Schneier on Security

Clive Robinson • July 6, 2017 6:27 AM

When are people going to wake up to the basic facts?

The current spate of malware is presented as “Ransonware” but… There is no real backend for payment let alone actually getting the money out. Likewise there is no system set up for sending out a decrypt key to those who have been hit and payed. So you have to ask if this is realy ransomware put together by incompetents, or something else.

If the latter you have to ask to what effect. Like it or hate it the most likely reason is politics at some level. One argument is it’s anti-USA IC entities, another it is the work of USA IC entities, making use of the malware while it’s still usable. The list goes on but eventually you get to one that it’s anti USA Software Corp such as MicroSoft.

Which ever way you argue it the USA does not come out smelling of roses, more like the fresh organic material you feed to roses by the pitch fork full from the farmyard/stables.

Thus the pertinent questions are “Why?” followed by “What are we going to do about it?”.

I’ll leave the political / economic argument of the “Why?” to others, but note it’s an endemic problem that appears to be building up to a perfect storm, that has an increasing probability of going kinetic which falls fairly well in line with US Foreign Policy this century.

The question those who want to look after their own patch of cyber-space need to answer is the second “What are we going to do about it?”.

The simple answers are “Don’t play the high risk game” and “Don’t believe that one solution will save you”. But in many peoples eyes that is not very helpful as it’s general not specific.

But to understand why general advice is actually more useful than specific advice you have to understand the problem from the general to the point where specifics can be seen as what they are which is out of date reactions to past events being reused, thus frequently “to little to late”. A situation that for political and economic reasons is not going to change any time soon[1].

So the first generality you have to understand is appart from a little lipservice in effect “You are on your own”.

The second generality is almost always you pay for the actions of others. That is the profit in pushing shoddy goods is way way higher than not. Especially when there is in effect no comeback for those that do.

Which moves onto the third point the idea of a fair market does not apply, there is realy no choice in the market, it’s thus not open, no informed choice by customers is possible. Infact when seen in the general it’s a series of near monopolies working overall as a cartel.

But a fourth problem that few consider is where the problem actually is in the majority of cases. Outside of DoS attacks the problem is in your little patch of cyber-space. That is it’s your systems, your reaources that are attacking you because you don’t have control over them. Yes read that again, you do not control your systems, somebody else does to the extent you realy should not call them “our systems”.

An oft stated but ill understood generalism boils down to “IT soulutions are of no use without connectivity”. Whilst true there are degrees of connectivity and it is the degree you have more control over than any other aspect of your resources.

Whilst you can find more very general problems those five should make you realise that you have a serious risk on your hands and little you can proactively do about it other than limit connectivity…

The NSA et al sure know this, it’s why they put so much energy into developing attacks that usurp control via connectivity. It’s also what the smarter cyber-criminals know as well. If you control access to your resources correctly they get forced from low risk cyber attacks into either very high risk physical attacks or going to find easier systems to attack.

Once you understand that being proactive means you have to stand on your own two feet and control connectivity you are ready to get a little less general.

The next thing you need to understand is that there are “instances” of specific attacks, that fall in general “classes” of attacks. Fighting instances is a reactive behaviour, whilst fighting classes is proactive behaviour.

To understand this you need to think about the physical world not just of security but safety. In the main they are about controling access (the physical version of the information connectivity). Not just to humans but things like fire. The physical solution is to create physical zones and control the access points via the likes of doors. In general security doors are also safety doors and have not just security ratings but fire, smoke and similar safety ratings.

History has taught us that you design such physical control resources not for an “instance” of security or safety but “classes” of security and safety. If you don’t it will fail not just for known specific attacks but just about every other unknown attack. It will also be inordinately expensive not just fragile. You can see this if you consider “fire drills” they are designed to get people away not just from the specific instance of a fire, but any class of localised danger. So bomb threat, hostile intruders, chemical spills, building collapse etc etc. And as we know from 9/11 aircraft being flown into buildings which was not on the majority of “considered threat lists” prior to that.

Untill people get to grips with these underlying generalities they will fail in their attempts to protect their little patch of cyber space.

But another important asspect to remember is from the Process Control Industry and the ideas that go behind “Intrinsic safety”. The most important of which is “systems fail” and most often it’s neither “fail safe” or “fail with warning” unless specifically designed to do so. But as importantly even protection mechanisms fail. Thus you need to design in multiple protection systems so that you do not have “A single Point of Failure”.

As I’ve pointed out once or twice before people can learn a lot from studying the early history of boiler safety. Just one lesson is the safety systems. Not just that there were various types such as spring operated preasure relife valves but that there were secondary and tertiary systems that were there to protect in case other systems failed to work. Thus if the spring preasure relife valve failed to work, a soft metal and moderatly easily replacable plug would blow out at a higher preasure, and if that failed there were deliberate weak spots that would burst out in a safe manner, which were not replacable, thus the boiler would be considered scrap. Further there was legally required testing of the boiler at regular intervals introduced, which also gave rise to the idea of “Preventative maintenance”.

Many people in ICT security talk about the value and importance of “backups”. But how many talk about the need for multiple backup systems and regular testing?

The point is it is known that attackers for ransom in the past have also attacked the backup system by the use of encryption, so that after a few months even the backup tapes were encrypted.

There are ways to protect against this but you have to take active steps to do so. In the past many considered this not worthwhile on the assumption it was an “insider only” attack. Thus not realistic to protect against because the only person capable of doing it was also the person who could hide it. Thus the idea of legal remedies as/and insurance.

Unfortunately people are being reactive not proactive with that idea. The data will be lost and no amount of money will bring it back. What people are not asking is,

What will happen when APT and Ransomware are joined together?

It’s not a question of “If” but “When” it happens. A proactive approach wilst not stopping it will alow you to recover.

And that is you need to have a weather eye for what is heading over the horizon, and put prevention / recovery processes in place and not be reliant on others, otherwise there is a probability you will be a victim without a future.

You can not have a weather eye without understanding the general lay of the land and how classes of attack can be prevented.

[1] For instance politicians want to be seen as “hard on crime” however that is realy “conventional crime that effects the voters”. Thus cyber-crime is not just low on political agenders, but actually to be encoraged by some politicians. The reason is simple, the smarter criminals see that there is considerably less risk from cyber-crime than conventional crime. Thus the problem criminals who are smart and thus hard to catch move out of conventional crime leaving those that are, opportinist idiots, not smart or trapped economically, thus easy to catch and imprison. Which is manner from heaven for politicals, conventional crime rate drops, convictions go up and they can thus cut spending on police etc so win, win, win. This is very similar to the CCTV issue, it works well at first, but the criminals quickly evolve around it and crime continues, but that’s OK it gets the politico back in office as the blowback effect takes longer than the election cycle…