But They Have E-Weapons of Mass Destruction!

2010 February 22

Over at Forbes they posted an article[1] documenting how “dozens of defense contractors” for the United States government were compromised and have been getting compromised since 2003. Since the article mentions the year, I’ll use that same year as a starting point; however, other articles point to infiltration much earlier. After reading much of the same, I pose the question: “What keeps going wrong and why don’t they just minimize the compromise?” There will be those in many large companies – especially those in the defense industry – who will spurt “we can’t! It’s too sophisticated! You don’t know Jack!” It’s to IT professionals making those wild claims (we can’t) that I say: “You shouldn’t be in this industry.”

Looking at the explanation given by administrators and managers in response to WHY they were compromised is outright disgusting and disappointing.

  • “Almost every breach his agency investigated, Shirley says, began when an employee was sent a highly targeted and convincing phishing e-mail that spoofed a trusted sender. When the recipient opened a file attached to that message, it used a flaw in the target computer’s software to invisibly plant malicious software on the machine and give it access to the user’s network. (Finnish cybersecurity firm F-Secure recently found one such booby-trapped PDF intended to infect an Air Force computer using a vulnerability in Adobe Reader.)

  • But the large majority of those attacks, Shirley says, didn’t use new, previously unknown software vulnerabilities. Instead, they exploited old software bugs that IT administrators had failed to patch, configuration errors and even poor password practices.”

I know, I know...

Excuse me?! I have a tendency to use analogies from time to time, and with that said, I’d like to share one, which goes as follows: Imagine having a friend or relative come to you stating they got burned because they placed their hand on the stove. Caringly you tell them: “Be careful, the stove is hot, don’t place your hand on it again.” The relative or friend comes back to you: “I got burned again!” This continues on. At what point do you simply turn away after exhausting “I told you so!”?

Companies in all industries have been affected by horrible practices, lack of training and similarly horrible managers and guidance. This misguided and insecure trend will continue as long as these companies don’t change their practices. An issue seen with defense contractors and the military mindset is one of authority: the “chain of command.” In the “chain of command” realm, many employees of these companies are well aware of the threats, trends and attack vectors; however, when they’re brought up to superiors, they’re likely shot down immediately. This was visible with Shawn Carpenter of Titan Rain fame [2]. In large corporations, managers shun talented staff for “stepping on toes,” and it’s not uncommon for “trouble makers” to have their employment terminated.

After reading dozens of articles similar to the Forbes article – companies getting compromised – I still scratch my head wondering why “whomever” is in charge is still at the helm. It is puzzling to read that a security manager and/or security architect isn’t held accountable for allowing the attacks to occur. How many frameworks and guidelines are available for securing the architecture? It makes me wonder whether high-level managers even have a clue, or whether they are solely focused on bogus “risk metrics.” [3] I will now explain my views on this.

“Almost every breach his agency investigated, Shirley says, began when an employee was sent a highly targeted and convincing phishing e-mail that spoofed a trusted sender.” I seriously can’t help but shake my head at statements like these. This attack vector could easily be defended against using S/MIME or PGP plus some training. Now again, there will be those who will “chest thump” and shout “you don’t know what you’re talking about!” or “do you know how expensive that would be!” To those I say, go back to IT school and/or take some art classes while you’re at it. It’s all about creativity.

There is little cost associated with developing a training video using, say, Camtasia[4] and deploying S/MIME[5] or PGP[6] enterprise-wide as opposed to the cost of a compromise. Someone is likely thinking: “PGP!? S/MIME!?! For 30,000 users! You’re insane!” To them I say: do your research.[7] There is no reason outside of horrible managers and horrible practices that the attacks mentioned in the Forbes article occur. No reason whatsoever.
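As an added example (mine, not code from the post or from any of the products named), here is the kind of gateway rule that turns “mail from trusted senders must be signed” into something enforceable: a Python check, run on constructed sample messages and a hypothetical trusted domain, that holds any mail claiming an internal domain unless it arrives as multipart/signed. It checks structure only; the cryptographic verification against the company PKI is assumed to be done by the mail gateway or client.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical policy for this example: mail whose From: claims one of these
# domains must arrive as multipart/signed (S/MIME or PGP/MIME), else it is held.
TRUSTED_DOMAINS = {"example-defense.test"}  # constructed placeholder domain
SIGNATURE_PROTOCOLS = {"application/pkcs7-signature", "application/pgp-signature"}

def sender_domain(msg):
    # Domain of the RFC 5322 From: address, i.e. the header a spoofer forges.
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def is_structurally_signed(msg):
    # RFC 1847 multipart/signed with a known protocol and exactly two parts.
    # Presence only: validating the signature against the PKI is the gateway's
    # or mail client's job, not this function's.
    if msg.get_content_type() != "multipart/signed":
        return False
    return (msg.get_param("protocol", "") in SIGNATURE_PROTOCOLS
            and len(list(msg.iter_parts())) == 2)

def classify(raw_message):
    # Returns 'external', 'signed' or 'quarantine' for one raw message.
    msg = message_from_string(raw_message, policy=policy.default)
    if sender_domain(msg) not in TRUSTED_DOMAINS:
        return "external"
    return "signed" if is_structurally_signed(msg) else "quarantine"

# Constructed sample messages (not real mail): an unsigned "CEO" mail with an
# attachment, and one that is S/MIME-signed (placeholder signature bytes).
SPOOFED_MAIL = """From: "CEO" <ceo@example-defense.test>
Content-Type: application/pdf; name="doc.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
"""

SIGNED_MAIL = """From: "CEO" <ceo@example-defense.test>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Hello team.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""
```

Running `classify(SPOOFED_MAIL)` yields `quarantine` and `classify(SIGNED_MAIL)` yields `signed`; mail from a domain outside the policy is passed through as `external` for the usual filtering.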

Here is the potential cost to a company using the Camtasia suggestion for training. Cost of Camtasia (5 licenses): $1,245.00. Cost of 5 employees spending one week to develop a training video using Voltage: for the employees, I averaged them at $100,000.00 per year salary – which is a little obscene but I’ll stick with it. At that salary we yield $1,923.00 per week per employee developing the video. Total cost in salary: $9,615.00. To be fair I’ll make this $25,000.00.

    Camtasia:	$1,245.00
    Salaries:	$25,000.00
    Voltage:	Unsure - Let's say $2,000,000.00 (million) for appliances, training, etc.
    Total:		$2,026,245.00

Being that I’m generous with other companies’ money, I’ll double this cost and make it an absurd $5,000,000.00 solution. Still a small price for a defense contractor to pay in order to train staff and purchase the appropriate controls to greatly reduce spear-phishing attacks AND protect data (encryption). Note that this absurd amount that I’ve come up with is peanuts compared to the amount of money these companies make. Not only that, the amount that could be saved by NOT getting data exfiltrated CANNOT be measured. In my sample model, a security video is produced and employees can watch this video on demand; it explains how to properly use e-mail, Voltage, PGP or any other product for that matter. Employees can then sign the “Acceptable Use Policy” … Case closed. Dot dot dot – “nothing to see here, move along.”

Any spokesperson, manager or security professional that wants to counter any of these statements with relevant discourse, please feel free to do so; however, please take note: I receive who knows how many e-mails telling me “jump off a roof! It doesn’t work that way!” and to those I say: “Sure it does. Maybe it’s time you step on toes to accomplish what you need to accomplish. If your manager is an “unretirable” of the military mindset, maybe it’s time you explain to them about the ever-changing threats and attacks. Perhaps they’re truly under-clued.” Shape up or ship out. There is no reason – outside of horrible practices – that the attacks mentioned on Forbes have occurred and are occurring as we speak.

JO
blogs at theaeonsolution.com

[1] http://www.forbes.com/2010/02/17/pentagon-northrop-raytheon-technology-security-cyberspying.html
[2] http://www.time.com/time/magazine/article/0,9171,1098961,00.html
[3] http://taosecurity.blogspot.com/2010/02/thor-vs-clown.html
[4] http://store.techsmith.com/
[5] http://en.wikipedia.org/wiki/S/MIME
[6] http://na.store.pgp.com/
[7] http://www.voltage.com/products/securemail.htm
