Friday, October 19, 2007

Counter to Intelligence

A top US counterintelligence executive says (http://www.cnn.com/2007/US/10/19/cyber.threats/index.html) that US networks are far too easy to hack into, and that nearly 140 intelligence agencies are trying to get in illegally.



First of all, how do they KNOW it's exactly 140? Maybe it's just the top 5 trying 28 different ways; possible, isn't it?



Top 5 in my opinion? China, Iran, Pakistan, Saudi Arabia, Venezuela.

My wild guesses, needless to say. Most probably I'm wrong, or most probably I'm right. NSA is not talking.



Humor aside, the threat is very real - and not just to the US, of course. The UK has also been reeling under similar threats. I blogged about this earlier, on how China was using its extramilitary agency to do its dirty work. Conveniently, you can then deny any responsibility for a 'renegade' organization's crazy plans. Too convenient.



What are the chances and what would be the impact/result of such an action taking an evil course, where the motive is not just to break in and snoop around a little but actually DO something?



Before we get into that, let's see what the current setup is.



a. Security awareness is pathetically low. People can be 'social-engineered' - if you have to Google the term to know what it means, you're vulnerable already.

b. Security implementation is even worse; people pay very little attention (and respect) to physical security. If you have a sensitive server, you want to lock it down at the OS level and physically as well, so nobody can just push a button or disconnect cables.

c. Knowledge of key security concepts is woefully lacking. Most people wouldn't be able to tell you what encryption means (technical answers only).

d. Attitudes are also a problem -- people don't seem to appreciate what it means to be secure and what could happen in a non-secure environment in case of a threat. Further, they tend to treat security as an inconvenience rather than a safety measure (think seat belts in the 60s).



I'd like to stop here with the first part, and proceed to what connectivity means.



Connectivity means you place a call from your cell and turn on your microwave. It means watching a program recorded on a SlingBox-like machine, from across the world. It means paying your local Texas utility bills from Nigeria. It means logging in to work from an airplane. It also means the ability to get into someone else's computer without their permission. And do it anonymously, leaving no traces or leaving confusing, contradictory traffic patterns.



Therefore, when hackers penetrate a network and get into a sensitive machine, they have the ability to shut down the entire water supply of, say, LA. They have the ability to shut down entire grids and freeze a country to death in the winter or boil a country alive in the summer. In essence, connectivity is a fantastic enabler of technology-based synergy, and it's also a huge liability when it comes to destructive ideas.

Like a row of dominoes, it's possible to take over all the computers of a company by logging on to the weakest one and going from there. As they say, a chain is only as strong...



What is the current threat level? Answer: VERY high.



Unnamed government organizations - ultra-secretive by nature, without an abbreviation or an address, with unlimited budgets and oversight that is equally limited or nonexistent, yet responsible for protecting the nation's security interests - may not always come clean.



A simple conjecture on my part with no facts: If they bet on security via obfuscation, everyone is in deep trouble. Security gets stronger by spreading knowledge of its existence and not by hiding it.



Consider an example: There are 2 houses, one with an electrified fence that says so boldly outside, and one with an ordinary fence that says "Beware of dog."

Honestly, which one would you pick if you were up to no good? I'd pick the one that says "Beware" because while I don't know what kind of a dog it is, it's a living thing, and all living things are mortal and also vulnerable to temptations of many kinds.



I'd avoid the electrified fence because while it's a known entity, it's also obviously dangerous. There are people that might say - you can cut off the power to the fence but you never know what the dog can do. However, which is easier: hunting for an electrical connection to mess with, or throwing a bone in the direction of the threat?



Anyway, I don't want to extend the example too much, but you get the idea.



In encryption technology, the secret is the key, not the algorithm. The algorithm is public but the key is private, much like every home has a lock that is visible to the world but only the owner has the key to it. Therefore, security by obfuscation is a patently insane way to think about protection and safety.
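As an added illustration of this point (example code, not part of the original post): HMAC-SHA256 is a fully published algorithm, yet nobody can produce or check a valid tag without the key, whereas a home-grown check whose only "secret" is its own source code is reproduced exactly by anyone who reads that code. The key, the sample message and the hidden salt constant are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Public algorithm (HMAC-SHA256): publishing it costs nothing; the key is the secret.
def make_tag(key: bytes, message: bytes) -> str:
    """Authentication tag over message; only holders of key can produce it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(make_tag(key, message), tag)

# Security by obfuscation: a check whose only "secret" is the code itself.
# The constant is constructed for this example; there is no key to rotate.
_HIDDEN_SALT = b"nobody-will-ever-read-this-source"

def obscure_tag(message: bytes) -> str:
    """Anyone who has read this function can compute valid tags."""
    return hashlib.sha256(_HIDDEN_SALT + message).hexdigest()

def verify_obscure(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(obscure_tag(message), tag)

def demo() -> dict:
    key = secrets.token_bytes(32)            # the owner's private key
    msg = b"transfer 100 to account 42"      # constructed sample message
    tag = make_tag(key, msg)

    # An outsider knows the algorithm but not the key: a guessed key does not
    # verify, and altering the message invalidates the genuine tag.
    outsider_tag = make_tag(b"guessed-key", msg)
    tampered = b"transfer 999 to account 42"

    # Once the obscured code is known (leaked source, reverse engineering),
    # the outsider reproduces the check exactly; only rewriting the code helps.
    outsider_obscure = hashlib.sha256(_HIDDEN_SALT + tampered).hexdigest()

    return {
        "genuine_verifies": verify_tag(key, msg, tag),
        "tampered_verifies": verify_tag(key, tampered, tag),
        "outsider_forgery_verifies": verify_tag(key, msg, outsider_tag),
        "obscure_forgery_verifies": verify_obscure(tampered, outsider_obscure),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

A leaked key in the keyed scheme is fixed by rotating the key; a leaked "secret" algorithm can only be fixed by replacing the algorithm everywhere it is deployed.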



What should the government do?



a. Hire the best security experts - with the highest clearances - and let them run amok. Get them to hack into whatever system they want (read-only activities, please) and document all moves. Identify, with their help, the best way to stop such threats.

b. Hire white-hat hackers to do the same job in the most unorthodox ways possible - including social engineering - and again identify weak spots and fix them ASAP.

c. Institute STRONG security measures throughout: no USB devices, no portable drives, no cameras, no cell phones, no pagers, no electronic equipment at all in sensitive zones.

d. Implement signal jamming - so that cell phones do not work inside and no signal (such as from a keyboard or console) leaves the perimeter.

e. Strong physical controls - use of biometric authentication methods for all systems.

f. Auditing at every level for every phase of the organization's work.

g. Strong firewalls and private VPNs, with absolutely no access to the Internet at any time.

h. Logging of all incoming and outgoing packets for disassembly and analysis later on.

i. Forbid the idea of the remote office (no 'working from home' business).

j. No laptops - and if any are issued, with self-destructing and beaconing software, and AES-256 or stronger encryption (it's the government - they're bound to have the best already, unreleased).

k. All desktops completely encrypted; all internal network communication also encrypted.

l. Use of client certificates to be enforced.

m. Multifactor authentication at remote sites as well - syncing with the mothership for every change within a few seconds for maximum protection.

n. Logging of all login/logout/download activities, with an immediate cross-check with the employee that they are indeed performing the operation.

o. Quadruple the existing security budget, hire the best and pay them very well.

p. Bonuses based not just on performance but on the security proficiency and level of the department.

q. Continual training on the latest threats, hacking methods, and countermeasures.

r. Punish any lapse immediately, with severity going up exponentially with each recurring lapse (first probation, second suspension, third termination).

s. Reward good security practices by recognizing the person, and publicize as much as possible.

t. Random deep-dive audits.

u. Keep all software patched (including and especially the OS), and ban all external, uncertified software (glue up the CD-ROM, USB, and floppy drives if they exist).

v. Keep a record of all software deployments and have a plan B and a plan C in case a deployment fails or a problem is found, and so on.

I really doubt that foreign agencies will stop trying, and I really doubt the US is keeping quiet, either. I'm sure it's checking out the checkers as soon as it detects any penetration attempt and maybe does so even proactively.

Ultimately, security is not just about installing the latest patches or using the latest encryption techniques (like the Quantum encryption methods used in Sweden for voting integrity); it's about a mindset, an attitude that asks fearlessly, "What's the risk in doing this, and how can it be done in a more secure way?"

Be safe!
