Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.


November 22, 2012

Cyber-Security - Anonymous Cyberwar on Israel Seemed Simplistic and Israel's Claim of 44 Million Cyber-Attacks Seemed Overstated

Folks,

Cyber-security, cyber-war and cyber-attacks all seem to be making headlines these days, especially in light of the hacker collective Anonymous publicly declaring 'cyberwar' on Israel, and Israel claiming that it has been hit with 44 million cyber attacks in the last week..


It seems that Cyber-<anything-to-do-with-IT-security> is getting a lot of importance these days with the likes of Richard A Clarke writing books on Cyber-War, governments setting up special Cyber-Security commands to combat it, security vendors you've never heard of, jumping on the band-wagon, and of course the media making a huge deal out of it without, in my humble opinion, truly understanding the difference between a simple cyber-attack and a sophisticated enterprise-security attack.

While cyber-security is very important, and should be taken seriously, it is imperative to understand the vast difference between simplistic cyber-attacks and sophisticated enterprise-security attacks.

As former Microsoft Program Manager for Active Directory Security, I thought I'd take just a few minutes to share a few thoughts in this regard with you, because undue attention on simplistic cyber attacks may detract organizations from protecting themselves from sophisticated enterprise-security attacks that could be far more damaging than basic cyber attacks.

 
[ For those of you who may not know this, from the United States Government to the Fortune 1000, at the very foundation of security of over 85% of all organizations worldwide, lies Microsoft's Active Directory technology. ]



Anonymous Cyberwar on Israel Seemed Simplistic and Israel's Claim of 44 Million Cyber-Attacks Seemed Overstated

The short of it is that Anonymous's 'Cyberwar' on Israel seemed rather simplistic, and Israel's claims of 44 Million Cyber-Attacks seemed over-stated, and that most organizations worldwide are in fact inadequately prepared to face and combat real, sophisticated enterprise-security threats.

In order to substantiate the claim, I'd like to humbly point out the difference between simplistic Cyber-Attacks and sophisticated Enterprise-Security Attacks, because this difference is rather important to understand, to comprehend just how much damage a real enterprise-security attack could inflict.


 
(Simplistic) Cyber-Attacks vs. (Sophisticated) Enterprise-Security Attacks

You might ask - "Aren't enterprise-security attacks the same as cyber-attacks?" Aren't they the stuff we all hear about in the news almost on a weekly basis, when the media sheds light some organization being "hacked"? You might also say, "Isn’t this what Israel’s finance minister Yuval Steinitz was referring to" when he said that Israel has successfully deflected 44 million cyber-attacks on government websites.

The answer is NO. (At least not exactly.)

Although one could technically cover enterprise-security attacks under the umbrella of cyber attacks, there is a substantial difference between simple cyber-attacks and sophisticated enterprise-security attacks.

Much of the world populace hasn’t really heard about a sophisticated enterprise-security attack, or its impact, other than STUXNET I suppose, because a largely ignorant media has portrayed simplistic cyber-attacks as the main / predominant IT security threat. The reality however is that a targeted enterprise-security attack could inflict far more serious damage than a simple cyber-attack.


(Simple) Cyber Attacks

Cyber-attacks, generally, are attacks targeted at organizational websites accessible on the Internet and for the most part, try to exploit inherent design deficiencies in TCP/IP, the protocol upon which the Internet runs. 

 
For instance, the most common form of a cyber-attack involves sending a large number of requests to an organization’s website (SYN flood) resulting in a situation wherein the site’s legitimate users are then unable to access the website, because its resources are being consumed servicing incoming requests from computers being used to carry out the attack.

This is a very basic form of a DOS attack that could possibly even be launched by amateurs with just a little know-how, and often be enacted using automated programs, from virtually anywhere in the world. A variation of this attack involving the use of bots involves using a large number of hijacked computers from all around the world to attack the same website, and the attack then becomes a DDOS attack, the first D standing for Distributed. 

At worst, with such an attack you could bring down an organization’s website for a few minutes, but other than some downtime for a website, there’s not much real damage that they could cause. In all likelihood, this may very well have been what Israel's Finance Minister was referring to when he said that a single website was down for about 10 minutes, and then brought back up online.

Most such attacks are mere annoyances, and easy to carry out.

I suspect that the attacks alluded to by the Israeli Finance Minister are mostly of this kind and that 44 million is merely a count of the TCP SYN requests received by the Israeli government's web servers, I also suspect that these are the same kinds of attacks Anonymous is referring to in their claims to wage cyber-war against Israel.

While many organizations have Internet-facing websites, whether designed to share information, or enable electronic commerce, the actual corporate networks of most organizations are largely disconnected from their websites (, at least to some extent) or to be more specific, from the infrastructure that supports the Internet facing websites, which is usually placed in DMZs.

A majority of all "cyber-attacks" launched online are merely basic DOS/DDOS attacks trying to make websites unavailable. A small number of attacks involve successfully penetrating the infrastructure within the DMZ and could result in the compromise of any information stored in the databases in the DMZ, such as databases that facilitate the organization’s ecommerce offering, and result in the compromise of information such as credit-card numbers, and other such information stored in these databases. In comparison, relatively speaking, only a few attacks actually involve a successful penetration of the DMZ and a successful penetration of corporate networks via the DMZ.

In other cases, a cyber-attack might involve a malicious entity defacing a company’s website’s homepage and claiming that they “hacked”the organization, but in fact, all they did was go a little beyond a DOS attack in being able to gain modify access to the organizations’ external facing web-server. In addition to the embarrassment caused to the organization, I suppose the only other thing accomplished here is a temporary boost to the ego of whoever carried out the attack, and bragging rights for a few hours.

Then you've got the free email (e.g. Gmail, Yahoo, Hotmail etc.), Facebook, Twitter account hacking, but that's relatively easy and inconsequential that almost not even worth mentioning. Why? To begin with, if you're trusting anything in the hands of a free service offered to millions/billions, realistically, you'd have to be really naive' to expect that any of that information you upload to it, or communicate via it, would be completely secure at all times. (At any point, any one of thousands of IT personnel responsible for operating that service could possibly obtain access to your information, plus, a variety of ways designed to help you regain access to your account could be (mis-)used by any one of billions of people to compromise your account.) That's kid-stuff, so I'm not even going to touch upon it.


(Sophisticated) Enterprise-Security Attacks

Now, contrast such attacks to an attack specifically targeted to take out an organization’s IT infrastructure.
 
Such an attack would involve a digital payload designed by a specialist to compromise one or more critical IT components of an organization's IT infrastructure, such as its IT security infrastructure.

For example, imagine if a payload were written to take out the very foundational systems within an organization's IT infrastructure that provide the means to authenticate an organization’s users and/or that provide the means to authorize secure access to the entirety of the organization's IT assets.
 

The impact of the compromise of the very systems that provide authentication and authorization services to the entirety of an organization’s IT assets, is that it would instantly expose the entirety of the organization’s IT assets to the risk of compromise.

For instance, if a malicious entity were to build, deliver and have executed a payload to successfully take over an organization’s IT security infrastructure components (e.g. Kerberos KDCs, Active Directory etc.) virtually all of the organization's IT assets, such as its IP, R&D data, financials, customer information, strategic plans etc could all be instantly vulnerable to compromise.

Now, an IT security practioner might say that this is the reason we have layered security and that we deploy multiple layers of security above the platform. Well, the thing is that any layer of security that has a software component is running on the system too, and thus still relies on the system for its own trustworthiness.

For instance, anti-virus protection runs as a service on a computer. If you are an admin, you control the computer's system, and by virtue of that you can disable the anti-virus service on the system. By the same token, software running as system has complete control over the system, and thus on any applications/services running on that system. (Its called the Trusted Computing Base (TCB) of that system.)

So, if an attacker could successfully compromise the system itself, he/she would then in effect be the system and if you are the system, you, in all likelihood, can now circumvent virtually every other additional control deployed on top of the system to protect the organization’s IT assets.

An enterprise-security attack also often involves just one payload and a well-crafted payload only needs to be run once on a corporate computer, and there are numerous ways to get one payload to run once on any one computer within the organization.

This is why enterprise-security attacks also do not require that an organization's IT infrastructure necessarily be connected to the Internet, because payloads can be delivered in various forms, ranging from the use of social engineering to have an insider download and execute some code, to the use of legitimate fulfillment of IT needs, such as the delivery of a malicious payload disguised as an unsigned printer driver delivered as a software upgrade.

All in all, a targeted enterprise-security attack designed and carried out to take out critical components of an organization's IT infrastructure can have far greater impact, than any cyber-attack designed to temporarily bring down, deface or break-into and organization's customer-facing website.


Enterprise-security attacks are usually designed to target and take out critical components of the internal IT infrastructures of organizations, not the organization's pretty-looking external-facing websites places in DMZs.
  
It is such attacks that I am referring to as enterprise-security attacks.



Substantiating the Claim

In light of the above, I should perhaps substantiate my claim that Anonymous's 'Cyberwar' on Israel seemed simplistic, and Israel's claims of 44 Million cyber-attacks seemed over-stated.

If you read what the media has to report, it is virtually apparent that most of the cyber-attacks that were launched against Israel were mere DOS/DDOS attacks targeted at company websites.

As I indicated above, a majority of these attacks would have at most caused a denial-of-service (DOS) when legitimate users would try to browse the websites of the Israeli government organizations, and a minority may have been successful in getting modify access to the root web directory, thus defacing the website. In some cases, in order to bring the website backup online, the admins might have to reboot the systems and that could take a few minutes, so its quite possible that a few websites may have been down for a few minutes.

So, it doesn't seem like Anonymous was carrying out sophisticated attacks aimed at compromising the government's core IT infrastructures, which as I indicated earlier, may not even be directly connected to the Internet, or even so, they might be a few (router) hops out with intrusion-detection systems in place.

Anonymous certainly seems to have a lot of fervor but does not seem to have much in the way of the advanced technical sophistication required to enact a serious enterprise-security threat, at least just yet.

For instance, while they may be very good at good old fashioned network security attacks (i.e. exploiting inherent limitations of TCP/IP  carrying out DDOS attacks, engaging in password guessing/brute-forcing etc.), which are an archaic science today, they don't appear to be very good at systems security (attacking Kerberos, engaging in Active Directory Privilege Escalation etc.) yet. Based on what we've seen thus far as a part of their latest performace in waging 'Cyberwar' against Israel, their capabilities seemed rather simplistic.

As for suggesting that Israel's Claim of 44 Million Cyber-Attacks seemed over-stated / mis-represented, well, in light of the nature of attacks that are believed to have been carried out, it appears that the actual number of attack attempts may have been in the 1000s and that 44 million may be the number of TCP SYN packets that their entirety of their government's web servers may have received as a part of these attacks. Alternatively, 44 million may have been the number of computers used as bots to launch these attacks.

So, in all likelihood, its not that there may have been 44 million attacks, but that there may have been 44 million TCP SYN packets received during the course of these few days on their web servers, or that 44 million Internet-connected machines were used (largely remote-controlled) to launch these attacks.

Israel's finance minister said that they are "reaping the fruits on the investment in recent years in the development of computerized defense systems." I suppose they've invested heavily in trying to protect their systems from cyber-attacks aimed at their public websites and the protection of their DMZs.

However, I wonder if they're adequately protected when it comes to protecting critical components of their internal IT infrastructures (e.g. their Active Directory deployments) equally rigorously. Perhaps that's what the finance minister may have been alluding to when he added that "but we have a lot of work in store for us" in a written statement.

All said and done, while the emphasis ad importance given to Cyber-Security is good, it would also be helpful if folks actually understood the difference between simple Cyber-Security attacks and sophisticated Enterprise-Security attacks.

In fairness to them, I suppose they might claim that they include Enterprise-Security when talking about Cyber-Security, and if they do, then I must say, that in the interest of the public service, they need to communicate the vast difference between attacks to organization's websites and attacks to organizational IT infrastructures.


In Conclusion

Imagine a vast land with many fortresses.


Then imagine a little tent in front of each fortress designed to greet visitors to inform them about their fortress, provide helpful information, and possibly sell a few souvenirs.

Now imagine someone trying to shut down the tent, or change the poster that shows the fortress's name on top of the tent, or take the tent down. Doing either or all of the above would not materially impact the fortress a bit.

That is essentially your average simplistic cyber-security threat.

Then, fast forward to the use of advanced attack-vectors, and imagine James Bond skydiving into the fortress at night, then using electro-magentic radiation to disable all the metal locks on all the doors within the fortress and possibly to the fortress itself,  making room for an army to invade the fortress overnight.

That is essentially your average sophisticated enterprise-security threat.



So, you see, there is a vast difference between taking the tent-out and taking the fortress out.


Best wishes,
Sanjay

PS: I apologize if this wasn't written perfectly. I only had 15 minutes to put this together, given the sheer lack of time, given my responsibilities at Paramount Defenses. I trust that you'll get the drift.

November 13, 2012

Providing Thought Leadership in the Global Enterprise Security & Active Directory Security Space Across 100+ Countries Worldwide

Folks,

Today, enterprise security plays a vital role in global security, because in today's digital world, from governments to business institutions, organizations are essentially digital fortresses, and it is enterprise security that enables secure access, both within and amongst these digital fortresses.



Today, there are also 1000+ vendors in the enterprise security space that offer a variety of security solutions ranging from anti-virus protection to biometric authentication, because there are numerous components to enterprise security, such as network security, endpoint-protection, two-factor authentication, mobile device security, secure data storage, secure VPN, identity management, access management, regulatory compliance,  and so on.

However, NONE of them are remotely as important as the protection of the very foundation of enterprise security itself, because if the very foundation of security is compromised, ALL of these instantly become virtually useless.



Active Directory is the Foundation of Enterprise Security Worldwide

Today, at the very foundation of enterprise security in over 85% of these digital fortresses lies Microsoft's Active Directory technology, the bed-rock of the 3As of security, Authentication, Authorization and Auditing, which together enable and facilitate least-privileged access to organizational IT assets/resources.


Thus, the security of the Active Directory itself is of paramount importance, because the compromise of an organization's foundational Active Directory deployment would be tantamount to the compromise of its very foundation of security, and when the foundation of security is compromised, every IT asset protected by the foundation is in jeopardy of being compromised.
 


Providing Thought Leadership in the Global Active Directory Space

At Paramount Defenses, we understand firsthand both, the importance of securing and defending foundational Active Directory deployments worldwide, as well as what it takes to adequately secure and defend them.

We thus develop and deliver the world's most valuable and innovative Active Directory Security solutions to help organizations efficiently and reliably secure and defend their foundational Active Directory deployments -



In addition, we also help organizations worldwide gain a deeper understanding of what it takes to adequately secure and defend their foundational, mission-critical Active Directory deployments.

We do so by operating and leading the world's largest community of IT professionals focused on the vital field of Active Directory Security, the Active Directory Security Professionals Group on LinkedIn.

Today our 1500+ member strong global community is comprised of Active Directory security practioners from 100+ countries worldwide and includes some of the world's finest IT professionals from some of the world's most prominent organizations, such as –
Paramount Defenses Microsoft Goldman Sachs
U.S. Army Boeing Israeli Air Force
Lockheed Martin IBM General Electric
Bank of America JP Morgan Chase Credit Suisse
Wells Fargo Wachovia Bank Bank of Kuwait
Hewlett Packard Dell Siemens
Arcelor Mittal FedEx Brazilian Stock Exchange
U.S. Department of
Homeland Security
Lloyd's of London U.S. Department
of Energy

Together, we help organizations worldwide measurably enhance the protection afforded to foundational Active Directory deployments, and in doing so, we help measurably improve enterprise security across the world.



True Thought Leadership

When it comes to the Enterprise Security space, nothing is more important than protecting the very foundation of security, and based on experienced insight we laid out our vision for trustworthy foundational security half a decade ago, well before the Symantecs and the Dells of the world.



But mere words are cheap, which is why we demonstrate Thought Leadership not in words, but in action.

Best wishes,
Sanjay