So I watched Neil Blomkamp’s CHAPPiE on a plane last week and one thought is stuck in my mind: The entire story would not have happened if nice folks at the company producing police robots had simply followed few really trivial security practices…

chappie

(I’ll try to avoid any spoilers in this post. CHAPPiE definitely reminds of good old RoboCop: post-industrial setting, street gangs, good robots, bad robots, and a lot of shooting… On top of all that, the movie raises questions about soul, humaneness, family values – in the coming age of AI. It’s not a bad movie and definitely helped me to bide my time on a long flight.)

So, here’s my list of poor security practices at Tetravaal (a fictitious company that develops, produces, and controls heavily armed robots) that got the city of Johannesburg into all the mess:

  1. Role separation does not exist or isn’t enforced. Lead research engineers that work on new robot models also operate, troubleshoot, and update robots that are already in the field. Even worse: engineers from a competing project also have full access to all projects within the company. Actually, this one alone was enough to set the plot in motion- but there’s more!
  2. Network segmentation and isolation, anyone? Same access keys and permissions let you into test environment, robot-controlling network in the field, and even the manufacturing lines! All of these are accessed and controlled from the same computer – actually, any computer, as soon as you insert a special highly secure USB stick.
  3. One-and-a-half-factor authentication. Now, that thumb drive is the core of their security. Only one copy exists and it is required to make any major changes. They just share it. The USB stick is stored behind a locked door that requires physical key and a code to get thru. Once you have it, you can log in and do whatever you want with your password and this shared thumb drive.
  4. No change control process. Seriously. The guy just walks up to the CEO’s office and asks “can I borrow the key to make changes?”. Once she verbally approves, he just walks to grab the thumb drive and gains full access to all these deadly weapons carrying robots in the streets. Actually, they did not even ask most of the time.
  5. Lack of audit process and policy enforcement. I have to admit it, they have some audit. Two days (!) after the good engineer guy took that super-critical USB stick (without any authorization), someone from security called him on the phone. But these naive security people just asked the engineer to return the thumb drive by “end of day tomorrow”, otherwise they would “have to inform” the CEO…

Obviously, I understand this is fiction. Lack of security processes and awareness may be okay in the movie if it’s needed to justify the rest of the story. But think about it: the very same mistakes lead to the huge data breaches we’ve been hearing on the news all over recent couple years. Target, Sony, Anthem, you name it. Luckily, life is not a movie where these mistakes led to much destruction and violence in the city streets – it’s mostly financial and reputation losses in real life. Still, maybe we should pay a bit more attention to this security thing after all?

Comparison of cyber security world to the Wild West sounds a bit too obvious. But I can’t help thinking of it, sorry.

The analogy came to mind as I was catching up on the recent news: data breach at the US Office of Personnel Management and Duqu 2.0 malware in Kaspersky’s network. Over 4M records stolen from the government of one of the most technologically advanced countries. Malware has been stealing data from one of the top cyber security firms for months. Wow. Do you still think any rules exist, or anybody’s data is safe?

"Them Three Mexicans Is Eliminated" by Frederic Remington

The real Wild West – was it safer back then?

Now, these news may not really change the game, but there are few things they help to highlight:

Malware and spyware evolve really fast. What we call malware is not coming from cyber-criminals only. There are serious government funds. There are bright minds working on destructive tools with good intentions, such as keeping their nation safe and secure. That is, the malware evolves at a faster pace. Kaspersky Lab engineers describe Duqu 2.0 as being “generation ahead” of anything they’ve seen to date.

I am neither a government nor a cyber-security giant. Am I safe? – NO, sorry. It’s just a question of time before the cyber-crooks get access to more advanced tools. They are well motivated to understand and use whatever helps bypass traditional security measures. They are probing all doors, enterprise, non-profit and small business alike. The goals may differ, but ultimately anyone can become a target: harvesting personal data to sell; going after specific trade secrets; building botnets; trying to gain access to your bank account. If you really want to know their motivation, Spam Nation by Brian Krebs is a pretty good window into that side of the world.

Can I prevent them from getting into my network? – Again, the answer is NO. Assume you’ve been breached already. What you can do though is maximize the costs for the adversary and minimize the damage for your business. (It’s that easy, eh?) There’s nothing new and this is all common sense. Evaluate the business risks and adjust your IT processes and policies to them. Put most of your efforts on what presents the highest risk for the business. Isolate and protect what’s most valuable. Consider tools that allow you to detect an intrusion as early as possible. Consider processes and tools that give you continuous feedback on how security controls and policies work. Patch your systems regularly. Trivial. Details and costs vary greatly, but overall approach is similar regardless of what environment we are looking at.

Stay safe and have a good weekend.

 

It’s curious how sometimes things you’ve just talked about start showing up on the news. Few weeks ago we had a discussion about trends in the IT security space with my colleagues here at Netwrix. We talked about number of things, how user habits and new technologies will require the IT security industry to come up with new and creative solutions in previously untouched spaces. Following that discussion Michael summarized and posted security predictions for 2015 on Netwrix blog.

As Niels Bohr said, “Prediction is very difficult, especially if it’s about the future.” Many of Michael’s predictions are about the trends we already see now, extending into the next year. Still if was exciting to see his blog post co-inside with some of the industry news that perfectly illustrate some of the points. Below are just two examples, and I am pretty sure we can expect more to come!

Here’s what Michael writes about cloud adoption:

The security of cloud technologies will continue to develop, focusing on the following three tendencies: improved data encryption; the ability to access audit trails for configuration management and the secure accessing of data; and the development of security brokers for cloud access, allowing for user access control as a security enforcement point between a user and a cloud service provider.

Well, what we see in the news seems to highlight exactly that. Amazon announced their new AWS key management service and enhanced visibility into configuration changes with AWS Config service at the re:Invent conference in November; then Dropbox launched new Dropbox for Business API last week; and couple days ago Box CEO Aaron Levie announced the new Box Trust security partnership to build up enterprise customers’s confidence in cloud solutions.

Another quote from Netwrix blog is about Internet of Things (IoT):

The IoT is likely to play a more significant role in business innovation in 2015 and beyond. The devices and systems that connect to it, meanwhile, require proper management, as well as security policies and provisions. The security ecosystem that has not yet formed around many of these devices will continue to develop.

Once again, the news that came out earlier this week is the perfect illustration of this growing trend: Belden to acquire Tripwire press release. Frankly, I did even hear about Belden before, but they are well-established in networking and operational technology. If you look at Belden’s investor summary presentation, the primary goal is to set the foot in the industrial side of the rising IoT space.

Interesting times. The IT security industry is evolving rapidly, and the future literally is now. Once again, you can read Netwrix predictions for IT security in 2015 here.

%d bloggers like this: