In Rob Wright’s CRN article, Assume You're Being Attacked Right Now, cybersecurity expert Roger Cressey states that organizations “have not done a good job of trying to address the fundamental issues that are driving cybersecurity,” and I agree wholeheartedly. As someone who responds to cybersecurity incidents on a daily basis, I see firsthand the failures of both the private and public sectors. However, Cressey also claims that organizations “have to assume somebody is on your network right now,” which is the wrong way of thinking and the wrong form of motivation. Assuming your network is already breached should not be the driving reason for organization owners to invest in a better security posture.
I have been involved in cybersecurity for more than a dozen years now, and it still surprises me how often corporations deploy a flat network architecture. Granted, there are several reasons why a company would implement a relatively flat network: simplicity of operations and maintenance, a small number of users, and the ever-present factor of cost. However, companies that do so are missing two significant cybersecurity benefits of a network with well-planned segmentation.
When I wasn’t staffing our booth and tweeting clues for our annual $1,000 giveaway, I managed to sneak away and, you know, learn some stuff (session details are here). Here are a few quick hits:
Million Browser Botnet
Jeremiah Grossman and Matt Johansen from WhiteHat Security do not have good news for us. Attendees were reminded that when you visit a web page (yes, this one too), you are essentially letting the operator of that site run whatever JavaScript they like in your browser. Last year, they took us through an alphabet soup of rotten stuff that can happen to Aunt Susie when she browses to a page: CSRF, XSS, clickjacking (more on that below) and on and on. This year’s session was all about taking these attacks to the next level: running them at distributed scale. What would it cost to borrow the combined computing and network power of, say, a million web browsers?
Without hacking. As the presenters pointed out, “The web is supposed to work this way.” Bummer.
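What the borrowed-browser pattern looks like from the target’s side, as an added example that is not from the page or from the presenters: a small Node.js script that groups access-log lines by requested path and Referer and flags a burst of requests arriving from many distinct client IPs within a short window, which is the footprint a page-delivered script fanning out across many visitors’ browsers leaves in a server log. The log lines are constructed for this example, the format is Apache combined log, and the thresholds and the ad-host name are assumptions of mine.

```javascript
// Added example (not from the page or the presenters): detecting a burst of
// browser-originated requests that share a Referer but come from many IPs.
// Assumptions (mine): Apache combined log format; illustrative thresholds.

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Constructed sample log lines (not real traffic). Eight distinct client IPs hit
// /api/search within four seconds, all sent from a page on a hypothetical ad host.
// The remaining lines are ordinary traffic and a single-IP crawler for contrast.
const UA = 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/28.0';
const AD_PAGE = 'http://ads.example/landing.html';
const SAMPLE_LOG = [
  `203.0.113.10 - - [31/Jul/2013:10:00:01 +0000] "GET /api/search?q=a HTTP/1.1" 200 512 "${AD_PAGE}" "${UA}"`,
  `203.0.113.11 - - [31/Jul/2013:10:00:01 +0000] "GET /api/search?q=b HTTP/1.1" 200 512 "${AD_PAGE}" "${UA}"`,
  `192.0.2.5 - - [31/Jul/2013:10:00:01 +0000] "GET /api/search?q=1 HTTP/1.1" 200 512 "-" "ExampleBot/1.0"`,
  `203.0.113.12 - - [31/Jul/2013:10:00:02 +0000] "GET /api/search?q=c HTTP/1.1" 200 512 "${AD_PAGE}" "${UA}"`,
  `198.51.100.7 - - [31/Jul/2013:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "${UA}"`,
  `203.0.113.13 - - [31/Jul/2013:10:00:02 +0000] "GET /api/search?q=d HTTP/1.1" 200 512 "${AD_PAGE}" "${UA}"`,
  `192.0.2.5 - - [31/Jul/2013:10:00:02 +0000] "GET /api/search?q=2 HTTP/1.1" 200 512 "-" "ExampleBot/1.0"`,
  `203.0.113.14 - - [31/Jul/2013:10:00:03 +0000] "GET /api/search?q=e HTTP/1.1" 200 512 "${AD_PAGE}" "${UA}"`,
  `203.0.113.15 - - [31/Jul/2013:10:00:03 +0000] "GET /api/search?q=f HTTP/1.1" 200 512 "${AD_PAGE}" "${UA}"`,
  `192.0.2.5 - - [31/Jul/2013:10:00:03 +0000] "GET /api/search?q=3 HTTP/1.1" 200 512 "-" "ExampleBot/1.0"`,
  `203.0.113.16 - - [31/Jul/2013:10:00:04 +0000] "GET /api/search?q=g HTTP/1.1" 200 512 "${AD_PAGE}" "${UA}"`,
  `203.0.113.17 - - [31/Jul/2013:10:00:04 +0000] "GET /api/search?q=h HTTP/1.1" 200 512 "${AD_PAGE}" "${UA}"`,
  `198.51.100.7 - - [31/Jul/2013:10:00:05 +0000] "GET /api/search?q=shoes HTTP/1.1" 200 512 "http://www.example.com/index.html" "${UA}"`,
];

// ip ident user [time] "method path proto" status bytes "referer" "user-agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

// Parse a CLF timestamp such as 31/Jul/2013:10:00:01 +0000 into epoch ms (UTC).
function parseClfTime(s) {
  const m = /^(\d{2})\/([A-Za-z]{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || !(m[2] in MONTHS)) return null;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offsetMin = (+m[8] * 60 + +m[9]) * (m[7] === '-' ? -1 : 1);
  return local - offsetMin * 60 * 1000; // local wall time minus its offset is UTC
}

// Parse one log line; returns null for lines that do not match the format.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const ts = parseClfTime(m[2]);
  if (ts === null) return null;
  return {
    ip: m[1],
    ts,
    method: m[3],
    path: m[4].split('?')[0], // drop the query string so varied cache-busters group together
    status: Number(m[5]),
    referer: m[6] === '-' ? '' : m[6],
    ua: m[7],
  };
}

// Group by (path, referer) and slide a time window over each group; a group whose
// window holds at least minRequests from at least minDistinctIps is reported.
function findBrowserBotnetBursts(lines, { windowMs = 10000, minDistinctIps = 5, minRequests = 8 } = {}) {
  const groups = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    const key = `${e.path} <- ${e.referer || '(no referer)'}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e);
  }
  const findings = [];
  for (const [key, entries] of groups) {
    entries.sort((a, b) => a.ts - b.ts);
    let start = 0;
    for (let end = 0; end < entries.length; end++) {
      while (entries[end].ts - entries[start].ts > windowMs) start++;
      const window = entries.slice(start, end + 1);
      const ips = new Set(window.map((x) => x.ip));
      if (window.length >= minRequests && ips.size >= minDistinctIps) {
        findings.push({ key, path: entries[0].path, referer: entries[0].referer,
          requests: window.length, distinctIps: ips.size, windowStart: new Date(entries[start].ts).toISOString() });
        break; // one finding per group is enough for an alert
      }
    }
  }
  return findings;
}

// Run the detector over the constructed sample.
function analyzeSample() {
  return findBrowserBotnetBursts(SAMPLE_LOG);
}

console.log(JSON.stringify(analyzeSample(), null, 2));
```

Two caveats a practitioner should keep in mind. The Referer header is the strongest single clue tying the requests back to the page that served the script, but it can be absent (referrer policy, HTTPS-to-HTTP transitions), so a production check should also run the same window over path alone. And because each browser limits its concurrent connections per host, no single visitor looks abnormal; the number of distinct client IPs converging on one resource in a short window is the useful signal, not the per-IP rate.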