Wait! What! There’s no spell for that?
This tongue-in-cheek post was written to point out that one should consider preparing for worst-case scenarios. We can’t talk ourselves secure, and it doesn’t look like it’s going to be business as usual. This week saw the damage caused by Petya/NotPetya, a widespread attack that appeared at first to be ransomware. Upon analysis, it is now generally concluded that Petya was actually malware crafted to cause chaos and destruction on targeted systems. This time the damage was primarily in the Ukraine. Next time, who knows? Beware of copycats!
When it comes to the defense of systems and the data they hold, wouldn’t it be so much easier, not to mention fairly cool, if cyber defenders were wizards who could use magic to protect them?
If you or your kids were a fan of the Harry Potter series, or still are, remember the disarming spell? If you didn’t catch either the books or the films, one could disarm an adversary with a spell. Seemed pretty darn effective too.
If defenders were wizards, the magic they would need would be a cross between the magical dome-shield that protected Hogwarts against Death Eaters and whatever, and the Patronus Charm, a Dementor’s worst nightmare.
(Pro-tip: positive security models seem to work universally!)
A wave of your wand, recite a quick spell, and let one of these beauties rip…
Your network defending troubles would be over! That might be perimeter security that actually worked!
Magic would probably be so much better than the peddled security pixie dust and snake oil that has caused customers to suffer “buyer confusion” in a market for lemons, for so long. Sadly, in real life we don’t have magical forces at our disposal.
Super Powers, etc.?
And you probably shouldn’t go thinking that you might have some kind of super power because,
“I must be invincible – I never get hit.”
Sorry, not unless super-denial is a super power, or unless you happen to be super Patch Man! You may want to buy a lottery ticket though, because you may just have been lucky, and that could run out – at any time! Besides, recall something about,
… absence of evidence, is not evidence of absence.
What about psychics or pre-cogs?
Nope. No manner of fortune telling or psychobabble works either. If someone predicts you’re going to suffer some form of cyber incident in the future, that’s just an educated guess about a probable event, not anything mystical.
Back to reality – Dark Forces
Isn’t all of this human resistance to change? Fully revved up human lizard brains at work? It’s always easier to fall back on wishful thinking, ignoring the problem, hoping it goes away, or waiting for someone else to fix it.
This is all sort of too bad actually, because defenders must now contend with dark forces and the black arts that are all around us, in the escalating threat environment. (It’s ironic that for many legislators who don’t understand the technical issues, much of “hacking” is perceived as black magic.) The infosec version of the Dark Arts, or perhaps we should refer to it as the Dark phArts, since phishing plays a huge role in many of the insidious attacks we’re witnessing, appears to be thriving.
What am I getting at here? We’ve moved well beyond the point of basic cyber crime and data theft, to where
… the goal of adversaries could be “to take you down!”
For examples of what may lie ahead, you might read the article “The ultimate cyberattack is on the horizon”, which offers this view:
As DDoS attacks grow stronger, ransomware attacks become more frequent, and modern warfare moves into the cyber arena, the potential for cyberattacks of nightmare proportions seem even more likely.
Data poisoning, distributed volumetric attacks capable of shutting down critical networks, and insider threats have always been serious issues, but some researchers fear these kinds of attacks may be used to shut down critical infrastructure and wreak havoc on their victims outside of the cyber realm that have lasting impacts.
The problem with attacks on critical infrastructure is that members of the everyday public will be innocent victims.
That’s Gotta Hurt!
In case you’re a politician, a bureaucrat, or you’ve been in a cave for a while, consider a few of the following accounts. (You can skip down a bit if this doesn’t apply to you.)
The article “How hackers are making the worst-case security scenario ever worse” informs us that
“… disruption even resulted in the loss of capability to function as a business due to what’s described as ‘the crippling loss of critical systems’.”
“Public events over the last few years have altered the notion of what comprises a worst-case scenario.”
Just ask Sony!
This type of damage was inflicted on a victim who became the ultimate poster child of malicious attacks, as described in “Sony, hack of the century pt 1”:
“Before Sony’s IT staff could pull the plug, the hackers’ malware had leaped from machine to machine throughout the lot and across continents, wiping out half of Sony’s global network. It erased everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers. To make sure nothing could be recovered, the attackers had even added a little extra poison: a special deleting algorithm that overwrote the data seven different ways. When that was done, the code zapped each computer’s startup software, rendering the machines brain-dead.
“… it took just one hour to throw Sony Pictures back into the era of the Betamax. The studio was reduced to using fax machines, communicating through posted messages, and paying its 7,000 employees with paper checks.”
Sony’s CEO described living through this in “‘They Burned the House Down’: An Interview with Michael Lynton”:
“The bigger challenge was that the folks who did this didn’t just steal practically everything from the house; they burned the house down. They took our data. Then they wiped stuff off our computers. And then they destroyed our servers and our computers.”
The article “Sony’s Big Takeaway” tells us what the lesson is for the typical enterprise:
“That anything they do, or say, that upsets and motivates a group (or nation) with enough skills to lash out can and may do exactly that. And companies need to know how to prepare and respond to these types of attacks. Enterprises can’t assume that it’s just money or the theft of assets of monetary value that attackers will seek. They have to prepare themselves for the possibility of revenge attacks. These attacks will be a lot less business-like than is common with traditional attacks. And they’ll be much more public, vindictive, and potentially much more damaging when they do occur. And the motivation for, and the delivery of, these types of attacks can come unexpectedly and from anywhere.”
Other large corporations, notably Saudi Aramco, which was knocked offline for 5 months, were hit as well. We saw that a “Cyberattack on German steel factory causes ‘massive damage’”:
“… hackers managed to access production networks, allowing them to tamper with the controls of a blast furnace, the government said in its annual IT security report … revealed one of the rare instances in which a digital attack actually caused physical damage.”
Shades of Stuxnet! The Sands Casino was hit to the tune of $40 million in damages in what appeared to be a revenge attack.
“Adelson’s comments soon sparked outrage in Iran, and on February 10th the Las Vegas Sands Corp was targeted for retaliation by who are believed to be Iranian hackers.”
No segment is immune to malice. After J.P. Morgan was breached, people really began to worry. The article “If Financial Systems are Hacked” says:
“Recent attacks give a glimpse of the sort of cyber-assault that could bring the world economy to a halt. Better defences are needed.”
“‘We’re not keeping up, we’re losing,’ says one insurer, who thinks most people remain blind to the real-world damage such assaults could do.”
Whether financial systems are taken offline for some period of time, or whether the public loses trust in financial institutions, the repercussions could indeed be devastating.
I said that ransomware is the first perfect storm of infosec. In 2015, Richard Clarke said here:
“Ransomware is increasingly common… Actual destruction where everything is wiped out on a network is not, – yet.”
For examples of this now happening, see here, and in an article this week, “KillDisk Ransomware Targets Linux; Demands $250,000 Ransom, But Won’t Decrypt Files”. There’s always a chance your data will be gone with ransomware, and if attackers can load a ransomware payload, they can just as easily hit you with destructive malware at the same time, to be used for either extortion or destruction.
The Trouble With Normal Is It Always Gets Worse!
Infosec is always playing catch-up in a world where it’s constantly falling further behind. Adversaries aren’t standing still; they’re constantly innovating. We’re likely heading toward even more malicious ransomware targeting everything, data tampering, AI and automation used in attacks, and cyber terrorism possibly becoming the more convenient weapon of choice. Right now, everything is adding more attack surface. What’s more, once an attacker is in your network, how do you know when your environment is ever safe again?