The Whole Chain is Made from Weakest Links!

By Dr. Thomas P. Keenan, FCIPS, I.S.P., ITCP in collaboration with Ron Murch, I.S.P., ITCP – both with the University of Calgary.

In a session conducted by Derek Manky, Chief of Security Insights, FortiGuard Labs, and moderated by Bobby Singh, CTO and CISO for the TMX Group, a group of CISOs tackled some pressing issues in Identity Management, especially as it applies to the Internet of Things and 5G technology.

HOW WE GOT HERE

“Looking back to early 2000s, we saw some early threats,” said FortiGuard’s Derek Manky. “About 2010 we really started to see more mobile devices on the network, e.g. with the rise of Android. Now we’re in a world of BYOD and IoT devices, and today the problems have risen in number and complexity.”

He cautioned that we now have all of these devices accessing our networks, so we have to think of other IAM (Identity and Access Management) strategies beyond “you can’t bring this device to work.” We now have to be seriously concerned about which devices are being used, who is using them, where they are located, and whether they are properly segmented and isolated in our networks.

INTERNET OF THINGS

Manky reported that “we [FortiGuard Labs] monitor 100 million threat events per day. For the last five years, the top six of ten threats on a daily basis are IoT related – printers, off the shelf routers, IP security cameras, etc. Unfortunately hacking these is still quite easy and they’re used as a springboard for lateral attacks.”

Having secure protocols is not sufficient since “You can have all the secure protocols in the world, but you need to think about analytics from your core network.” The human factor comes in here because of social engineering — smart people attack people. One participant noted that “the weak link is always the user. Our biggest risks always come from within, somebody going where they shouldn’t be going, not following process, clicking on an email.”

There are many examples of well-meaning people not thinking about consequences and doing what turn out to be very dumb things. An excellent example involved a prison access control system that was designed to be highly secure and built with no Internet connection. It was completely air-gapped from the outside world. The designer came back three months later and found that a network card had been installed. Prison management had an explanation of sorts: “Well, the prison guards had a lot of time on their hands, so we have them ordering food for the prisoners, but that required them to use the Internet.” The guards also used their new connectivity to watch videos, some of which were in questionable taste. Of course, malware soon arrived, and the “secure” prison system was compromised.

One CISO opined that “I don’t think we’ll ever get back to an air-gap world, but we can do segmentation and use a defense-in-depth strategy.”

SCADA DEVICES

There’s no question that many field devices are being added and they’re generating masses of data. There’s a disturbing tendency to buy the cheapest gear rather than gear whose security has been more thoroughly vetted. This could be costly in the long run.

We definitely need usage analytics from that type of environment. The bad guys always look for the easiest route to compromise a system. “It’s harder to access microwave transmissions than it is to put malware on a device and collect data from the device directly,” Manky noted.

PUBLIC KEY INFRASTRUCTURE (PKI)

A decade or so ago, PKI was touted as the ultimate solution for identity management. Now we hear about blockchain. What’s best?

One CISO explained that “Our users don’t want the complexity of PKI for 99% of what they do. We could be using Signal now and get more security, but it’s not ultimately flexible, e.g. if we wanted to move files back and forth or for regulatory compliance.” The best answer is to educate the users.

The same participant noted that “We’re allowing remote access to our corporate network. It requires a laptop created by our IT department and then the users need to provide multi-factor authentication.” If users are now remote and responsible for their own security environments, how can there be confidence that the user has not unwittingly compromised our environment by their actions in their own environments?

5G

When the world fully adopts 5G and uses IPv6 there will be a much different technical security stack built in. However, we haven’t test-driven this yet in the real world. It’s a double-edged sword. You have devices that connect peer to peer ad hoc, and then it becomes a question of how you inspect that traffic. When we get into the world of 5G, it’s not going to get easier! We are talking about more devices, quicker speed, more vulnerabilities, and, obviously, more challenges.

We couldn’t avoid the question of who should be allowed to build a country’s 5G network. Manky took a neutral position but said “if you think about it, any network could be gamed for malicious use. I can tell you (communications technology hardware) companies like that will have a lot of data so there’s always going to be an arm or a connection.” It was also noted that a malicious actor could conceivably do a remote denial of service attack on a country’s 5G infrastructure. A poll of the group on the question “Should Canada allow Huawei to build parts of its 5G infrastructure?” resulted in 75% of those voting saying “no.”

SWARMBOTS AND HIVENETS

Swarmbots and hivenets are swarms of intelligent bots that communicate with each other in real time to attack systems. They can get information from specialized search engines like Shodan, which looks for open ports and services. It’s definitely a threat on the horizon to worry about. Defense requires shared, actionable intelligence between security solutions.

Derek Manky’s 2018 RSA presentation on this subject is available at: https://www.rsaconference.com/industry-topics/presentation/order-vs-mad-science-analyzing-black-hat-swarm-intelligence

ZERO TRUST MIGHT BE THE PATH TO FOLLOW

One of the CISOs summed up the situation really well as follows:

“I’ve been pushing zero trust for a couple of years and it’s a challenge to get buy-in at the executive level but now people see what zero trust could do. Now, we have 30% of our workforce effectively on zero trust because they are using cloud services. It works so much more effectively than having to get them into [our] corporate network.”

The same participant noted that “Travelling people have a radically different experience. I’m trying to get to a consistent experience no matter where you are. As soon as I moved to Office 365, we built in micro-segmentation, and we’re looking at zero trust for everybody. We’ll be off data centres and I hope also our corporate network in two years.”

Another CISO noted that their company is “cloud native”.

DO WE NEED FIREWALLS ANYMORE?

The problem has definitely shifted towards the endpoint. As one participant said, “What I’m struggling with is device management, you could be using your home laptop, how do I know it’s not hacked because your kid was playing a game on it?  I just have to treat the device as an untrusted device.”

CONCLUSION

The consensus from this session appears to be that technology alone will not fully address our current and future challenges. Good cybersecurity has a strong social component – we can leverage technological capabilities to help us and our data “stay safe and secure,” but the reality is that each individual needs to have a good, well-informed appreciation of the risks and know how to minimize them. Constant vigilance is a lot like “looking both ways before you cross the street.” It doesn’t matter which side of the street the vehicles use or what kind of street you’re on – if you look deliberately, you can recognize a moving vehicle and you know what will happen if you step in front of it.