In his Navigate ’17 keynote address today, Gen. Michael Hayden, former director of the CIA and NSA and principal at the security consultancy The Chertoff Group, cited a number of big-name attacks that most of us are probably well aware of: Target, The Home Depot and others. But do we know what they all had in common?
They all involved identity as part of the initial breach.
How about the U.S. Government Office of Personnel Management breach? Identity was part of their breach as well.
Even the recent massive WannaCry ransomware attacks, if one believes press accounts (Gen. Hayden’s disclaimer), were made possible by an exploit that the U.S. government failed to protect, and that, too, points back to poor authentication, authorization, and auditing, Hayden said.
Throughout his talk, however, Hayden made it clear that the Internet and the “Digital Domain” aren’t all about increased risk. In fact, he spoke to the great opportunity the digital domain creates, and likened that to the global disruption that came with Christopher Columbus’s four voyages across the Atlantic Ocean from Spain: in 1492, 1493, 1498 and 1502.
This connected societies through shipping and created the greatest explosion in human trade and scientific discoveries, said Hayden. It also gave us the global slave trade, he said.
While humanity managed to tame, and governments learned how to reasonably defend, the domains of the sea, air, land and space, the same can’t be said for the digital domain, Hayden said. “We know who created the domains of land, sea, air and space and he did a really good job. Cyber is man-made,” Hayden said. “And those who made it really messed up big,” he said, speaking about the Internet’s general lack of security. Hayden joked that in a conversation with Vint Cerf, one of those who worked on the creation of the Internet, Cerf said that when they were given the instructions to create the Internet, “security wasn’t in the statement of work.”
A big part of the insecurity of the Internet is how easy it is for bad actors to fake their identity at will.
Identity was a central theme throughout independent investigative journalist Brian Krebs’ keynote yesterday, too. He spoke about how once a bad guy is on a system in the enterprise – most often today that initial breach occurs through a phishing attack – they are going to steal, or assume, an identity and use it to look like a trusted insider. When that happens, an organization is then really dealing with an insider attack, or with what appears to all systems to be an insider, Krebs explained.
That speaks directly to the importance of good identity management. “But doing authentication right, in a way that scales, is hard,” Krebs admitted.
And enterprises are perpetually under such attacks, as Krebs put it colorfully, “Whether you pay for it or not you are being pen tested. Your systems are pen tested and your users are constantly being pen tested by the bad guys,” he said.
And, too often, these attacks are successful.
Krebs cited several things enterprises must do to better secure their systems:
- Get beyond compliance
- Invest in two-factor authentication for partners and employees
- Hire, foster more cybersecurity talent
- Drill, baby, drill (practice breach response planning)
- Know your employees
- Assume compromise
“In security there is no substitute for the human, and organizations do need to do a lot more to attract and hire skilled security professionals,” Krebs said. Krebs also recalled a story about a security friend of his who worked at a law firm. “He had a budget to buy more security tools and software, but had no budget for people. That’s just not a fair fight,” Krebs said.