Recently at BSidesDenver 2013, I moderated a panel called ‘Everything is Pwned’. Or at least, that is what I posited. I had loose guidelines to qualify that, and one panelist called me out for not being as specific as I should have been on them. He also called me out because I didn’t have a direction and I wasn’t following a narrative. However, that was for good reason.
While I believe in what I posited, I don’t think it is specifically a new idea, and it doesn’t solve anything. My direction was establishing and agreeing on the fact that everything worth owning is owned, or will be. After some debate over that premise including several points dancing around the issue, Nickerson eventually responded “so what?” and that is where the panel turned around and found direction.
Johnson mentioned the companies he consults for fly under the radar, and believe they are safe through a combination of moderate to good security, along with “attackers not being interested in them”. I don’t doubt that the companies believe that, but otherwise I don’t think that is true at all. There are a metric butt-load of automated scanners and malware that are out there attacking everything all day long. This rogue software doesn’t see “Company X”, instead they see “a numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication.” Add to that the bad guys that are interested in you. The dreaded “APT1” isn’t just about the big guys, they want other computers to proxy through, other computers that may have a trust relationship they can exploit, or information that may be of some value. Meanwhile, lower end attackers are looking for web servers to deface, servers to host phishing pages, and a wide variety of other shady or criminal activity. I don’t think those companies are flying under the radar; I think they too are owned, and just don’t realize it.
Before the panel, I believed everything is owned. I didn’t know what it meant or the full implications, other than the security industry has failed us. If so many resources have been compromised, and we can’t uproot an embedded attacker even after reinstalling entire networks, what hope do we have? I was already thinking in the direction Nickerson took us on the panel, but he found the words and pushed me over the hill in my own thinking.
So what if everything is owned? Nickerson argued that ultimately, it doesn’t put the company out of business. If it posed a real risk, they would designate resources to fix it. Even after all these breaches, all these loss of credit cards, stock dips, and more, the number of companies that actually go out of business is negligible. Corman reiterated that point when he reminded everyone that a credit card number is of virtually no value on the street, is easily replaceable, bears no liability on the end consumer, and will continue to be that way moving forward.
With the number of breaches and signs of compromise out there, I still believe everything worth owning, is. After the panel and further thinking, I think Nickerson and Corman make good points. If a common target of a breach is credit card data, which is easily replaced and has almost no financial impact on the company or consumer, why does it matter? Hundreds of big companies with incredible security budgets have been popped, it isn’t about reputation any more. If Google and Microsoft can’t keep their networks safe, why would we expect a smaller company with the fraction of the budget and expertise to?
Ultimately, that is about where the panel ended. Operate under the assumption that your network is compromised. Quit spending so much money trying to defend everything; that is like trying to put a fence around a national park. Focus on trouble areas, or those of the greatest concern, or that mean the most impact if something goes wrong. Quit thinking of your network as a castle, when the attacker has mortars and missiles. If you are losing the war, and losing most battles, at least try to protect your most valuable assets as best you can.
One response to “A Directionless Panel Paid Off…”
First, I agree that it’s reasonable to start by assuming that your network has been compromised.
That does not make protective measures useless, but should limit their cost.
But, also, this cost and effort should be complimented by other measures – it’s not impossible to detect such compromises. The fundamental precept is that everything that happens on the internet happens in public. And, so, intrusions are visible if you look at them properly. (A classic example is spam – it is not at all impossible to detect unusual traffic connecting to port 25 tcp.)
Hardware level monitoring is a good first step.
But, also, it’s probably worth noting that participation in public forums is often a good thing. As an analogy: people have sex despite the risk of VD and other problems. Similarly, there are going to be some advantages to working out in the open.
But, also, of course, there are also a variety of reasons for doing things in private. Some good, some bad, some in between (or contextually “good/bad”). And much of this is visceral. People like their privacy – as an example, it’s not hard to find someone that does not want to be seen without their clothes and/or does not want others to be seen that way. (Though many privacy examples are more competitive in character.)
Anyways, the reaction where people want to protect the privacy of others is probably going to be significant, even (or maybe especially) in contexts like the internet which are “sort of everywhere”.