Doug Lhotka

Technical Storyteller

Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

Striking back against cyber attack: tempting, but no

January 28, 2019 By Doug

Andy Kessler wrote an op-ed in the Wall Street Journal last week advocating for striking back against every cyberattack.  I’ve written before about why that’s a bad idea for private organizations, yet in this case he’s advocating for a government response.  While it’s very tempting emotionally, when we step back and look at the options and risk, it’s not really viable.

Look, I get it, we have nation state actors probing our networks, attacking our critical infrastructure, intercepting sensitive government communications, and conducting economic cyber espionage against us.  We, and every other nation state, do all of that except the economic espionage.  The argument is that if these were kinetic attacks, we’d be dropping bombs on the perpetrators before lunchtime, but unfortunately the analogy doesn’t really apply.

First, there’s the problem of vulnerabilities.  Unlike bombs where we can just manufacture more, once a particular exploit is used against a target, it’s likely spent.  Upon discovery it’ll be remediated, so if we’ve used it to ‘fire a warning shot’, we may not have a capability to take more aggressive action in the future.  That’s also true if it’s a simple credential compromise – once used, the credentials are changed, and we lose access for future action.

But what’s worse is the potential for the adversary to capture the exploit code and weaponize it against us.  Or, and history shows this to be likely, a targeted attack causes widespread collateral damage because the code is self-propagating.   Both bring us to the problem of stockpiling vulnerabilities versus having vendors patch them.  We use many of the same systems as the bad actors do, so we’re at as much, or more, risk than they are.  Put simply, I’d much rather have my water system or power grid patched so we stay up, than be able to take someone else’s down.

Of course, before we even have the option of hacking back, we have to know who hacked us to begin with. I’ve written in detail on the problem of attribution, and not much has changed.   If it becomes known that we hack back reflexively, we’ll see one actor spoofing attacks by another in order to create international chaos.   Hacking the wrong target, and even hacking the right one, risks significant escalation and puts our civilian population in jeopardy. The lead time to replace major components of our electrical grid, fuel pipelines, and water systems is measured in months, not days or weeks.  Yes, we’re at risk of that now if, as one CISO put it, “the cyber cold war turns into a cyber hot war”, but so far Mutually Assured Destruction (MAD) applies as much to cyber as it does to nuclear warfare.  It’s irrational, but it works – and we can even back up cyber-MAD with kinetic attacks too.

A better option is to unilaterally declare, much like the START treaty, a Strategic Cyber Arms Reduction Effort (SCARE, yeah, sorry) by aggressively testing and remediating vulnerabilities across our critical infrastructure.  Every vulnerability we find and patch removes the exploit from every cyber arsenal.  Fewer cyber arms makes for a safer world – and we have far more to lose than our adversaries.

Fortunately most of the impactful attacks at the moment are economic in nature, and deserve an economic response. We can’t conduct economic espionage because no American company would ever use that information – lawsuits abound (and the government isn’t exactly going to sell foreign credit card numbers on the black market!).  So the only viable option to address things like intellectual property theft, and one for which there’s widespread bi-partisan support, is via trade policy and other diplomatic efforts, which are underway.

Those two efforts aren’t perfect. Diplomacy is open to violation of agreements.   Testing and remediation is unlikely to find everything. Yet the combination is a far better option than playing chicken with critical infrastructure.

Filed Under: Security Tagged With: attribution, critical infrastructure, hack back, MAD, nation state, SCARE, security, START

Managing online risk – beyond the basics

January 2, 2019 By Doug

I had a conversation recently with someone who’s a ‘high value target’ about how to stay safe online and recalled an article earlier this year that a famous actress no longer will take selfies with fans because they include time and location information, as well as what she’s currently wearing.  She’s worried about stalkers.  While not exclusive to folks like celebrities and politicians – they really do have different threat models – we can all learn from their situation to help protect ourselves.

So this builds on my previous post about staying safe online, and touches on some of the same things, but unlike that one where the advice is broadly applicable, much in this one is about tradeoffs and risk tolerance.  Follow that previous advice, then check below for updates and more ideas.

Passwords

I continue to recommend 1Password from AgileBits as a password manager, especially with the new features (I’m a paid customer, and happy to be one).  Yet it depends on having a secure passphrase, and none of the old techniques (e.g. using the first letter of each word in a phrase) have enough entropy to resist modern attacks.  Instead use a long sentence – something like ‘shark tornado pine tree Snowman h3ll0’ – length is king.  If you do that, and don’t get hit with a keylogger, you probably will never need to change it.  Don’t worry, after a bit, muscle memory makes it easy to type.  Ditto for the password to unlock your computer.

Yes, this is somewhat inconvenient.  But it’s not optional for anyone these days – we’re all high value targets.
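As an added example (mine, not the post’s), here is the arithmetic behind ‘length is king’, plus a generator that draws words with the OS CSPRNG. The wordlist and the 10^10 guesses-per-second attacker rate are assumptions for illustration. The entropy formula only applies to words drawn at random; a sentence you compose yourself should be assumed to score lower than the figure for the same length, which is the practitioner’s argument for letting the password manager generate the passphrase.

```python
import math
import secrets

# Constructed, deliberately tiny wordlist for the demo; a real Diceware/EFF list has 7,776 entries.
DEMO_WORDS = ["shark", "tornado", "pine", "tree", "snowman", "river", "anvil", "copper",
              "lantern", "maple", "quartz", "velvet", "harbor", "meadow", "piston", "saddle"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from `alphabet_size` choices.
    Only valid for *random* draws; a phrase you made up is worth less than this."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time for an offline guesser: half the keyspace at the given rate."""
    return 2 ** bits / 2 / guesses_per_second


def generate_passphrase(words, count: int, separator: str = " ") -> str:
    """Pick `count` words with the OS CSPRNG (`secrets`), never the `random` module."""
    return separator.join(secrets.choice(words) for _ in range(count))


def compare_schemes(guesses_per_second: float = 1e10) -> dict:
    """Entropy (bits) and expected offline crack time (years) for several schemes.
    The guess rate is an assumed figure for a fast hash on GPU hardware."""
    year = 365.25 * 24 * 3600
    schemes = {
        "9 chars from a phrase's first letters (random upper bound, 62 symbols)": (62, 9),
        "6 words, 16-word demo list": (len(DEMO_WORDS), 6),
        "6 words, 7776-word list": (7776, 6),
        "8 words, 7776-word list": (7776, 8),
    }
    return {name: (round(entropy_bits(n, k), 1),
                   expected_crack_seconds(entropy_bits(n, k), guesses_per_second) / year)
            for name, (n, k) in schemes.items()}


if __name__ == "__main__":
    print(generate_passphrase(DEMO_WORDS, 6))
    for name, (bits, years) in compare_schemes().items():
        print(f"{bits:6.1f} bits  {years:12.3g} years  {name}")
```

Six words from a 7,776-word list is about 77 bits; eight words is about 103 bits, and each extra word multiplies the attacker’s work by 7,776, which is the sense in which length beats cleverness.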

Vendors

There is no such thing as a free puppy – everything has costs, and someone’s always getting paid. If you’re not paying, most likely they’re selling your personal information either ‘anonymized’ (which is often poorly done and reversible), or outright as your individual data.   Companies hide behind massive EULAs that no one reads, change terms and settings on a regular basis, and in some cases resort to dissembling, distracting and outright misleading statements – even to Congress.

So you need to choose what vendors you do business with.  I carry Apple devices because their business model isn’t based on exploiting their customers.  Do they gather data?  Sure. Do they also have an advertising business?  Yep. But of the options out there, they’re by far the best option.  I severely limit how and which social networks I use, including things like secure messaging (I use Signal instead), and would absolutely never use that identity to login to any other site or service.  Likewise, I’m in the process of switching my search engine default to DuckDuckGo (though I will use Bing, and then Google in a private window if I don’t get good results).

Two/Multi-Factor

Simply put, enable it.   If your vendor doesn’t offer it, or only offers SMS-based codes, complain or find a new one.  For most of us, SMS is better than nothing, but for a high-value target, SIM swapping (talking your carrier into moving your phone number to an attacker’s SIM) has become so easy that you need to move on to a vendor with a modern approach.

Apple has built 2FA into their devices, and 1Password now has integrated 2FA capability for most other sites.   App-based 2FA like Authy or 1Password even allows you to have multiple trusted devices, while others, like Microsoft, only support a single device, which is a risk in itself.  Note that this makes having a long and strong 1Password passphrase all the more important! Look for companies that support the TOTP standard.

Verbal passwords & Security Questions

This is so important I’m reviewing it again from the previous post.  Call every business you work with and add a verbal password to the account (store it in 1Password of course).  If the only field they have is ‘mother’s maiden name’, first, consider terminating your business relationship with them and switching to a vendor that cares about identity theft.   If you can’t, then at least create a unique word for each one – none of which can be found on your social media sites.  If they only offer the last four of SSN, won’t disable it as an option, and won’t add a verbal password, then find a new company to work with.  Full stop.  At this point that’s essentially negligent.

That’s one example of a ‘security’ question.  For online accounts, my advice remains the same.  Lie.  Use unique lies for each one, recorded in 1Password.  This is especially critical if you’re a public figure.  Most of the celebrity hacks have come by resetting passwords using security questions where the information is on social media (more on that later).

Likewise, lie about your birthday, lie about where you live, lie about your hair color – lie about anything that the company doesn’t have a legitimate business, regulatory, or functional need to know.

Biometrics

There’s a whole lot of bad biometric systems out there, particularly in the inexpensive android world. Fig leaves aren’t secure!

Even with good ones, I’m not a fan of using biometrics to unlock your password manager.  Take the time and enter the passphrase.

For a public figure, I wouldn’t use them to unlock devices as there are too many opportunities to capture information to spoof them. Instead use long complex passcodes (not a PIN!). This is a major inconvenience, so you’ll have to evaluate your threat model and see if it’s worth it.  For myself, I allow the phone to unlock with TouchID (as of this writing FaceID seems to be secure, but I continue to be skeptical), but not my mac (as there’s no wipe feature on the computer), and absolutely don’t allow my watch to unlock the computer.

Email accounts

Your email account is the most important one to protect, because it’s how all your other passwords are reset.  It absolutely must have a robust random password on it.  You should never access it from a device you do not own, and I’d highly recommend using an application rather than a web browser.

Consider using a business-grade paid service for your email.  It’ll allow you to separate your email account from the management account, so you can easily restore access if the email account is compromised.  Paid services, like Microsoft Exchange Online, provide much better protection across the board – encryption at rest, better spam and malware protection, and 2FA.  If you’re a high-value target, this is probably a mandatory change, and at around $4/month, well worth the investment.

See my original post for other email tips.

Location and Apps vs Browser

Location is of huge value to an advertising-based business model like Google Maps, Waze, Facebook, Instagram, and so on.  For public figures, this is a safety issue, and for the rest of us, something to think about.  For apps like Waze, I’d gladly pay for an ‘ad/tracking-free and privacy-first’ option, and hope that recent pressure moves companies like this to change their business model.

First, change the location privacy setting to ‘only while using’, and turn it off for apps that don’t need it (like Facebook).  Unfortunately, some apps like Netflix and Hulu require location tracking so they can respect content contracts, including those nutty sports blackout areas.  Be careful though, some apps are notorious for sharing more data than you intend, and in some cases, outright lie about what’s captured regardless of the settings.

Using a web browser prevents a lot of this – and if you put it into private mode and close your tabs on a regular basis, it’ll help prevent them from creating a dossier.

Pictures are the other big source of location leaks.  GPS coordinates and a time stamp are written into the metadata every time you take a picture; that’s what the actress is concerned about.  When I post photographs to my blog or LinkedIn, I export them from Lightroom and strip all metadata other than copyright.  If you’re a high-value target, especially if you’re concerned about physical safety, you probably need to take explicit steps to avoid leaking your location this way.
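Stripping metadata is normally an export setting, as the post says. As an added example (not from the post, and not Lightroom’s code), here is what that setting does at the byte level: a small parser that walks the JPEG segments, drops the APP1 Exif and XMP blocks where GPS coordinates and timestamps live, keeps every other segment (so a plain COM comment carrying a copyright line survives), and a check that reads the Exif TIFF directory for the GPS pointer tag so you can verify the result on a file before you post it. The sample JPEG is constructed inline and is not a decodable image.

```python
import struct

SOI, EOI, SOS, APP1, COM = 0xD8, 0xD9, 0xDA, 0xE1, 0xFE
EXIF_HEADER = b"Exif\x00\x00"
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"
TAG_GPS_IFD = 0x8825   # IFD0 pointer to the GPS sub-IFD (latitude, longitude, GPS timestamp)


def iter_segments(data: bytes):
    """Yield (marker, payload, raw) for each segment after SOI. At SOS, yield the rest of
    the file (scan data and EOI) as one chunk and stop: metadata never lives there."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                                  # fill byte
            pos += 1
            continue
        if marker == SOS:
            yield marker, None, data[pos:]
            return
        if marker == EOI or marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers
            yield marker, b"", data[pos:pos + 2]
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes its own 2 bytes
        end = pos + 2 + length
        yield marker, data[pos + 4:end], data[pos:end]
        pos = end


def strip_location_metadata(jpeg: bytes) -> bytes:
    """Drop APP1 Exif and XMP segments (GPS and timestamps live there; XMP can carry
    location too) and keep everything else untouched."""
    out = bytearray(b"\xFF\xD8")
    for marker, payload, raw in iter_segments(jpeg):
        if marker == APP1 and (payload.startswith(EXIF_HEADER) or payload.startswith(XMP_HEADER)):
            continue
        out += raw
    return bytes(out)


def exif_has_gps(jpeg: bytes) -> bool:
    """Parse the TIFF structure inside the Exif segment; True if IFD0 points at a GPS IFD."""
    for marker, payload, _ in iter_segments(jpeg):
        if marker != APP1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])       # byte order mark
        if order is None or struct.unpack(order + "H", tiff[2:4])[0] != 42:
            raise ValueError("bad TIFF header inside Exif segment")
        (ifd0,) = struct.unpack(order + "I", tiff[4:8])
        (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):                              # 12-byte entries: tag, type, count, value
            entry = ifd0 + 2 + 12 * i
            if struct.unpack(order + "H", tiff[entry:entry + 2])[0] == TAG_GPS_IFD:
                return True
    return False


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg(with_gps: bool = True) -> bytes:
    """Constructed, minimal JPEG (not decodable): Exif APP1 with Orientation and, optionally,
    a GPS IFD pointer; a COM copyright comment; a dummy scan; EOI."""
    entries = [(0x0112, 3, 1, struct.pack("<H", 1) + b"\x00\x00")]   # Orientation = 1, inline
    gps_ifd_offset = 8 + 2 + 12 * (len(entries) + with_gps) + 4      # directly after IFD0
    if with_gps:
        entries.append((TAG_GPS_IFD, 4, 1, struct.pack("<I", gps_ifd_offset)))
    tiff = b"II*\x00" + struct.pack("<IH", 8, len(entries))          # little-endian, IFD0 at 8
    for tag, typ, cnt, val in entries:
        tiff += struct.pack("<HHI", tag, typ, cnt) + val
    tiff += struct.pack("<I", 0)                                       # no IFD1
    if with_gps:                                                       # GPS IFD: GPSVersionID 2.3.0.0
        tiff += (struct.pack("<H", 1) + struct.pack("<HHI", 0x0000, 1, 4)
                 + b"\x02\x03\x00\x00" + struct.pack("<I", 0))
    return (b"\xFF\xD8" + _segment(APP1, EXIF_HEADER + tiff)
            + _segment(COM, b"(c) example photographer")
            + _segment(SOS, b"\x01\x01\x00\x00\x3F\x00") + b"\x12\x34\x56" + b"\xFF\xD9")
```

On a real file, `exif_has_gps(open(path, "rb").read())` before and after `strip_location_metadata` is the check; the Exif segment also carries the embedded thumbnail, which goes with it, and HEIC/PNG use different containers that this JPEG-only parser does not handle.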

VPN

Mobile and landline data carriers leverage DNS and other traffic analysis to target advertising and generate revenue off what you do.  You can fix the DNS problem on your home network by changing to 9.9.9.9 (Quad9) or 1.1.1.1 (Cloudflare), and I use both (in that order) on my home network. 1.1.1.1 now has an iOS app that will tunnel your DNS queries to their servers rather than the mobile carrier, which is really cool!

Using a full VPN adds further protection, particularly if you’re on a public (e.g. hotel) network, but do you really need one?  If you’re a high-value target, I’d argue yes, but not without risk as you’re transferring trust from one company to another and the VPN industry is notoriously shady (run away from anything free).  For the record, I trust Cloudflare, and Quad9 (the latter alliance includes IBM).  I do use a VPN but am not comfortable endorsing one – research carefully.
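To make concrete what the 1.1.1.1 app (or a resolver setting on the home network) changes, here is an added example, not the post’s code: a DNS query built in wire format, framed the way DNS-over-TLS (RFC 7858) expects, sent over a certificate-verified TLS connection to port 853, and parsed back. Over plain UDP port 53 the carrier reads every name you look up; over TLS it sees only a connection to the resolver. The server, SNI name and port are Cloudflare’s published DoT endpoint; the response used for offline checking is constructed and maps example.com to a TEST-NET address that is not the real one.

```python
import os
import socket
import ssl
import struct

# Cloudflare's DNS-over-TLS endpoint: port 853, certificate issued for cloudflare-dns.com.
DOT_SERVER, DOT_SNI, DOT_PORT = "1.1.1.1", "cloudflare-dns.com", 853


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035): 12-byte header + QNAME labels + QTYPE/QCLASS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)       # flags: RD set
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def frame_for_tls(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a two-byte big-endian length prefix."""
    return struct.pack(">H", len(msg)) + msg


def _read_name(msg: bytes, pos: int):
    """Decode a possibly-compressed name; return (name, position after the field)."""
    labels, end = [], None
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                                   # compression pointer
            if end is None:
                end = pos + 2
            pos = struct.unpack(">H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if end is not None else pos)


def parse_a_records(msg: bytes, expected_txid: int) -> list:
    """Return A-record addresses from a response after checking ID, QR bit and RCODE."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    pos = 12
    for _ in range(qd):                                              # skip echoed question(s)
        _, pos = _read_name(msg, pos)
        pos += 4
    addrs = []
    for _ in range(an):
        _, pos = _read_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return addrs


def build_sample_response(txid: int) -> bytes:
    """Constructed response: example.com -> 192.0.2.1 (TEST-NET-1); the answer name is a pointer."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
    return header + question + answer


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def resolve_over_tls(name: str, server=DOT_SERVER, sni=DOT_SNI, timeout=5.0) -> list:
    """One A query over TLS; the network path sees only a TLS session to the resolver."""
    txid = int.from_bytes(os.urandom(2), "big")
    ctx = ssl.create_default_context()              # verifies the chain and the hostname in `sni`
    with socket.create_connection((server, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(frame_for_tls(build_query(name, txid)))
            (length,) = struct.unpack(">H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length), txid)


if __name__ == "__main__":
    try:
        print(resolve_over_tls("example.com"))
    except OSError as exc:
        print("resolver unreachable:", exc)
```

The trust shift the post describes is visible in the code: the carrier can no longer read the query, but the resolver still can, so the certificate check and the choice of resolver are where the trust now sits.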

Data

Let me close with the piece of advice both obvious, and one we forget.

We all need to realize that we will have an account compromised at some point, and they will go after exactly what we most want kept private.  Yet more than that:  even if it’s not a hack, public posts can come back to haunt you in job interviews or other ways.

I want to be clear – I am not blaming anyone who’s been victimized by a hack, particularly where very personal/intimate information or photographs have been exposed. That’s a horrific invasion of privacy, and my sympathy goes out to those impacted by such a betrayal.

Unfortunately, the Internet never forgets.  Please talk with your kids and make sure that they understand the risks, then go clean out your own archives.

Simply put, if it’s not online, it’s harder to steal.  If it doesn’t exist, there’s no risk.

Filed Under: Security Tagged With: security

2019 Security Program Horizons

December 11, 2018 By Doug

One of the things I love most about my job is the opportunity to collaborate with hundreds of security leaders across many industries and geographies.  There are definitely industry focuses, as well as some geographic trends, yet the overarching themes are common across the security landscape.  Following the usual year-end tradition, here’s what I see on the horizon for our programs, as well as some things that aren’t on the radar that probably should be, and as a bonus, one that is, that probably shouldn’t be.

The overarching theme again in 2019 will be staffing and resources.  I separate those intentionally, both because people are more than just a resource, and because the staffing challenges are deeper than the budget challenges.  We’ve all heard the varying statistics about millions of unfilled cybersecurity jobs in the next few years, yet as damaging as unfilled positions are, the churn occurring within the existing staff is worse.

One CISO, at a medium sized company, has given up trying to retain most of his staff – he views himself as a farm team for the big companies.  So he’s trying to maintain a core of well-compensated people and live with the churn at the lower levels of the organization.  Many CISOs have complained that their HR pay bands/scales/ranges are based on IT, rather than security, and are both low and far too static. Yet even when they are able to maintain market compensation, the mind-numbing tedium of repetitive tasks causes job frustration and churn.

Those staffing challenges are driving the two big technical trends for 2019:  widespread adoption of machine learning in the SOC for incident discovery, and automation/orchestration for remediation. There’s (rightly) a lot of skepticism about machine learning and AI right now, yet real implementations and applications are having significant success in reducing the grunt work of low-level incident identification and analysis.   User and entity behavioral analytics are still in the early stages, though we’ll see wider adoption.  While some organizations will attempt to build their own security analytics data lakes using base ML technologies, as we’ve seen this past year, those efforts often fail, and I don’t expect widespread traction in that area.

Once the incidents are identified, for routine remediation, automation will explode next year.  That’ll be split about evenly between human in the loop and hands-off automation, depending on culture and the level of the incident.  One CISO has a policy that every time an incident is manually remediated, the next step is to automate it – the program goal is that manual remediation only occurs once. That’s improving staff morale and retention, allowing his highly skilled people to move up the value chain, and that approach will see widespread adoption next year, particularly for commodity incidents.

Another trend we’ll see, particularly among small and medium sized organizations is a move towards managed security services, at least for Tier-1 and often a hybrid model for Tier-2 and 3.  We’ll continue to see some dissatisfaction with MSS providers, and churn among those customers. Aside on that – the best practice is to make sure to own the analytics infrastructure and data, so that when the MSS changes, history isn’t lost.  The root cause of the dissatisfaction is that MSS contracts are written like IT outsourcing contracts, and have very clear specifications of what will be done. Understandable from a liability standpoint, but ineffective in a fast moving and dynamic cyber-hostile world.  I’m starting to see some MSS providers working towards more flexible contract language, but that’s slow going.  Still, due to the staffing shortage, particularly for off-hour support, MSS will be a core feature of a growing number of programs in 2019.

The flip side to MSS and its challenges is the cloud.  In this case, I’m talking mostly about security from the cloud.  Right now, on-prem solutions require care and feeding, and often it’s the security professionals who are managing the tools.  Moving those solutions off-prem frees up staff to actually do security.  I saw the corner turn in 2018, with even risk-averse organizations embracing the cloud for select portions of their infrastructure. In 2019 that’ll accelerate, particularly for analytics and identity.  Related to that is the emerging trend of the cloud providers offering security solutions themselves.  Right now that’s rudimentary at best, and only for environments directly on their cloud.  I don’t expect major improvements in 2019 – but let’s revisit for 2020.

An honorable mention goes out to companies with large IoT deployments, particularly for critical infrastructure:  securing those environments will be the major program driver in 2019.  That’ll begin with security analytics – just being able to understand what’s happening in the OT network is the largest challenge.  The volume of events and data produced, as well as the unique characteristics of the environment, will require custom machine learning models to properly detect anomalies.  Rule-based analytics are likely to remain problematic for IoT data sources due to the high variance between implementations.

The next honorable mention is SSL decryption.  This has just started to emerge as a major concern over the past few months, and I had three conversations about it in the past two weeks alone.  Upwards of 60% of traffic is now encrypted, including the vast majority of command-and-control (CnC) traffic and data exfiltration.  If the 2019 budget didn’t include SSL decryption funding, that’s likely to be an incremental ask.

The last honorable mention goes to our business stakeholders, who are now facing the reality that they need more than just technical means of addressing cyber risk.  First, there’s been a growing trend to move the CISO out from under the CIO or CTO, and to a risk, compliance, general counsel, or direct COO/CEO reporting structure, and I expect that to become much more common in 2019. Second, as the threat of a black swan event becomes real, business executives are growing concerned about having good crisis communication plans in place.   What looks like a good idea in the heat of battle often turns out to be a really bad decision, so a few forward looking teams are building those comms plans in advance.  Part of that includes being prepared for a question on an earnings call asking if you’ve ever experienced a breach.   The proliferation of privacy regulations makes answering those very touchy, as ‘breach’, ‘incident’, ‘disclosure’ and such all may carry specific legal meaning.  A few more big breaches, and this could be a major trend in 2019.

And that leads me to the things that should be major trends, but aren’t.  Those privacy regulations are largely known, but I’m not seeing significant efforts to address them programmatically.  Companies that had to comply with GDPR are assuming those efforts will be sufficient for the upcoming California or now-in-effect Colorado laws, and they’re probably not too far off (assuming they did a worldwide adoption).  For organizations that didn’t have GDPR requirements, I’m not seeing widespread interest in a data classification and discovery effort. It’s hard and tedious, but if you don’t know where the data is, what it is, or who owns it, complying with disclosure regulations is essentially impossible.  If we get a national pre-emptive law (highly unlikely) those teams will be caught short.

That’s a good example of the big piece that’s missing from the hot trends: basic blocking and tackling. In addition to data governance, many organizations, including those looking at AI and machine learning, still don’t have positive control over what’s on their network, how it’s configured, or in many cases, even formal policies governing the environment.  Identity remains problematic, with no centralized authority and no integration with the employee life-cycle, let alone SSO.  Gaps in that basic infrastructure will prevent the ‘hot trend’ initiatives from realizing full value.  It’s hard to do UBA without endpoint or identity management!

Now the bonus, I hear a lot of interest in threat hunting.  That’s one that commonly comes up in conversation, though honestly, the vast majority of organizations aren’t ready to really tackle it, at least not beyond the vanity title.  Let’s leave that for another blog post, and probably a 2020 trend.

In closing, I had a CISO, pretty worn out from a long year, wistfully hope for a ‘Christmas Truce’.  I suspect that desire is the widest trend of all, so here’s hoping for a Silent Night this season.

Merry Christmas to you and yours!

Filed Under: Security Tagged With: 2019, AI, automation, Christmas Truce, CISO, machine learning, managed services, orchestration, security, security program, ssl decryption, staffing, threat hunting
