Well, vacations are over and the summer sun is once again setting behind us. On a completely unrelated subject, let's chat about Windows 8.1. I got busy installing the preview on a laptop the other day and I was relatively disappointed/flabbergasted about one of the first features that greeted me.
It does not seem to be possible to create offline accounts anymore like one could in Windows 8.
Once you couple that with the fact that Windows 8.1 and SkyDrive are tightly intertwined, a whole bunch of warning bells go off inside my brain. If I were Keanu Reeves, I would probably go "woah" in that way he does it... Anyway, why do I feel like this?
Well for one thing, your profile is now online, which means Microsoft can track you. When you log on, etc... I'm not a big fan of this. It's just like in the computer gaming world where companies like Electronic Arts are producing all their games (well, almost all) to be always online (in some fantastically lame attempt to combat piracy). Gamers over there are absolutely livid about the concept, particularly when it begins to translate into single player games where one must be online to be able to play. Now I can no longer play SimCity while in flight... Talk about an idiotic concept. Anyway, I'm sure there's a debate there, but this isn't the point of this blog.
No, today I want to talk about SkyDrive, how all your documents in Windows 8.1 get automatically uploaded to SkyDrive. Moreover, Microsoft (and read their EULA, it's in there) reserves the right to monitor content in SkyDrive to make sure it doesn't violate the EULA (so no nasty things allowed). This brings me to the story of the Liberal Arts student who took pictures of herself 'au naturel' as part of a study of the human form. Obviously, this wasn't meant to be gaudy or pornographic, but Microsoft deemed that content utterly inappropriate and promptly suspended her account. All of it, SkyDrive, Hotmail, etc... And even after complaining about it, Microsoft said the customer was violating their EULA and the decision would stand. I cannot claim to know how exactly this fracas panned out, but needless to say, I really hate it when corporations reach into people's private lives to tell them what is acceptable and what isn't. In a way, it's a bit ironic since a lot of people are focusing on government while ignoring the fact that corporations have a LOT more access to and control over their data and private lives.
And this is where this whole thing brings us. Microsoft has access to YOUR data. All your documents, all your pictures, everything under your profile is automatically uploaded to Microsoft (by default). Ask yourselves these questions: What if SkyDrive gets hacked? How much of your data does Microsoft analyse? How much access does the NSA have (for those wondering, the answer is 'all')? Are you getting worried yet? Well guess what, if you are a professional with regulatory obligations (i.e. lawyer, doctor, etc...), then you need to realize that all your sensitive data would end up outside your sphere of control and thusly, you are in violation of your regulatory obligations.
I assume many of you will point out that this feature can be turned off. This is true. Now, guess how many people out there will know where to go turn that feature off? Most computer users won't even realize it's happening and will be blissfully unaware that all of their data is now in the hands of Microsoft.
Anyway... Strangely enough, I like the SkyDrive feature and how it automatically backs up all of your data. This is good. What is bad is, now Microsoft (and by proxy, other influences) can now access your data.
And this is where encryption comes in (and the point of this blog). I love encryption. But not just any kind of encryption. I think features offered by services like Google or Amazon who promise you encryption to secure your data are full of crap. It's a lot like airport security. It 'looks' secure, but it really isn't. For one thing, Google controls the cryptographic keys, so if they want to access your data, they can just go ahead and do it. Let's tie this back to the NSA or to what happens if Google gets hacked and one skilled in the arts would quickly realize that there might as well not be any encryption. The only encryption that works is the one where the encryption happens on YOUR device using YOUR cryptographic keys.
SkyDrive and DropBox and all these nice services are really cool, but under the increasing threats to privacy, I would encourage everyone to tread carefully. Make sure you encrypt your data. Make sure the products you use ensure that you are in control of your cryptographic keys. Use products like CypherX (yes, I know, shameless plug, but it's a seriously good data protection product) and you'll be able to enjoy all the nice 'connected everywhere' features the future has in store for you, without fear that your data will be seen by prying eyes.
Welcome to my security blog! I am a successful high tech entrepreneur and technophile, I was the founder and CEO of Comsecware Inc. which was acquired by CloudLink (formerly AFORE Solutions Inc.) in August 2011. I now spend my time as senior security architect at Gemalto, making world class HSMs and security products!!!
Sunday, 8 September 2013
Thursday, 13 June 2013
Why is everyone so bumfuzzled?
I'm sure most of you have been following, in one way or another, the developments relating to the NSA spying 'scandal'... I for one am simply stupefied that anyone would be surprised by this. For one thing, experts have been telling everyone FOR YEARS that the government was spying on them. After all, the Patriot Act basically gives the government that power.
So why is it that suddenly everyone is shocked and dismayed? Obviously, I suspect that politicians are fanning the embers of this issue in order to score points with their constituents. But why is the media all bumfuzzled? Shouldn't the astute journalist point out that none of this is really new and that all of this has been debated in one way or another over the course of several years?
I don't think anyone in the security industry was surprised by this. Well actually, I guess we might have been surprised by people's reaction, but not surprised by the facts.
Some people call Edward Snowden a hero while others call him a traitor. I call him stupid... He threw away his career, his girlfriend, his family, his financial future and his freedom in order to basically state the obvious. Of course, there is a part of me (you know, the little part which loves entertaining conspiracy theories) which considers that Edward Snowden was actually a spy working for the Chinese who managed to maximize his egress from the US by successfully creating all this wonderful scandal out of things that were basically all well known. It is an interesting possibility considering that Edward seemed rather focused on pointing out things like the part where the US is hacking China (well, duh...) and also the part where his escape route is Hong Kong....
Anyway... Fanciful conspiracy theories aside, everyone needs to realize that none of this is new. Acting surprised and dismayed at something that is totally obvious simply makes us look like idiots...
cheers,
Luis
Tuesday, 4 June 2013
The Report of the Commission on the Theft of American Intellectual Property... And lunacy ensues!
Like many other people within the security industry, I took the time to read "The Report of the Commission on the Theft of American Intellectual Property" which was published by "The IP Commission". For the most part, the report is pretty unsurprising reading. They talk about the different types of issues that surround intellectual property theft, from patents to trade secrets to trademarks and copyright. And at first, I was pretty sure it was going to be one of 'those reads' where everything is pretty much something I already knew, that was until I turned to page 81 and then stuff got really interesting… In a bad way…
The first hint that things were going off the rails was the recommendation titled "Support efforts by American private entities both to identify and to recover or render inoperable intellectual property stolen through cyber means." which basically entertains the notion that intellectual property holders should have the right to devise software that would lock computers down should they detect that someone may be using some of their intellectual property without permission. In turn, the said offending users whose computer has been locked down would have to go and call the police, thus being forced to incriminate themselves, in order to get the password that unlocks their computer. Not only that, but said offending users might have to pay a 'fee' in order to get that password. For those not paying attention, this is basically a redo of 'ransom-ware', evil little malware programs designed to lock down computers until owners of said computers pay a ransom. Basically, hostage taking of computers.
The fact that anyone would entertain that idea is beyond me. Not only that, but the authors of the report wrote “Such measures do not violate existing laws”… Now, I am not a lawyer, but being somewhat educated, I am pretty sure that this idea violates in some way the 4th Amendment, the 5th Amendment and the 6th Amendment. Ignoring those pesky amendments, the authors of the report have also neglected to consider the unintended consequences of false positives. What happens when there is a false positive and a mission critical computer gets locked down? What happens when there is a false positive and a life critical computer gets locked down? What happens when hackers figure out (and they sure as hell will) how to cause false positives at will? I don’t know about you, but as someone who knows a thing or two about hacking and computer security, I have to say that all these questions and the answers that lie behind them, scare me.
So then I kept on reading the remainder of the “Cyber Solutions” section and all semblance of lunacy seemed to calm down. That was until I read the next section titled “Potential Future Measures” and my jaw dropped. I’m not sure what the commission authors were smoking that day, but here are the recommendations they gave and my comments thereafter:
“Recommend that Congress and the administration authorize aggressive cyber actions against cyber IP thieves”
I could go on a rant on this, but instead I am going to ask you, the reader, to try and answer the following questions … How does anyone reliably find cyber IP thieves? Won’t cyber IP thieves just get really good at covering their tracks? What happens when retaliation ends up targeting the wrong people? Where are the checks and balances to make sure those being targeted for aggressive counter-measures are in fact guilty? Won’t this just turn into a “cyber arms-race”? I can see a lot of innocent ‘computers’ getting caught in the cross-fire on this one.
“Recommend to Congress and the administration that U.S. funding to the World Health Organization (WHO) program budget in whole or in part be withheld”
YES! Because world health and intellectual property thieves are two closely tied entities… Sarcasm aside, this is an asinine idea. For one thing, a considerable amount of WHO resources would have to be diverted to developing, maintaining and auditing a regulatory system designed to make sure the WHO never deals with anyone who might be involved in intellectual property theft (i.e. for example, third world countries). Secondly, it would also require foreign agencies that the WHO deals with to have regulatory compliance as well. After all, nothing spells regulatory compliance more than impossibly impoverished third world countries in dire need of medical assistance. This entire idea ends up offloading the cost of IP theft on organizations and countries that are already stretched thin…
“Recommend that Congress and the administration impose a tariff on all Chinese-origin imports, designed to raise 150% of all U.S. losses from Chinese IP theft in the previous year”
Once again, YES! Let’s make ALL AMERICANS pay (through a dramatic rise in the cost of goods) for the theft of intellectual property originating from China. Obviously, the Chinese government will retaliate with their own tariffs which will end up closing the door to China for many US producers, thus costing jobs. But then again, the WTO might have something to say about this…
Anyway, I apologize if I’ve been a bit rant’ish, but I expected something a lot smarter from a group of people who should definitely be more level-headed.
Friday, 17 May 2013
Compliance and Security in the Single Instance SaaS cloud vs. Multi-Instance SaaS...
Sorry for the big title... But I wanted to talk about compliance and security in the cloud, drawing particular attention to the differences between large multi-instance SaaS clouds such as Salesforce and smaller single instance offerings. Confused a bit?... Let me explain. There are several different models of SaaS (Software as a Service).
On one side of the spectrum, we have very large multi-tenant offerings like Salesforce where all tenants and all processing is done within one procedural domain and backed by one large ubiquitous database. Data for multiple tenants gets treated side-by-side within the same executable and all tenant data is stored within the same database. In and of itself, this model becomes very efficient from a provisioning standpoint when large numbers of tenants are involved, but from a compliance and security standpoint, it's a bit of a nightmare. Usually, after a certain threshold is achieved, large SaaS providers will deploy their own data centers since it's cheaper to do so than to depend on a third party for processing capabilities. Attacks such as SQL injection or a DoS attack could allow one tenant to gain access to another tenant's data or deny timely access to other tenants. Then there are issues such as data remanence (i.e. what happens to the tenant's data when they vacate?), data backups, Patriot Act data confiscation, etc... In a setting where data for multiple tenants reside side by side, compliance management and risk analysis becomes increasingly complex. The threat exposure is also much greater in such an environment.
On the other side of the spectrum we have what I term 'Single Instance SaaS', where a SaaS provider will stand up a single instance of their offering on a per-tenant basis. Each tenant gets their own separate processing domain and their data gets stored within their own separate database. For early to market offerings, this model is very cost effective and offers a lot of benefits, from a compliance, security and management standpoint. This model is very popular with small or medium sized providers who rely on public clouds as the foundation for their provisioning (since it's absolutely too damn expensive to host your own data centers). They only need to provision tenant resources during the on-boarding process and are able to decommission those resources when a tenant vacates. At first, this model is very cost effective (since the provider only provisions resources during tenant onboarding), but once a certain tenant population is reached, the model becomes less cost effective. Issues such as data remanence and data backups are more easily managed and secured under that model. Other issues such as those revolving around the Patriot Act are also greatly mitigated since there is much less risk that one tenant's data will be confiscated should the DOH or FBI serve a warrant on another tenant's data. This model also offers both providers and tenants compliance and security options that would not otherwise be possible in a Salesforce model. This is a model that is very popular with legacy software vendors who are able to 'saassify' their legacy applications (there are even companies such as Parallels who specialize in 'saassifying' legacy applications) and offer them through service portals such as Savvis. I personally see a lot of growth in that model since the majority of software vendors will probably end up hosting their offering in providers such as Savvis.
Wednesday, 15 May 2013
Dealing With Persistent Threats - A cloudy business (Part III)
In my last blog, I discussed some of the broader aspects of advanced persistent threats and I promised to touch on the subject of these threats when it comes to cloud computing.
When it comes to cloud computing, there are a lot of security fears flying around. Some of these fears are well founded while others are… well… amusing. Some aspects of cloud computing actually offer better protection than a private onsite deployment. For example, physical security within a cloud provider is often much greater than what one might find within a traditional enterprise server room. And IT administrators also receive much greater scrutiny during the vetting process before they ever get hired. In some cases, law enforcement organizations will actually make thorough background checks of prospective employees for cloud providers that deal with government departments.
However, cloud computing also exposes data to vectors of attack that would normally not be encountered within private deployments. Issues such as data remanence (i.e. what happens to a tenant’s data when they vacate), data backup and multi-tenancy now have to be considered, both from a compliance management standpoint and from a security standpoint. When a tenant leaves a cloud provider, how can they be guaranteed all of their data is destroyed? When the cloud provider makes backups, where are the backups stored? Are the backups for a tenant all destroyed when they vacate? Then of course, there is the whole Patriot Act thing where the DOH or the FBI can order cloud providers to hand over data without the tenant’s knowledge.
If you plan on deploying into a public cloud, you need to start looking at encryption products. Not only that, but you need to begin looking at encryption products that give YOU control of the cryptographic keys. Issues such as data remanence, destruction of backups, etc… should be as easy to deal with as simply ‘pulling the keys’. From a compliance standpoint, it makes things a lot more manageable and from a security standpoint, it drastically reduces a lot of risk vectors. Obviously, encryption does not eliminate all risks, nothing does, but reducing the surface of attack is the best thing anyone can do. Even stuff like data confiscation because of the Patriot Act is a thing that tenants get to keep control of.
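The ‘pulling the keys’ idea above (and the encrypt-on-your-own-device-with-your-own-keys point made in the SkyDrive post) as an added example in Go; this is illustrative code written for this page, not CloudLink’s or AFORE’s product code. Each object is encrypted on the tenant’s side under a fresh data key, that data key is wrapped under a key-encryption key the tenant alone holds, and only the envelope ever reaches the provider, so destroying the KEK makes every copy the provider still has, backups included, unreadable. The TenantKeys and Envelope types, the function names and the sample document are assumptions for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyPulled: the tenant destroyed its KEK, so every envelope (live or backup) is unrecoverable.
var ErrKeyPulled = errors.New("tenant KEK has been pulled; data is crypto-shredded")

// Envelope is what the provider stores: the per-object data key wrapped under the tenant's
// KEK and the object encrypted under that data key (each blob is nonce || ciphertext || tag).
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// TenantKeys (hypothetical type) holds key material that stays on the tenant's side, on a
// device or in an HSM. The provider never sees kek.
type TenantKeys struct{ kek []byte }

// randomBytes draws n bytes from the OS CSPRNG; a failure here is not recoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewTenantKeys generates a fresh 256-bit AES key-encryption key (KEK).
func NewTenantKeys() *TenantKeys { return &TenantKeys{kek: randomBytes(32)} }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts with AES-256-GCM, binding aad, and returns nonce || ciphertext || tag.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; any change to the blob or the aad fails the tag check.
func aeadOpen(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt runs on the tenant's device before the object ever reaches the provider. label
// (e.g. the file path) is bound as associated data, so backups cannot be swapped between objects.
func (t *TenantKeys) Encrypt(plaintext []byte, label string) (*Envelope, error) {
	dek := randomBytes(32) // fresh data key per object
	ct, err := aeadSeal(dek, plaintext, []byte(label))
	if err != nil {
		return nil, err
	}
	wrapped, err := aeadSeal(t.kek, dek, []byte(label))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the tenant's KEK, then opens the object.
func (t *TenantKeys) Decrypt(env *Envelope, label string) ([]byte, error) {
	if t.kek == nil {
		return nil, ErrKeyPulled
	}
	dek, err := aeadOpen(t.kek, env.WrappedDEK, []byte(label))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return aeadOpen(dek, env.Ciphertext, []byte(label))
}

// PullKeys is the 'pull the keys' step: drop the KEK (a real deployment also zeroises it and
// destroys the HSM copy). Every copy the provider still holds, backups included, is now key-less ciphertext.
func (t *TenantKeys) PullKeys() { t.kek = nil }

func main() {
	tenant := NewTenantKeys()
	env, _ := tenant.Encrypt([]byte("constructed sample: tenant A patient notes"), "tenantA/notes.txt")
	tenant.PullKeys()
	_, err := tenant.Decrypt(env, "tenantA/notes.txt") // the provider's backup is now useless
	fmt.Println(err)
}
```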
These were some of the core values that drove the development of AFORE’s CloudLink VSA and CloudLink CypherX. We wanted to give tenants control over their data, regardless of where the data was stored/handled.
Monday, 13 May 2013
Dealing with Persistent Threats (Part Deux)
Most security systems currently deployed within organizations focus on access control, malware/virus detection and network edge protection (i.e. firewalls, DLP, etc…). Unfortunately, none of these security systems is very useful when it comes to dealing with Advanced Persistent Threats. Now I’m not saying that everyone should go off and get rid of these mechanisms since they still play a role in securing your IT infrastructure, they just don’t do much when it comes to APTs.
APTs are usually tailor-made attacks, so malware removal and anti-virus software are ill-suited to detect them. Some pundits say that DLP will prevent APTs from exfiltrating data, but that’s a silly proposition. DLP is good at preventing accidental leakage of data, but is totally incapable of preventing data leakage through things like encrypted tunnels, or through more exotic mechanisms such as steganography. Most properly crafted APTs will lie low to avoid detection, waiting for the best time to exfiltrate data or even extract small bits of data over a long period of time.
I could drill down on how APTs get into a perimeter, how they propagate, move laterally from one system to the next, etc…, but these are all academic details. The fact is, APTs will get in and will be in a position to exfiltrate data if they can get to it.
And therein lies the key focus when it comes to combatting APTs. The data! Data encryption is the silver bullet of data security. The problem with current data encryption solutions is that if a user has access to encrypted data on a system, then any and all applications are able to access that data. As such, if Microsoft Excel is able to access that spreadsheet, then so can Internet Explorer and so can that piece of malware lurking in your infrastructure.
This is why AFORE Solutions engineered a solution called CypherX. CypherX is a policy driven security solution designed to allow some applications (let’s call them trusted) access to encrypted data while all other applications (let’s call those untrusted) can still open the encrypted files, but only see encrypted data. The more important thing is that CypherX ensures that all data emitted by a trusted application (i.e. via the file system, IPC, network sockets, etc…) is either encrypted on the way out or is only emitted towards another trusted application (i.e. sockets can only be established between trusted applications). As such, sensitive data is forced to stay within the ‘trusted environment’. This is a powerful paradigm. In essence, CypherX elevates applications to the level of securable objects, just like users or machines. As such, unknown applications (including malware, viruses and APTs) can come along and open all these sensitive data files, but because these applications are not seen as trusted, all they see is encrypted data. So let them exfiltrate your totally encrypted data! Hopefully, they’ll chase their tails trying to make sense of the gobbledygook before realizing they got nothing… And the coolest part is, CypherX is totally transparent to both applications and end-users.
In the next part in this series, I want to continue with a quick discussion on cloud-based attack vectors and risks to data when it comes to things like backups (and how APTs might be able to reach those)…
APTs are usually tailor-made attacks, so malware removal and anti-virus software are ill suited to detect them. Some pundits say that DLP will prevent APTs from exfiltrating data, but that’s a silly proposition. DLP is good at preventing accidental leakage of data, but is totally incapable of preventing data leakage through things like encrypted tunnels, or through more exotic mechanisms such as stenography. Most properly crafted APTs will lie low to avoid detection, waiting for the best time to exfiltrate data or even extract small bits of data over a long period of time.
I could drill down on how APTs get into a perimeter, how they propagate, move laterally from one system to the next, etc…, but these are all academic details. The fact is, APTs will get in and will be in a position to exfiltrate data if they can get to it.
And therein lies the key focus when it comes to combating APTs: the data! Encryption is the strongest tool we have for protecting data at rest, but the problem with current data encryption solutions is that they are scoped to the user, not to the application. If a user has access to encrypted data on a system, then any and all applications running in that user's session have the same access, because the volume or file is transparently decrypted for every one of them. As such, if Microsoft Excel is able to open that spreadsheet, then so can Internet Explorer and so can that piece of malware lurking in your infrastructure; all it needs is to run as that user.
This is why AFORE Solutions engineered a solution called CypherX. CypherX is a policy-driven security solution designed to allow some applications (let's call them trusted) access to encrypted data, while all other applications (let's call those untrusted) can still open the encrypted files but only see encrypted data. The more important thing is that CypherX ensures that all data emitted by a trusted application (via the file system, IPC, network sockets, etc.) is either encrypted on the way out or is only emitted towards another trusted application (e.g. sockets can only be established between trusted applications). As such, sensitive data is forced to stay within the 'trusted environment'. This is a powerful paradigm. In essence, CypherX elevates applications to the level of securable objects, just like users or machines. That means unknown applications (including malware, viruses and APT implants) can come along and open all these sensitive data files, but because these applications are not seen as trusted, all they see is encrypted data. So let them exfiltrate your totally encrypted data! Hopefully, they'll chase their tails trying to make sense of the gobbledygook before realizing they got nothing… And the coolest part is, CypherX is totally transparent to both applications and end-users.
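To make the difference between user-scoped and application-scoped access to encrypted data concrete, here is an added illustration written for this post. It is not CypherX's code and says nothing about how AFORE built their product; it is a stdlib-only Python model of the idea in the two paragraphs above. The process names and image hashes, the sample document, the file path and the HMAC-based encrypt-then-MAC construction are all constructed assumptions for the example; a real implementation would use a platform AEAD such as AES-GCM, obtain process identity from the operating system, and keep the master key in a store the user cannot export.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SECRET = b"Q3 forecast: revenue up 12%, Contoso acquisition closes in October"  # constructed

def _subkeys(master: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one master key."""
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode: n keystream bytes bound to this nonce."""
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag (stdlib stand-in for AES-GCM)."""
    enc_key, mac_key = _subkeys(master)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(master: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before producing any plaintext."""
    enc_key, mac_key = _subkeys(master)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

@dataclass(frozen=True)
class Process:
    name: str
    exe_hash: str  # SHA-256 of the executable image; policy keys on this, never on the name

class DataGuard:
    """Policy-gated store: plaintext is released only to processes on the trusted list."""

    def __init__(self, trusted_hashes):
        self.trusted = frozenset(trusted_hashes)
        self.master_key = secrets.token_bytes(32)  # in practice a key store the user cannot export
        self.files: dict[str, bytes] = {}

    def is_trusted(self, proc: Process) -> bool:
        return proc.exe_hash in self.trusted

    def write(self, path: str, data: bytes) -> None:
        # Every protected write lands on disk encrypted, whoever performed it.
        self.files[path] = encrypt(self.master_key, data)

    def read(self, proc: Process, path: str) -> bytes:
        # User-scoped encryption (EFS/BitLocker style) would decrypt here for any process in
        # the session. Here the decision is per process: an untrusted reader gets the stored
        # blob, so ciphertext is all an implant can exfiltrate.
        blob = self.files[path]
        return decrypt(self.master_key, blob) if self.is_trusted(proc) else blob

    def send(self, src: Process, dst: Process, data: bytes) -> bytes:
        # What dst observes on the wire: a trusted sender may emit plaintext only to another
        # trusted process; towards anything else the data leaves encrypted.
        if self.is_trusted(src) and not self.is_trusted(dst):
            return encrypt(self.master_key, data)
        return data

def demo() -> dict:
    """Three processes in one user session; only the two office apps are trusted (constructed)."""
    def sha(image: bytes) -> str:
        return hashlib.sha256(image).hexdigest()
    excel = Process("excel.exe", sha(b"constructed excel image"))
    word = Process("winword.exe", sha(b"constructed word image"))
    implant = Process("svchost.exe", sha(b"constructed implant image"))  # the name buys it nothing
    guard = DataGuard({excel.exe_hash, word.exe_hash})
    path = "C:/Users/alice/forecast.xlsx"
    guard.write(path, SECRET)
    stolen = guard.read(implant, path)
    try:  # a flipped bit in the stolen blob yields an error, not partial plaintext
        decrypt(guard.master_key, stolen[:-1] + bytes([stolen[-1] ^ 0x01]))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"trusted_read": guard.read(excel, path),
            "untrusted_read": stolen,
            "trusted_to_trusted": guard.send(excel, word, SECRET),
            "trusted_to_untrusted": guard.send(excel, implant, SECRET),
            "tamper_rejected": tamper_rejected}
```

The whole point sits in `read` and `send`: the decision is made per process, so the implant receives the stored blob and whatever it pushes out of the network is ciphertext, while two trusted applications still exchange plaintext. The caveat a practitioner should keep in view is that the trust decision is only as good as the identity behind it. Keying on the executable hash rather than on the name defeats a renamed binary (the fake `svchost.exe` above), but an attacker who injects code into a running trusted process, or who can read the master key, inherits that process's trust. The model therefore does not remove the target; it moves it from the data files to the trusted applications and the key store, which is where hardening effort then has to go.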
In the next part of this series, I want to continue with a quick discussion of cloud-based attack vectors and the risks to data when it comes to things like backups (and how APTs might be able to reach those)…
Dealing with Advanced Persistent Threats
So this is the first of several blogs where I want to write on the subject of advanced persistent threats, or APTs for short. Unlike viruses and malware that are spammed at hundreds of millions of users in the hopes that a few of them will get suckered in, APTs are totally different. Wikipedia defines it very well with:
“Advanced persistent threat (APT) usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity”
For the past few years, most targets of APTs have been government and large enterprise, but lately, I've come across interesting reports that smaller organizations are being targeted, and that's an interesting shift in the security landscape. The most interesting case has been attacks on law firms that specialize in patent law by foreign interests (starts with a 'C' and ends with a 'hina') so that intellectual property could be exfiltrated while patents are being authored (i.e. prior to filing). I presume the purpose of this would be to either allow an organization to file a patent before the competition (i.e. beating them to the punch) or to simply publish the intellectual property for all to see, thus establishing 'prior art'. Either way, I suspect it would give someone a significant competitive advantage.
Unlike regular hacking attacks, APTs are sophisticated multi-vector attacks aimed at a specific target. The people behind APTs are exceptionally well funded and willing to sustain an attack over a long period of time. In some cases, APTs are designed to achieve a single, hard-to-achieve goal (e.g. steal that top secret file, acquire this trade secret, etc…), but in many cases, APTs attempt to establish and retain a foothold within an IT infrastructure over an extended period of time, thus allowing the perpetrator of the APT to continuously spy on their target.
The biggest challenge with APTs lies in the fact that many of them are custom developed. Traditional security systems such as anti-virus and malware removal software, as well as perimeter security systems, are often useless against such attacks. As one of my co-workers put it the other day, when it comes to APTs, most security solutions out there are not unlike 'closing the gates after the cows have escaped'… And this is absolutely true. Organizations should accept that they will get breached (or have already been breached) by APTs.
In part 2 of this blog, I want to continue by discussing what is actually effective against APTs. So stay tuned!!!