Thursday, January 20, 2011

Stuxnet and Cablegate - Harry Palmer wins again.

The two biggest data security stories of 2010 (and arguably of all time) are the weaponization of a computer virus targeted at a nuclear plant and the massive, unprecedented theft and disclosure of national security secrets from a secured military network. Under close examination, neither of these, Stuxnet nor Wikileaks/Cablegate, used a particularly exotic attack vector.

They happened because of the failure, again, of the organic component of information security. They happened because a disgruntled PFC, a high school dropout with apparently unfettered access to SIPRNET, brought writable CDs to work and proceeded to copy everything he could lay his mouse on. They happened because some nameless Russian contractor working for Atomstroyexport jammed a USB stick loaded with a worm into an Iranian PC. Yes, the worm was incredibly sophisticated. The method of delivery? Not so much.

Air gap? Meet 'the bridge'.

PFC Manning and 'Ivan Doe' have shown in big glaring headlines that the best defenses can be defeated by The Gray Man. Harry Palmer, the 'Anti-Bond' spy and prototypical Gray Man, was perhaps the best fictitious example of this, the most dangerous of threats. Harry did not rely on gadgets from Q Branch or Parkour acrobatics, but used the best weapons available to an intelligence operative: he had the ability to blend in and possessed a cold, singular focus.

In retrospect, PFC Manning was the ultimate disgruntled employee. He was ticked off, had recently broken up with his boyfriend and was newly demoted. But he found himself sitting (along with over 3,000,000 other users with his clearance level, yikes!) at a job he hated and staring at the crown jewels of American information security. The unknown contractor was working at one of the most scrutinized construction projects on Earth - the Bushehr nuclear plant. But given an environment where the host nation had to rely almost entirely on foreign nationals to build their facility, it was most likely child's play to bring in an autorun-capable thumbdrive loaded with a viral weapon and find a nice open USB slot or slots to infect.

The successes of Stuxnet and Cablegate are not surprising, nor is the attack vector. Anyone who has done any Social Engineering testing can tell you a myriad of ways to contravene physical and logical security measures. Most of those techniques involve blending in with the rest of the sheep and taking advantage of the fact that once you get past the perimeter and are a 'trusted' member of the flock, you pretty much have free rein.

It takes a thief...

The way to keep disgruntled employees or hostile intruders from stealing or corrupting your confidential data is by following the old tried and true methods: concrete, realistic security policies and user/employee awareness training. But this needs to be reinforced with something that not enough organizations implement: regular, unannounced Red Team penetration testing. Penetration testing with a strong social engineering component serves two purposes:

  1. It demonstrates your vulnerability to new, current attack profiles and exploits. That's good, not bad! An experienced and effective Red Team will most likely find holes you never knew existed and will provide you with a detailed After Action Report complete with remediation advice.
  2. It serves as an awareness reinforcement tool for your employees. If they've experienced Red Team attacks, have seen the repercussions and know they are going to be hit again at random times, it tends to make them take all that training a lot more seriously.

Is there a silver lining to be seen in all of this? Perhaps. Perhaps the high-profile nature of the exploits will finally result in attention being paid to that most dangerous of threats: your very own Harry Palmer wandering around your building.
