On the Sony hack, a CTO speaks

Reader Jonathan F. writes in response to John’s post on our pathetic response to the Sony hack. Having worked in IT since 1996, Jonathan is the Chief Technology Officer at his company. He has been involved in the security side of IT at least part time since 2000. He is a Certified Information Systems Security Professional, the certification bestowed by (ISC)2. He also has a CompTia Security+ certification. His corporate responsibility includes cybersecurity for his company, and also as a contractor for some government projects. He is therefore focused on the defense side of cybersecurity. I think his comments add a context to events in the headlines that is worthy of consideration. He writes:

You raised a lot of questions in your post. Most of your questions can be summed up as “How bad is the cybersecurity situation?” and “What are we doing to prevent these attacks?” I am not going to delve into the political aspects of the “proportionate” response. I will leave that up to you.

The answer to the first question is as depressing as it is easy. We are under pervasive and constant attack. According to GAO testimony to Congress in April this year (GAO-14-487T), there were 61,214 cyber incidents, of which 46,160 were deemed cyberattacks (GAO-14-354). The remaining were not considered cyber-attacks. For instance, losing a PC would be an “incident,” but not an “attack.” Note that these are only the incidents that were noticed and reported to the government for tracking. Some incidents are unreported and others are unknown. So, these numbers are considerably lower than reality. Additionally, per the same reports, the attacks are rapidly increasing in number, rising over 100 percent between 2009 and 2013.

As for what we are doing, the answer to that question is more complicated. It also is somewhat depressing. The simple fact is, we can harden networks against most attacks, especially the amateur script-kiddies, but a really determined professional attacker likely will find a way in. To really secure your network, you need to disconnect from the Internet. Unfortunately, this isn’t an option for most entities.

Due to the above reality, really critical infrastructure (like nuclear power plants) is supposed to be completely disconnected from the Internet. I worked for a power company for several years and from personal experience I can tell you that they took this very seriously. I can also tell you that it is very easy to run a cable from one network switch to another and that this can be very hard to spot. In other words, while they are not supposed to have any critical infrastructure on the Internet, and there is a real effort to ensure this is the case, accidents can (and do) happen.

This Sony hack has been widely reported as the “first cyberwar,” which we have supposedly lost. This is utter nonsense. Has everyone already forgotten Stuxnet and Iran? You mentioned the Executive Office hack and Target. This is merely one more skirmish, one which was dealt with very poorly (or pathetically, as you suggest). Everything I have read about the Sony hack leads me to believe that they did not take security very seriously to start with, and they responded poorly. It’s always easy to be an armchair quarterback, especially with little information, so I will refrain from saying more about that.

The truth is that the black hats are winning right now. The white hats are playing a defensive game. We do what we can, but mostly it is monitoring the networks to hope we spot something in time. If we don’t, things like Target and Sony happen. Things like the White House attack (and thousands of others you are not even aware of) happen. For instance, did you know that 48,000 Federal employees recently had their information stolen?

Anti-virus software is no longer nearly as effective as it used to be. Why? Malware writers now have their programs modify themselves when they install. This means that the old method of running a static check (usually using something called an MD5 checksum) no longer works. It’s like a bank robber wearing a disguise – if it’s good, no one can tell the real identity of the perpetrator. While heuristic algorithms that can see through this disguise have been developed, they are still a few steps behind and tend to turn up false positives.

The Federal Government is better at cyber-security than most private enterprises, but even they admit that they are not well prepared for a full-scale cyber-attack. I recommend reading the entire article, as it is not technical, and provides some additional insights into the preparedness of our government for similar attacks. It also contains this gem, which I find very interesting; in light of the whole Lois Lerner lost emails farce: “Federal auditors have uncovered one bright spot in resiliency — at the Internal Revenue Service. The tax agency has processes in place to recover data, including up-to-date contingency plans it has rehearsed, according to an April Government Accountability Office report.”

As for your questions about how the White House and State department tried to suppress information on the breach in November, it probably wasn’t just politics. Indeed, it is easy to argue that it wasn’t even primarily politics. It is a good method for handling breaches like that, especially when you are able to glean useful information from them – or feed false information to the attackers. When a security breach happens, and is caught, a good practice is to isolate the breach, and then carefully monitor the hackers, their tools, and their methodologies. Then, when you have the information you want, you close it down.

If you suspect that the attackers are politically motivated (e.g., foreign government, espionage, etc.), you can also feed them false data, effectively turning your breach into a sort of double agent. It is also possible to present vast quantities of worthless information, thus slowing the hackers down. Their search goes from “needle in a haystack” to “sand grain in the Sahara.”

This article presents more information on the rationale behind delayed (or very subdued) reporting of incidents, and how they can be used against the attackers. It is presented in non-technical language, and provides a good overview of the issues involved in the decision of whether and when to go public with breach information.

I trust that other knowledgeable readers will weigh in in the comments.

Responses