Hack The Planet

Because if you don't, who will?

Thursday, April 26, 2018

When your adversary makes a mistake…

There is a perception that cyber criminals and nation state hackers are untouchable, and that hacking or cybercrime is low risk to the attacker. While this may be true in some cases, we have seen more and more hackers caught and sentenced for their digital crimes. It has become very apparent that if you commit a digital crime, you have a pretty good chance of ending up in a physical prison cell.

How do we capture these criminals? Just like in real life, we look for their mistakes. Whether it is sharing pictures on Facebook, or forgetting to log in to an anonymizing service, these digital desperados are just people, and eventually everyone will slip up.

Napoleon said it well, “Never interrupt an enemy making a mistake.” We need to be patient and vigilant, because eventually our adversaries will make a mistake and we need to be ready for it.

That is all for now. Happy hacking!

posted by holliday at 8:57 pm  

Thursday, April 19, 2018

When the lights go out…

For years, information security researchers have warned about attacks on ICS (Industrial Control System) infrastructure at power and water facilities, but this year we may finally start seeing some executives taking it seriously…or are they?

In 2010, the world became aware of Stuxnet, an elegantly designed piece of malware targeted at SCADA (Supervisory Control and Data Acquisition) systems at Iran’s Natanz nuclear facilities. The goal of the malware was to cause the centrifuges at the facility to fail, and by all accounts it was very successful. Stuxnet woke up the information security world to the risk of what malware targeted against ICS/SCADA systems could do, and the risks we all faced. Sadly, many people in the C-Suite believed, as many people do, that attacks only happen to other people.

In 2017, the Triton/Trisis malware was discovered to be targeting a vulnerability in Schneider Electric’s Triconex firmware. One victim was reportedly in the Middle East, but how many organizations have been truly impacted is unknown. This RAT (Remote Access Trojan) triggered an emergency systems shutdown before it could deploy its payload, or we might never have discovered it.

One of the interesting functions in both of these malware samples is their ability to collect information from the systems they have infected. Stuxnet used this capability to replay information to the monitoring systems to show that everything was okay, while in reality the centrifuges were failing. Advanced and motivated adversaries build these carefully crafted attacks not only to cause destruction, but also to hide themselves and what is truly going on in the environment, extending their ability to cause damage. It is both impressive and terrifying.

In a recent survey by Tripwire, people from the energy sector were asked about their concerns, the classic “What keeps you up at night?”. The answers were interesting if not expected.

91% responded that they were worried about cyber attacks against their ICS systems. It makes sense that they would be concerned, but I wonder if the other 9% didn’t understand the question. If you are in the energy sector and are not worried about this, then you should be replaced because you don’t understand your threat model and what you are up against.

70% responded that they were concerned that an attack would result in a catastrophic event. With the capabilities that Stuxnet, Industroyer, and Triton have at their disposal, the likelihood of an incident that causes massive loss of life is growing.

The one statistic that I really want to share is that 56% of respondents stated that they will only see more security investment “Once there is a significant attack” against them. This is incredibly telling. This comes from the idea that it is cheaper to fail or be breached than to properly secure your environment. Sadly, this has proved out to some degree, and even more sadly, shareholders are valued over lives.

I am sure we will see even more attacks moving forward, and I can only hope that we learn how to properly invest in and protect our energy and water facilities before it’s too late.

posted by holliday at 1:08 pm  

Saturday, April 14, 2018

The Cybersecurity Talent Gap

It has been talked about for years, but the cyber security talent gap, or the ability to hire information security folks with any real expertise, is still massive. In a recent study it was taking some organizations over 6 months to fill a position. Couple that with the ever increasing rise in cyber crime, and it doesn’t look pretty.

I spoke on Cybersecurity Education a few years ago, and the numbers then showed we would have over 1,000,000 unfilled seats by 2019, and from other reports it looks like we are already there. We are seeing more and more need for individuals that can perform key cybersecurity duties, and a greater lack of skilled candidates than anticipated.

When I spoke, I mentioned we needed to train people using techniques such as gamification, and now a report from McAfee is looking at bringing gamers into the field. I think this is a good idea, but they have to want to make the jump. Cybersecurity is a lot of fun, but only for those who are passionate about it. Gamers may be more likely to enjoy it than others because they are used to having an active adversary they are competing against. I know I love it.

One thing that seems to have been lost in the talent gap is how we retain talent. As an industry we really need to make sure our executives and HR teams understand that it is easier to train someone than to hire the perfect candidate. Offering competitive training and helping your own people to future-proof their careers is a way to keep your best and most loyal employees, but also to differentiate your organization when you are trying to hire that ever-elusive candidate.

To end with some good news, it is only taking organizations 101 days to discover an incident, down from 416 days in 2011. I mean, it isn’t great, but we take any win we can.

posted by holliday at 4:59 pm  

Thursday, April 5, 2018

Another week, another…

Every week I wake up to news of a breach, or that a previous breach’s headcount has increased, or there is a new attack. We are still living in a digital wild west, where security sheriffs try and protect their town, but marauding bands of thieves continue to pillage with almost no risk of being prosecuted. Time to pull ourselves up from the latest news and get back to protecting our users.

Here are a few stories from this week that made the headlines and drove home the point that we have to do better.

After all of the news about Facebook giving third-party companies access to users’ data, which was then used against those users, the hits keep coming, with the number of users impacted rising to at least 87 million, and it will probably continue to grow.

As much as I love Panera’s soups and sandwiches, the way it deals with security vulnerabilities leaves much to be desired. If companies continue to behave like this, researchers will stop reporting vulnerabilities and the impact to the company will be much worse.

Anytime we make a tool for law enforcement, we must assume that it will be used by criminals, or in this case spies. Once a technology is available to anyone, it is available to everyone. We need to think about this as the battle over encryption and backdoors continues to be fought.

I like to end things on a fun note, so if you are going to be walking through a jungle you may not want to wear “Obsession for Men” unless you like the attention of cougars, and not the human kind.

posted by holliday at 8:43 am  
