Responses: 3
PO3 Rick Kundiger
It's a good article, but I don't agree that users and their lack of training are the problem, nor do I feel that more training is the solution.

Phishing and Social Engineering work, and they are going to continue to work. People will always /want/ to believe that the email or text or whatever they received, and which looks legitimate, is actually legitimate. It's just psychology. But even that isn't the real problem.

The real problem is that trying to be trained, aware, and able to identify and combat phishing and social engineering is just plain old tedious. People always go for what is easiest and most convenient, so it is easier and more convenient to click on that email that arrived from their sister Sally than it is to look at the URLs hidden in the links, or to inspect the email header.

As for peripheral devices? Again, it gets back to ease and convenience. Using a USB drive is both easy and convenient. The real irony here is that in the name of security IT organizations have made moving data around so difficult that it actually encourages people to use devices, such as USB drives, to move and carry data around. If you were working on something and had to go home but wanted to continue working, how will you get access to the data you need? Sure, you can email a few files to yourself, which is also frowned upon, but what if you need more? Perhaps you have some data that you may need to reference but you have dozens/hundreds of files and you might need a snippet out of any one of them? What about mailbox limitations and .psts? You need your mail, you can't keep it on the server, you want access to it when not at your work PC--USB drive to the rescue.

Phones? Both a "USB drive" and more. They are entire computing platforms with built-in methods of alternatively reaching, or being reached from, the Internet. But hey, they have to be charged right?

The problem is: 1) assuming that devices (workstations, laptops, smart-devices, etc...) can be secured at all, and 2) human behavior.

1) The average person has how many devices, 5? 10? In a normal government organization or company the employee will have a work provided desktop, probably a laptop, a provided personal device or one which has access to gov/inc data, a tablet of some kind, maybe another laptop of their own, a home PC. That's 5-6 devices a person and half of them are portable. That would mean a small organization of, let's say 10 people, would have to attempt to protect and manage upwards of 60 devices, with almost none of them running the same OS or applications. These devices will be plugged into everything and attached to every possible wifi hotspot available. Kids will borrow these devices. In the end it is impossible to protect them. That doesn't stop people from trying though and billions upon billions of dollars are spent failing to protect the everything from the everywhere.

2) You can't change human behavior. Not rapidly anyhow. The children growing up today may be more diligent and savvy when it comes to IT security, but for everyone else it is a roadblock and impedes their ability to do whatever it is they want to do. They will do what is easy and convenient and they will use whatever device, tool, software they want as long as they can; and when they are blocked from using those tools, they will find another one. Block Facebook? No problem, they'll just use a virus-laden proxy acting as a man-in-the-middle and injecting malware into everything. Add a host-based agent to disable USB ports? Ok, either figure out how to kill that process, or simply bring in a bootable USB drive, reboot the PC into the new OS that couldn't care less about that agent, and then go get whatever files are needed. Tor, VPN, UDP-based VPN to get around blocks, proxies, side-loaded software, no-install executables, etc., etc.

The only way to secure things is to simply assume all the devices are compromised. The fallacy of all this security hoopla is that it gives a false sense of security. The organization has a big firewall, a UTM device, they whitelist sites, they run host-based agents for host firewall, AV, IDS/IPS, etc... So, they trust these devices, and that is how they get hacked.

There is no perimeter anymore. It doesn't matter if someone carries a "virus" in on a USB drive or downloads one from a phishing email. As a whole, it can't be stopped.

So, stop trusting those devices. Assume they are compromised and treat every single device on the network as potentially hostile. Don't allow devices to interact carte blanche with one another on the network. Don't allow critical and sensitive data to be downloaded or copied, not even to a local trusted workstation running a million dollars of fail-ware security tools. Look very closely at who has access to what and ensure that no one has access to information they don't "need to know". Implement things such as network micro-segmentation to further isolate systems and services; don't rely on VLANs and ACLs, as they are useless (ACLs exist so people/systems can access things and VLANs are routed for the same reason; no one can keep track of thousands of ACLs on hundreds, or thousands, of VLANs).

The problem isn't that the users are bad. The problem is that IT is not solving the problem, because solving the problem is hard. IT needs to provide the people using IT systems/services with something that is secure, but also something easy and convenient to use. The people using the systems/services are not at the office to do IT security, after all. They are there to do accounting, sales, marketing, supply, maneuvers, whatever. They aren't IT people and can't be expected to think and act like one.

So, IT needs to design systems/services in a way that enables those that use the systems/services to do their jobs, without requiring them to also do ours.
LTC John Shaw
Good stuff! Showing what right looks like is a critical need in the industry.
SSG Derek Scheller
>1 y
Sir, it isn't so much about just showing what right looks like either. I think we need to show why. I don't necessarily mean the repercussions if you do something wrong, but what damage can be caused by using malformed USBs, or having your information widely available on social networking sites.
LTC John Shaw
>1 y
Agreed
SGT Writer
I enjoyed and therefore, I shared.
SSG Derek Scheller
>1 y
Thank you