The bombs that killed three people and wounded nearly 200 yesterday are a stark reminder that the odds are stacked against us when it comes to fighting crime.
While it appears that the response of the FBI, DHS, Boston Police Department, EMS and others was reasonably coordinated and effective, these situations inevitably raise recurring questions.
- Were we prepared?
- Who did this?
- Why did this happen?
- Could this have been prevented?
Governments, embassies, corporations and other entities have spent much time, money and energy in the hours since the Boston bombings reviewing (maybe panicking) and fortifying their protections.
And while this latest horror has caused all of us to ask these questions of ourselves, there is truly only one question that matters.
- Is what we’re doing to protect ourselves really worth it?
At a time like this, when lives have been lost, Presidents are holding press conferences and emotions are high, this question seems callous.
This is not to suggest that we shouldn’t be putting protections in place – far from it. In fact, I’d argue that all too often we as human beings would rather “take our chances” than protect ourselves proactively. It’s exactly why we see businesses getting owned by hackers every day.
But oftentimes we see the knee-jerk reactions caused by these events distracting us from the real objective. If we had just stayed the course and done a decent job of understanding our risks all along, we may not have been so vulnerable in the first place.
So we mourn our losses. These tragedies seem unavoidable, and perhaps they are.
But if we don’t learn from our mistakes it is all for nothing.
Two weeks ago travelers in the Austin, TX Amtrak station got a big surprise – a squad of anti-terrorism forces armed with assault rifles and specialized inspection equipment. It was just one of hundreds of [probably not so] random appearances being made by the Transportation Security Administration’s (TSA) VIPR Team all across America.
The VIPR (Visible Intermodal Prevention and Response) team is not new; in fact, it was launched in 2005 after the train bombings in Madrid. Its tactics, however, have been changing over time. Random appearances are part of their “new strategy”.
Since September 11, law enforcement and counter-terrorism agencies have been focusing on the areas that, at the time, appeared to have the greatest exposure. Airlines, densely populated urban areas and critical infrastructure all made the list.
Unfortunately our enemies are smart enough to strike where our defenses are least fortified.
Enter the VIPR Team.
The bombing in Madrid ushered in a new phase of terrorism, and subsequently a new phase of security. Our enemies began attacking softer targets, becoming more unpredictable. It was the definition of terror. We could take a few lessons from this new thinking.
During a half-day conference in Albany, NY recently we had the opportunity to speak to over one-hundred security professionals about the current state of information security. We discussed current trends, new threats and some recently targeted organizations. When it was over, we passed around a pocketknife and about a hundred audience members joined our wolfpack.
Perhaps most important of all the topics we discussed was the failure of the things we trust most in information security today: cornerstones like defense in depth, antivirus and least privilege. They all sound great, but the problem is, they’re not working.
Maybe it’s because we don’t have the resources. Maybe it’s because security still isn’t a priority for many organizations. Maybe it’s because we’re not measuring performance.
Or maybe, just maybe, these things are so predictable that our enemies know exactly how to get around them.
If I were an Internet criminal operating out of an undisclosed country in Eastern Europe, I would have a pretty good idea of where to start. I’d know which rootkits and payloads I’d need to deliver, and how to get them to their intended targets.
I’d know pretty much what to expect once my backdoor was operational, and I’d have a pretty good idea of how to pivot around my subject’s network. I’d know how to exfiltrate my objective and which tracks to cover.
And this goes for any organization.
How could this be? It’s not because I’m that smart or have intel on every company out there. It’s because most organizations [don’t] defend themselves in the same way.
So here’s an idea: the next time an uninvited intruder shows up on your network, surprise them. Utilize a control in a different way or implement it somewhere it normally isn’t found. Take a look at all of the things you’re doing, turn them 90 degrees, spin them once, give them a kick and see where they land. If they could be effective there in a different way, consider making the change.
Predictability is a vulnerability in itself. The VIPR Team has figured this out and so can we.
Doomsday Preppers, National Geographic Channel’s new hit series, is awesome.
The show follows various survivalists through their daily lives as they prepare for the end of civilization as we know it, whether it be from massive economic collapse, nuclear war, the melting of the polar ice caps or the failure of the power grid.
Each prepper, and sometimes their families, friends and neighbors, has undertaken serious precautions, from stockpiling months of non-perishable food and water, to training in self-defense, to building bunkers in the desert. All based on their belief that at some point – in their lifetime – they will need it.
They are then scored by survival experts in five categories of survival: water, food, shelter, security and an x-factor.
Some score quite well. Others? No.
Most people find it entertaining due to the uniquely odd and dysfunctional nature of the preppers themselves.
I recall one episode specifically where one prepper had stockpiled nearly 50,000 rounds of ammunition, built a sniper nest in a tower, and then proceeded to have his ear blown off because his companion had no experience with firearms and because he wasn’t wearing appropriate ear protection.
Sometimes it’s the little things.
But I find it entertaining for different reasons.
First, if you ask the experts that are closest to these scenarios – financial collapse, cyberterrorism, chemical and nuclear weapons – they’ll tell you that the likelihood of them making a significant impact on our lives is higher than most think.
The joke’s on us.
Second, human beings aren’t very good at identifying the real threats in any situation.
In the event that water, food and shelter become scarce due to some epic disaster, the threat isn’t going to be the flood waters, chemical agents or viruses. The real threat will be your neighbor.
People are always the biggest threat.
Hurricane Sandy was a massive storm, but one could argue that the worst damage was fairly localized. If you lived on the Jersey coast, lower Manhattan or Long Island, things were very bad, but outside of those areas you may have only gotten a little rain.
Yet inside of two weeks people were pulling guns and knives on each other, just to get in line for gas. What would it have been like if the damage had been more widespread and the shortage sustained?
We saw the same behavior during Katrina. People were killed for food and guns. Society started breaking down. Quickly.
By nature we are all survivalists. It’s why we have a massive brain and opposable thumbs. The human race has endured for thousands of years because this is how we’re programmed. In many ways, we’re all Doomsday Preppers.
What’s your score?
Piracy off the coast of Somalia has dropped off dramatically in 2012. Successful hijackings of American and other ships have decreased from 31 in 2011 (and 49 in 2010) to only four so far in 2012.
Unsuccessful attacks have also decreased, falling from 199 reported attacks in the first nine months of 2011 to 70 attacks over the same span in 2012 — a 65 percent drop.
However, diminished activity has not resulted in a decrease in the cost of sailing around the Horn of Africa.
Pressure continues to mount on international trade partners to increase the security of their vessels passing through these once heavily pirated trade routes. The risks of shipping goods through these waters increased to a point where excessive defensive means were necessary, both politically and militarily.
But risk avoidance has come at a high cost.
Anyone in the defense contracting business knows that these services are expensive. Water cannons may be cheaper, but they just don’t have the same effect.
And so we see several examples of Risk Management at work here, on both sides of the proverbial coin:
- International shippers made the decision to spend X on armed guards, along with their required equipment, firearms and ammunition. In addition, the countries involved have begun increasing their naval presence, coordination and response plans to counter these activities, all at increased costs. All of this to protect a bounty worth Y. We expect that if and when X exceeds Y, these practices will be suspended, and the shippers will go back to taking their chances.
- Somali (and other) pirates on the other hand, could at one time hijack a ship with four men, a couple of Kalashnikovs and a ladder, at a cost of X. To be successful today, they require far greater coordination, communications, firepower and manpower. Their costs have increased dramatically, while the bounty remains at Y. Factor in the recent increase in likelihood of death by armed paramilitary, and the decision becomes even clearer. The costs have outweighed the benefit.
Any organization today can apply the same methodology to make decisions about the procurement and implementation of security controls, even though they may not be shipping food, fuel and jewelry through international waters.
In a recent conversation with a prospect we discovered that a number of edge security devices were upgraded, to the tune of $80K. The obvious questions were launched:
- Did these investments address your most critical risks?
- Were these investments worth it?
Like any good cliffhanger, I’ll leave the responses to another post. Let me instead redirect and suggest that you ask yourself the same questions of your own investments.
You may also want to ask yourself if you’re the shipper, the pirate or both.
Luckily for us, we’re the armed guards.
On Wednesday, January 11, as the USS John Stennis and three other carrier battlegroups arrived in the Gulf region, two anonymous hitmen rode up alongside the Peugeot 405 being driven by Mostafa Ahmadi-Roshan and “pasted” magnetic shape charges to the cabin exterior. They exploded seconds later, destroying the interior of the vehicle and leaving their surroundings untouched.
This bold, high-tech act comes on the heels of two other attacks, both aimed at disabling or stalling Iran’s nuclear capabilities.
The first is a series of suspicious explosions at Iran’s nuclear facilities, one of which killed another top scientist. These explosions were documented by US satellites, which clearly demonstrate the origin and impact of the blasts. These explosions occurred “around the time” that Iran was found to have in its possession an RQ-170 stealth drone.
It is suggested that the Lockheed Martin RQ-170 Sentinel is designed primarily for reconnaissance. Of course, it’s 66 feet wide and weighs close to 10,000 pounds. That’s one mighty big camera. Oh, and it also has modular bays that can be adapted for “strike missions”.
The second is a high-tech operator that executed missions on the ground. Using covert tactics and the latest intelligence, this foot-soldier infiltrated Iran’s top-secret nuclear facilities and quietly disrupted core processing. Rapidly moving from reactor to reactor, this highly trained assassin combined speed, stealth technology and the latest weapons to sabotage Iran’s nuclear capabilities.
It wasn’t until the damage was done that this assassin was given a name.
We called him Stuxnet.
Now we can speculate whether or not Israel or the United States was behind Stuxnet, but one thing has become alarmingly clear – someone wants to destroy Iran’s ability to produce nuclear assets and weaponized software was a key component of the campaign.
Stuxnet, at its time hailed as the most sophisticated piece of malware ever conceived, marked the dawn of a new era. It was not the first time that cyberwar had been waged, but it was the first time that cyber was elevated to that rarefied ether of air, land, sea and space. Even the decompiled code was classified for a time.
Today, nation states are hard at work developing weaponized software that will disable their enemies’ critical infrastructure, destroy military intelligence and render nuclear and other traditional weaponry useless. Cyberwarfare is young, but maturing in dog years. Stuxnet already has one child, and they’re multiplying fast.
In October of 2011, it was made public that the United States Air Force experienced an outbreak of malware on a network associated with assets used to control drones in the Mideast. The origin of the malware was never declassified, nor was the resolution of the incident. Some of us thought that perhaps it was a US Government concoction once again targeting Iran that escaped the labs.
- Step 1: Build Malware
- Step 2: Infect Drone
- Step 3: Crash Flying USB Stick in Iran and Watch From Satellites as it Blows Up Nuclear Plant
Looking forward, it’s clear that software has become part of our military arsenal. We will continue to see more frequent headlines telling stories of cyberattacks on military installations, cyberespionage and weaponized software. Let’s remember that just as China and other countries have stolen our blueprints for drones, tanks and fighter aircraft, they have also built their own cyberweapons.
For now though, I’d turn down that job as an Iranian nuclear scientist.
There’s been a lot of chatter over the past week regarding the alleged breach of U.S. Military unmanned aerial vehicles, or at least the networks that they use to transport video streams back to Operation Command Centers in Nevada, or wherever their 19-year-old operators and joysticks are positioned.
The media have speculated that a virus, introduced from external media penetrated critical networks and was doing bad things. The Government has done its best to misinform and parry, suggesting (and confirming in some way?) that whatever malware did make its way onto its networks is just a nuisance. It was even suggested that the malware was the military’s own, a weapon that somehow escaped the labs.
Of course, the Department of Defense doesn’t comment on classified networks, so there’s a good chance we’ll never know the real story.
The real question we should be asking is, who cares?
I don’t mean to sound glib, but if Uncle Sam says it’s not a problem, maybe it’s not? After all, even if video streams from Unmanned Aerial Vehicles (UAVs) were intercepted, intended targets likely wouldn’t have time to escape before they were made into Afghani pottery anyway, so what’s the big deal? Perhaps, you say, the enemy is collecting intelligence on UAV flight patterns, so that it can predetermine and thus avoid detection. Perhaps.
Or perhaps this story is more important to the media than it is to the masses? Not unlike the incessant droning (sorry) on about malware being delivered to Android-based phones these days. It’s a [nearly] proven fact that over 10% of Android applications do things we don’t want them to do, whether they’re harmlessly hijacking GPS coordinates and personal information to push personalized ads to your browser or they’re outright malware stealing online banking credentials. Here’s the thing – people don’t care. Androids, and their applications stuffed with privacy-violating “features”, are flying off the shelves.
And when will it be time to start vulnerability scanning our cars? We’ve already seen Subaru Outbacks compromised using integrated Wi-Fi, and many vehicles’ braking systems are vulnerable to attack. And let’s face it – OnStar is a mass botnet just waiting to happen. Don’t look for the “Hardened Security Vehicle” checkbox at your local auto dealer – they don’t care either.
Perhaps the Department of Defense is giving us the cold shoulder because they’re a little embarrassed. Perhaps they’ve declassified this information because it’s helpful for the information security community. Or perhaps it’s because redirection and confusion are all part of their Computer Incident Response Team (CIRT) procedure.
Or perhaps they’re just teaching us a lesson. If we can care so much about a remote control airplane flying over a desert 7,000 miles away that we’ve never seen and will never have any effect whatsoever on us, why can’t we care about the stuff we use every day?
Like most people, I remember September 11, 2001 like it was yesterday.
It was a bright and beautiful afternoon as we drove north along the 3 headed back to Zürich, following a 10-day visit to Innsbruck, Venice, Milan and a number of other quaint countryside villages. I was visiting a good friend who had recently moved to Switzerland, and we were taking some time to enjoy Europe’s best sights. The Alps are breathtaking, no matter what time of year it is.
As we entered the city center and got closer to Andre’s apartment, we could feel the end of our trip growing closer. I was scheduled to fly out the following morning and Andre was headed back to work. As we mentally switched gears, we also switched radio stations, changing from the throbbing dance music that kept us hammering on the Autobahns to a local news broadcast. It was in German, so I only caught every fifth word.
I will never forget the look on Andre’s face.
“An airplane crashed into the World Trade Center”, he said in his thick Dutch accent.
Simultaneously piecing together in my mind what I just heard and sorting through the possibilities of mis-translation, I immediately began rationalizing what might have happened. Once I gathered my thoughts I explained to Andre that this had happened before, and that the buildings are so big that a small Cessna wouldn’t cause much damage.
For a while I lived in New York City just three blocks south of the World Trade Center. I lived in a large apartment on the 26th floor with a balcony that overlooked the towers. I walked through World Trade South nearly every day. My apartment didn’t need paintings or artwork; I had the New York City skyline.
“It wasn’t a Cessna, it was a jumbo jet.”
For Americans, everything changed on 9/11. The inconceivable events that transpired on that day shifted everything we knew in a different direction. Finances, politics, healthcare, education, relationships – everything we knew suddenly took on a different perspective. A different priority. But none of these things changed more than our position on security.
The 9/11 Commission spent nearly three years collecting, analyzing and documenting the 585 pages of data resulting from that day and the years leading up to those horrific events. In the end, the Commission determined that there was a single condition that made the events of that day possible.
We didn’t think it could happen to us.
As simple and sad as that seems, there’s another chapter to this story. We face a much greater threat today, and we find ourselves repeating history. The infrastructure that our very existence depends on is in jeopardy, and we have put our heads in the proverbial “9/11 sand”. An exploitation or compromise of our power, water or financial networks could result in a complete collapse of society and death tolls that bin Laden himself could not imagine.
This is not science fiction. Thanks to Hurricane Irene, we have seen very recently what power and water loss of only a few days can do to a community. Now imagine this on a global scale.
By the year 2020, there will be 50 billion devices connected to the Internet. There will be tens if not hundreds of thousands of hackers and organized cybercriminals. If it took the United States ten years to track down one man moving from cave to cave, how long will it take us to dismantle an organized network of 100,000 computer hackers?
On this, the ten-year anniversary of the worst security incident in United States history, I urge you to ask yourself the following question:
What are we doing to avoid Cyber 9/11?
As the owner of an information security firm, I spend a lot of time promoting security awareness and encouraging organizations to adopt an appropriate level of operational security (OPSEC) in their businesses. It has been proven time and again that humans have been and continue to be the greatest weakness in an organization’s security chain, primarily because the humans in question haven’t been given the right tactics, techniques and procedures (TTPs) to defend themselves, nor have they had adequate adjustments in attitude to want to do so. Today’s human firewalls tend to be as flawed as the firewalls plugged into countless datacenters.
I had breakfast this morning with a friend of mine who has been employed in various law enforcement agencies for all of his adult life. A highly certified and accredited individual, my friend (who I shall refer to as Harry) has worked in counter-terrorism, forensics, explosives interdiction, corrections and firearms training, among other things. Harry and I met for breakfast to talk about business, but were inevitably sidetracked by the latest juicy gossip of police raids on terror cells, unpublicized data breaches and gangs using the Internet to auction illegal firearms.
Over a couple of breakfast sandwiches we continued to talk about the problems that citizens and local businesses were having with gangs, drugs and the illegal firearm trade that has become so active in the Capital Region. I listened as Harry shared story after story of small businesses that were being increasingly terrorized by racist groups, crime and violence. For confidentiality purposes I can’t share specifics, but I can tell you that I was alarmed at the frequency and severity of the crimes that were occurring. As I processed all of this new information it occurred to me that if John Q. Public really knew what was going on in law enforcement, they would never leave their house.
And then it occurred to me – what if the same was true of information security?
I recently read an article that suggested that there should be more data breach notifications, rather than fewer. The idea behind the article was that with more notifications, we would learn more about current exploits and be better at addressing the threats and vulnerabilities behind them.
But imagine for a moment that the details of every data breach, malware outbreak and security incident were at once made public. One of two things would happen:
- With so much information made suddenly available, there would be no way to process it, and it would be useless. The number of data breaches and security incidents that go unreported is staggering, beyond comprehension in any meaningful way. The sheer volume of data would desensitize all but the most determined practitioner.
- The computing world as we know it would stop. I liken it to a mass, global outbreak of the AIDS virus – there’d be a whole lot less sex going on. Web properties like Amazon, eBay and Facebook would cease to exist, as would their trading partners. Credit cards would disappear. Banks would shutter and dissolve. Security is based on trust – when that trust is shattered, the systems that are built upon an implied system of security cannot survive.
The only way to prevent one of these two outcomes is to increase our awareness while improving our ability to identify and deal with our risks. Our very way of life relies on this.
And while it may seem far-fetched to think of our world regressing to a time before the Internet, before credit lines or before the first financial institutions, remember that there’s an ugly world going on out there. You just don’t know it yet.