Doug Lhotka

Technical Storyteller

Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

Disaster Recovery isn’t Security Recovery

By

(C) Depositphotos / Ysign

I had an interesting conversation about data integrity attacks recently.  Those involve altering records, rather than stealing them.  The initial reaction was that they’d just restore from backup (like a disaster recovery plan).  When I pointed out that most advanced attacks are in the environment for months before discovery, the light bulb went off: You can’t roll a big enterprise back a couple hundred days.  Disaster backups are insufficient as security backups.  So what do we do?

I’ve written before about the advent of integrity attacks – changing information, rather than stealing it or denying access to it.  Stuxnet was such an attack, where it was used to change values on the control systems that later destroyed the equipment.  Other examples are the classic student changing grades that we saw in Wargames, or changing the expiration date on an account to gain free services.  Those are simple examples, where a single point in time change achieves the desired results.

On the other hand, more complex attacks, where the changed data is then used for subsequent transactions – or critical business decisions – present a far more difficult challenge.  Let’s take a theoretical example: changing financial records to manipulate earnings reports or equity or commodity prices. Both internal and external decisions have been made based on that information, potentially for weeks or months before discovery.

Disaster recovery systems, even with a near-real-time replication capability, don’t help with either of those, as they’re generally designed to return the entire system or organization to a point in time.   While we can probably use granular backups to recover from simple changes, for ones with dependencies, RPO (recovery point objective) doesn’t have much meaning– you can’tsimply recover to a previous state in those cases.

So the conversation turned to having robust transaction logging strategies.  For simple changes, that are independent in scope (like changing grades), once detected (no mean feat itself), they definitely help with recovery.  Simply undo the transaction and Bob’s your uncle. For dependent transactions, it’s far more difficult, and as much a legal and policy issue as technical problem: if someone manipulates a stock price through cyber means, how is that any different from pump and dump or outright earnings fraud?  We don’t roll back the stock market in those cases, so we wouldn’t for a cyber attack either.   Yet there’s often a knee-jerk assumption that we can ‘always restore from backup if we get hacked.’

And that’s my point here – our current backup and recovery strategies aren’t as broadly applicable as we might assume.  BC/DR use cases are very different from integrity recovery (though BC/DR definitely helps with ransomware recovery).  I’m not sure we can really plan a response for a dependent attack, as there’s too many variables to account for.   In any case, these conversations are just starting to pop up, and no one has a clear answer yet.  I’d love to hear any ideas or thoughts you might have in the comments section below.

Blockchain: One strong link doesn’t make a strong chain

By

(C) Depositphotos / @ filmfoto

I’ve written before about the hype around AI, where there’s lots of potential, a ton of smoke and mirrors, and a few real things.  Blockchain is right there contending for the king of the mountain.  So what’s real, what’s hype, what’s plain dumb, and what isn’t anyone really talking about?

I’m going to assume that you already have a working knowledge of blockchain – that it’s a digital ledger that records transactions in a distributed manner using cryptographic mathematics.  Fundamentally it’s focused on protecting integrity – non-repudiation, with a secondary nod to availability (due to the potential for running on a distributed network).  Confidentiality is always an add-on – you can previously encrypt content on the entries, but blockchain itself doesn’t provide that capability.  Anonymity is a common feature, but again, not a fundamental part of the design.  Blockchain is only one small component in an overall solution – it solves one problem well, but it’s not a magic bean.

There are very real use cases for blockchain.  The most common are cryptocurrencies – bitcoin and so forth.  Just remember that cryptocurrencies use blockchain, but blockchain is not a cryptocurrency.  I’m not a fan of cryptocurrencies as an investment since they fundamentally aren’t tied to any form of goods or services – to be fair, most modern currencies aren’t either, yet ‘full faith and credit of the united states’ is more sound than ‘investor interest in owning it’.  Still, using cryptocurrencies for payments is a practical use case (setting aside speculators) – in particular, I see them replacing traditional wire transfers as a lower cost and more competitive option. But I don’t see blockchain replacing traditional currency anytime soon, as it’s not currently possible to apply nation-state level monetary policy, and particularly changing the supply of money, using a cryptocurrency with a fixed potential.

Using blockchain ledgers for bills of lading has the potential to transform the transit industry and greatly reduce overhead costs.   In a similar fashion, using them to track authentic parts across supply chains to reduce counterfeit parts (and provide instant paperwork for things like airplane repairs), is a transformative capability.  Financial services is the other industry that’s furthest along, where they’re looking at blockchain ledgers for both internal transactions as well as interbank transfers.

The worst use case is for voting.  Blockchain, by itself, only provides a record of a vote.  It does nothing to ensure that the right person voted, or that they only voted once.  It doesn’t provide a voter-verifiable audit trail of how they voted, and relies far too much on fallible software to provide those other services.   The hype is far out of whack with the risk, and that experiment is grossly ill-conceived – there is currently no secure way to vote electronically.  Full stop. As I’ve written before, the only secure method presently available is to validate voter identity against registration, then either provide the person with a paper ballot that they mark and validate, or use an isolated system that prints a paper ballot from user choices that they can validate after printing, and finally use a separate system to tabulate the votes – or worst case, use a hand count of those paper ballots.  That system minimizes the technology involved, and the official record is on durable paper.

But here’s the thing that no one’s really talking about.  What happens if the math breaks?  We’re seeing that with hash functions, and while there’s no real threat to the encryption algorithms today, attacks always get better.  Plus quantum (I probably need another post about that hype) is on the horizon.  That’s the security guy in me, I’m always looking for how things break.  As we do roll out blockchain, are we building in safeguards against a fundamental compromise in the math?  In most cases not.  To be fair, the current processes have vulnerabilities in integrity as well – particularly from an internal conspiracy, and blockchain would make that much more difficult.  But it is something to think about.

In the end, when you hear someone talk breathlessly about blockchain, get out your paper bag and help them stop hyperventilating.  It is being used, and it has solid potential, but only as one component in an overall solution.

Business stakeholders need the full story

By

(C) Depositphotos / @ efks

There’s a lot of talk about aligning security programs and business or functional goals, but in practice, that’s much easier “powerpointed” than done.  Business consequences of security decisions, and security consequences of business decisions in the broader context are all too often missed or ignored, sometimes even deliberately.   As Obi-Wan said to Luke, “What I told you was true, from a certain point of view”.

Let me share a couple of examples to frame this conversation.

Security ignoring functionality.  The TSA is studying reducing security at smaller airports to refocus the spend at larger facilities.  The plan would be to do minimal screening initially, then rescreen passengers when they arrive at a larger airport.  Critics and defenders jumped into the fray – critics that there’s a reduction in security for part of the system, and that attackers would then simply target those facilities, and defenders that this is a reasonable cost tradeoff given limited resources.

The problem is that both of those people are viewing this within a narrow security-only view and miss the broader impact:  it would require massive infrastructure investment at airports and break the business model of most of the major airlines.  Rescreening passengers from feeder airports would require all connections to extend by another hour, raising operating costs, and the airports would have to be reconfigured to add internal screening checkpoints.  The total economic cost would far exceed the projected $115M in TSA budget savings.

Functionality ignoring security.  Let’s look at autonomous vehicles.  Don’t get me wrong, the folks developing those system do have an awareness of some the security risks, but they’re again, focused within the system (preventing the vehicle from being hacked).  Yet they ignore the risks of the vehicles being used exactly as intended.  Just one example:  a terrorist loads explosives on a vehicle, and then programs it to drive a route, with a GPS trigger that sets off the bomb, while they’ve already flown out of the country.  That’s not a hack, it’s building a smart bomb with the self-driving software as the navigation unit.  There’s no security measure in the autonomous vehicle that can prevent that misuse case from happening.

In both cases, this is due to the scope of vision.  Within each individual team, the approach and decisions are valid, but when taken in the larger context, they no longer are.   That’s driven by cultural and budget divisions:  the TSA doesn’t own a budget for the entire air transit system, and the autonomous vehicle company doesn’t own the societal impact of the invention.  Risk adjusted total economic cost is something that entrenched interests rarely address because doing so with intellectual honesty requires facing answers that are at odds with their worldview.

To be fair, those are both extreme examples to illustrate the point, yet the same thing occurs within our organizations on a smaller scale.  I’ve written before that the business stakeholder is the only one that can make the final tradeoff decision between security and functionality.  In most cases, neither the reporting structure or culture support a true peer conversation.  If the CISO (security) reports to the CIO (functionality) are you getting the full, uncolored view of both sides?  That’s why I’m seeing a growing trend to move the CISO out from IT and into either a full peer role, or under the CRO (Risk Officer) so the tradeoff decisions are presented to stakeholders from equal peers.

Culture is much harder to change, and we’re always going to have bias in these decisions.  The TSA has a culture (understandably) of being unwilling to step back on current measures for fear of blame if something later happens.  Autonomous vehicle developers are unwilling to slow down for fear that a competitor will get their first.  Apple appears unwilling to admit that sometimes thicker, heavier, and having ports and buttons is more secure and more usable for fear of…well, I’m not sure what (losing dongle profits?), but you get the point.

Right now, we can at least get the organizational structure out of the way and give both risk and function equal voices so our business stakeholders can make fully informed decisions.