By Joey J Peleg
ICDI-Israeli Cyber Defense Institute
Today’s mobile services and solutions have added the amazing capability for users to always stay in touch with other people, homes or organizations. On another front, cloud computing has given us the ability to keep and save our information, be it music, work products, pictures and so forth, with just a few clicks and no geographic restrictions. In the last two years there has been an avalanche of applications, products and solutions, and in general it has been fun and interesting to see how far human innovation can take us in this digital realm. Today cloud and mobile services and products are merging into even better solutions and probably higher productivity.
As a security professional, looking at this tsunami of cloud and mobile services and invasions, all that I could do was teach cloud and mobile security to professionals, to show the hidden dangers to organizations and their impact.
Can we or should we even try to mitigate cyber security dangers that this impending avalanche shall bring?
As we see every day in the press and in our own experience, these platforms are fast becoming the most attacked platforms, used by cyber criminals and by rogue (and not so rogue) governments as intelligence gathering tools. The truth is that cyber-defense, or infosec, is at the stage of asymmetrical warfare between security professionals and cyber-criminals, where the cyber-criminals have the upper hand and, in general, the latter encounter very few restrictions. There are many reasons for this, as we will see here, and this brings us to the question: “Can we or should we even try to mitigate cyber security dangers that this impending avalanche shall bring?” I’m sure that the “should we” part of the question will raise some eyebrows, but as I will clarify, this is a legitimate question.
What or who do we secure?
Before we can even start answering this question we have to differentiate between whom or what we are going to defend or mitigate. I have taken part in or heard discussions and debates on cyber-defense, and it has become clear that most people or experts talk from their own point of view, from where they stand or what their duties are. As an example, sometimes you hear a security expert in a televised interview or in closed circles speaking about the dangers of this or that cyber-criminal to organizations, and the interviewer only asks about his or her personal digital security and how it might affect her laptop. As you can see, each person is talking about digital security from their own “point of view”, and as we know, each “point of view” is mitigated in different ways. So the first issue that we must address is how to differentiate and categorize these “points of view”, so that we can talk about security from the same place. Categorizing “points of view” has a deep impact on mobile or cloud security.
1. Personal use.
2. SMB - Small and medium business
(A) sub category: SOHO - Small office home office.
3. Enterprise
(B) sub category: Infrastructures (governmental, private or a hybrid of both).
4. Military.
5. Government (sub category: Law enforcement).
These are the five main categories, or ranges, to defend; I abbreviate them as “PSEMG”. Security controls, threat mitigation and policies for each range are different. We will start with the personal user, which surprisingly has the biggest impact on enterprise security. Today the digital security situation for personal users is in a dismal place. Smart phones and tablets have become globally ubiquitous as our mobile partners, and seem to have become an extension of our bodies. We use the smart phone to record a major part of our daily dealings and events, and to this we have integrated cloud services that enable us to access our information without any geographical restrictions. Most security reports from leading security firms, and our own experience, show us that mobile platforms are being massively attacked or breached at an alarming rate. It seems that all mobile OSes are targeted for financial reasons or intelligence gathering. I won’t mention proprietary mobile platforms, as all are being breached, some more than others. Even closed OSes are being specifically targeted, or jailbroken by their owners, rendering the minimal security null and void, as long as the user can download any application for free.
Personal user security
As any security expert can tell you, the majority of mobile devices have no security system in place, or only a free anti-virus. Most personal users have minimal security knowledge or expertise. To compound the problem, the infinite amount of smart device features, and a never-ending battle between anti-virus providers and hostile individuals and organizations, often cause continuous security breaches, damage or unwanted exposure of data and personal information. The truth is that most personal users just don’t care about or don’t understand the risks involved. As this is a short lecture I won’t run through the almost endless threats to mobile devices, and trust that most of you are familiar with most of them.
One point that I do want to make about these threats is that during my career I have seen what a large number of users keep on their phones and the sites that they access. As you can imagine: porn and gambling sites for adults, and social sites for the younger crowd. These watering holes are usually used by cyber criminals to pounce on the unsuspecting user.
As we have shown, most personal devices are virus-ridden and infectious. For the foreseeable future private users are sitting ducks, or easy prey, for cyber criminals; it is analogous to shooting fish in a barrel, and they should be kept as far away from any organization as possible. From my point of view, granting them access to organizational assets is irresponsible, irrational and just borderline criminal. To this we have to add the loss of privacy, mostly through companies over-accessing personal information that has no correlation with the actual use of the application.
After saying all this, there is a light at the end of the tunnel. Especially in the last two years, many new solutions have appeared on the market and show a lot of promise, but only time will tell if they are mature enough for the current dangers that we face. This is not only a technical problem; raising awareness will help mitigate some of these issues. On a personal note, in the last few months I have been invited to review several new Israeli solutions that look very promising, as the problem has been taken up as a challenge by cyber security experts formerly from the military, and they should be on the market towards the end of this year.
The digital situation with SMBs, and their sub-category SOHO, is mostly the same as for private users. Most SMBs have heard from the press about digital threats and buzzwords, but believe that they are immune as small businesses (security by obscurity), and don’t really understand, or cannot afford, the additional expenses of safeguarding their intangible assets. The best that they can hope for is that their network administrator has the security knowledge and funds needed to safeguard their business. More and more SMBs are using cloud services (SaaS, PaaS and IaaS) without really understanding all the repercussions of using them. An example: one of the main security issues is the transfer of IP (intellectual property) remotely, in some cases securely (SSL), to an unsecured site whose jurisdiction is unknown and which is accessible to unknown personnel. In many cases this information is sold to third parties.
If the SMB is lucky, the admin may have integrated an anti-virus/firewall solution, but as you can ask any botnet herder or script-kiddie hacker, this isn’t much of a hurdle to overcome, especially as the application level is usually forgotten. Here in Israel there is a plague of ransomware and massive attacks from around the world, especially during conflicts with our neighbors. Until SMBs start adding security controls and policies as part of their business model, this category is also a lost cause. This is a very dangerous position to be in, as SMBs are the biggest part of most national economies, and the catastrophic impact on our lives is already starting to be felt and will increase in the near future.
As I like to state, WWW stands for “the wild wild west”: governments cannot implement security measures or controls, or do not have the necessary resources, so digital defense falls on each and every business. I would advise that at the very least governments start national awareness programs through mass media or, in extreme cases, even subsidize security controls
(maybe as tax returns)…
The enterprise range we can subcategorize into private and national infrastructures, or a combination of both. As we have seen in the past year, there have been massive breaches of private companies, just to mention a few: Amazon, Twitter, Google, RSA, Sony, Bank of America and so forth. These are just a few, and there is an understanding among infosec experts that over 80% of breaches are not reported, so as not to undermine the company’s reputation. Even in this enterprise category we are seeing use of mobile and cloud platforms in the workplace, and it has become a sticking point between management and security officers; in many cases we are losing the battle, and even integrating security controls has become an uphill battle.
Unlike the two previous categories, here most enterprise-level organizations have the resources to mitigate internal and external digital threats. Most enterprise-sized organizations have difficulty integrating digital security measures because of their size, or postpone security for more profitable business-based endeavors. Here it’s easier to see the cause and effect of losing intangible assets, patents, R&D and so forth. Companies that lose these assets will not be able to compete in the market as before, and will close departments if not the whole business. It’s easier and cheaper to steal research than to invest in R&D; this is one of the reasons that rogue governments invest so heavily in acquiring these assets, and it will have an immense impact on a nation’s economy. But here there is a ray of hope, as governments and interest groups are starting to understand this danger and are forcing companies, through regulatory compliance, to mitigate these threats (ISO 27001, SOX, HIPAA and PCI-DSS, for example). The sub-category of “national infrastructure” in most western countries has started to be regulated by governments, the military and law enforcement, and in most cases has CISOs that are implementing security measures. This will be an ongoing process, as we are seeing more and more APTs (advanced persistent threats) on the rise that target by industry. At the end of the day, the enterprise range category is the main prize for cyber-criminals and rogue countries.
In general the military category is divided into three subcategories (this may change for different countries).
I would say that most militaries do not, or should not, integrate mobile or cloud platforms, but here in Israel mobile devices have been given to officers since last year, and there was an article that stated that some high-ranking officers were using “Whatsapp” to communicate between themselves. This seems irresponsible, as most mobile security controls still haven’t proven their level of maturity. There are militaries that are recoding new OSes with security in mind. Last year the Israeli Prime Minister initiated what is called the “Cyber branch”, which is responsible for safeguarding Israeli assets. It took a while until it was decided “what to safeguard”, and after Israel, according to the Israeli finance minister, suffered over 44 million cyber-attacks in February of 2012, during the Gaza conflict. As we are talking about mobile and cloud security I won’t get into military offense and intelligence, but suffice to say that many military units around the world gather intelligence called OSINT, which usually means social sites and improperly guarded cloud services.
To summarize the military range: the introduction of mobile and cloud platform security is taken very seriously, and should in time overcome most cyber threats.
Governments, and their sub-category “law enforcement” (in most countries), are serious about introducing secure mobile and cloud platforms, but find it difficult to deny functionaries’ requests and demands to use these platforms. We have also seen the “Red October” attacks on governments, which went on for over 5 years. What the impact on nation states has been, we can only speculate.
As we have seen, some categories cannot at this time get the digital security that they need, and some categories are still in the initial stages of finding the technologies and policies needed to defend their digital assets. So using mobile and cloud solutions is just adding gasoline to an already raging fire, but who can stop technological advances in this day and age? At least give us some time to find proven solutions.
As we have already started to see, many services that we got used to will be unavailable for longer periods of time, and some may even disappear. We have seen advanced technology that took decades to develop fall into the hands of rogue nations.
A good example would be stealth technology, developed by the U.S. since the 1950s at a cost of billions of dollars and millions of man-hours. Last year the Russians and Chinese presented their own versions of stealth technology. Any advantage that the U.S. had has disappeared, and the same goes for any derivative of said technology.
To answer our initial question: at this point we are far from being able to secure our digital assets, and we should try to mitigate these threats, but everything will get much worse before it gets better. I can only hope that in the aftermath of infosec or cyber defense incidents, safeguarding digital assets will be part of every business model or project from the beginning, and not an afterthought.
What can we do?
As I stated before, the personal and SMB categories are going to suffer in myriad ways. What the social and/or financial impact will be, we can only guess.
The only solution that I can see is for governments to start mass media campaigns on safeguarding digital assets and privacy, including the legal repercussions.
I don’t believe that this will happen any time soon, as many industries are based on users’ personal information, including their behavior online and offline. To compound this issue, users don’t care about or understand these dangers. Another danger that is growing exponentially is “human engineering” attacks (phishing and spear phishing), which have become extremely efficient and professional.
The only effective mitigation is based on nature’s biological mass-numbers defense, similar to herds of massive size that survive because of their numbers. The sad part is that we do have very effective technological solutions that can minimize the impact of these cyber threats, but we can’t force them onto users.
Last week I was at a hi-tech convention, and one of the speakers was the CEO of a globally popular geolocating application for mobile use. At the Q&A, I had the nerve to ask why their application needed our contact lists and access to all corners of our mobile devices. He answered that it was a question for his tech people. This isn’t the important part, even though this application gives the parent company real-time location, listening options, access to the ROM and RAM, and we do not really know what happens to our information, under what jurisdiction the data rests, or even if it’s sold to third parties.
At this point the people in the crowd started yelling at me for bringing up nonsense, and that if I didn’t like it I should stop using it. This is a good example of the mindset of most personal users and SMBs. After the speech, some people asked about the issue that I had brought up.
Unfortunately I have encountered many users who are in financial tribulations after being breached or excessively charged by service companies. The enterprise range category (financial institutions, utilities and so forth) is the goose that lays golden eggs for cyber criminals and rogue nations, even though this range has the financial resources to mitigate the majority of digital threats, if not targeted attacks.
As information security or cyber defense is not a business, it is very difficult for stakeholders to understand the financial incentive to rapidly integrate security mitigation controls, and even more difficult to implement security policies. As cyber-crime as a service becomes ever more ubiquitous, and given the effectiveness of spear phishing (as in the RSA breach) or DDoS, it will become very difficult for enterprises to defend themselves effectively.
In my last speech I was asked about transportation. There have been PoC breaches of medical devices, for instance attacks on insulin pumps, heart pacemakers or any device that has a beacon or wireless access.
The same goes for any device that has a computer or processing power integrated with any code, like cars or airplanes. A few years back there was a media report that a Spanish passenger airplane crashed because of a viral infection that compromised the navigation controls. If we continue with this logic, car, marine or airplane manufacturers should implement a secure code review of each piece of software or code before installing it in any vehicle. If this process is not properly implemented, it will lead to loss of life and reputation.
Not to be a conspiracy theorist, but who knows how many accidents can be attributed to infested vehicles and have not been reported. So as not to leave on a negative note, we must remember that awareness is 50% of mitigation, so talk about these threats with your peers.