Last Day to Save $400 on SANS Tysons Corner 2016

Conversations About Cybersecurity

Alan Paller is director of research for the SANS Institute, a provider of security training and certification.

A few Sundays ago, the managing partner and IT partner from a large law firm in New York came to my home for a visit. It wasn't just for coffee. They had flown down to Washington to discuss what they might do in the aftermath of a troubling visit from the FBI.

Here's how the conversation went.

Conversations about Cybersecurity (Part 1):
The FBI Just Told You All Your Proprietary Files Were Stolen by the Chinese

Alan: What exactly did the FBI agents tell you?

Attorneys: They said that our files had been found on a server in another country. The server was used as a way station for sending data to a large Asian country. Off the record they said it was China.

Alan: Did they tell you which files?

Attorneys: They showed us a listing of what they had. It was all our client files.

Alan: What would you like to know?

Attorneys: We understand we cannot get the files back, but we would like to know why and how they were stolen and how they are likely to be used. And then we hope you'll tell us how we can stop those attacks in the future.

Alan: The first part is straightforward; the second is very hard. The Chinese People's Liberation Army (PLA) runs a very active industrial espionage program because it has the joint mission of ensuring both military and economic security. So when companies from another country attempt to do business with a Chinese company or agency in an important area of technology, the PLA helps give its side an advantage by stealing data from the other side. They use the same targeted cyber-intrusion techniques they use to steal military secrets. They are after the "play books"--the documents that tell what the company is willing to give up and where it will hold the line. That data gives their side an advantage in negotiations. Sometimes, as in the Google case, they just steal the technology they want.

Attorneys: How do you know that?

Alan: Because Jonathan Evans, Director General of the British Security Service (MI-5), sent a private letter to the managing directors of the 300 largest companies in the UK telling them that this was happening. [At the time of the conversation I was unaware that Bear Bryant, the U.S. Counter Intelligence Executive in the Office of the Director of National Intelligence, would say the same thing in the United States at a press briefing not long after.]

Attorneys: That makes sense, but what does that have to do with us?

Alan: What the MI-5 director told the managing directors was that their information was as likely to be stolen from their attorneys and international consultants as from their own computers. Most law firms have very weak security, attorneys often don't pay attention to security notices and guidelines, and the important files relating to clients' international activities are usually much easier to find in a law firm's files than in the corporate files. So the question is, do you have any clients doing business in China?

Attorneys: Sh*t.

Alan: So now I have a question. What are you planning to tell your clients?

Attorneys: Telling them anything would be crazy! Can you think of a better way to destroy their trust in us than informing them that all the documents they gave us under attorney-client privilege have been stolen?

Alan: So let's talk about how the attackers find you and how they get in. That may help you in stopping future intrusions.

To be continued in the next installment.

Conversations about Cybersecurity (Part 2):
Don't Let Them In

When we left the attorneys in the last installment, they were wondering just how the cyber industrial spies had gotten into their computers.

Alan: I don't know how your particular intruders got in, but I'll show you how an average intruder gets in. His first step would be reconnaissance. He uses the Web to find your IP addresses - the electronic tags that allow other computers to send information to your computers - as well as the names of the managing director and other senior partners and the structure of email addresses (for example, First.Last@lawfirm.com, or FLast@lawfirm.com). That information would probably allow the would-be intruder to send a spoof email - that is, send mail to other people in the firm that appears to come from the managing partner.

Attorneys: Slow down! Too much jargon.

Alan: Ok, let's go back up to 10,000 feet. The intruder wants to get someone in your firm who has powerful access to your computers - either a senior partner or the system manager or administrators - to open a back door for him through which he can steal all your data. Does that make sense?

Attorneys: Yes. But none of our people would do that.

Alan: Not knowingly. I agree. But the intruders fool them into doing it.

Attorneys: How?

Alan: They would send a spoof email - it might be one that looks like it came from either of you and is sent to your IT system manager saying something like, "I am a little concerned that if an attorney leaves the firm, we might not be able to tell what files he copied or emailed out in the weeks before he left. I've attached a description of a product that one of our clients told me about that purports to protect against just such unauthorized data leakage. I want you to take a look at it - download it and try it - as well as other products that may do the same thing. Then come back to me in a couple weeks with an assessment. I don't know much more about it than I have told you, so thanks in advance for a solid analysis."

Attorneys: Ah. The product you are pointing him to is actually a virus. Right?

Alan: No. It's a simpler attack, although the one you describe is very common - a lot of the anti-virus ads, emails, and pop-ups get people to download and install malicious software masquerading as antivirus software and make them pay $39.95 for the insult and injury. But your attackers are in a hurry and they don't need to get you to download any software. The document attached to the spoof email has hidden codes that cause your computer to open a back door. Just opening the Word document or PDF will do it.

Attorneys: That doesn't make sense. Word documents aren't programs, are they?

Alan: Every character in a Word document is an instruction to a very complicated and powerful piece of software called Microsoft Word. So yes, they are programs. I can go deeper, but it gets really arcane. Trust me. Many flaws have been discovered in Microsoft Word that allow an attacker to use it to open a back door. In 1995, Microsoft Word had about 2 million lines of code. Now it has many millions more. No one can write that big a program without errors, and it is those errors that that are exploited. It is not just Word. It is Microsoft Excel and Media Player and Adobe Flash and Reader - pretty much every program that displays content in text or video or sound.

Attorneys: You make computing sound dangerous.

Alan: I don't like being all gloom and doom, and there are some things you can do to protect yourselves. But let's finish how they steal your documents. I'll go over it quickly. The extra codes in the PDF or Word document causes the system manager's computer to run a tiny program that makes his computer connect across the Internet to a "mother ship" and say, "I am in and ready for instructions." The mother ship provides the instructions and the infected computer collects data and sends it out. You system manager has no idea any of this is happening.

Attorneys: No idea! This is really frightening. But you said there are ways to protect yourself. Do you mean training people not to open attachments and to keep their computers updated with patches? We tried that. The attorneys wouldn't sit through the training.

Alan: There are new awareness programs that are much better, and attorneys do sit through them. Still, user training alone is not sufficient. It's like training kids in defensive driving and then sending them out in a Volkswagon to compete in a demolition derby for trucks. They would need a lot more protection in that situation than just defensive driving skills. It's those other protections that you'll need to deploy. The Australian government discovered that four simple protections are surprisingly effective against targeted intrusions like the one that hit you and the ones I've described. They were deployed last year very successfully.

Attorneys: Wow that sounds promising, but are those protections available here?

Alan: The U.K. and U.S. are following suit with these protections on their important computers. In October, White House Cyber Coordinator Howard Schmidt gave the Australians a U.S. National Cybersecurity Innovation Award for their breakthrough. I am hoping the tools needed to implement the Australian innovation will become available from enough vendors and at cheap enough prices by the end of the year that even law firms will be able to afford them. I'll tell you what the Australians found in the final installment. But first, I think it prudent that you know why the tools that security vendors are selling today don't protect you against these targeted attacks. That will help explain why what the Australians found is so important.

That's in the next installment.

Conversations about Cybersecurity (Part 3):
Think You're Protected? Think Again...

When we last left the attorneys, they had learned who attacked them and why, as well as how the attackers got into their systems. They were waiting to learn why the tools that security vendors had sold them didn't protect their computers against the targeted attacks.

Attorneys: We hired a consultant a couple of years ago to do a security assessment, and we put in the defenses he prescribed: automatic updating for Windows, antivirus on every computer, and firewalls between our systems and the Internet. He said that was "best practice."

Alan: Those moves are valuable, but they don't protect you against targeted attacks. In order to get around your defenses, the folks doing targeted attacks exploit your need to have your computers useful in your line of business. Does that make sense?

Attorneys: [Looking confused...]

Alan: Guess not. Let's take the targeted attack one step at a time and see how each step evades your defenses. First they get your e-mail addresses. You have no defense against that because as a going concern you need to receive e-mails, and that means your e-mail addresses need to be available at least to some people. And since most e-mail addresses use one of a few common forms like first-dot-last-name @ your-company-dot-com, it's not hard to guess them.

Attorneys: But wait, how do they know which of the many forms we are using?

Alan: They search for several names using different forms in Google until they find some notes your partners have posted. Or failing that, they send innocuous e-mail to each form of address at your organization and the form that doesn't get rejected is the correct one. Let's move on. Their second step is to send a spoof e-mail (one that looks like it comes from a trusted friend or client) to one of your key employees or partners. The e-mail includes an infected attachment. Here's where your firewall, anti-virus, or fully patched operating system would be expected to help. But they don't. The firewall doesn't stop the spoof e-mail because it looks just like every other e-mail you get. If the firewall were to stop this one, it would have to stop them all, and that would disable your business. So it's not the firewall but rather the antivirus tools that are supposed to strip the infected attachment. But the increased sophistication of modern attackers overwhelms your antivirus tools. An arms race between attackers and antivirus researchers is being won by the attackers. They write a new exploit; the antivirus guys write a defense; and then the attackers reverse-engineer every antivirus company's defense and change their attack to evade them all. So that's how infected attachments get through firewalls and past antivirus systems.

Attorneys: Before you go on, does that mean we should throw away the antivirus tools? They sound useless. Their marketing people never let on that they are losing the so-called arms race.

Alan: No, you need antivirus to block old attacks, but lower-cost, second-tier tools usually outperform the high-priced ones from the big-name vendors in head-to-head tests measuring which tools find the most infections. You ready to go on?

Attorneys: Yeah. We turned on automatic patching, why doesn't that stop the infected attachment from working on our system?

Alan: I am impressed. You get an A for knowing how the attack works. Microsoft updates don't protect you because most successful infected attachments are not going after flaws in Microsoft products. They are going after flaws in applications like Adobe Reader or Flash. Many people do not update those applications. Adobe Reader displays PDF files and Flash shows videos and animated advertisements. Huge numbers of flaws have been found in them.

Attorneys: Why didn't our consultant set us up to automatically patch those?

Alan: Probably because when he came several years ago, most of the attacks were not targeted, and the ones that were targeted usually focused on military and defense contractors, and used flaws in Microsoft products like Word, Excel, or PowerPoint that are patched automatically along with the operating system if you set it up correctly. This is the arms race made real. We patch the Windows operating system, they go after Word and Excel. We patch the flaws in Word and they go after Adobe Reader and Flash.

Attorneys: Is there any way out of this maze?

Alan: The Australian Defense Signals Directorate has found a surprisingly effective formula for dealing with these targeted intrusions, and it seems to work in all kinds of organizations.

So hang in there, because their innovation will be the topic of the final installment in this series.

Conversations about Cybersecurity (Part 4):
Protect Yourself

When we last left the attorneys, they had asked what they could do to stop the targeted attacks that the Chinese and other competitors used in industrial espionage.

Attorneys: You said that the Australian Defense Signals Directorate (DSD) has found an effective way to fight off these targeted intrusions? But who are they?

Alan: DSD is the Australian equivalent - but with far fewer employees - of a combination of the U.S. National Security Agency and the cybersecurity component of the U.S. Department of Homeland Security. DSD has responsibility for helping protect both military and civilian government agency computers and networks.

Attorneys: And how do you know what they developed actually works?

Alan: Because Ian Watt, the Australian Secretary of Defense, ordered all government agencies in Australia to implement the plan. The first two agencies that completed the task found that low- and medium-sophistication intrusions completely stopped.

Attorneys: What about high-sophistication attacks?

Alan: They're still hard to stop, because nation-states willing to spend unlimited amounts of money for technology, intelligence gathering, and bribery can overcome just about any defense. The smart strategy for businesses that want to defend themselves as comprehensively as possible is to build defensive walls that force adversaries to spend a very large amount of money and effort to overcome them. That way the potential economic benefits for the attacker become unattractive.

Attorneys: Got it. Nothing's perfect. So what do we need to do and how much is enough?

Alan: At the very least, let's start by talking about the defenses suggested by the DSD, because without them, it is so easy to steal your documents that, as the head of the U.S. Secret Service cybercrime fighting group said, any economic espionage group not using these intrusion techniques "should be sued for malpractice."

Attorneys: Okay, we're all ears.

Alan: The Australians call it the "sweet spot." It includes four continuous actions your firm would take to keep your systems maximally able to withstand attacks. Two of the four involve patching and two are more sophisticated. The Australians published documents describing the actions and how to implement them. They're posted at http://www.dsd.gov.au/publications/Top_4_Mitigation_Strategies_to_Protect_Your_ICT_System.pdf. Specific implementation advice for Windows systems is available at http://www.dsd.gov.au/publications/Implementing_Top_4_for_Windows.pdf.

Attorneys: Can you tell us a little more? This is really important.

Alan: Sure, two important actions are application white listing and minimizing administrative rights. "White listing" means allowing your computers to run software only if it is on a list of approved programs. Any other programs are excluded. That means that even if an attacker gains control of a senior partner's or system administrator's computer, he cannot put software on that computer that would collect data and send it out. "Minimizing administrative rights" is similar. Key partners and system staff are most vulnerable to malicious software when they are using the Internet or e-mail. Ensuring that their systems are set to operate as simple users - rather than their having the powerful administrative rights of system administrators - while browsing or reading email - keeps attackers from running malicious software on their computers and stops the attacks.

Attorneys: Sounds pretty easy. It's not, is it?

Alan: You are correct. If it were easy, most organizations would have done it. The principal problem is that software packages are written by programmers who often ignore the fact that other programs also run on people's computers along with the one they are writing. As a result, when you set your computer to run with normal user rights, rather than administrator rights, some programs just won't work. The programmer had administrator rights when he was developing the program, and so he expects every user to have those rights. Similarly, sometimes just installing new patches can cause programs to misbehave. And some programs change so often that white listing cannot keep up with them. When a user tries to start one of those fast-changing programs, the white listing program stops it.

Attorneys: You're not painting a very pretty picture.

Alan: Nope. It isn't pretty. The programmers who wrote most of the software you purchased simply never considered that they would have to operate in a safe environment. They should have, but they didn't.

Attorneys: So we just give up?

Alan: If you had asked me that last year, I would have said yes, because a business below a billion dollars in revenue does not have the resources and staff to implement the level of security required to fight off these attacks. And I would have told you that the people promising these companies confident and safe computing were selling snake oil. But now it can be done. Having said that, security needs to be implemented by people who have done it before, seen the problems, and know what works in fixing them. Several consulting companies are starting to train their staff, mostly by allowing them to implement the four controls of the Australian "sweet spot" on their own systems. They expect to build a substantial practice around implementing the "sweet spot" for mid-sized and large companies. I don't think any of them are operational in the U.S. yet. When they are, we will interview their users and see how well it seems to be working. We'll publish a list of the ones that seem to know what they are doing and keep it up to date. We'll also keep track of the ones that are claiming expertise but have no demonstrated successes.

Attorneys: We have already lost the current crown jewels - or at least a copy of them - but that's just our secret. We'd like to cut the risk that it will happen again. Will you keep us informed of the progress of those companies?

Alan: Absolutely, that's a big part of what we do here at SANS...