Market Association. If you recently got an email from your insurance company with a boring “we have clarified the terms” subject line, read it carefully. You just might find that your insurance company has re-defined your cyber security coverage to be worthless.

Cybersecurity must be risk-based

Good cybersecurity is based on risk analysis. It is not based on locking down everything as tightly as you can.

I’ve been discussing the consequences of the war in Ukraine with several cybersecurity experts. Some argue that if you have to strengthen your defense now, it means it was too weak before. That is a fundamental misunderstanding of security. Security, like availability, reliability, and many other aspects of your technology, is a trade-off. Higher security costs more money and slows your organization down. You don’t always need maximum security. You need a security level that is appropriate to your risk.

Right now, cyber-warriors and vigilantes are firing indiscriminately in all directions. You might get caught in the crossfire even if you have nothing to do with either side in the war. That’s why your risk has increased and you need to strengthen your cyber security posture. When the war is over, you can reassess your risk again.

Check your defenses

Your risk profile just changed dramatically. You might think the war in Ukraine will not affect you, but your risk is higher than you think.

Do you know who ultimately writes the code your vendor delivers? Your contract is with a large system integrator in your own country. They outsource actual coding to several subcontractors, who sub-subcontract until the actual code is written by a team of three people in a basement in Kyiv. And right now, an adversary with nation-state resources is out to destroy the Ukrainian software industry along with the rest of the country.

Remember the attack that hit Maersk Lines a few years ago? They are the world’s largest container shipping company and have strong cyber defenses. Nevertheless, they suffered a two-week outage and lost $300 million because an attack on their Ukrainian subsidiary got through their defenses.

Revisit your risk management plan. You need stronger network security towards all your suppliers.

Shooting the messenger

Even though the clueless Governor of Missouri tried to shoot the messenger, he missed. Last year, a reporter published his findings that private data on more than 100,000 teachers was available to anyone who knew how to click “View Source” on a web page. The Governor held a widely-ridiculed press conference where he vowed to prosecute the “hackers” who had told the world about the incompetence of the state IT department.

A thorough report by law enforcement now roundly exonerates the journalist. It also exposes that personal information on more than half a million people had been available for a decade to anyone who cared to look.

Even professional IT organizations occasionally fail like the state of Missouri did here. You have a small, simple system, you are under schedule pressure, and you forgot to book time with the security team. So you roll it out without a security review. The antidote to this is to maintain a complete systems inventory with a field for the name and email of the person who did the security review. That will show you if this step got skipped, and allow you to quickly ask questions about any alleged security issues before you start shooting at the messenger.