It’s the New Year, which means it’s time for the annual human ritual of making personal promises to give up bad habits and commit to living life better going forward. While most people are focused on renewing their gym memberships or cutting out carbs, my New Year’s resolution is to help make the Internet a safer place. As an industry, our collective security bad habits caught up with us last year, and it’s time for a change. Last year was a very bad year in terms of security. Here is but a small sampling of the headline-grabbing breaches that happened in 2015:
- Toy manufacturer VTech exposed 4.8 customer records, including personal information about kids.
- Security researchers hacked a Jeep Cherokee while in motion.
- Virginia State Police revealed that their police cars could be compromised.
- CIA director John Brennan’s email was hacked by a teenager through social engineering.
- Credit agency Experian lost 15 million T-Mobile customer records to hackers.
- Ransomware became a big deal in 2015 and expanded beyond the desktop to encrypt websites and mobile devices.
- Infidelity match-maker Ashley Madison lost customer records on 30+ million registered cheaters.
- Hacking consultancy Hacking Team was itself hacked, unleashing zero-day exploits into the wild.
- The U.S. Office of Personnel Management suffered a breach affecting 22 million government workers.
- LastPass, a password management provider, was hacked. (Fortunately, the stolen passwords were encrypted.)
The biggest hack of 2015, however, was the security breach of healthcare provider Anthem / Bluecross / BlueShield, which resulted in the theft of a whopping 80 million customer records, and an additional 19 million records of rejected customers. That’s about a third of the entire U.S. population.
2015 was abysmal for security—there is no denying it—but there is a silver lining. I’m hopeful that we’ll look back at 2015 as a watershed moment, the year the industry hit rock bottom, motivating us to get off the couch and start working our infosec muscles again. To that end, I’ve drafted a set of New Year’s security resolutions to get the ball rolling.
1. No Patch Left Behind
The bad guys are constantly scanning our networks for older software with known vulnerabilities. Even if a vulnerability shouldn’t be exploitable under normal circumstances, or it only leaks a little information, it is still one piece of the puzzle that hackers are assembling to gain access. I want to take all of these pieces off the board. That means maximizing the capabilities of vulnerability scanning tools (e.g. using agent-based or credentialed scans on every host), scanning every node on the network and getting every host to a “green” status. Think of this as the “broken windows” approach to patch management.
The challenge to patch management in the real world isn’t the time it takes to patch hosts (although that’s still a huge hurdle), it’s creating a process whereby we feel safe installing patches with minimal effort and little risk of breaking production systems. Effective patch management is a math problem:
Cost/time of patch management = (# of hosts * time to patch) + (# of hosts * time to fix post-patch problems) + (lost productivity from post-patch problems)
If you feel a twinge of hesitation to install the latest patch on a mission-critical system, that would be you mentally calculating the last two terms of the equation. You need to reduce this hesitation if you’re going to get to “green.” This can be managed by classifying systems into three buckets: 1) systems that result in a call from the CEO if they break, 2) systems that result in a call from a VP if they break, 3) all others. The number of hosts in bucket #1 is going to be small. Focus your time and energy on these patches by running them on test systems first and testing them thoroughly before patching. Or, alternatively, have a good rollback plan if things go wrong. For the systems in bucket #2, do a quick assessment of the latest patches, and run them if there are no obvious breakers. As for the hosts in bucket #3, put those on autopilot, running patches automatically and asking for forgiveness later if they break.
By doing this, you are probably going to break production systems more because you’re going to be patching more. This may sound risky but it is in fact cost-justified. Let’s look at the classic risk analysis equation to see why:
Risk = Loss * Probability
In the past, the Probability of a security event was very low and the Probability of a breaking patch was moderate, which meant the Risk of a security event was lower than the Risk of running a non-critical patch. Ergo, it was better to delay/avoid applying a non-critical patch than risk breaking the system. But the world has changed. The Probability of a security event is now much, much higher. Furthermore, the cost of a Loss resulting from a security event is potentially very high, which means that even a small increase in the Probability of a security event has a disproportionate impact on the Risk calculation overall. Therefore, today getting hacked is a higher Risk than breaking a system by installing a patch, which cost-justifies more aggressive patching. As IT/DevOps professionals, whether we are doing this math in Excel or in our heads, we’re constantly weighing the risk of breaking a system with a patch versus the risk of the system getting compromised. Unfortunately, if we don’t update our mental model to account for the changing environment, we risk making the wrong business decision.
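To make the three-bucket policy and the two equations above concrete, here is a small triage script I wrote for this post (it is an added example, not tooling from any vendor named here). It reads a constructed scan export with a made-up `bucket` column, maps each host to “green” or the action its bucket prescribes, and compares the risk of patching against the risk of staying vulnerable using Risk = Loss * Probability; the dollar figures and probabilities are illustrative assumptions.

```python
"""Triage of a vulnerability-scan export under the three-bucket patch policy."""
import csv
import io

# Constructed sample export (hostnames and numbers are made up for this example):
# host, bucket, number of missing patches, highest CVSS among those patches
SCAN_CSV = """host,bucket,missing_patches,max_cvss
erp-db-01,1,2,9.8
web-01,2,1,7.5
ci-runner-07,3,4,5.3
laptop-113,3,0,0.0
"""

# Bucket 1: a call from the CEO if it breaks; bucket 2: a call from a VP; bucket 3: all others.
ACTIONS = {
    1: "stage on a test system and verify before patching; keep a rollback plan",
    2: "quick review of the patch notes, then patch if there are no obvious breakers",
    3: "auto-patch; ask forgiveness later if it breaks",
}


def risk(loss, probability):
    """The post's risk equation: Risk = Loss * Probability."""
    return loss * probability


def patching_is_lower_risk(p_breach, loss_breach, p_break, loss_break):
    """True when the risk of staying unpatched exceeds the risk of a breaking patch."""
    return risk(loss_breach, p_breach) > risk(loss_break, p_break)


def triage(csv_text):
    """Map every scanned host to 'green' or to the action its bucket prescribes."""
    plan = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        bucket = int(row["bucket"])
        if bucket not in ACTIONS:  # every host must be classified; refuse to guess
            raise ValueError(f"{row['host']}: unknown bucket {bucket}")
        missing = int(row["missing_patches"])
        plan[row["host"]] = "green" if missing == 0 else ACTIONS[bucket]
    return plan


def green_ratio(plan):
    """Fraction of hosts already at 'green'; the goal is 1.0 across every node."""
    return sum(1 for action in plan.values() if action == "green") / len(plan)


if __name__ == "__main__":
    plan = triage(SCAN_CSV)
    for host, action in plan.items():
        print(f"{host}: {action}")
    print(f"green: {green_ratio(plan):.0%}")
    # Illustrative 2015-style inputs: a breach is now likely and expensive, so patching wins
    print(patching_is_lower_risk(0.05, 500_000, 0.10, 20_000))
```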
2. Stop Blaming the Victim and Improve Password Management
Cracked passwords are a common contributor in many security breaches. We know that users tend to choose weak passwords, that they use the same password across applications and that they usually keep track of passwords in insecure places like Excel files or Post-It notes. As IT and technology professionals, we cringe dramatically every time we hear about these bad practices. Silly users: how could you be so careless?
However, the dirty little secret we all know but pretend not to notice is that we are asking our users to do the impossible:
- Passwords should be long, 12 or more characters ideally
- They should contain numbers, punctuation marks, and upper case and lower case letters
- Passwords should be changed frequently, and should never be reused
- Every application should have a unique password
- And the kicker: Don’t write them down anywhere—memorize them all
Come on…seriously? Do we really think this is a reasonable ask in the cloud-enabled world of today? If the only password users needed to remember was their login to the Wang system or the VAX mainframe, this wouldn’t be a problem. But it’s 2016—not 1986—and users are logging into dozens of different applications and third-party sites every day to get their work done, so it’s ridiculous to expect them to generate and remember a unique, complex password for every system every three to six months. (Unless, of course, having a photographic memory is a condition of employment in your company.)
So let’s own up to the fact that it is our responsibility to provide a safe and secure place for users to store their passwords (preferably one that gives IT some visibility into the strength of the credentials, without giving us access to the passwords themselves). Credential management providers like LastPass, 1Password, Bitium, RoboForm Enterprise, Centrify, BeyondTrust and CyberArk all provide various types of password lockers that enable users to store passwords securely. And yes, these providers are themselves targets of attack (e.g. see above for more on LastPass’s woes last year). However, this is the best bad option. It’s better to put all of your eggs in one really, really strong basket than to leave a plethora of digital crumbs littered around for hackers to find with minimal effort.
The bottom line is that if you’re not providing your users a safe place to store their passwords, then you are putting them in an impossible position and setting them up to take the fall. This year we need to stop blaming the victim and take responsibility for credential management.
3. M…F…A. All the Way!
Sadly, even when users try to follow the rules and create strong passwords, they can still get cracked. This is a limitation of the technology itself—passwords are an old technology with inherent flaws, invented long before the era of cheap, on-demand computing power. Fortunately, multi-factor authentication (MFA) can give passwords a new lease on life by augmenting them with another piece of data for authentication. With MFA, that weak password composed of your dog’s name plus the year he was born is no longer enough to gain access to the network. With MFA you must combine the secret “you know” (i.e. your password) with a second factor: something “you are,” like your fingerprint, or something “you have,” like a time-based one-time password from a key fob or a mobile app. With MFA, your password now has reinforcement.
Many applications are starting to support MFA, and the more it gets used, the less awkward it will feel to end users. This year, I plan to start transitioning to MFA for everything that supports it, and to start looking for replacements for vendors that don’t. My users may hate me at first, but in a few years I suspect it will feel very strange and insecure to log in to a system without MFA.
4. Back Up the World
Ransomware became widespread last year, and it will continue to grow this year—the ROI is just too enticing. Ransomware is a particularly nasty type of malware that encrypts your computer, mobile phone or website so that you can’t access it until you pay the attacker a few hundred bucks in Bitcoin. The draw for ransomware attackers is that it is an easy way to monetize the hacking of easily-compromised home computers and small company websites. Prior to ransomware, the financial gain of compromising a personal computer wasn’t that much. It could be used as part of a spam botnet or to gain a few credit card numbers. But credit card numbers don’t fetch much more than a few bucks on the open market and computing power is a commodity. Ransomware significantly increases the profitability of hacking one-off computers.
The defense against ransomware is simple: install anti-virus software and have a good backup in place in case attackers bypass it. Fortunately, most mid-sized and large companies have strong anti-virus and backup procedures in place. Sadly, many small companies and individuals don’t. The societal impact of this is that the more people who pay ransomware extortionists, the more financial incentive there is for virus writers to evolve the technology, and the greater the risk everyone else faces as the attacks become more sophisticated. Therefore, this year I’m on a mission to get everyone to install anti-virus software on their home computers (such as Kaspersky Labs, McAfee, Trend Micro or Norton) and to use online backup software. Using an external hard drive or cloud drive for backup at home doesn’t always help, because it is typically mounted as another drive, which will get encrypted during a ransomware attack. Online backup solutions like iDrive and Carbonite are the best defense against a ransomware attack.
5. Forced Retirement For Old Internet Technologies
Old, first-generation rich Internet application technologies like Adobe Flash, Microsoft ActiveX and Java applets were developed before the web was such a dangerous place. Now—two decades later—they are the single biggest source of its insecurity. Flash, ActiveX and Java applets are fundamentally flawed technologies that cannot be secured and therefore must be retired. Fortunately their demise has been in the works for quite some time. Apple’s decision in 2007 not to support Flash on the iPhone was an important first step, and it spurred the adoption of HTML5, a much better and more open technology for developing interactive web experiences. Last year, Google continued pounding the nails in Flash’s coffin by ceasing to support it in new versions of Chrome (which gets updated automatically by default). Even Adobe is distancing itself from Flash by renaming the product and promoting it as a tool to generate HTML5. Nonetheless, many browsers still support these technologies, which keeps a big security hole open.
This year I resolve to block all Flash content, ActiveX controls and Java applets from the POP network and devices. This may not sound like a radical concept, but as an agency that develops web and mobile applications as its core business, it marks the first time in the company’s history that any content restrictions have been put in place. This year, the era of unfettered access ends, and the era of a safer web begins.
6. Know Thy Enemy
As the information security environment continues to get scarier, it is increasingly important to see the world through a hacker’s eyes. The more I learn about the tools and techniques attackers use to breach a network, the more motivation and knowledge I gain to shore up my cyber defenses. For this reason, I’ve made a New Year’s resolution to improve my proficiency with penetration testing tools like Kali Linux and the Metasploit exploit database. Although ad hoc pen testing is no replacement for a thorough third-party or automated pen test, I don’t think pen testing should be entirely outsourced either. (Why should professional pen testers have all the fun?) Continually poking and prodding the network yourself gives you critical knowledge and expertise to help keep out the bad guys.
7. Bike to Work
My final New Year’s resolution is to bike to work more. Is this because security researchers and car manufacturers are finding security holes in automotive systems that could lead to potentially fatal car crashes? No, not really. These are headline-grabbing exploits for sure, but unlikely to pose a major threat that would significantly raise the already somewhat high risk of driving. No, I’ll be riding my bike to work for much simpler reasons: it’s better for the environment, better for my health, and it helps reduce the terrible Seattle traffic. Plus, it’s kind of refreshing to know there aren’t any published vulnerabilities for my bicycle.