Sunday, 26 May 2013

Industrial espionage and cybersecurity (two articles in English)

Because of their interest, we reproduce two articles that have been published recently.

I) The Economist: Link to the original article.
Industrial espionage
Unusual suspects
Cyber-spying grows bigger and more boring
May 25th 2013 | From the print edition

BIG firms that lose data to cyber-spies normally know whom to blame. “It’s always the Chinese”, says Snorre Fagerland of Norman Shark, a security firm in Oslo. Yet on May 20th it revealed that a recent attack on Telenor, a Norwegian telecoms firm and one of the world’s largest mobile operators, was probably directed from India. Though South Asia boasts plenty of troublemakers, says Mr Fagerland, no one had yet caught Indian hackers in such a well-planned assault.
The Telenor attack is one of several which security experts are pinning on a single Indian group, provisionally named HangOver. Most of the other assaults targeted computers in Pakistan. Since 2010 these hackers have hidden malware in documents that purport to contain Indian government secrets, presumably hoping to infect systems run by Pakistani military or intelligence services. Separatist groups within India are a target, too.
The scope is widening. On May 14th a researcher at a human-rights conference, the Oslo Freedom Forum, found malware produced by the same gang hidden on the laptop of an Angolan anti-corruption campaigner (it was capturing screenshots). Though trivial in itself, that file had slipped through Apple’s normally sturdy defences. As well as Telenor, the group appears to have targeted firms in more than a dozen countries, across industries as diverse as mining, engineering, carmaking and hospitality. Such clues suggest a spy-ring that steals secrets to order—with governments just one sort of customer among many.
Other hackers are getting bolder, too. Mandiant, a security firm, said this month it had spotted an Iranian group sizing up American targets. In April experts noted a spike in cyber-spying from internet addresses linked to North Korea. Some wonder if Syrian hacktivists, who have recently hijacked the social-networking profiles of several Western news outlets (including the Financial Times, part-owner of this paper), are harvesting data as they go.
Chinese cyber-attacks dipped in February after researchers traced more than a hundred incidents to a building in Shanghai. But they are returning to full strength, and more is being learned about the skill of past assaults. On May 20th the Washington Post said that Chinese cyber-spies who attacked Google in 2009 may have rummaged around the firm’s servers for a year. It appears that among the data they collected were details of users under government surveillance. These could have shown, damagingly, if any Chinese spies in the West were under scrutiny from spycatchers.
Some of the Indian hackers’ methods look basic by comparison. The group mostly seizes on known weaknesses in old and unpatched computer software, rather than exploiting novel flaws. Their Mac malware was not cleverly concealed, and relatively easy to detect. Some sloppy errors have helped investigators spot links between disparate attacks.
But style matters little if targets take the bait. Norman Shark’s report depicts a cautious and competent operation that manages its operations professionally and secures cheap but able recruits from freelancing sites. Hacking is easy to demonise, but for many it is just a job.

II) Blog "Bit 9": Link to the original article.
“10 Dangerous cyber-security oversimplifications”

Humans are generally bad at assessing risk realistically, and their tacitly held security models are often skewed. Oversimplification is often the cause. Challenging some of these assumptions may invite controversy, but mindlessly accepting the conventional wisdom is far worse. It may be worthwhile to think about whether the following defensive assumptions would fit equally well in the offensive column and vice versa.

Defensive Oversimplifications
1. Attackers Have Infinite Resources
This is an oft-heard mantra, but “that way madness lies.” If attackers have infinite resources, there is no obscure nook or cranny in your defenses through which they have not yet wormed their way. Basically they’re the Matrix, and there’s nothing you can do to get out. Taken to its logical extremes, it would lead to defeatism, but most often it leads us to spend resources fighting attacks that are unlikely at best, and completely unrealistic at worst. Attackers’ resources are finite, and we absolutely must exploit this fact if we are ever to turn the tables. The sad reality is that currently we make it so easy for them, that it makes them appear to be almost omnipresent.

2. Security Control ‘X’ Will Make My Organization Secure
Controls do not provide security. They provide tools through which security gaps may be more readily addressed. Humans are the cause of most security gaps, but humans are also the best weapon we have to address these gaps. All controls can be deployed well or poorly, monitored sufficiently or insufficiently, and interpreted correctly or incorrectly. Humans make the difference.

3. Security is a Goal to be Reached
Security is not a goal to be reached. At any time, choices can be made that undermine the state of security in which you believe your organization to be operating. Security is better thought of as an infinite series of forks in the road; a never-ending set of choices to be made, each either incrementally addressing or causing security gaps. Security is about making the right choices more often than the wrong ones.

4. Security can be “Bolted On”
Security is a fundamental consideration in information systems. Adding layers of security on top of systems that are fundamentally insecure is doomed to failure. An important corollary is one that Dan Geer references in his talks, which is that even just composing two secure systems may result in a system that is insecure. Certainly then composing an insecure system and a secure system is at least as likely to result in an insecure system.

5. My Organization is not at Risk
This is the most dangerous assumption of all. While attackers do not have infinite resources and are not omnipresent, they are sophisticated and have very good intelligence capabilities. If your organization has something that would be of value to an attacker (and most do), it is far safer to assume you are at risk than to ignore that risk.

Offensive Oversimplifications
6. Security through Obscurity is Worthless
This is one of the most pernicious assumptions on the offensive side, most often espoused by those in the business of finding exploitable software flaws or penetration testing. Those put in the position of having to defend organizational networks understand that the practice of security is more nuanced. Using an ad absurdum argument, if security through obscurity were worthless, there would be no point in patching vulnerable software. It costs time and budget to find software flaws. This is evidenced by the fact that we see far more exploitation of known vulnerabilities than unknown ones. If we were, today, to eliminate all known vulnerabilities in one fell swoop, such that the only opportunity to exploit software was through new 0-days, successful incursions would immediately drop precipitously. Discussing how significant obscurity is to virtually all of security could be a blog topic in itself.

7. A Single Vulnerability = All Your Base are Belong to Us
I saw a prominent industry spokesman espouse this position in a recent list email, calling attacker access to security control software “game over.” This is closely related to the previous point and this assumption is hinted at by contests at industry conferences to “own” endpoints with competing endpoint products. If the security of your critical assets hinges on the non-existence of flaws in software on your endpoints, then this assumption may be true. But real-world attacks have to operate across multiple phases of the kill chain. Modern security practice aims to characterize and prevent or detect attacks at multiple points of the kill chain. Some organizations even go so far as to allow attacks, drawing attackers into traps where their tactics, techniques, and procedures (TTPs) can be better observed and recorded.

8. The Universality of Attack Techniques
This assumption is not one that is stated, it is perniciously implied at many conference talks. When a new attack technique is presented, the flaw is discussed as if it has wide applicability despite having only been demonstrated in one particular context. The possibility that the technique works only in very limited circumstances, against particular software or systems, is often glossed over. The danger arises when defenders spend unwarranted resources in defenses against such attacks.

9. Humans make Security Impossible
It’s almost a truism that humans are the weakest security link. That may be its own assumption, but it certainly seems that mistakes made by humans are the root cause of most security gaps in an organization. That said, in most cases, these mistakes are made possible by broken or missing processes, insufficient oversight and auditing, or failure to put appropriate controls in place that mitigate vulnerabilities in the form of security-ignorant end users.

10. User Education is a Failure
This may largely be true for the most often cited use case for user education. Many organizations try to thwart attacks such as spear-phishing emails by educating users to only recognize and avoid such emails. The evidence so far suggests that this approach hits diminishing returns so quickly as to make the practice almost worthless. However, if instead of trying to prevent attacks in this manner, the users are asked to report emails, the practice can be quite valuable. In the former case, if one-out-of-10 employees falls for the phish, the endpoint is compromised and the organization compromised. In the latter case, if one-out-of-10 employees reports the phish, the attack can be detected and (hopefully) thwarted, effectively turning the end user into a sensor instead of a firewall.
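The "user as sensor" idea in point 10 is easy to turn into triage logic, and the 1-in-10 figures in the same paragraph are easy to check quantitatively. The following is an added example written for this post; it is not code from Bit9 or from the original article. The mail-gateway delivery log, the user reports, and the domains `corp.example`, `payro1l.example` and `vendor.example` are all constructed for illustration. The assumption it encodes is the one the article makes: a single report from any recipient is enough to treat the whole campaign as detected, at which point the defender's job is to find the other recipients of the same lure before (or after) they click.

```python
"""Phishing reports as a detection signal (added illustration, not Bit9 code).

Sample data below is constructed: a mail-gateway delivery log and the reports
users filed via a "report phish" button. No real mail system is involved.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed delivery log: one record per message the gateway delivered.
# The lure URLs carry a per-recipient token, so the raw URL differs per message
# while the sender and the URL host stay constant across the campaign.
MAIL_LOG = [
    {"msg_id": "m1", "rcpt": "alice@corp.example", "sender": "hr-portal@payro1l.example",
     "url": "https://payro1l.example/login?u=alice"},
    {"msg_id": "m2", "rcpt": "bob@corp.example", "sender": "hr-portal@payro1l.example",
     "url": "https://payro1l.example/login?u=bob"},
    {"msg_id": "m3", "rcpt": "carol@corp.example", "sender": "HR-Portal@payro1l.example",
     "url": "https://PAYRO1L.example/login?u=carol"},
    {"msg_id": "m4", "rcpt": "dave@corp.example", "sender": "newsletter@vendor.example",
     "url": "https://vendor.example/news"},
]

# Constructed reports: Carol used the report button; nobody else did.
REPORTS = [
    {"rcpt": "carol@corp.example", "msg_id": "m3"},
    {"rcpt": "carol@corp.example", "msg_id": "m3"},   # duplicate click, must not double count
    {"rcpt": "erin@corp.example", "msg_id": "m99"},   # references a message we never delivered
]


def campaign_key(record):
    """Group messages into a campaign by (sender, URL host), case-insensitive.

    The query string is deliberately ignored: attackers vary it per recipient,
    and keying on it would split one campaign into many single-message groups.
    """
    host = urlparse(record["url"]).hostname or ""
    return (record["sender"].lower(), host.lower())


def triage_reports(mail_log, reports, min_reports=1):
    """Turn user reports into campaign findings.

    Returns {campaign_key: {"reported_by": [...], "unreported_recipients": [...]}}
    for every campaign with at least `min_reports` distinct reporters. The
    unreported recipients are the people who still need their mailbox cleaned
    or their endpoint checked: the report detects the campaign, it does not
    mean the other recipients refrained from clicking.
    """
    by_id = {r["msg_id"]: r for r in mail_log}
    reporters = defaultdict(set)
    for rep in reports:
        rec = by_id.get(rep["msg_id"])
        if rec is None:
            continue  # not in the delivery log; nothing to correlate against
        reporters[campaign_key(rec)].add(rep["rcpt"].lower())

    findings = {}
    for key, who in reporters.items():
        if len(who) < min_reports:
            continue
        all_rcpts = {r["rcpt"].lower() for r in mail_log if campaign_key(r) == key}
        findings[key] = {
            "reported_by": sorted(who),
            "unreported_recipients": sorted(all_rcpts - who),
        }
    return findings


def campaign_odds(n_recipients, p_click=0.1, p_report=0.1):
    """Probability that a campaign of n recipients yields at least one click
    (compromise) and at least one report (detection), assuming independent
    recipients. Both grow with n: the same property that makes a large
    campaign hard to keep clean also makes it hard to keep quiet."""
    p_compromise = 1 - (1 - p_click) ** n_recipients
    p_detect = 1 - (1 - p_report) ** n_recipients
    return p_compromise, p_detect


if __name__ == "__main__":
    for key, f in triage_reports(MAIL_LOG, REPORTS).items():
        print(key, "reported by", f["reported_by"], "; also received by", f["unreported_recipients"])
    print("10 recipients, 1-in-10 click and report rates:", campaign_odds(10))
```

With the constructed data, Carol's single report flags the `hr-portal@payro1l.example` campaign and surfaces Alice and Bob as recipients who have not reported, while Dave's vendor newsletter is untouched. The `campaign_odds` helper makes the article's point explicit: with a 1-in-10 click rate and a 1-in-10 report rate, a ten-recipient lure has a roughly 65% chance of compromising someone and the same 65% chance of being reported, so the reporting path only pays off if the report is acted on quickly.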

If this subject interests you, you can follow other similar links using the tags at the end of the post or the search box on the right-hand side. Also, if you wish to be informed immediately about news on this blog, you can follow it by subscribing on the right-hand side of the blog, or by following @EnOcasionesVeoR.
