According to the National Security Agency, it is only a matter of time before critical infrastructure is attacked. Think about the Internet of Things, the web of interconnectedness that we live in, and how many systems are controlled by computers. Let’s make a short list of things that would really be ‘not fun’ for us if they were compromised and rendered inoperative, or just forced to be completely reset and rebuilt:
Nuclear Reactors, Electric Power Grids, Traffic Signals, Road Signs, Shared Direction HOV Lanes, Criminal Justice Records, Prison Systems, Healthcare Clinical Systems, Water and Sewage/Waste Disposal, etc, etc…
Talk about a target-rich environment! Any one of these would be newsworthy in a really big and rather horrid way for the people it affects. These are all under the control of state and local governments. I can accept that in certain circumstances our Federal Government does a pretty good job of protecting itself – the IC at least, unless you count the personal email accounts of the CIA Director, the complete breach of personnel records at OPM, and the JCS email network. On second thought, let’s just state that the Feds are probably the biggest target in the world and do a pretty good job of keeping the lights on. But do we really think the state and municipal governments are doing that good a job protecting the assets they oversee?
The problem in today’s cyber-defense world is one of architecture and fallibility. It only takes one person, making one innocent mistake, and the door is open just a little bit. If the bad guy finds that hole before it is patched and closed – a compromise can happen. The compromise can be so deeply rooted into the systems that, as one government agency recently experienced, when it sold its old servers to a third party, the third party found that they were rooted (a low-level rootkit had been installed that survived a disk wipe).
The question we have to ask is – is our state and local governments’ IT perfect? Is it funded adequately? Do they hire top personnel? Are they given the time and resources to do everything perfectly every time?
See, the problem with IT security today is not one of detection, prevention, segmentation, micro-segmentation, nano-segmentation, firewalls, IDS, or any point technology… it is a problem of architecture. In every example of security architecture I can find on the web, from any vendor or consultancy, they are all trying to improve the security posture of compute systems by layering security around the server, operating system, etc.
One of our more enlightened employees said simply, “So you’re putting a big lock on a tent… smart…”
Servers are open to running anything put on them with no checks. The BIOS is usually not digitally signed and can be reset in the field. Then the server vendors enhance the attack surface by putting on a host of insecure connections to ‘simplify management’. (By ‘simplify management’ they inadvertently mean ‘give hackers a huge revolving doorway of awesome access’.) Here is a quick pic of the back of a server to illustrate this point…
As you can see there are console ports, KVM ports, out-of-band Ethernet IPMI interfaces, etc.
When I say this is a problem of architecture, that the server is a lightweight fabric tent that you are attempting to put a lock on, I am saying in short – give up. This strategy will not win. It’s time to change the game.
If you are playing a game you can’t win, you need to rethink your strategy: How can I get a new team? How can I assemble a team of players that are stronger/faster/smarter/better than my competition? How can I change the rules of the game to benefit me (we see this in the America’s Cup all the time – a game won by lawyers…)? Do I need a new coach?
My view is that the IT security architecture widely deployed today is inherently flawed. As an example I give you the most secure computing system I own – my Xbox. Yes, I can more or less guarantee that the video game system in my living room is inherently more secure than almost any enterprise computing platform deployed in every state and local government and most every business I have met with in the past few years.
I like my Xbox. But what is amazing to me is that there are over 20 million Xbox-1s on the Internet that are NOT behind firewalls, don’t have IDS/IPS systems, do not use fancy micro/nano/pico segmentation, have no OS agents installed, no passive taps and packet capture, no honeypots, no advanced persistent threat monitoring systems… and yet have you heard of an external breach of the Xbox-1? Twenty million Xboxes turned into the world’s most awesome game-playing botnet? Or just an aimbot installed so everyone racks up sick kills on Call of Duty: Advanced Warfare? No? Not one? Hmmm…
Again, the reason is architecture. The Xbox uses a combination of hardware and software to verify the software that is running on it. When it connects to the Internet it calls home and checks in to verify the software and firmware images it has on it. Every application is signed, and the signature is verified before it is allowed to execute. Applications are also never allowed to make core filesystem changes.
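To make the verify-before-execute model concrete, here is an added Go example (not code from the original post, and not any console vendor’s implementation): a platform holds a pinned publisher key and an allow-list of approved image digests, and an image runs only if its Ed25519 signature verifies and its digest is still approved. The approved-digest list is a hypothetical stand-in for the ‘call home’ check described above; the image bodies and key pair are constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// SignedImage is a constructed application or firmware image plus the
// publisher's detached signature over its bytes.
type SignedImage struct {
	Body []byte
	Sig  []byte
}

// Platform is the verify-before-execute gate: a pinned publisher key and an
// allow-list of approved digests (hypothetical stand-in for the vendor check-in).
type Platform struct {
	PublisherKey ed25519.PublicKey
	Approved     map[string]bool
}

var ErrUntrusted = errors.New("rejected: signature does not verify under publisher key")
var ErrUnapproved = errors.New("rejected: image digest not on approved list")

// Admit returns nil only if the signature verifies AND the digest is approved.
func (p Platform) Admit(img SignedImage) error {
	if !ed25519.Verify(p.PublisherKey, img.Body, img.Sig) {
		return ErrUntrusted
	}
	sum := sha256.Sum256(img.Body)
	if !p.Approved[hex.EncodeToString(sum[:])] {
		return ErrUnapproved
	}
	return nil
}

// Demo signs one image with a fresh publisher key and runs three cases:
// the genuine image, a one-bit tamper, and a validly signed but withdrawn image.
func Demo() (good, tampered, withdrawn error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	body := []byte("constructed application image v1")
	sum := sha256.Sum256(body)
	plat := Platform{PublisherKey: pub, Approved: map[string]bool{hex.EncodeToString(sum[:]): true}}
	good = plat.Admit(SignedImage{Body: body, Sig: ed25519.Sign(priv, body)})
	mod := append([]byte{}, body...)
	mod[0] ^= 1 // flip one bit: the publisher's signature no longer covers these bytes
	tampered = plat.Admit(SignedImage{Body: mod, Sig: ed25519.Sign(priv, body)})
	old := []byte("constructed application image v0") // correctly signed, but no longer approved
	withdrawn = plat.Admit(SignedImage{Body: old, Sig: ed25519.Sign(priv, old)})
	return
}
```

The two rejection paths are deliberately distinct: a bad signature means the bytes were never the publisher’s, while an unapproved digest means a genuine but withdrawn image is being offered, which is the case a purely local signature check would miss.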
This is fundamentally the model we have brought to enterprise computing – a zero-trust model that enables foundational protections by changing the computing architecture of the enterprise and mid-market to one that is secure, manageable and, frankly, economically approachable.
If you want to win, change your game.
TL;DR: Quit trying to put a bike lock on your tent. If you need to secure your IT systems start with a secure foundation/architecture.