<html><head></head><body><div style="font-family:verdana, helvetica, sans-serif;font-size:16px;"><div><div>Was this predictable: probably</div><div><br></div><div>I would be surprised if the PCI assessors (and therefore leadership) didn't know about some of the control environment deficiencies. Typically you get - "that's not a priority", "it was designed that way", "we need to update to the next version first", or even "we don't have the budget to fix that". In some cases, if you think it's an issue - you have to rationalize, push, and play politics to get it addressed. Maybe even threaten to escalate the issue. I've had IT VPs that I worked with refuse to fix something because it was a revenue generating system and they didn't want to risk business objectives. </div><div><br></div><div>Was it preventable: unlikely</div><div><br></div><div>I think based on historical trends and what we see in the wild, we can predict with confidence that many companies are and/or will be at risk for compromise. IT environments were complicated 18 years ago when I first got into security and they've become even more complicated with the evolution of technology. </div><div> </div><div>Do we know who did it: maybe </div><div><br></div><div>Mandiant is very good at what they do but sometimes attribution just isn't possible because of all the hops the attackers may have taken to get to their final target. The other compromised systems sometimes live in countries that won't help us investigate cyber crimes. </div><div><br></div><div>Did they do anything new to attack or defend: unlikely</div><div><b><br></b></div><div>As you point out above, there are many vulnerabilities that go unpatched and unaddressed. Combine that with IT operational mistakes and you may have a large environment susceptible to compromise. 
This could be a misconfiguration (TFTP with / access, world readable/writable cron scripts owned by root), purposeful change that introduces a weakness (open NFS shares combined with availability of r-services, open X display), trust relationships, shared passwords across the environment - you name it. </div><div class="ydp4fc0f9ccsignature"><div style=""><div style="font-family: verdana, helvetica, sans-serif; font-size: medium;"><br></div><div style="font-family: verdana, helvetica, sans-serif; font-size: medium;"><span style="color: rgb(0, 0, 0); font-family: verdana, helvetica, sans-serif; font-size: 16px;">My rule is if all you're doing are the bare minimums and/or you have leadership pushing back in the form of not providing executive level support, determining your strategy or tactics, or limiting your budget - you are unlikely to have an <b><i>effective </i></b>security program.</span><br></div><div style="font-family: verdana, helvetica, sans-serif; font-size: medium;"><span style="color: rgb(0, 0, 0); font-family: verdana, helvetica, sans-serif; font-size: 16px;"><br></span></div><div style="font-family: verdana, helvetica, sans-serif; font-size: medium;"><span style="color: rgb(0, 0, 0); font-family: verdana, helvetica, sans-serif; font-size: 16px;">By the way - I think you're right. We focus way too much on claiming these compromises are caused by nation states. It very well could be one person or a small team of opportunists. </span></div><div style="font-family: verdana, helvetica, sans-serif; font-size: medium;"><span style="color: rgb(0, 0, 0); font-family: verdana, helvetica, sans-serif; font-size: 16px;"><br></span></div><div style="">No, I have no clue how or the frequency of their penetration testing. Considering that it's been reported that web portals with easily guessable usernames/passwords were used for data exfiltration, their competence is questionable. 
</div><div style="font-family: verdana, helvetica, sans-serif; font-size: medium;"><br></div><div style="font-family: verdana, helvetica, sans-serif; font-size: medium;">Kind regards, </div><div style="font-family: verdana, helvetica, sans-serif; font-size: medium;">~steve <br></div></div></div></div>
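The reply above lists two of the classic Unix misconfigurations that turn an ordinary foothold into root: cron scripts that root runs but other users can write, and NFS exports open to every host (worse still with no_root_squash). As an added example that is not part of the thread, the following audit helpers flag both. They assume the input formats shown in the docstrings (`find -printf '%m %u %p\n'` output and /etc/exports syntax); the sample data at the bottom is constructed, not captured from any real system.

```python
"""Audit helpers for two classic Unix misconfigurations: group- or
world-writable cron scripts owned by root, and NFS exports reachable by
any host.  Added example; input formats are assumptions (see docstrings)."""

import re


def insecure_cron_scripts(find_output):
    """Return paths of root-owned cron scripts writable by group or others.

    `find_output` is the text produced by (assumed invocation)
        find /etc/cron* -type f -printf '%m %u %p\n'
    i.e. "octal-mode owner path" per line.  A script that root executes
    from cron but that a non-root user can edit is a direct path to root.
    """
    findings = []
    for line in find_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        mode, owner, path = parts
        bits = int(mode, 8)
        if owner == "root" and bits & 0o022:      # group (020) or other (002) write bit
            findings.append(path)
    return findings


_EXPORT_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_exports(exports_text):
    """Parse /etc/exports into (path, [(client, [options])]) tuples.

    Strips comments and blank lines and handles the 'client(opt,opt)'
    syntax.  A bare '(opts)' with no client name means every host.
    """
    result = []
    for raw in exports_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _EXPORT_RE.match(line)
        if not m:
            continue
        path, rest = m.groups()
        clients = []
        for tok in rest.split():
            if "(" in tok:
                client, opts = tok.rstrip(")").split("(", 1)
                clients.append((client or "*", opts.split(",")))
            else:
                clients.append((tok, []))
        result.append((path, clients))
    return result


def open_nfs_exports(exports_text):
    """Return (path, client, reason) for exports that any host can mount.

    Only the '*' wildcard is treated as "all hosts"; the reason string is
    extended when the export is writable and when no_root_squash lets a
    remote root create root-owned files on it (for instance, a cron script).
    """
    findings = []
    for path, clients in parse_exports(exports_text):
        for client, opts in clients:
            if client != "*":
                continue
            reasons = ["exported to all hosts"]
            if "rw" in opts:
                reasons.append("rw")
            if "no_root_squash" in opts:
                reasons.append("no_root_squash")
            findings.append((path, client, ", ".join(reasons)))
    return findings


# Constructed sample data standing in for real find(1) output and /etc/exports.
SAMPLE_FIND = """\
0755 root /etc/cron.daily/logrotate
0777 root /etc/cron.daily/backup.sh
0664 root /etc/cron.d/cleanup
0666 app /var/tmp/app-cron.sh
"""

SAMPLE_EXPORTS = """\
# /etc/exports (constructed)
/srv/build   10.0.0.0/24(rw,sync)
/home        *(rw,no_root_squash)          # the weak one
/pub         *.corp.example(ro)
/data        (rw)
"""

if __name__ == "__main__":
    for p in insecure_cron_scripts(SAMPLE_FIND):
        print("cron: group/world-writable root script:", p)
    for path, client, why in open_nfs_exports(SAMPLE_EXPORTS):
        print(f"nfs: {path} -> {client}: {why}")
```

The two checks are kept separate because they are usually run on different hosts (cron on the box itself, exports on the file server), but the reason string on the NFS side calls out exactly the combination the reply warns about: a world-mountable rw export with no_root_squash is how a root-owned writable cron script gets planted in the first place.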
<div><br></div><div><br></div>
<div id="yahoo_quoted_6725602346" class="yahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Wednesday, September 27, 2017, 10:15:12 AM CDT, dave aitel <dave@immunityinc.com> wrote:
</div>
<div><br></div>
<div><br></div>
<div><div id="yiv0097424817"><html>
<div>
<p>So I assume most people skim any news reports of big breaches in
the same way these days. Was this predictable? Was it preventable?
Do we know who did it? Did they do anything new to attack or
defend?</p>
<p>In Equifax's case, the reportable information clearly is the
alleged trading anomalies, rather than the hack itself. But the
third question is interesting to a point. I've been trying to
write a keynote for T2 for the past few weeks, and while my muse
is clearly on an extended vacation, there are some interesting
generational changes afoot with regards to these questions.</p>
<p>At some level, in a world where vulnerabilities are super rare,
governments dominate the discussion of malicious actors. I think
there's a lot of news chaff about every little 20-something hacker
or aspiring malware businessman who gets caught. Filtering those
out, there are relatively few reports of hacking groups with high
skill levels. And because of our assumptions that "Governments"
are behind everything now, I think we naturally err towards
flinching at boogeymen who...wield SQLi and Phishing with .jar
files. <br>
</p>
<p>But when you look at the accomplishments of truly skilled
hackers, they're amazing. And the environment we live in is not
one where major vulnerabilities are rare. The environment is such
that any specialized <a rel="nofollow" target="_blank" href="https://en.wikipedia.org/wiki/Extremophile#/media/File:Grand_prismatic_spring.jpg">extremophile</a>
can penetrate and persist all of cyberspace. In a sense, the
entire bug bounty market is a breeding ground for a species that
can collect extremely low impact web vulnerabilities into a life
sustaining nutrient cycle, like the crabs on volcanic plumes in
the depths of the Pacific. Likewise, learning everything about RMI
is enough to be everywhere, or .Net serialization, or CCleaner. In
cyber, where there's a way there's a will. <br>
</p>
<p>It used to be we would be more afraid if it was China or Russia
or Iran or whoever. But these days I like to annoy people by
asking what if it's not? <br>
</p>
<p>Also, does anyone know how often Equifax did their penetration
testing? My new rule is that if you only do it in Q4 you are
unlikely to have a mature security program. :)<br>
</p>
<p>-dave</p>
<p><br>
</p>
</div>
</html>
</div>_______________________________________________<br>Dailydave mailing list<br><a ymailto="mailto:Dailydave@lists.immunityinc.com" href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br><a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target=_blank>https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br></div>
</div>
</div></div></body></html>