Regular readers of this blog may have noticed the occasional appearance of "Aunt Susie." She's my model for the ordinary mortal, one of the two billion Internet users who don't happen to be IT security experts.
One of the people who typifies my experience of Aunt Susie called me while I was on vacation last week (hey, did I miss anything?). Someone from Microsoft was on the phone, she said, and had scary things to say about a botnet infection allegedly involving her computer. (It's a well-documented scam: they get you to open the Windows "eventvwr" log display application, show you some cryptic, scary-looking errors, get you to install a remote access application so they can "fix" the "problems," and then they pwn you.) My friend literally had the scammer in one ear and me in the other as I advised her on how to handle the call. Eventually at my urging she reverted to a broken record: "tell me how to get back in touch with you and I might call you back." Above all what surprised me about the encounter was the persistence of the scammer (25 minutes!), even after knowing that his target had phoned a skeptical friend. She told me that the background noise sounded like a call center. How many people are out there dialing for dollars like this?
Lots, in fact. After the call was over I related this story to the folks I was traveling with. One reported that her mom had recently been targeted in the very same way. This, together with the volume of comments to the story linked above, suggests a staggering number of targets. In the same way that spam e-mail arose as a cost effective way to make money (most people don't bite, but you can cheaply cast a wide net with gadzillions of e-mails), this scam is made cost effective by the fact that you can staff up an overseas call center with squads of affordable, English-speaking "support reps" equipped with robodialing and VoIP technologies that cost a minuscule fraction of the long distance bills that would have made such a model unworkable just a few years ago. What makes this problem more challenging? How can we improve Aunt Susie's lot?
Computers are still intimidating, mysterious black boxes to most of the people who use them. Can the computing experience ever be friendly and secure enough that error logs like those in the Windows Event Viewer or the OS X Console are less amenable to being exploited by an attack like this? Or is there no escape from the sentiment expressed on the T-shirt we see year after year at hacker conferences: "Social Engineering Expert / Because there is no patch for human stupidity"?
I have a colleague who feels strongly that Aunt Susie simply shouldn't be permitted to operate a general purpose PC as a privileged user without "adult" supervision. iPads and Gatekeeper-equipped Macs for them only, I suppose (or maybe just i-Openers?). My colleague, quite naturally, would expect to be exempt from such draconian restrictions; I smirk to wonder whether he ever disables DEP on his Windows boxes.
It's helpful that Microsoft has a page about this sort of scam. There's some good general guidance reminding folks that Microsoft doesn't go around calling customers and asking for their credit card numbers. On the other hand, the very same page makes reference to the fact that Microsoft has, in fact, contacted customers directly during campaigns to take down botnets when warranted. How is Aunt Susie to know for sure when it's Microsoft on the line and not a scammer? Microsoft misses an opportunity to provide clearer guidance on how to authenticate a genuine Microsoft representative (an admittedly sticky wicket, but I'll wager they have enough smart folks on hand to work something out).
And the "let me call you back" approach we eventually took is no guarantee of a solution either: they may give you a toll number to call back and simply linger on the phone with you while you unwittingly pay them handsomely for the privilege.
Aside from improving on the basics (better user awareness, better endpoint vulnerability management, more robust trust relationships) I don't know if there's a solution to the challenge of keeping Aunt Susie safer on the Internet. But I do believe the task of finding it is an important one even if there is no way to keep an epic hack like the one involving Mat Honan from ever happening again. We expend significant resources in the development and deployment of technologies and processes for defending corporations against smart teams of foreign adversaries; why not do more to help their employees at home?
Are you worried about content-layer threats? According to the latest IANS research survey, you should be! The video below highlights the results collected by IANS from 105 security professionals, from companies with more than 1,000 employees, and offers some insight into what companies aren’t doing for their own security. So what did they learn? That people think that they are protected…when they aren’t. Companies mistakenly believe that their traditional security tools are sufficient even when they have undergone malicious attacks themselves that resulted in data theft.
We don’t want to give away too much, so check out this clip on the survey results!
I see two topics in the malware world today that bear some examination:
1. The lack of "Moore's Law" advancements in malware - and why
2. The players – who they are and what motivates them
The slow pace of malware advancement is easy to explain. Even while the march of processor advancements under Moore's Law is starting to slow, the people writing malware and other badly-behaved software have stuck to their plan: not doing a lot of work. Apply the minimum effort necessary to accomplish your goals, and exploit a hole that takes you a little time to find and that no one else knows about. It's clever, but more important, it follows the programmer's central ethos: laziness. The less work you do for the biggest payout, the better.
While some may be able to detect these advanced attacks, they are at best an extreme minority; the largest population is unaware of the attack until long after it happens, if ever. This is one of the biggest problems today: you can have data exfiltration or a subtle attack going on right under your nose and not know it. It doesn't even have to be sophisticated: FTP certainly isn't, but it's extremely popular for exfiltrating a large quantity of data quickly (and insecurely). You just have to be looking in the right place at the right time to see it. Why is it that no one (else) talks about this happening? The reason is that most people either don't know it's happening and so can't report it, aren't legally obligated to, or are too embarrassed to say anything. I think the Verizon 2012 Data Breach report backs this up nicely. It shows that the time to discovery is months, not hours or days, and that breaches are most often reported by external sources.
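The "looking in the right place at the right time" point above is concrete enough to show in code. The following is an added example, not code from the original post: it sweeps a batch of constructed flow records (timestamp, source, destination, port, protocol, bytes out, bytes in) and flags internal hosts that have pushed more than a threshold of data over FTP ports to addresses outside an assumed 10.0.0.0/8 network, noting whether any of it happened in an assumed off-hours window. The record format, the internal address range, the 100 MiB threshold and the sample lines are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records, not data from the original post. One
# connection per line: timestamp src_ip dst_ip dst_port proto bytes_out bytes_in
SAMPLE_FLOWS = """\
2012-08-13T02:10:01 10.1.4.22 203.0.113.8 21 tcp 1204 980
2012-08-13T02:10:05 10.1.4.22 203.0.113.8 20 tcp 734003200 412
2012-08-13T02:11:40 10.1.4.22 203.0.113.8 20 tcp 512000000 388
2012-08-13T09:15:12 10.1.7.9 10.1.250.5 21 tcp 22000 3000
2012-08-13T09:16:00 10.1.7.9 10.1.250.5 20 tcp 90000000 200
2012-08-13T11:02:44 10.1.9.3 198.51.100.40 443 tcp 45000 1200000
2012-08-13T11:03:10 10.1.9.3 198.51.100.77 21 tcp 800 600
"""

# Assumed internal address space for the constructed environment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FTP_PORTS = {20, 21}                   # control port and active-mode data port
DEFAULT_THRESHOLD = 100 * 1024 * 1024  # assumed: 100 MiB outbound via FTP per host
OFF_HOURS = range(0, 6)                # assumed quiet period, 00:00-05:59


def parse_flows(text):
    """Turn the whitespace-separated flow lines into dicts, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # malformed line: skip rather than abort the whole sweep
        ts, src, dst, dport, proto, out_b, in_b = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto,
            "bytes_out": int(out_b),
            "bytes_in": int(in_b),
        })
    return records


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def ftp_egress_by_host(records):
    """Sum bytes sent over FTP ports from internal hosts to external addresses."""
    summary = defaultdict(lambda: {"bytes_out": 0, "dests": set(), "off_hours": False})
    for r in records:
        if r["proto"] != "tcp" or r["dport"] not in FTP_PORTS:
            continue
        if not is_internal(r["src"]) or is_internal(r["dst"]):
            continue  # only internal -> external flows matter for exfiltration
        entry = summary[str(r["src"])]
        entry["bytes_out"] += r["bytes_out"]
        entry["dests"].add(str(r["dst"]))
        if r["ts"].hour in OFF_HOURS:
            entry["off_hours"] = True
    return dict(summary)


def flag_suspicious(text, threshold=DEFAULT_THRESHOLD):
    """Return {host: summary} for hosts whose external FTP egress exceeds the threshold."""
    summary = ftp_egress_by_host(parse_flows(text))
    return {host: s for host, s in summary.items() if s["bytes_out"] > threshold}


if __name__ == "__main__":
    for host, s in flag_suspicious(SAMPLE_FLOWS).items():
        print(f"{host}: {s['bytes_out'] / 2**20:.1f} MiB via FTP to "
              f"{sorted(s['dests'])} off-hours={s['off_hours']}")
```

On the sample data only 10.1.4.22 is flagged: its two data-port connections to 203.0.113.8 add up to well over a gigabyte, sent at 2 a.m. The host-to-host FTP inside 10.0.0.0/8 and the tiny control-channel exchange from 10.1.9.3 are ignored, which is the point: the bytes were in the logs all along, and the only thing that surfaced them was a query that asked the right question about outbound volume, destination and time of day.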
The second issue is far more insidious, namely who the bad guys, or players, are. They range from those interested in seeing what they can do, to those with a political agenda, and even to state-sponsored bad behavior now that cyber warfare is seen as a "spy-like, clean warfare" tactic. There was a huge panic (and let's face it, our industry is rife with panic inducement) about insider threats. They do exist, but it's been shown by many, including Verizon as mentioned previously and Carnegie Mellon, that they are far in the minority compared with external threats. I have come to believe that your adversaries are highly focused on your particular market. Right now banks have public enemies coming after them (mostly unskilled, with financial grudges); government has interesting adversaries in foreign states sponsoring bad actors and in the high-profile types looking to deface government agency websites and steal classified data; pharmaceuticals have both financially-motivated and healthcare reform actors after them; and so on. I think a full analysis by industry of who is attacking and why would be an excellent thing to have. The most important use of this data set would be in telling us what tactics the attackers can and will use, based on the resources they have available and how "motivated" they are to get what they want.
There really are only two attack modalities. The first is the highly targeted attack, which is looking for something "damning", as was seen in the WikiLeaks attacks, or for something very specific, such as a nation-state or targeted attack aimed at one person or group. These highly targeted and persistent threats, whether against a company or an individual, have come to be known in the industry as Advanced Persistent Threats. The second modality is the splatter attack looking for as many victims as possible, like most financial scams designed to make money and get out fast. I think these both tie back into the overall motivations outlined above, but they go a long way toward understanding the kinds of attacks that have a higher probability of being used against a target.
While the future of malware is yet to be written, you can be sure it will continue to issue from resourceful, focused and lazy authors using any obscure vulnerability they can find that you haven't patched, and striking when you aren't looking. You need to remain vigilant to ensure you aren't losing data or being attacked without your knowledge. Finding this malware before it reaches your computers, or before you begin losing data, is a far less expensive proposition than the alternative.
I had the opportunity to attend the recently concluded Gartner Security Summit at National Harbor, just outside Washington D.C. Some of the sessions were really insightful (Howard Schmidt's talk, anything with John Pescatore) and there were a few that'll remain unnamed that weren't really my cup of tea. But the event lived up to its reputation - good content, smooth operation and great people.
Between all the talk of BYOD, mobile devices, the end of the perimeter and infrastructure based security attacks, I'm coming around to believing that some networks are almost 'Too Big to Secure'. Here's a set of observations to back this up:
- Large Enterprises are only getting larger, certainly in terms of business volumes, but also in terms of complexity. A large number of them have multiple 10Gbps links to the outside world and almost all of them have opened up to BYOD trends.
- Network security is lagging. For example, technologies with serious scalability constraints, like VM-based network-attached sandboxes for malware analysis, are seen as somewhat effective. But this effectiveness clearly applies to networks with modest traffic requirements and just cannot be used enterprise-wide. The effectiveness is also limited to a specific set of platforms and as we have more variety in end points, the viability of this approach is fading.
- Endpoint security is lagging. Mobile Device Management (MDM) is still in its infancy and a large number of popular mobile devices aren't covered by any of the vendors. Given the sheer variety in devices, I don't think this is their fault, but the day when enterprises only authorize BYOD devices that their MDM solution can manage isn't here yet. In the meanwhile, risks proliferate.
- Cloud deployments bring another set of challenges. There's a lot of work going on to manage multi-tenancy and hosting concerns but the other reality is that the set of network security tools available are strictly from the traditional bucket, such as firewalls.
So for the extremely large Enterprise, the layer of defense might simply be a firewall and IPS on the network and just the firewall in the case of third party cloud deployments. Add this up and the Enterprise comes to resemble the SMB market, while the smaller enterprise market gets to deploy with a variety of technologies, like sandboxes and full packet capture. Given that the large enterprise, by definition, has more to protect, this is untenable. Are we getting to the point where they're “Too Big to Secure?”