As I write this we are seeing daily reports of hacking and break-ins to commercial and defense enterprises world wide:
- Sony network down for over three weeks with customer passwords, emails and credit card information stolen.
- Anti-bank Trojans stealing millions of dollars from customers’ bank accounts in Brazil.
- Oak Ridge National Laboratory was the target of a spear-phishing attack that only compromised a few megabytes of data before it was stopped.
- Millions of dollars being stolen from cell phone users in China by viruses infecting smart cell phones.
- The Stuxnet worm infects Iran’s nuclear program.
But it seems we are not doing a set of straightforward things that we could do to prepare for and mitigate the impact that cyber war is having on this country. We can start with some simple and comparatively inexpensive steps.
First of all, what is the process that we should follow?
- Identify the threats.
- Settle on a policy and do “minimal” legislation to allow us to act.
- Identify funding sources.
- Build a small team to act on the policy.
- Use benign attacks to test without warning.
- Harden US defense and commercial targets against attack.
- Share the policy with our allies.
Here are each of these steps in more detail.
Identify the Threats
This will be a short process. There is no problem coming up with a large pile of documentation about the threats to National Security and Commercial interests in this country. This should take the White House Cyber Czar about 10 minutes because there is no doubt that he already has this document prepared.
Settle on a policy and do “minimal” legislation to allow us to act.
I suggest that the policy should be that:
A new team for Cyber War Defense is given new powers to attack – in a non-destructive way – the commercial and defense interests of the US to assess the threats and to cause the parties to close the holes that are found.
This probably requires legislation so that the testing is not illegal.
The team is not authorized to steal anything or destroy data, only to demonstrate that this could have happened by actually performing a break-in.
The legislation should not and need not give law enforcement any broad powers of search, seizure or traffic sniffing beyond what they already have.
The legislation should require that companies promptly fix problems found in key software. Currently some bugs remain in the wild for many weeks or months before they are fixed.
Legislation should also require that best practices be followed by all commercial and national defense agencies. The best practices themselves are not in the legislation but are developed by a small non-political and fast moving panel of experts.
The legislation identifies a small panel of technical experts that builds a standard of best practices. This is not a political document but a technical standards document. It is free to reference other works rather than incorporate them, since there are many sources of best practices available.
These practices need to include standards for the modernization of computer hardware and software as well as the operating procedures of employees and IT departments. It is unreasonable for many large companies to still be using Windows XP and Microsoft Internet Explorer 6 in this day of high threat attacks.
I have recently heard pundits expounding on the spear-phishing attack at Oak Ridge with the suggestion that training should be employed, with drills, to teach people to avoid clicking on links in emails. Apparently the attack at Oak Ridge was mounted by sending employees emails that appeared to come from Human Resources and stated that all employees must update their health insurance information. It seems clear that a national laboratory should have a firewall that prevents outgoing links from bringing back any software that will be installed on computers. Training might be well and good, but something more robust is possible and called for in this case, and maybe for all organizations that have anything to lose from a cyber attack. Don’t depend on people when a machine can perform the function. More later about best practices.
Identify funding sources.
Just as the FDA has certain powers over commercial interests that sell contaminated food or drugs, this legislation should give the Cyber War Defense team the power to charge consulting fees that will fund the organization. The fees are set based on the commercial rate for such consulting and on the hours needed to mount the attack, plus the hours for the Outreach Team to work with the company to close the breach found and bring the company up to the best practices standard. Only companies where the attack succeeds are charged.
Government organizations pay the going rate for intra-government consulting.
Build a small team to act on the policy.
A small team of 20-50 people is enough to build attack tools and test the commercial and defense organizations in the country.
The team is organized as follows:
- A subgroup to identify existing tools and build new tools to aid in mounting attacks. Tools like Metasploit and other penetration-testing tools form the basis of the attack and threat management toolkit.
- An exploit identification team that uses state-of-the-art techniques to identify exploits to be incorporated into the tools and used by the other groups. This process includes active testing of popular browsers, Flash, PDF and web server software on all platforms to identify malformed file formats and other inputs that cause crashes or other behavior that can be exploited for attacks. This is what the cyber attackers do constantly; we need to be better than they are at what they are doing.
- Commercial sub-team with expertise in attacking banks, game companies and other commercial interests.
- Defense sub-team with expertise in attacking defense installations and national laboratories.
- Utilities sub-team with expertise in attacking water, power, nuclear installations and other infra-structure targets.
- An outreach team whose job is to liaise with the exploited enterprise to harden its installation based on the threats exposed and the best practices identified.
Use benign attacks to test without warning.
The teams above attack the high value targets without warning and when they succeed, the Outreach team notifies the enterprise to quickly fix the problem. No prior notification is required for a company to be tested. DDoS [Distributed Denial of Service] attacks are not typically used for these attacks unless it is shown that a brief DDoS attack will open another vulnerability that cannot be opened in other ways.
The attacks and their results are held in confidence by the Cyber War team. No mention is made of success or failure of any tested organization.
Best practices are used in notifying companies of problems in commercial or open source software. Typically this means that the authors / sellers of the software are notified in private and given ample time to provide a patch before any public mention is made of the vulnerability.
Harden US defense and commercial targets against attack.
Wash, Rinse, Repeat.
By executing the above process continually, and prioritizing the organizations targeted with the benign attacks, the entire country can be quickly brought up to a state of Cyber-War-Readiness.
Share the policy with our allies.
It seems clear that we should share our policy, our tools and our best practices with our allies.
Except for exploits found that others do not yet know about, and the results of attack testing on US targets, it is not clear that any of the tools or methods or information need be secret.
Some Best Practices
Attack surfaces are the places where attacks can occur. The number of instances in an organization and the rate of usage and complexity of a surface, such as Flash or Windows XP, give a measure of the area of the surface. The number of exploits reported or fixed per month or per year also gives a measure of the area of the surface.
- Unified Threat Management Software [UTM] at the perimeter of an organization should be employed to filter the outside world from attacking an organization. The UTM should be running on an embedded or Linux OS rather than Windows to eliminate a Windows attack surface from the UTM.
- Eliminate Flash / PDF – Flash and PDF form a large and frequent attack surface. While the browser and email programs used to be the preferred attack point, it is now Flash and PDF files. Every week or month more bugs are found and updates are required. While updating is advised, a “hardened” organization should simply eliminate Flash and PDF files from unknown sources. The UTM can filter out all Flash/PDF from the outside world and replace it with blank images of the appropriate size, or a PDF file that states the policy.
- No downloading via links. With centrally managed IT resources, no company should allow users to install anything themselves on their computers. Again UTM can assure that no programs from outside can be installed, and this includes Browser plugins.
- Eliminate use of Java. Java via the browser can form an attack surface. This surface is probably not far behind Flash and PDF in frequency of use.
- Reduce the number of file formats. Willingness to receive various levels of DOC, Power Point, and other file formats from others is an invitation to break-in. Reduce the number of formats and secure their transmission. Eliminate email as a transmission method wherever possible.
- Smarter image scanning can eliminate JPG / PNG / GIF etc. as an attack surface. Modern browsers can process a large number of image types, and the more types, the more vulnerable the browser is to attack. A smart proxy server in the UTM can eliminate many of those types by translating the images, and in doing so can process the image so that it is assured there is no hidden payload. If an image is converted from GIF to PNG, then it is clear that no payload will survive. Only JPG / PNG should be supported, and the UTM should translate everything else and fix up the web page references to point at the correct translated image. This will eliminate images as an attack surface.
- Cross Site Scripting and other Cross Site attacks can be eliminated by the UTM proxy disallowing certain references that might compromise the site or the browser.
Currently, virus detection is performed by looking for signatures of known virus variants. Some viruses can modify themselves, much as the HIV virus does, to avoid detection. It seems clear that a new non-signature method of detection is required.
As mentioned in the above point on image scanning, it is possible to defeat virus payloads in images by processing the image in some way that only a valid image would survive. This type of processing is also possible for PDF files, where a file could be scanned for embedded features such as form scripts and embedded media – images or Flash – that form the attack.
By using the UTM to remove advanced features from some files – Flash, PDF and others – the organization is protected from attacks on the surfaces provided by those advanced features.
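The image-translation idea above (the point on smarter image scanning and the paragraph on processing a file so that only a valid image survives) can be shown concretely. The following is an example added to this post, not the author's code or any UTM product's: a stdlib-only PNG "transcoder" that parses the file chunk by chunk, verifies every CRC, keeps only the four critical chunk types, decompresses and re-compresses the pixel data, checks that the pixel stream is exactly the size the header promises, and discards everything else (ancillary chunks such as tEXt, and any bytes after IEND, which are common hiding places). The sample image, the injected tEXt chunk and the trailing bytes are constructed here for the demonstration.

```python
import struct
import zlib

# Added example (not the post's or any vendor's code): rebuild a PNG from its
# critical chunks only, so that nothing but a valid image survives the proxy.

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}   # PNG colour type -> samples per pixel


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(width: int, height: int, rgb_rows: list) -> bytes:
    """Build a minimal non-interlaced 8-bit RGB PNG (used only to construct sample input)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + row for row in rgb_rows)       # filter byte 0 = None
    return (PNG_SIG + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw))
            + make_chunk(b"IEND", b""))


def sanitize_png(data: bytes) -> bytes:
    """Return a fresh PNG containing only IHDR, optional PLTE, re-compressed IDAT and IEND.

    Raises ValueError for anything that is not a well-formed, non-interlaced PNG
    whose pixel stream matches its header. Ancillary chunks and any bytes after
    IEND are dropped rather than copied.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    ihdr, plte, idat = None, None, b""
    while True:
        if pos + 12 > len(data):
            raise ValueError("truncated: no IEND chunk")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            raise ValueError("truncated chunk")
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != struct.unpack(">I", crc_field)[0]:
            raise ValueError(f"bad CRC on {ctype!r}")
        pos += 12 + length
        if ctype == b"IHDR":
            ihdr = body
        elif ctype == b"PLTE":
            plte = body
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break                    # anything after IEND is never looked at again
        # every other chunk type is simply not copied to the output
    if ihdr is None or len(ihdr) != 13 or not idat:
        raise ValueError("missing IHDR or IDAT")
    width, height, depth, colour, _comp, _filt, interlace = struct.unpack(">IIBBBBB", ihdr)
    if colour not in CHANNELS or interlace != 0:
        raise ValueError("unsupported colour type or interlaced image")
    # A decompressobj exposes trailing junk hidden inside the zlib stream.
    d = zlib.decompressobj()
    raw = d.decompress(idat) + d.flush()
    if d.unused_data:
        raise ValueError("extra data after the zlib stream")
    row_len = 1 + (width * CHANNELS[colour] * depth + 7) // 8   # filter byte + pixels
    if len(raw) != row_len * height:
        raise ValueError("pixel data size does not match the header")
    out = PNG_SIG + make_chunk(b"IHDR", ihdr)
    if plte is not None:
        out += make_chunk(b"PLTE", plte)
    # Fresh compression: no bytes of the original zlib stream reach the output.
    return out + make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b"")


def rejects(data: bytes) -> bool:
    """True if the sanitizer refuses the input outright."""
    try:
        sanitize_png(data)
        return False
    except ValueError:
        return True


# Constructed sample: a 2x2 RGB image, then the same image carrying a tEXt chunk and
# trailing bytes after IEND (stand-ins for hidden content, not a real payload).
CLEAN = build_png(2, 2, [b"\xff\x00\x00\x00\xff\x00", b"\x00\x00\xff\xff\xff\xff"])
TAINTED = (CLEAN[:-12]                                   # everything before IEND
           + make_chunk(b"tEXt", b"comment\x00constructed-junk")
           + make_chunk(b"IEND", b"")
           + b"constructed trailing bytes")

if __name__ == "__main__":
    result = sanitize_png(TAINTED)
    print(len(TAINTED), "->", len(result), "bytes; identical to clean image:", result == CLEAN)
```

The output for the tainted sample is byte-for-byte the clean image, and a flipped header byte (CRC mismatch) is rejected rather than passed through. The same approach generalises to the GIF-to-PNG translation the post suggests: decode to raw pixels with a real image library, then encode from those pixels alone.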
Maybe these things are quietly happening behind the scenes while we are annoyed by noise from the likes of the “Protect IP” legislation, which is an effort by big companies like Sony to protect a questionable amount of revenue from lost sales. It seems they have lost more money recently due to their own cost cutting in their IT departments, by not having appropriate security measures, than they can hope to gain by any “Protect IP”, and meanwhile we are all less Cyber-Secure.