The Scary Truth Behind Hacking Gone Wild

Over the past few months we've seen an unbelievable amount of successful hacking going on. Big names like Sony, Lockheed Martin, RSA Security, NATO and the International Monetary Fund have been in the headlines having suffered massive security breaches at the hands of groups like Anonymous and Lulzsec.

Adding to the madness, a recent article in the Wall Street Journal (http://online.wsj.com/article/SB10001424052702304567604576454173706460768.html) highlighted the fact that in a 2010 the U.S. Secret Service and Verizon Communications's forensic analysis unit responded to a combined 761 data breaches (up from 141 in 2009). Of those, 63% were at companies with 100 employees or less. As also stated in the WSJ article, Visa estimates that about 95% of credit card data breaches involve its smallest business customers.

Yesterday, Fox News reported that "The world's most extensive case of cyber-espionage, including attacks on U.S. government and U.N. computers, was revealed Wednesday by online security firm McAfee" (http://www.foxnews.com/scitech/2011/08/03/massive-global-cyberattack-targeting-us-un-discovered-experts-blame-china/)

What is going on? It feels like a significant paradigm shift is happening in the information security industry and it is not a good one. But why is this happening? In my opinion, what is going on is very simple. Highly publicized hacks followed by named groups like "Anonymous" and "Lulzsec" create the unfortunately all to correct impression that hacking computers is easy. The fact that these attacks are not followed up by highly publicized arrests and convictions creates the unfortunately all to correct impression that you can hack computers and get away with it. Given the likelihood of success and of not getting caught, the situation, from a potential criminal's perspective, boils down to a quote from last week's PaulDotCom podcast - "If you can't do the time, do cybercrime".

The state of cyber security is poor, to say the least. Simple attacks such as spear-phishing and SQL injection are far too successful in far too many circumstances and the bad guys pull further and further ahead. Former L0pht member and current DARPA project manager Peiter Zatko (a.k.a. Mudge) gave a presentation at the most recent ShmooCon stating that the average piece of malware has 125 lines of code while the average piece of defensive software has around 10 million. This disparity creates a problem. Attackers can generate 80,000 different pieces of malware for the effort it takes us to create a single defensive application. And because their malware is much simpler, they would still win that race.

Our biggest problem is that we continue to think of information security in evolutionary terms. We have started with a fairly basic castle model - build big walls around our stuff. As we discovered that doesn't really work by itself, we added some monitoring capabilities and shifted, in thought if not in deed, to the mantra "protection is ideal but detection is a must". In fact, my friend Winn Schwartau wrote a great book called "Time Based Security" that basically stated that the level of security could be measured by the time it takes to detect and then respond to security threats. As we continued to tear holes in out "castles" as a result of third-party connectivity needs, remote workers, web application proliferation, etc. our model started to break again so we again shifted. Now we try to focus on the endpoint by deploying host-based IDS/IPS, endpoint protection, etc. We create walls using VPN tunnels and SSL encryption. Unfortunately, we are still stuck within the same castle - only now the castle just happens to move with us.

The castle was the major defensive military structure throughout the middle ages. The walls withstood prolonged attack and sieges were expensive and dangerous. Breaking castle walls required digging under them using sappers or employing complex siege machines like catapults and trebuchets. Both of these methods were complex, dangerous, expensive and had to be built at the scene of the battle. The came gunpowder and the state of warfare was changed. Now cannon could be deployed to break down castle walls. Those cannon could be build off-site and hauled to the battle by horses, could be fired at range and could be moved to knock down the next castle after the first was rubble. In modern information security, we still use castles - the bad guys use gunpowder.

As I mentioned, I believe a paradigm shift is necessary. One of the best ideas I saw was a posting by Lenny Zeltser entitled "Reflections on Deception and Protean Tactics" - http://blog.zeltser.com/post/7385712192/deception-and-protean-security-tactics. In this article, Lenny postulates about the use of technologies that are easy for us to deploy but that significantly disrupt or delay the attackers. Examples of these include the LaBrea Tarpit, honeypots and “Sparse” files that would look normal on the file system, but would be huge in size when being downloaded.

I don't know if this is the right approach, part of a right approach or if it is going in the wrong direction entirely. I do know that the approach we currently use is resulting in defenders falling further behind each day. While as an industry, I don't believe we have all the answers, I do believe that the first step is identifying the problem. After all, as they used to say on the G.I. Joe cartoons in the 80's, "knowing is half the battle".