Thursday, February 4, 2010

Understanding the APT.

When guest lecturing at colleges and giving talks on the topic at conferences, I have for some time been describing much of what goes on on the internet today as an extension, or modernization, of the clandestine intelligence gathering efforts which have been taking place for as long as people have acknowledged the value of enemy-centric intelligence. While many may accuse me of trivializing the issue, if you consider the intent of the adversary responsible, that is what it really amounts to. This is not to understate the newness of the electronic ('cyber') attack and surveillance technologies which have emerged in recent years, but to categorize them more clearly as a new, and often more efficient, means to a common end.

This brings us on to the somewhat newly defined concept of the 'APT' (Advanced Persistent Threat), a term coined by (as far as I am aware) Mandiant, a DC based security firm. For all the marketing baggage and the misconceptions it has led to, I think the idea is great: it has drawn some much needed attention toward the problems which many large government and private organizations are faced with on a daily basis.

Sticking to the theme of what we are trying to describe being a new means to a similar end, it is clear that we are in serious need of new technologies, and new processes, for handling the technological aspects of the modern APT, whether those be for purposes of detection, remediation or attribution. To this end, I think firms like Mandiant and Damballa are doing a stand up job of addressing emerging needs, and may the best team win.

All of this said, the APT is clearly nothing new, and understanding this requires a little lateral thinking. If we think about the APT in more literal terms, it does not differ from the advanced nature of many other modern intelligence related methodologies, many of which may be used in a persistent manner. From telephone trap and trace to satellite imaging and the presence of undercover operatives behind enemy lines, the APT is clearly something which has been around for quite some time, even if it has only recently been defined in these terms by the mass media and the information security community.

So what, you might ask? Well, this is an issue of perception: a perception that the APT is something new, and that when we discuss the APT we refer to a specific means to an age-old end. So when we think about the APT in the future, let's do ourselves a favor by not using the term synonymously with a specific technology (whether that be a key logger, a new Flash 0day, or a USB fob virus), and promote a true understanding of the threat that we are really trying to describe, and of the technologies that we are promoting to counter it.

Friday, January 22, 2010

Power Grid Security Reporting

The much anticipated white paper entitled "Critical Infrastructure: Attacks, Actors, and Emerging Threats" by the Project Grey Goose team has just been released, and I wanted to spend a moment discussing some of its content in the context of much of what has been published on the topic over the past year. This is a topic that is near and dear to me due to my daily dealings with many users of industrial control systems, and I had great hope that the Grey Goose white paper would set the record straight regarding many of the false innuendos that exist in this domain.

To begin, the title of the white paper (Critical Infrastructure: Attacks, Actors, and Emerging Threats) suggests an exhaustive analysis of the threats posed to the many components which constitute national critical infrastructure. Generally, these include financial infrastructure, the military, transportation, and of course energy. The media (and often even the security industry) tend to misuse the term Critical Infrastructure to refer to what is often a very small component of the nation's overall CI. The fact that the authors of the white paper made the very same mistake raises a big red flag, as it demonstrates a lack of understanding of the topic.

Moving past this without prejudice, the introduction asks "whether there has been any successful hacker attacks against the power grid, both domestically and internationally". The answer to this question is possibly one of the most debated, and often heated, discussions within the automation security community, and so it is with great interest that many will read this document in the hope of finding concrete evidence in support of one side or the other.

Unfortunately, the white paper falls far short of answering this question, and cites mostly existing media references which are widely disputed in regard to their accuracy. The PGG white paper then concludes in its key findings that many nation states (the usual suspects: PRC, RF, Turkey etc.) are "almost certainly" targeting and penetrating critical infrastructures (remember, this means a lot of industries, not just power). Further, it states that attacks against the bulk power grid will "almost certainly" escalate over the next year.

The remainder of the white paper cites a number of existing publications regarding power grid security, the so-called 'smart grid', and water utility security. It also contains incorrect statements, such as stating that the power industry does not have to comply with NERC/FERC regulations. This is untrue, and anyone working in the IT security space within transmission or generation providers will tell you that their last twelve months have revolved almost entirely around NERC CIP compliance efforts (and the associated compliance deadlines and audit activities).

In summary, there is nothing new here, and the document does not answer any of the questions that it asks in its introduction. At best, it is a collection of existing materials and thoughts. Statements such as "almost certainly" are, in my opinion, a cop-out, and indicate a lack of certainty amongst the authors concerning the conclusions they might otherwise like to draw. This is a great shame, as a concise report backed up by new and corroborated evidence on the real threats to energy generation and transmission would be a great guide to the many people, in and outside of Washington, DC, who are trying to figure out where best to spend their security dollars in 2010.

Tuesday, June 9, 2009

The Economics of PCI

According to a Wired online article[1] by Kim Zetter last week, Savvis is being pulled into a lawsuit relating to its PCI audits of CardSystems Solutions, who purportedly suffered a data breach in 2004. Frankly, I'm surprised that this is the first time that this has happened (and perhaps it isn't the first time?), but I think this is a worthwhile topic that is long overdue some attention, especially in light of current dialogues regarding how the new administration can improve cyber security through regulation.

In her article, Kim makes mention of the general costs of becoming a PCI approved scanning vendor (ASV), and likewise a qualified security assessor (QSA). What the article does not mention is the sheer number of security companies, systems integrators, butchers, bakers and candlestick makers that have found their way onto the ASV list, and the automated tools that are often the sole component used to certify clients. There are a few good (bad) reasons that this is happening, and I really do think that the PCI Council needs to consider how to solve this issue:

1) The cost of licensing most scanners with a "PCI Module" is a fraction (often less than 50%) of the cost of employing an entry level security 'consultant'.
2) They can be run by anyone, even butchers.

Taken together, these points drive down the market rate for PCI assessments, and subsequently the quality of the work. This has resulted in a market where most small to medium security boutiques aren't even playing in the PCI space, because the cost of doing a thorough job is so much more than what so many of the ASV community are charging that the engagement has a negative margin (unless it's part of a much larger engagement). Further, many of the folks that are providing PCI scans are doing so with entry level 'consultants' who are really not qualified to do the job. For the Level 1 merchants (which probably includes CardSystems Solutions) it's a similar story: while audits must be overseen by a QSA, the assessor may also utilize more junior resources (under the 'subject matter expert' allowance) to conduct the actual system assessment activities. As a result, organizations may use lower-salaried, non-QSA certified staff on projects in order to increase margins within their P&L model.

This is saddening. I like PCI; it's an evolving standard which has caused many organizations, both large and small, to take a first look at their security posture, where they may never have taken that first step had it not existed. Unfortunately, the market that we have created for ourselves undermines much of the good it's doing, so hopefully some good comes from this lawsuit, and those that really shouldn't have entered this space in the first place take a long hard look at their future here.

Security procurement folks really need to remember that you get what you pay for, even in this economy.

[1] http://www.wired.com/threatlevel/2009/06/auditor_sued/