Given their interest, we reproduce here two articles that were published recently.
I) The Economist: Link to the original article.
Industrial espionage
Unusual suspects
Cyber-spying grows bigger and more boring
Big firms that lose data to cyber-spies
normally know whom to blame. “It’s always the Chinese”, says Snorre Fagerland
of Norman Shark, a security firm in Oslo. Yet on May 20th it revealed that a
recent attack on Telenor, a Norwegian telecoms firm and one of the world’s
largest mobile operators, was probably directed from India. Though South Asia
boasts plenty of troublemakers, says Mr Fagerland, no one had yet caught Indian
hackers in such a well-planned assault.
The Telenor attack is one of several which security
experts are pinning on a single Indian group, provisionally named HangOver.
Most of the other assaults targeted computers in Pakistan. Since 2010 these
hackers have hidden malware in documents that purport to contain Indian
government secrets, presumably hoping to infect systems run by Pakistani
military or intelligence services. Separatist groups within India are a target,
too.
The scope is widening. On May 14th a
researcher at a human-rights conference, the Oslo Freedom Forum, found malware
produced by the same gang hidden on the laptop of an Angolan anti-corruption
campaigner (it was capturing screenshots). Though trivial in itself, that file
had slipped through Apple’s normally sturdy defences. As well as Telenor, the
group appears to have targeted firms in more than a dozen countries, across
industries as diverse as mining, engineering, carmaking and hospitality. Such
clues suggest a spy-ring that steals secrets to order—with governments just one
sort of customer among many.
Other hackers are getting bolder, too.
Mandiant, a security firm, said this month it had spotted an Iranian group
sizing up American targets. In April experts noted a spike in cyber-spying from
internet addresses linked to North Korea. Some wonder if Syrian hacktivists, who
have recently hijacked the social-networking profiles of several Western news
outlets (including the Financial Times, part-owner of this paper), are harvesting data as they
go.
Chinese cyber-attacks dipped in February
after researchers traced more than a hundred incidents to a building in
Shanghai. But they are returning to full strength, and more is being learned
about the skill of past assaults. On May 20th the Washington Post said that Chinese cyber-spies who
attacked Google in 2009 may have rummaged around the firm’s servers for a year.
It appears that among the data they collected were details of users under
government surveillance. These could have shown, damagingly, if any Chinese
spies in the West were under scrutiny from spycatchers.
Some of the Indian hackers’ methods look
basic by comparison. The group mostly seizes on known weaknesses in old and
unpatched computer software, rather than exploiting novel flaws. Their Mac
malware was not cleverly concealed, and relatively easy to detect. Some sloppy
errors have helped investigators spot links between disparate attacks.
But style matters little if targets take the bait. Norman
Shark’s report depicts a cautious and competent operation that manages its
operations professionally and secures cheap but able recruits from freelancing
sites. Hacking is easy to demonise, but for many it is just a job.
II) Blog “Bit 9”: Link to the original article.
“10 Dangerous cyber-security oversimplifications”
Humans are generally bad at assessing risk realistically,
and their tacitly held security models are often skewed. Oversimplification is
often the cause. Challenging some of these assumptions may invite controversy,
but mindlessly accepting the conventional wisdom is far worse. It may be
worthwhile to think about whether the following defensive assumptions would fit
equally well in the offensive column and vice versa.
Defensive Oversimplifications
1. Attackers Have Infinite Resources
This is an oft-heard mantra, but “that
way madness lies.”
If attackers have infinite resources, there is no obscure nook or cranny in
your defenses through which they have not yet wormed their way. Basically
they’re the Matrix, and there’s nothing you can do to get out. Taken to its
logical extremes, it would lead to defeatism, but most often it leads us to
spend resources fighting attacks that are unlikely at best, and completely unrealistic
at worst. Attackers’ resources are finite, and we absolutely must exploit this
fact if we are ever to turn the tables. The sad reality is that currently we
make it so easy for them, that it makes them appear to be almost omnipresent.
2. Security Control ‘X’ Will Make My Organization Secure
Controls do not provide security. They provide tools
through which security gaps may be more readily addressed. Humans are the cause
of most security gaps, but humans are also the best weapon we have to address
these gaps. All controls can be deployed well or poorly, monitored sufficiently
or insufficiently, and interpreted correctly or incorrectly. Humans make the
difference.
3. Security is a Goal to be Reached
Security is not a goal to be reached. At any time,
choices can be made that undermine the state of security in which you believe
your organization to be operating. Security is better thought of as an infinite
series of forks in the road; a never-ending set of choices to be made, each
either incrementally addressing or causing security gaps. Security is about
making the right choices more often than the wrong ones.
4. Security can be “Bolted On”
Security is a fundamental consideration in information
systems. Adding layers of security on top of systems that are fundamentally
insecure is doomed to failure. An important corollary is one that Dan Geer
references in his talks, which is that even just composing two secure systems may result in a
system that is insecure. Certainly then composing an insecure system and a
secure system is at least as likely to result in an insecure system.
5. My Organization is not at Risk
This is the most dangerous assumption of all. While
attackers do not have infinite resources and are not omnipresent, they are
sophisticated and have very good intelligence capabilities. If your
organization has something that would be of value to an attacker (and most do),
it is far safer to assume you are at risk than to ignore that risk.
Offensive Oversimplifications
6. Security through Obscurity is Worthless
This is one of the most pernicious assumptions on the
offensive side, most often espoused by those in the business of finding
exploitable software flaws or penetration testing. Those put in the position of
having to defend organizational networks understand that the practice of
security is more nuanced. Using an ad absurdum argument, if security through
obscurity were worthless, there would be no point in patching vulnerable
software. It costs time and budget to find software flaws. This is evidenced by
the fact that we see far more exploitation of known vulnerabilities than
unknown ones. If we were, today, to eliminate all known vulnerabilities in one
fell swoop, such that the only opportunity to exploit software was through
new 0-days, successful incursions would immediately drop precipitously.
Discussing how significant obscurity is to virtually all of security could be a
blog topic in itself.
7. Attacker Access to Security Control Software is “Game Over”
I saw a prominent industry spokesman espouse this
position in a recent list email, calling attacker access to security control software “game over.” This is
closely related to the previous point and this assumption is hinted at by
contests at industry conferences to “own” endpoints with competing endpoint products. If the security of your
critical assets hinges on the non-existence of flaws in software on your
endpoints, then this assumption may be true. But real-world attacks have to
operate across multiple phases of the kill chain. Modern security practice aims
to characterize and prevent or detect attacks at multiple points of the kill
chain. Some organizations even go so far as to allow attacks, drawing attackers
into traps where their tactics, techniques, and procedures (TTPs) can be better
observed and recorded.
8. The Universality of Attack Techniques
This assumption is not one that is stated, it is
perniciously implied at many conference talks. When a new attack technique is
presented, the flaw is discussed as if it has wide applicability despite having
only been demonstrated in one particular context. The possibility that the
technique works only in very limited circumstances, against particular software
or systems, is often glossed over. The danger arises when defenders spend
unwarranted resources in defenses against such attacks.
9. Humans make Security Impossible
It’s almost a truism that humans are the weakest security
link. That may be its own assumption, but it certainly seems that mistakes made
by humans are the root cause of most security gaps in an organization. That
said, in most cases, these mistakes are made possible by broken or missing
processes, insufficient oversight and auditing, or failure to put appropriate
controls in place that mitigate vulnerabilities in the form of
security-ignorant end users.
10. User Education is a Failure
This may largely be true for the most often cited use
case for user education. Many organizations try to thwart attacks such as
spear-phishing emails by educating users to only recognize and avoid such
emails. The evidence so far suggests that this approach hits diminishing
returns so quickly as to make the practice almost worthless. However, if
instead of trying to prevent attacks in this manner, the users are asked to report emails, the practice can be quite
valuable. In the former case, if one-out-of-10 employees falls for the phish,
the endpoint is compromised and the organization compromised. In the latter
case, if one-out-of-10 employees reports the phish, the attack can be detected
and (hopefully) thwarted, effectively turning the end user into a sensor
instead of a firewall.
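The “user as sensor” idea above is only useful if a single report is turned into action for everyone else who received the same campaign. The following Python script is an added example and is not code from the Bit9 post: it takes a constructed mail-gateway delivery log (the `DELIVERED` list, senders, hosts and message IDs are all invented), finds every message that shares at least two of three campaign signals (sender domain, landing-page host, normalized subject) with a user-reported message, and returns the IDs to quarantine. The two-of-three threshold and the subject normalization are this example’s own design choices, not a standard.

```python
"""
User-as-sensor phish triage (added example, not part of the original post).

One employee's "report phish" click is correlated against the delivery log so
that the rest of the same campaign can be pulled from other mailboxes before
anyone clicks. All data below is constructed for the example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Message:
    msg_id: str
    recipient: str
    sender: str
    subject: str
    url: str                      # first URL found in the body, "" if none
    report_by_user: bool = False  # True when the recipient reported it


# Constructed delivery log: one payslip-themed campaign (m01..m06) with
# per-recipient tracking IDs, a benign newsletter (m07) and a genuine
# payroll mail (m08) whose subject happens to look similar.
DELIVERED = [
    Message("m01", "ana@corp.example",  "hr-payroll@corp-benefits-portal.example", "Updated payslip 0112",     "https://sso-verify.example/login?id=a1"),
    Message("m02", "ben@corp.example",  "hr-payroll@corp-benefits-portal.example", "RE: Updated payslip 0113", "https://sso-verify.example/login?id=b7"),
    Message("m03", "cara@corp.example", "hr-payroll@corp-benefits-portal.example", "Updated payslip 0114",     "https://sso-verify.example/login?id=c3", report_by_user=True),
    Message("m04", "dan@corp.example",  "hr-payroll@corp-benefits-portal.example", "Updated payslip 0115",     "https://sso-verify.example/login?id=d9"),
    Message("m05", "eve@corp.example",  "notify@corp-benefits-portal.example",     "Payslip correction",       "https://sso-verify.example/login?id=e2"),
    Message("m06", "fay@corp.example",  "hr-payroll@corp-benefits-portal.example", "Updated payslip 0118",     ""),
    Message("m07", "gil@corp.example",  "news@example.org",                        "Weekly digest",            "https://example.org/news"),
    Message("m08", "hal@corp.example",  "payroll@corp.example",                    "Updated payslip 0110",     "https://hr.corp.example/pay"),
]


def normalize_subject(subject: str) -> str:
    """Strip RE:/FW: prefixes and collapse digits so per-recipient variations
    such as 'RE: Updated payslip 0113' and 'Updated payslip 0112' compare equal."""
    s = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", subject.strip(), flags=re.I)
    s = re.sub(r"\d+", "#", s)
    return " ".join(s.lower().split())


def url_host(url: str) -> str:
    """Hostname of the landing page; tracking parameters in the query are ignored."""
    return (urlparse(url).hostname or "") if url else ""


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def campaign_score(a: Message, b: Message) -> int:
    """Number of campaign signals (0..3) shared by two messages."""
    score = 0
    if sender_domain(a.sender) == sender_domain(b.sender):
        score += 1
    host_a, host_b = url_host(a.url), url_host(b.url)
    if host_a and host_a == host_b:          # empty hosts never count as a match
        score += 1
    if normalize_subject(a.subject) == normalize_subject(b.subject):
        score += 1
    return score


def find_campaign(reported: Message, delivered, threshold: int = 2):
    """All delivered messages sharing at least `threshold` signals with the report."""
    return [m for m in delivered if campaign_score(reported, m) >= threshold]


def triage(delivered):
    """Turn every user report into a quarantine list covering the whole campaign.
    Returns the sorted message IDs to pull from mailboxes."""
    quarantined = set()
    for report in (m for m in delivered if m.report_by_user):
        quarantined.update(m.msg_id for m in find_campaign(report, delivered))
    return sorted(quarantined)


if __name__ == "__main__":
    ids = triage(DELIVERED)
    reports = sum(1 for m in DELIVERED if m.report_by_user)
    print(f"{reports} report(s) -> quarantine {len(ids)} message(s): {ids}")
```

With this log, cara’s single report pulls m01 to m06 (including the subject-only variant with no link and the one sent from a different local part), while the genuine payroll mail m08 matches on subject alone and is left in place; that is the one-in-ten report turning into a campaign-wide block that the paragraph describes.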
If this subject interests you, you can follow other similar links through the tags at the end of the post or by using the search box in the right-hand sidebar. Also, if you like the blog and want to be informed immediately about new posts, you can follow it by subscribing in the right-hand sidebar, or on
www.twitter.com/ as @EnOcasionesVeoR.