Steve R. Smith
steve_smith1999 at yahoo.com
Wed Sep 27 16:00:21 UTC 2017
Was this predictable: probably
I would be surprised if the PCI assessors (and therefore leadership) didn't know about some of the control environment deficiencies. Typically you get - "that's not a priority", "it was designed that way", "we need to update to the next version first", or even "we don't have the budget to fix that". In some cases, if you think it's an issue - you have to rationalize, push, and play politics to get it addressed. Maybe even threaten to escalate the issue. I've had IT VPs that I worked with refuse to fix something because it was a revenue generating system and they didn't want to risk business objectives.
Was it preventable: unlikely
I think based on historical trends and what we see in the wild, we can predict with confidence that many companies are and/or will be at risk for compromise. IT environments were complicated 18 years ago when I first got into security and they've become even more complicated with the evolution of technology.
Do we know who did it: maybe
Mandiant is very good at what they do but sometimes attribution just isn't possible because of all the hops the attackers may have taken to get to their final target. The other compromised systems sometimes live in countries that won't help us investigate cyber crimes.
Did they do anything new to attack or defend: unlikely
As you point out above, there are many vulnerabilities that go unpatched and unaddressed. Combine that with IT operational mistakes and you may have a large environment susceptible to compromise. This could be a misconfiguration (TFTP with / access, world readable/writeable cron scripts owned by root), purposeful change that introduces a weakness (open NFS shares combined with availability of r-services, open X display), trust relationships, shared passwords across the environment - you name it.
My rule is if all you're doing are the bare minimums and/or you have leadership pushing back in the form of not providing executive level support, determining your strategy or tactics, or limiting your budget - you are unlikely to have an effective security program.
By the way - I think you're right. We focus way too much on claiming these compromises are caused by nation states. It very well could be one person or a small team of opportunists.
No, I have no clue how or the frequency of their penetration testing. Considering that it's been reported that web portals with easily guessable usernames/passwords were used for data exfiltration, their competence is questionable.
Kind regards, ~steve
On Wednesday, September 27, 2017, 10:15:12 AM CDT, dave aitel <dave at immunityinc.com> wrote:
So I assume most people skim any news reports of big breaches in the same way these days. Was this predictable? Was it preventable? Do we know who did it? Did they do anything new to attack or defend?
In Equifax's case, the reportable information clearly is the alleged trading anomalies, rather than the hack itself. But the third question is interesting to a point. I've been trying to write a keynote for T2 for the past few weeks, and while my muse is clearly on an extended vacation, there are some interesting generational changes afoot with regards to these questions.
At some level, in a world where vulnerabilities are super rare, governments dominate the discussion of malicious actors. I think there's a lot of news chaff about every little 20-something hacker or aspiring malware businessman who gets caught. Filtering those out, there are relatively few reports of hacking groups with high skill levels. And because of our assumptions that "Governments" are behind everything now, I think we naturally err towards flinching at boogeymen who...wield SQLi and Phishing with .jar files.
But when you look at the accomplishments of truly skilled hackers, they're amazing. And the environment we live in is not one where major vulnerabilities are rare. The environment is such that any specialized extremophile can penetrate and persist all of cyberspace. In a sense, the entire bug bounty market is a breeding ground for a species that can collect extremely low impact web vulnerabilities into a life sustaining nutrient cycle, like the crabs on volcanic plumes in the depths of the Pacific. Likewise, learning everything about RMI is enough to be everywhere, or .Net serialization, or CCleaner. In cyber, where there's a way there's a will.
It used to be we would be more afraid if it was China or Russia or Iran or whoever. But these days I like to annoy people by asking what if it's not?
Also, does anyone know how often Equifax did their penetration testing? My new rule is that if you only do it in Q4 you are unlikely to have a mature security program. :)
Dailydave mailing list
Dailydave at lists.immunityinc.com