Cyber-security, cyber-war and cyber-attacks all seem to be making headlines these days, especially in light of the hacker collective Anonymous publicly declaring 'cyberwar' on Israel, and Israel claiming that it has been hit with 44 million cyber-attacks in the last week.
While cyber-security is very important, and should be taken seriously, it is imperative to understand the vast difference between simplistic cyber-attacks and sophisticated enterprise-security attacks.
As a former Microsoft Program Manager for Active Directory Security, I thought I'd take just a few minutes to share a few thoughts in this regard with you, because undue attention on simplistic cyber-attacks may distract organizations from protecting themselves against sophisticated enterprise-security attacks that could be far more damaging than basic cyber-attacks.
Anonymous Cyberwar on Israel Seemed Simplistic and Israel's Claim of 44 Million Cyber-Attacks Seemed Overstated
The short of it is that Anonymous's 'Cyberwar' on Israel seemed rather simplistic, and Israel's claims of 44 Million Cyber-Attacks seemed over-stated, and that most organizations worldwide are in fact inadequately prepared to face and combat real, sophisticated enterprise-security threats.
In order to substantiate the claim, I'd like to humbly point out the difference between simplistic Cyber-Attacks and sophisticated Enterprise-Security Attacks, because this difference is rather important to understand, to comprehend just how much damage a real enterprise-security attack could inflict.
(Simplistic) Cyber-Attacks vs. (Sophisticated) Enterprise-Security Attacks
You might ask, "Aren't enterprise-security attacks the same as cyber-attacks? Aren't they the stuff we all hear about in the news almost weekly, when the media sheds light on some organization being 'hacked'?" You might also say, "Isn't this what Israel's finance minister Yuval Steinitz was referring to when he said that Israel had successfully deflected 44 million cyber-attacks on government websites?"
The answer is NO. (At least not exactly.)
Although one could technically cover enterprise-security attacks under the umbrella of cyber attacks, there is a substantial difference between simple cyber-attacks and sophisticated enterprise-security attacks.
Much of the world populace hasn’t really heard about a sophisticated enterprise-security attack, or its impact, other than STUXNET I suppose, because a largely ignorant media has portrayed simplistic cyber-attacks as the main / predominant IT security threat. The reality however is that a targeted enterprise-security attack could inflict far more serious damage than a simple cyber-attack.
(Simple) Cyber Attacks
Cyber-attacks, generally, are attacks targeted at organizational websites accessible on the Internet and, for the most part, try to exploit inherent design deficiencies in TCP/IP, the protocol suite upon which the Internet runs.
For instance, the most common form of cyber-attack involves sending a large number of TCP connection requests (SYN packets) to an organization's website, a SYN flood. The attacker never completes the handshake, and frequently spoofs the source addresses, so the server's half-open connection table and other resources are consumed servicing requests from the attacking machines, and the site's legitimate users are then unable to reach it.
This is a very basic form of a denial-of-service (DoS) attack that could be launched by amateurs with just a little know-how, often using automated tools, from virtually anywhere in the world. A variation involves a botnet, a large number of hijacked computers from all around the world, attacking the same website, at which point it becomes a DDoS attack, the first D standing for Distributed.
At worst, such an attack could take an organization's website down for a few minutes (or for as long as the flood is sustained), but other than some downtime for the website, there's not much real damage it can cause. In all likelihood, this is what Israel's Finance Minister was referring to when he said that a single website was down for about 10 minutes and was then brought back online.
Most such attacks are mere annoyances, and easy to carry out.
I suspect that the attacks alluded to by the Israeli Finance Minister are mostly of this kind, and that 44 million is merely a count of the TCP SYN requests received by the Israeli government's web servers. I also suspect that these are the same kinds of attacks Anonymous is referring to in its claims to wage cyber-war against Israel.
While many organizations have Internet-facing websites, whether designed to share information or to enable electronic commerce, the actual corporate networks of most organizations are largely separated (at least to some extent) from their websites, or to be more specific, from the infrastructure that supports the Internet-facing websites, which is usually placed in a DMZ.
A majority of all "cyber-attacks" launched online are merely basic DoS/DDoS attacks trying to make websites unavailable. A smaller number involve successfully penetrating the infrastructure within the DMZ, which could compromise any information stored in databases in the DMZ, such as the databases behind the organization's e-commerce offering, and with them information such as credit-card numbers. Relatively speaking, only a few attacks involve both a successful penetration of the DMZ and a successful penetration of the corporate network via the DMZ.
In other cases, a cyber-attack might involve a malicious entity defacing a company's website homepage and claiming to have "hacked" the organization, when in fact all they did was go a little beyond a DoS attack by gaining write access to the organization's external-facing web server. In addition to the embarrassment caused to the organization, I suppose the only other thing accomplished here is a temporary boost to the ego of whoever carried out the attack, and bragging rights for a few hours.
Then you've got the hacking of free email (e.g. Gmail, Yahoo, Hotmail etc.), Facebook and Twitter accounts, but that's so relatively easy and inconsequential that it is almost not worth mentioning. Why? To begin with, if you're trusting anything to a free service offered to millions or billions of people, realistically, you'd have to be really naive to expect that any of the information you upload to it, or communicate via it, would be completely secure at all times. (At any point, any one of thousands of IT personnel responsible for operating that service could possibly obtain access to your information; plus, the various mechanisms designed to help you regain access to your account could be misused by any one of billions of people to compromise your account.) That's kid stuff, so I'm not even going to touch upon it.
(Sophisticated) Enterprise-Security Attacks
Now, contrast such attacks with an attack specifically targeted at taking out an organization's IT infrastructure.
Such an attack would involve a digital payload designed by a specialist to compromise one or more critical components of an organization's IT infrastructure, such as its IT security infrastructure.
For example, imagine if a payload were written to take out the very foundational systems within an organization's IT infrastructure that provide the means to authenticate an organization’s users and/or that provide the means to authorize secure access to the entirety of the organization's IT assets.
The impact of the compromise of the very systems that provide authentication and authorization services to the entirety of an organization’s IT assets, is that it would instantly expose the entirety of the organization’s IT assets to the risk of compromise.
For instance, if a malicious entity were to build, deliver and execute a payload that successfully takes over an organization's IT security infrastructure components (e.g. Kerberos KDCs, Active Directory etc.), virtually all of the organization's IT assets, such as its IP, R&D data, financials, customer information, strategic plans etc., could instantly be vulnerable to compromise.
Now, an IT security practitioner might say that this is the reason we have layered security and that we deploy multiple layers of security above the platform. Well, the thing is that any layer of security that has a software component is itself running on the system, and thus still relies on the system for its own trustworthiness.
For instance, anti-virus protection runs as a service on a computer. If you are an admin, you control the computer's operating system, and by virtue of that you can stop or disable the anti-virus service. By the same token, software running as SYSTEM (the operating system's own, most privileged local identity) has complete control over the system, and thus over any applications or services running on it. (The set of components whose compromise undermines every other security control on a system is called that system's Trusted Computing Base, or TCB.)
So, if an attacker could successfully compromise the system itself, he or she would then in effect be the system, and if you are the system, you can, in all likelihood, circumvent virtually every additional control deployed on top of the system to protect the organization's IT assets.
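To put the "if you are the system, you can circumvent every control above it" argument in concrete terms, here is an added example in Python; it is not from the original post and models no real network, and every host, share and agent name in it is made up. An edge A -> B means "control of A implies control of B". The model assumes that each domain-joined host trusts the domain controller for authentication (so whoever controls the DC controls the host), and that a host controls every agent and data store running on it, which is exactly what placing software inside a host's TCB means. It then compares the blast radius of a compromised DMZ web server with that of a compromised domain controller.

```python
from collections import deque

# Constructed toy model of an organisation's estate (assumption: no real
# network, all names invented). An edge A -> B means "whoever controls A also
# controls B", because B runs on A, is stored on A, or trusts A to authenticate.
DOMAIN_CONTROLLER = "domain-controller"
DOMAIN_JOINED_HOSTS = ["corp-ws-001", "corp-ws-002", "file-server",
                       "erp-server", "hr-server"]
DMZ_HOSTS = ["dmz-web-01"]            # standalone, deliberately not domain-joined
DATA_ON_HOST = {
    "file-server": ["rd-share", "finance-share"],
    "erp-server": ["financials"],
    "hr-server": ["employee-records"],
    "dmz-web-01": ["ecommerce-db"],
}
SECURITY_AGENTS = ["av-agent", "edr-agent"]   # software controls on every host


def build_control_graph():
    """Adjacency sets: node -> set of nodes it controls."""
    graph = {}

    def add(controller, controlled):
        graph.setdefault(controller, set()).add(controlled)
        graph.setdefault(controlled, set())

    # Every domain-joined host trusts the KDC/directory: it issues the tickets
    # and holds the credentials that log on to the host, so controlling the DC
    # controls the host.
    for host in DOMAIN_JOINED_HOSTS:
        add(DOMAIN_CONTROLLER, host)
    # A host controls whatever runs on it or is stored on it, including the
    # security agents that are supposed to protect it: they live in its TCB.
    for host in DOMAIN_JOINED_HOSTS + DMZ_HOSTS:
        for agent in SECURITY_AGENTS:
            add(host, f"{agent}@{host}")
        for asset in DATA_ON_HOST.get(host, []):
            add(host, asset)
    return graph


def blast_radius(graph, compromised):
    """Everything transitively controlled from `compromised` (BFS), as a sorted
    list that excludes the starting node itself."""
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(compromised)
    return sorted(seen)


def compare(starts=("dmz-web-01", DOMAIN_CONTROLLER)):
    """Blast radius of each starting compromise, keyed by the compromised node."""
    graph = build_control_graph()
    return {start: blast_radius(graph, start) for start in starts}


if __name__ == "__main__":
    for start, reached in compare().items():
        print(f"compromise of {start}: {len(reached)} nodes controlled")
        for node in reached:
            print(f"  {node}")
```

Run it and the DMZ web server reaches only its own database and the two agents on it, while the domain controller reaches every domain-joined host, every data store on those hosts and every anti-virus and EDR agent that was supposed to protect them. No layer above the platform survives in the model, because each such layer is a node beneath some host, and the host is beneath the directory that authenticates to it.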
An enterprise-security attack also often involves just one payload; a well-crafted payload only needs to run once on a corporate computer, and there are numerous ways to get one payload to run once on some computer within the organization.
This is why enterprise-security attacks also do not require that an organization's IT infrastructure be connected to the Internet: payloads can be delivered in various forms, ranging from social engineering to have an insider download and execute some code, to the abuse of legitimate fulfilment of IT needs, such as a malicious payload disguised as an unsigned printer driver delivered as a software upgrade.
All in all, a targeted enterprise-security attack designed and carried out to take out critical components of an organization's IT infrastructure can have far greater impact than any cyber-attack designed to temporarily bring down, deface or break into an organization's customer-facing website.
Enterprise-security attacks are usually designed to target and take out critical components of the internal IT infrastructures of organizations, not the organization's pretty-looking external-facing websites placed in DMZs.
It is such attacks that I am referring to as enterprise-security attacks.
Substantiating the Claim
In light of the above, I should perhaps substantiate my claim that Anonymous's 'Cyberwar' on Israel seemed simplistic, and Israel's claims of 44 Million cyber-attacks seemed over-stated.
If you read what the media has to report, it is fairly apparent that most of the cyber-attacks that were launched against Israel were mere DoS/DDoS attacks targeted at public-facing websites.
As I indicated above, a majority of these attacks would have at most caused a denial of service when legitimate users tried to browse the websites of Israeli government organizations, and a minority may have succeeded in getting write access to the web root directory, thus defacing the website. In some cases, in order to bring a website back online, the admins might have had to reboot systems, which could take a few minutes, so it's quite possible that a few websites were down for a few minutes.
So, it doesn't seem like Anonymous was carrying out sophisticated attacks aimed at compromising the government's core IT infrastructure, which, as I indicated earlier, may not even be directly connected to the Internet, or, even if it is, may sit a few (router) hops away behind intrusion-detection systems.
Anonymous certainly seems to have a lot of fervor but does not seem to have much in the way of the advanced technical sophistication required to enact a serious enterprise-security threat, at least just yet.
For instance, while they may be very good at good old-fashioned network security attacks (e.g. exploiting inherent limitations of TCP/IP to carry out DDoS attacks, engaging in password guessing/brute-forcing etc.), which are an archaic science today, they don't appear to be very good at systems security (attacking Kerberos, engaging in Active Directory privilege escalation etc.) yet. Based on what we've seen thus far of their latest performance in waging 'Cyberwar' against Israel, their capabilities seemed rather simplistic.
As for suggesting that Israel's claim of 44 million cyber-attacks seemed over-stated or mis-represented, well, in light of the nature of the attacks believed to have been carried out, it appears that the actual number of attack attempts may have been in the thousands, and that 44 million may be the number of TCP SYN packets that the entirety of the government's web servers received as a part of these attacks. Alternatively, 44 million may have been the number of computers used as bots to launch these attacks (though a 44-million-node botnet would be extraordinary, so the packet count is the more plausible reading).
So, in all likelihood, it's not that there were 44 million attacks, but that 44 million TCP SYN packets were received on their web servers during the course of these few days, or that 44 million Internet-connected machines were used (largely remote-controlled) to launch these attacks.
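The difference between "44 million SYN packets" and "44 million attacks" is a matter of what you count, and the raw packet counter is the number that gets quoted. The following is an added example, not part of the original post, that shows the same firewall log summarised three ways: raw SYN packets, distinct source addresses, and source-to-target flows whose SYN count crosses a threshold, which is a rough stand-in for one attack attempt. The log lines, their simplified netfilter-like format, the addresses and the threshold of five are all constructed for the example.

```python
import re
from collections import Counter


# Constructed sample firewall log (assumption: not real traffic). The format is
# a simplified netfilter-style line, one packet per line, FLAGS = TCP flag set.
def _line(ts, src, dst, sport, dport, flags):
    return (f"Nov 18 10:00:{ts:02d} fw kernel: IN=eth0 SRC={src} DST={dst} "
            f"PROTO=TCP SPT={sport} DPT={dport} FLAGS={flags}")


_TARGET = "203.0.113.10"                # the public web server (made up)
_lines = []
# Three flooding sources, 20 bare SYNs each, a fresh source port per packet and
# no follow-up ACK: the classic SYN flood shape.
for i, src in enumerate(("198.51.100.7", "198.51.100.8", "198.51.100.9")):
    for n in range(20):
        _lines.append(_line(n % 60, src, _TARGET, 40000 + i * 100 + n, 80, "SYN"))
# Two legitimate clients: one completes a handshake, one has only sent its SYN.
_lines.append(_line(5, "192.0.2.5", _TARGET, 51000, 80, "SYN"))
_lines.append(_line(5, _TARGET, "192.0.2.5", 80, 51000, "SYN-ACK"))
_lines.append(_line(5, "192.0.2.5", _TARGET, 51000, 80, "ACK"))
_lines.append(_line(9, "192.0.2.6", _TARGET, 51001, 443, "SYN"))
SAMPLE_LOG = "\n".join(_lines)

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=(?P<spt>\d+) "
    r"DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)")


def parse_syns(log_text):
    """Return (src, dst, dport) for every bare SYN, i.e. every new connection
    request. SYN-ACK replies and ACKs are part of handshakes, not attack packets."""
    syns = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("flags") == "SYN":
            syns.append((m.group("src"), m.group("dst"), int(m.group("dpt"))))
    return syns


def summarize(log_text, flood_threshold=5):
    """Count the same traffic three ways: raw SYN packets (the headline number),
    distinct sources, and source->target flows that reach flood_threshold SYNs
    (one 'attack attempt' each). Threshold is an arbitrary example value."""
    syns = parse_syns(log_text)
    per_flow = Counter((src, dst) for src, dst, _ in syns)
    floods = {flow: n for flow, n in per_flow.items() if n >= flood_threshold}
    return {
        "syn_packets": len(syns),
        "distinct_sources": len({src for src, _, _ in syns}),
        "distinct_targets": len({dst for _, dst, _ in syns}),
        "flood_flows": len(floods),
        "flood_sources": sorted(src for src, _ in floods),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log the headline counter reads 62 SYN packets, but only five addresses ever sent one and only three flows look like a flood; the two legitimate clients are counted in the packet total and would be counted as "attacks" by anyone quoting it. Replacing the threshold with a per-second rate, and the raw log with an actual capture, gives a defensible attack count rather than a packet count.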
Israel's finance minister said that they are "reaping the fruits on the investment in recent years in the development of computerized defense systems." I suppose they've invested heavily in trying to protect their systems from cyber-attacks aimed at their public websites and the protection of their DMZs.
However, I wonder if they're adequately protected when it comes to protecting critical components of their internal IT infrastructures (e.g. their Active Directory deployments) equally rigorously. Perhaps that's what the finance minister may have been alluding to when he added that "but we have a lot of work in store for us" in a written statement.
All said and done, while the emphasis and importance given to cyber-security is good, it would also be helpful if folks actually understood the difference between simple cyber-security attacks and sophisticated enterprise-security attacks.
In fairness to them, I suppose they might claim that they include enterprise security when talking about cyber-security, and if they do, then I must say that, in the interest of public service, they need to communicate the vast difference between attacks on organizations' websites and attacks on organizational IT infrastructures.
In Conclusion
Imagine a vast land with many fortresses.
Then imagine a little tent in front of each fortress designed to greet visitors to inform them about their fortress, provide helpful information, and possibly sell a few souvenirs.
Now imagine someone trying to shut down the tent, or change the poster that shows the fortress's name on top of the tent, or take the tent down. Doing either or all of the above would not materially impact the fortress a bit.
That is essentially your average simplistic cyber-security threat.
Then, fast forward to the use of advanced attack vectors, and imagine James Bond skydiving into the fortress at night, then using electromagnetic radiation to disable all the metal locks on all the doors within the fortress, and possibly on the fortress itself, making room for an army to invade the fortress overnight.
That is essentially your average sophisticated enterprise-security threat.
So, you see, there is a vast difference between taking the tent out and taking the fortress out.
Best wishes,
Sanjay
PS: I apologize if this wasn't written perfectly. I only had 15 minutes to put this together, given the sheer lack of time, given my responsibilities at Paramount Defenses. I trust that you'll get the drift.