Protect Your Business From State-Sponsored Attacks

It has taken some time but we finally have succumbed to the delights of a certain kitchen utensil. Years of resisting George, John, and the seductive talents of Penelope, had left me more determined than ever to resist at all costs. The result; a plethora of appliances – eight at last count – to produce the perfect cup of coffee at the right moment, cluttering kitchen surfaces and cupboards, and never quite getting it right. After all, each appliance needs and produces its own unique type of coffee.  And it’s difficult, when you’re the only serious coffee drinker, to convince ‘management’ at home that such a thing as a CCM (Centralized Coffee Management) system is essential.

And the story is similar with encryption keys and certificates. Look around any mid to large size organisation and you will find SSL, SSH and Symmetric keys and digital certificates scattered around – and each type will also have several variants. Then there are all the different “utensils” which use the keys, from applications to a myriad of appliances, as well as a host of built-in ‘tools’ to manage each variety.  The result is more management systems than the average household’s coffee machines.

Today SSL and SSH keys and certificates are found littered across virtually all systems, applications and end-user computing devices. In most cases no one knows who caused the ever-proliferating and expanding landscape of encryption “litter,” and since these keys and certificates are used to protect critical systems and sensitive data, ineffective and siloed management means that organisations are increasingly susceptible to failed audits, security risks, unexpected systems outages, compromises to systems applications and most importantly, critical data. Of course, each of these comes with its own costly financial and reputational consequences.

The Dark Side

And just as I’m told that there’s a dark side to my caffeine addiction, there is a definite dark side to the unmanaged and unquantified encryption keys and certificates that we’ve become so dependent on—which now act as the infrastructure backbone of all online trust and security. Today as never before, everyone from governments to private individuals is under attack. The use of malware for criminal, ideological and political aims is growing at an alarming rate. Stuxnet opened Pandora’s Box when the use of valid, stolen SSL certificates as a means to authenticate the malware and allow it to remain hidden and undetected became common knowledge. Since then there has been an explosion of malware using digitally signed certificates.

Can we defend ourselves against state-sponsored attacks?

Today we are faced with cyber-attacks on a scale never imagined, and the question that has to be asked is whether or not there is anything we can do to protect our infrastructure, enterprises and ourselves.

But I believe the reality is that we are responsible in large part for the ease with which cyber-terrorists, regardless of their ideology or motivation, are attacking us. In effect, we are supplying the weapons that are being used against us. The collective failure of enterprises to protect keys and certificates is resulting in these very keys and certificates being used against us.

The Flame attack for example, which masqueraded as a Windows update, was successful because of Microsoft’s continued use of MD5 algorithms, years after they themselves had identified that they were compromised. A surprisingly small amount of money needed to be spent to create a duplicate certificate. Shaboom, which attacked Aramco and RasGas, leveraged a certificate stolen from a company called Eldos, and issued by Globalsign. The fact that it was issued by Globalsign is not the problem; the problem is that the key and certificate were reportedly stolen from Eldos. And it goes on and on. Cyber-Terrorists are literally helping themselves to keys and certificates from global business because they know that no one manages them. When organisations don’t ensure proper controls over trust, business stops. End of story.

So the first step in defending ourselves is to protect our key and certificate arsenal. Having effective management so that access to any key or certificate is controlled is a first step in ensuring that you don’t become the next unsuspecting collaborator. And that management has to be unbiased, universal and independent if it’s going to work—not caring who issues the encryption or in what departmental silos it resides (one cannot be both the issuer and manager of encryption simultaneously—too many inerrant conflicts of interest).  No one wants to have their name associated with a cyber-attack that at the very least results in significant financial loss for the victim, but even more seriously results in the loss of life.

Secondly, enterprises are not responding to the attacks. There is massive investment in perimeter security but when we are told repeatedly that the threat is as much from within as outside, we need to act.

Can we still protect critical infrastructure from attack in the digital age?

If malware is the Cyber-terrorist weapon of the 21st century, then organisations need to reduce the risk as much as possible. At last count there are in excess of 1500 Trusted Third Parties who issue certificates globally. Many of these are in every system in the infrastructure, and the result is that if a system trusts the issuer, it will by default trust the “messenger”, in this case malware.

So like your firewall in the 20th Century, which you used to reduce the access points through your perimeter, effective management of trusted issuers and instruments similarly reduces your risk of malware infection. If a system doesn’t know the issuer, it’s not going to trust the messenger. So although you can never completely remove the risk because you have to trust some people, you will significantly reduce the number of possible attacks. But this requires the determination of an organisation to take steps to protect itself. The management of trust stores in every system becomes an absolute necessity in the fight against cyber-terrorism, regardless of what group, enterprise, or nation state is behind it

According to US Defence Secretary Leon Panetta, the Pentagon and American intelligence agencies are seeing an increase in cyber threats that could have devastating consequences if they aren’t stopped. “A cyber-attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11. Such a destructive cyber terrorist attack could paralyse the nation.”

The question is: when will start to see individuals and organisations being held culpable for these attacks? In the Cyber-Terrorism war, it is a big business selling valid SSL certificates, whether stolen, lost or sold, to “terrorists” – and it is likely to play a significant be a part of a major incident, and ignorance will not be a defence!

So my advice is, as George Orwell wrote in “1984” –  “If you want to keep a secret, you must also hide it from yourself.”

Calum Macleod Calum MacLeod has over 30 years of expertise in secure networking technologies, and is responsible for developing Venafi’s business across Europe as well as lecturing and writing on IT security.

www.venafi.com

(2022)

Share

Digital Forensics Capability Analysis

The ICT KTN, on behalf of the Forensic Science Special Interest Group (FSSIG), is conducting a survey of the UK’s Digital Forensics Capability. This work is being managed by Angus Marshall, of n-gate ltd., to whom any initial queries should be directed. The project team also includes the CyberSecurity Centre at De Montfort University.

To download this survey please visit the following links:

Word format
PDF format

Background

Traditional Digital Forensics activities involve the recovery and investigation of material found in digital devices. Such data is at rest on static devices such as hard drives and in solid-state memory on camcorders, mobile phones, GPS navigation devices etc. The market for this activity was driven by Law Enforcement and other public sector organisations, hence it was necessary for all activities to be conducted in line with UK evidential criteria so that it was admissible in a court of law.

Our digital age has seen requirements evolve. With the ubiquitous use of email came a requirement for a new field of expertise – that known as “e-discovery”. E-discovery refers to discovery in civil litigation, which deals with the exchange of information in electronic format (electronically stored information or ESI). This data is subject to local rules and processes and is often reviewed for privilege and relevance before being turned over to opposing counsel, where the burden of proof rests on the balance of probability.

However our digital evolution has not remained static. The growth of cyberspace, the trend towards mobile devices (BYOD) and cloud services has seen data take on a far more transitory nature, and the physical location of data at rest can be difficult if not impossible to determine. Data is versioned, distributed and stored across differing networks, devices, borders and boundaries.

The traditional digital forensics practice of imaging and extracting information from disparate physical devices no longer suffices for incident investigation in cyberspace. There is an increasing requirement from businesses in the private sector, and emerging capabilities are required to keep pace so that these requirements can be met.

The team will produce a report detailing the current stakeholders, existing capabilities and challenges. This will enable the identification of areas in which there are capability gaps. Attention will then be paid to how these gaps may be reduced and any specific challenges which will need to be overcome in order to do so. Further, a glossary of terms of key digital forensics concepts with simple definitions will be produced to assist with knowledge transfer both within and outside of the FoSci community.

Your involvement

You can assist with this first stage of the survey by completing the attached questionnaire and returning it to DFCA@n-gate.net no later than Monday, 4th March please. All responses will be treated in strictest confidence and your answers will be anonymised before they are included in the report(s).

Digital Forensics Capability Analysis – Questionnaire

If you are willing to assist with this phase of the project, please complete and return to DFCA@n-gate.net by Monday 4th March 2013

1) What do you understand by the term “Digital Forensics”. (one or two sentence answer)

2) In which context do you use digital forensics (e.g. law enforcement, civil law, criminal law, private sector, internal investigation, information security)

3) What types of technology do you deal with in the context of digital forensics ?

4a) What is the single greatest DF challenge you, personally,  face in your everyday activities ?

4b) How do you think this challenge could be addressed ?

4c) What is the single greatest DF challenge that your organisation faces in its everyday activities ?

4d) How do you think this challenge could be addressed ?

5a ) What challenges do you think you will face in the near (1-2 years) and medium-term (2-5 years) future ?

5b) How do you think these challenges could be addressed ?

6) When you are looking for solution to digital forensics problems, who do you turn to for

a) off-the shelf solutions ?

b) bespoke solutions/product customisation ?

7) Who would you consider to be the key people or organisations relevant to your experience and usage of digital forensics ?

8) What other innovations, relating to technology, services or any other issues affecting digital forensics, do you think would be beneficial ?

9) May we contact you again for more information ?

(If “Yes”, please also provide your name and a contact phone number or email)

 

SIG Forensic Science

Forensic Science Special Interest Group

For more information about the FSSIG, and to get involved in the community, please see https://connect.innovateuk.org/web/forensics

(%count%)

(11635)

Share