Sunday, March 1, 2009

What you don't know CAN hurt you

Computer Security suffers from a massive case of "fog of war" - there's a real problem having a decent level of situational awareness when you're playing defense. This is probably the biggest advantage that the Bad Guys have, because attacks can be successful yet undetected for a very long time. The TJX break-in where 50 million credit cards were stolen was undetected until fraud monitors let the folks at TJX know that something was sideways.

What happened was that the Bad Guys installed a rogue application that captured the credit card numbers as they went by on the network, wrote them to (encrypted) files, and then transmitted them to the Mother Ship collector out on Al Gore's Intarwebz. You'd think that this would be easy to pick up - weird new application, unreadable files, unexpected network transmission.

You'd be wrong. Chris Byrne has the skinny. He's trying to get a handle on just how many servers his company has. Seems that nobody knows:
Even better, I think 2500 of the ones on my list are actually either already decommissioned, or they SHOULD have been (a lot of stuff just gets left turned on and plugged into a wire, because someone forgot to turn it off, and didn't document that it should have been); representing half of the unaccounted for boxes. Unfortunately, no-one could get me a straight answer, as to who could authoritatively state these boxes could be struck off, so I had to include them.

Note, I didn't say no-one could give me an authoritative answer; I said no-one could even tell me who COULD give me an authoritative answer; so next week I'm going to have to escalate that one issue to the enterprise CIO, who will have to devolve it down to the CIO covering whatever division supports those boxes... but at the moment we can't even figure out which division that is.
This is typical of large enterprises. Nobody really designed the network, it just sort of grew organically over the years. People who used to know where servers were and what they did have moved on to new jobs, maybe at another company. Why's that server over there? Nobody can remember. Is it doing anything important? We'll have to ask. Who do we ask? Dunno.

This is a massively target-rich environment. In many ways, it's like the "Happy Time" in 1942 when five U-boats sank 150,000 tons of shipping off of the American coast. The only thing that kept them from sinking more was that they ran out of torpedoes. New to the war, shipping wasn't in protected convoys, and seaside towns didn't follow blackout procedures.

Now imagine trying to go back into a high tech environment that has been built out over 20 years, by hundreds of people, and get an accurate inventory of systems and applications. So a new application shows up, writing to files that nobody can read, and communicating to outside addresses. How on earth would you tell?
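One partial answer to "how would you tell?" is to hunt for the unreadable files themselves: ciphertext has byte entropy close to 8 bits per byte, while logs, configs and source sit far below. The script below is an added example (not from the post or from TJX's incident), scanning a directory tree and flagging files whose leading bytes look encrypted; the 7.5 bits/byte threshold and the constructed sample files are assumptions.

```python
import math
import os
import tempfile
from collections import Counter

# Assumed threshold: random-looking data scores near 8.0 bits/byte,
# text and most structured formats sit well below this.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    return shannon_entropy(data) >= threshold


def scan_tree(root: str, threshold: float = ENTROPY_THRESHOLD, sample: int = 65536) -> list:
    """Walk root and return sorted paths whose first `sample` bytes look like ciphertext.
    Tiny files are skipped: entropy over a few bytes says nothing useful."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample)
            except OSError:
                continue  # unreadable to us: permissions, vanished file, etc.
            if len(head) >= 256 and looks_encrypted(head, threshold):
                flagged.append(path)
    return sorted(flagged)


def demo() -> list:
    """Constructed sample tree: one plain web log and one blob of random bytes
    standing in for the rogue application's encrypted capture file."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "access.log"), "w") as fh:
        fh.write("GET /checkout HTTP/1.1 200 1234\n" * 200)
    with open(os.path.join(root, "cache.dat"), "wb") as fh:
        fh.write(os.urandom(8192))
    return [os.path.basename(p) for p in scan_tree(root)]


if __name__ == "__main__":
    print(demo())
```

Compressed archives and media files also score near 8 bits/byte, so treat a hit as a lead to pair with the other two signals in the post (an unfamiliar process and an unexpected outbound connection), not as proof on its own.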

And we haven't even started thinking about how many need security patches. This is a good time for me to roll out Borepatch's Third Law:
Everything's vulnerable. You may know what some of these vulnerabilities are, and which systems have them. You will never know all of them.
Now add in new technologies that are being deployed faster than we can understand the security implications. Here is an example, about people attacking databases across Al Gore's Intarwebz:

Here's another, about how on earth do you protect credit cards when everything is running on virtual servers:

I wonder if you might help me.

I operate an e-commerce Internet-based business that processes and stores cardholder data.

I need a QSA [security auditor - ed.] to assess my infrastructure and operations for PCI/DSS compliance.

Oh, I forgot to mention. All my infrastructure is in the cloud. It's all virtualized. It runs on Amazon's EC2. All my data is hosted outside of my direct stewardship. I don't own anything.

Since the cloud hides all the infrastructure and moving parts from me, I don't know if I meet any of the following PCI requirements:
Techno-geek security stuff deleted, because you don't meet any of the requirements, Scooter.

It's because you not only don't know where your problems are, you don't know who to ask to find out. It may be that by the time you get the information collected, verified, and prioritized into a Get Well plan, the information is out of date. Chris again:
All told, it'll probably end up costing us about $5 million in labor, and we'll end up having to completely rebuild from the ground up about 2000 of those boxes when they blow up horribly. Security software is like that: Once you've got the process and package down (a chore in and of itself), either it works immediately; or it fails completely, killing everything within sight.

Ahhh the glamorous world of large enterprise ...
Another analogy: In Band of Brothers, Stephen Ambrose writes about how thinly spread the 506th's men were at Bastogne, and how porous the front line was:
"Think of this," Winters commented. "Here is a German soldier, in the light of early dawn, who went to take a crap, got turned around in the woods, walked through our lines, past the company CP and ended up behind the Battalion CP! That sure was some line of defense we had that first night!"
We're all doing our cyber lines of defense like this right now. I have this filed under ur doin it rong not as a statement about what Chris is trying to do - he's in fact doing precisely what's needed. It's filed under this because everyone is doing it wrong.

That may - may, not will - be changing, but that's a topic for a later post.

1 comment:

ASM826 said...

Those are the funniest comics. Here's one of my favorites:

http://xkcd.com/364/

Good post.

ASM826