Security = Scrutiny

This is an update of a post that originally appeared on July 22, 2015.

There is a myth among administrators and developers that it’s possible to keep a machine free of viruses, adware, Trojans, and other forms of malware simply by disconnecting it from the Internet. I was reminded of this bias while writing Machine Learning Security Principles because some of the exploits I cover involve air-gapped PCs. I’m showing my age (yet again), but machines were being infected with all sorts of malware long before the Internet became any sort of connectivity solution for any system. At one time floppy disks were the culprit, but plenty of other avenues of attack exist. Dismissing things like evil USB drives that take over systems, even systems not connected to the Internet, is akin to closing your eyes and hoping an opponent won’t hit you while you’re not looking. After all, it wouldn’t be fair. To make matters worse, you can easily find instructions for creating an evil USB drive online. However, whoever said that life was fair or that anyone involved in security plays by the rules? If you want to keep your systems free of malware, then you need to stay alert and scrutinize them continually.

Let’s look at this issue another way. If you refused to do anything about the burglar rummaging around on the first floor while you listened from your bedroom on the second floor, the police would think you’re pretty odd. The first thing they’d ask is why you don’t have an alarm system installed in your home. Or, if you do have one, wouldn’t it have been a good idea to set it, so that more people would have been notified about the break-in? In addition to alarm systems, some homeowners install external cameras around their homes, which would at least provide a good image of the burglar. Even so, it’s still important to actually do something to stop the burglar. Whatever you do, you can’t just stand back and do nothing. More importantly, you’d have a really hard time getting any sort of sympathy from the police. After all, if you let a burglar take your things while you blithely refuse to acknowledge the burglar’s presence, whose fault is that? (Getting bonked on the back of the head while you are looking is another story.) That’s why you need to monitor your systems, even if they aren’t connected to the Internet. Someone wants to ruin your day and they’re not playing around. Hackers are dead serious about grabbing every bit of usable data on your system and using it to make your life truly terrible. Your misery makes them sublimely happy. Really, take my word for it.
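Here is what that "alarm system" can look like on an air-gapped Linux box, as an added example that is not part of the original post and not code from the book mentioned above. It reads kernel log lines of the kind `journalctl -k` or `dmesg` produce, records every USB device that enumerated, and escalates when a device registers a keyboard interface on top of mass storage, which is the usual shape of an "evil USB drive" that types commands into the host (that pairing is my assumption about the attack, not something the post spells out). The log lines, the vendor/product IDs, and the site allowlist are all constructed placeholders.

```python
"""Flag USB device attachments on a host that is supposed to be air-gapped.

Added example (not from the original post). Parses kernel messages in the
format produced by `journalctl -k` / `dmesg`, builds one record per USB
device, and assigns a severity. The sample log and the vendor/product IDs
below are constructed for illustration; the allowlist is hypothetical.
"""
import re

# Constructed sample of kernel messages during three USB attachments.
SAMPLE_LOG = """\
Mar 03 08:41:02 airgap kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Mar 03 08:41:02 airgap kernel: usb 1-1: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 1.00
Mar 03 08:41:02 airgap kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Mar 03 08:41:09 airgap kernel: usb 1-2: new full-speed USB device number 5 using xhci_hcd
Mar 03 08:41:09 airgap kernel: usb 1-2: New USB device found, idVendor=abcd, idProduct=0002, bcdDevice= 1.00
Mar 03 08:41:09 airgap kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Mar 03 08:41:09 airgap kernel: hid-generic 0003:ABCD:0002.0001: input,hidraw0: USB HID v1.11 Keyboard [Generic Flash Disk] on usb-0000:00:14.0-2/input0
Mar 03 08:42:00 airgap kernel: usb 1-3: New USB device found, idVendor=5678, idProduct=0003, bcdDevice= 2.00
Mar 03 08:42:00 airgap kernel: hid-generic 0003:5678:0003.0002: input,hidraw1: USB HID v1.11 Mouse [Site Mouse] on usb-0000:00:14.0-3/input0
"""

# Hypothetical site allowlist of (idVendor, idProduct) pairs, lowercase hex.
ALLOWLIST = {("5678", "0003")}

# The three kernel message shapes we care about.
NEW_DEV = re.compile(
    r"usb (?P<port>\d+-[\d.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
STORAGE = re.compile(
    r"usb-storage (?P<port>\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")
HID = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.[0-9A-F]+: "
    r".*USB HID v[\d.]+ (?P<kind>\w+)")


def parse_usb_events(log_text):
    """Return {(vid, pid): {"ports": set, "storage": bool, "hid": set}}.

    usb-storage lines carry the bus port, so they are tied back to the device
    through the port seen on its "New USB device found" line; hid-generic
    lines carry vendor:product directly.
    """
    port_to_id = {}
    devices = {}
    for line in log_text.splitlines():
        m = NEW_DEV.search(line)
        if m:
            key = (m["vid"].lower(), m["pid"].lower())
            port_to_id[m["port"]] = key
            rec = devices.setdefault(key, {"ports": set(), "storage": False, "hid": set()})
            rec["ports"].add(m["port"])
            continue
        m = STORAGE.search(line)
        if m and m["port"] in port_to_id:
            devices[port_to_id[m["port"]]]["storage"] = True
            continue
        m = HID.search(line)
        if m:
            key = (m["vid"].lower(), m["pid"].lower())
            if key in devices:
                devices[key]["hid"].add(m["kind"].lower())
    return devices


def assess(devices, allowlist=ALLOWLIST):
    """Turn parsed devices into (severity, 'vid:pid', reason), most severe first."""
    findings = []
    for (vid, pid), info in devices.items():
        ident = f"{vid}:{pid}"
        if info["storage"] and "keyboard" in info["hid"]:
            # A "drive" that also types is the keystroke-injection pattern,
            # allowlisted or not: VID/PID are trivially spoofable.
            findings.append(("critical", ident, "storage device that also registers a keyboard"))
        elif "keyboard" in info["hid"] and (vid, pid) not in allowlist:
            findings.append(("high", ident, "unapproved keyboard interface"))
        elif (vid, pid) not in allowlist:
            findings.append(("medium", ident, "USB device not on allowlist"))
        else:
            findings.append(("info", ident, "approved device attached"))
    order = {"critical": 0, "high": 1, "medium": 2, "info": 3}
    findings.sort(key=lambda f: order[f[0]])
    return findings


if __name__ == "__main__":
    for severity, ident, reason in assess(parse_usb_events(SAMPLE_LOG)):
        print(f"{severity:8} {ident}  {reason}")
```

On a real host you would feed it `journalctl -k -o short` output (or tail it continuously) and route anything above "info" to whatever the site uses for paging. Note the ordering of the checks: a device is judged by the interfaces it actually registers, not by its vendor and product IDs, because a malicious stick can claim any IDs it likes; the allowlist only decides how loudly to complain about devices that behave like plain storage. This is detection, not prevention; if you want the kernel to refuse unapproved devices outright, a policy tool such as USBGuard does that, and this kind of log review is what tells you whether the policy is holding.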

The reason I’m discussing this issue is that I’m still seeing stories like “Chinese Hackers Target Air-Gapped Military Networks.” So, what about all those networks that were hacked before the Internet became a connectivity solution? Hackers have been taking networks down for a considerable time, and it doesn’t take an Internet connection to do it. The story is interesting because the technique used demonstrates that hackers don’t have to be particularly good at their profession to break into many networks. It’s also alarming because some of the networks targeted belonged to contractors for the US military.

There is no tool, software, connection method, or secret incantation that can protect your system from determined hackers. I’ve said this in everything I’ve written about security. Yes, you can use a number of tools to make it harder to get through and to dissuade someone who isn’t all that determined. Unfortunately, no matter how high you make the walls of your server fortress, the hacker can always go just a bit further to climb them. Sites like America’s Data Held Hostage (which specializes in ransomware) tell me that most organizations could do more to scrutinize their networks. Everything I read about informed security says that you can’t trust anyone or anything when you’re responsible for security, yet organizations continue to ignore that burglar on the first floor.

There is the question of whether it’s possible to detect and handle every threat. The answer is that it isn’t. Truly gifted hackers will blindside you and can cause terrifying damage to your systems. Monitoring can limit the damage and help you recover more quickly, and the fact is that it’s definitely possible to do better than most organizations do today. Let me know your thoughts about security at [email protected].

Considering Our Future Cyber War

It’s not a question of if a cyber war will happen, but when. Precisely what form such a war will take depends on the perpetrators and their goals. I’ve spent quite a bit of time discussing the relative insecurity of the Supervisory Control and Data Acquisition (SCADA) systems out there. However, I’m only assuming that SCADA will be targeted at some point because it’s such low-hanging fruit and no one seems to have any interest at all in securing it. Plus, the attack would be of a sort that we’d have a hard time defending against (and possibly identifying at first, as the hospitals fill with victims of some mysterious problem).

I recently read an article by John Dvorak entitled “What if Facebook Is Hacked Next?” John makes some excellent points, but probably doesn’t go far enough. Why would an attacker stop with just Facebook? Why not attack every social media platform out there, including places like LinkedIn and Twitter? The confusion created by the loss of all social media would be amazing. It could easily act as a smokescreen for some other activity even more devastating than the loss of data. While everyone is scrambling to fix their social media issues, someone could work in the background to do something truly horrible.

Actually, the attacker might not even have to do anything other than disrupt all online activity. Think about the number of jobs lost, the hit to online commerce, and the other problems such an attack would cause. Perhaps these people are simply waiting until more brick-and-mortar stores close, so that people no longer have local resources to help in such an emergency. For example, think about the problems the loss of online stores would cause for IT professionals who maintain huge networks of computer systems. The potential for truly terrifying results is amazing.

A cyber war is coming. Just when it will arrive is the topic of much speculation, but my feeling is that it’ll come sometime soon. What sorts of security measures do you have in place? Have you done anything else to prepare? Let me know about your thoughts on cyber war at [email protected].