35 comments

[ 3.8 ms ] story [ 78.3 ms ] thread
Ransomware is the biggest nightmare I'm seeing. Everything connected to a company network is having to be audited for patches and approved OS installs. IT needs to have root access to every system. Any system not approved to be networked will be isolated at the switch to knock off the network and that team's other IT systems will be knocked off too.

Security just went least privilege for network access where I work.

This is especially prevalent to VMs and containers. Anything with an IP address is being audited. Anything.

Good. We're finally, FINALLY getting some pressure to fix all these broken systems. I was literally losing sleep over some of the crazy shit I saw. It's still a tire fire, but at the very least there is some movement to fix it.
A lot of people don’t understand how much gruft is in IT. While I doubt it, my hope for the new year is that business will slow down and shift focus. Rather than building ever more complex system, for what ever reason, perhaps we can now focus on simpler and more secure solution.

The collective memory of our industry is shockingly short. If Log4J has taught me anything it is that the old meme: “LOL; It OPSs problem now” is very much still all too real.

I'll miss the good old days where our lab environment was never looked at by security or IT.

I was a firewall admin at a F100 bank and we had some linux servers we used to do automation against our production firewall systems. We did some of the best, most secure work we ever did because we had access to scripting systems and Python. We built a host of auditing, ops, and secure automation and cleanup tools. It took months if not literally a year or more to convince all the right "stakeholders" that we need a prod server for such a purpose. Same reason we used Bottle.py for our web GUI: We didn't have to install it; it ran on system Python install.

I also remember standing up Dokuwiki because our company was two years away from deploying Confluence (puke), and remember setting up Gitlab in a lab environment two years before we got Gitlab, because we only had... some IBM version control, all the tooling and regs around it were built around enterprise product development, not backend.

In other words, shadow IT led us to be a more secure organization. It seems IT in the 2020s is getting a clue when it comes to deployment, and now that they have automated everything from deploy to scan, it isn't such a huge ask to get a linux server with which to program. Maybe shadow IT won't be needed anymore.

Then again, perfect enforcement of laws is a dangerous thing in society. Maybe too in cyber?

I don't know much about computer security. Is this a domain where you can fix something that was broken and be okay, or is this a constant race between attackers and defenders? If it's the first, more pressure is great. If it's the second, it's a bit depressing to spend even more time and energy on a zero sum game.
It is a constant arms race that the defender is nearly guaranteed to lose (for a variety of reasons). This is why resilience is incredibly important.

Unfortunately, too often we see M&M security — hard crunchy shell exterior, but once you're in it's delicious sweet chocolate that the business is unprepared for the attacker to start eating.

Well, for many sectors it wasn't even an arms race at all. It was just getting pwnd and not caring because the attackers basically stole the data and it didn't really disrupt your business. Now with ransomware the arms race part has started, and that's a good thing because it means the bar overall is higher.
I don't understand how it is a good thing. Doesn't that mean that more money/time/energy will be spent compared to before for the same results? If that's the case, that sounds worse to me, but maybe I missed something.
> Everything connected to a company network is having to be audited for patches and approved OS installs. IT needs to have root access to every system. Any system not approved to be networked will be isolated at the switch to knock off the network and that team's other IT systems will be knocked off too.

It's not wrong to do any of this (it seems to be the norm, actually) but doing NAC kinda implies you're thinking of your intranet as some kind of perimeter to secure which is ultimately not that helpful and makes people lazy and complacent because "our service is just on the secure network, amirite?".

One can make an argument like this about anything, and it’s just a defeatist attitude. Why bother to do anything then?

The reality is that security should be done in layers, and this is an important layer. The handwavy “and then it causes everyone to become incompetent” type of argument is really just nonsense that needs to go away.

Not necessarily. Your security model should be that any computer on your network could be infected. It’s very likely to happen and if there’s any flaw that allows infection it’s not your whole network that gets compromised.
These things are part of the basic tenets [0] of the NIST's Zero Trust Architecture [1], which has become an important cybersecurity target for enterprises.

0: https://aspsecuritykit.net/blog/7-tenets-of-nist-zero-trust-... 1: https://csrc.nist.gov/publications/detail/sp/800-207/final

(comment deleted)
My experience is companies treating security as if it were a competition where having more "security points" than the hacker means you can't be hacked. Which leads to bizarrely wrong trade-offs like "we don't need passwords on the prod database because it's only accessible through the private network". Even worse is "we're on AWS so we have Amazon-level security".
That's actually anti-ZT practice, which clearly requires that you put maximum security controls you can to protect every resource. especially do not assume trust based on network location/perimeter, is very first tenet. But yeah, security in many orgs (regardless of the size), is another item to be ticked, and thus a false sense of security prevails until an incident happens.

Eventually, only such orgs will survive and thrive which will be able to defend their resources, in the increasingly hostile online environment with state-backed attackers.

Whether this defense comes from individual organizations or their state, or a combination of both, that's something to be seen in the next 5 to 10 years.

Ramsomware has found a business model greatly thanks to cryptocurrency which has removed a lot of friction in the payment process.

You do not have to leave anymore a paper bag full of cash in the park to get your files unencrypted.

A healthy business model helps to attract talent into the ramsomware business, which improves the time-to-market of exploits.

All this helps to increase the need for security and business continuity investments so for 2022 I anticipate healthy growth of that industry.

IMHO, Bitcoin role is not really a mere store of value with built-in inflation protection. Bitcoin is also an enabler for strong growth in the information security industry.

IT having root access to every system is how every system was infected at the company I’m currently working for. And they’re not learning from it.
I work in infosec doing defensive stuff. I am not worried about ransomware in the least, at least not on its own, the thing you have to understand is, when all these companies get a ransomware attack, it isn't always a resuly of the ransomware worming its way through computers. These days operators manually find lateral movement paths and get domain admin and deploy the ransomware using GPO or something. Bare minimim compliance to Microsoft tiered security model prevents most of these attacks and there is a lot you can do to prevent this.

Sabotage attacks don't worry me. I hope the bad guys don't read this but what worries me is targeted intrusions where the bad guys do corporate espionage and IP theft but use ransomware as a smokescreen. 10K filings, product announcements. Heck, sit silently on the right guy's inbox and you can do your own insider trading scheme and it pays more than ransomware.

To me ransomware is like holding up a bank but you only take the cash in cash registers, rob everyone in the lobby and create a commotion and down time for the bank and leave. Don't get me wrong? I think ransomware will continue to be popular, I am just not that concerned because the team i am on takes adequate measures to stop your run of the mill ransomware gang.

Not giving admin accounts to non IT staff goes a hell of a long way
And requiring privileged access workstations for admin account usage, preventing and alerting when admin accounts are used from anywhere else goes a long way too.
On my end the growingest vector is audit remediation. Your cyber insurance providers have noticed that you constructed your environments out of swiss cheese and are now mandating actual pentesting and practical demonstrations of your fixes if you want to maintain your policy. Those self service checklists seem to be going away.

gotta say, audit remediation is a pretty chill field to be in as well. The recent round of 'hackers dont sleep for the holidays' articles made me feel glad to get out of the incident response game.

It's insane they wrote policies without this as an expectation.

I mean, you could write a policy that's essentially LifeLock's "What are the odds someone will actually notice you?" priced, but I feel like market forces would have resulted in drastically under-pricing those premiums (to get sales).

Self-certification has been a big thing over the past few years. It doesn't make much sense to me unless insurers are planning on rejecting claims when previous self-certification claims can't be verified.
Doing incident response was the most stressful job I've ever had. I left it to do security engineering and don't miss it in the slightest. So many nights and weekends blown on calls with lawyers, executives, etc.
What company do you work for (if you don’t mind being asked)? I’m curious about audit remediation, it sounds like a field I might be interested in. I’m currently in an SRE role.
I work for a big4, which is finance's version of FAANG I guess. I don't really recommend it if you are already situated elsewhere, as noob consulting life is a real drag if you are used to being an FTE.

However, all of these financial audit firms are beefing up on tech staff right now. This is one of the better non-developer IT jobs in the midwest.

They just so happen to see a lot of challenges that their software is well suited to resolve... no surprises there.

My predictions for 2022: An awful lot of work to be had before you go insane.

I'd expect the trends of "massive complexity causing problems solved by more complexity" to continue, because that's literally the only thing the hardware and software industry seems capable of doing anymore. Stacks of complexity that then require more complex hardware to run, and the cycle continues. Nobody understands the whole stack anymore, except perhaps the malware authors who freely move up and down the stack to accomplish their goals. Those writing the software and, theoretically, auditing the software don't seem capable of finding badness hidden in it - and decades of experience says, "Humans can't find suitably stealthy badness hidden in software, intentional or not." Look at how long some of the really nasty bugs have been floating around (exploited or not, we don't know) before someone finally got around to noticing them. I mean, how long was Debian only generating one of 32k SSH keys?

I don't see a good path forward for "connected, computer based, all the things." If we were willing to consider dumping, say, 80% of the features of modern computing, we could probably do a pretty good job securing the other 20% (the commonly used ones). But at too many places, payment and promotion is for features, not bugfixes, not security patches. So new features just keep getting released, old stuff gets abandoned, and the cycle of promotion goes on. The incentives are simply wrong to create anything faintly resembling secure software.

And I expect a continuing wave of people who've been doing security for 20-30 years just... quietly retiring to a life of not much consumer tech. The joke in my circles is that we'll be goat or llama farmers, and I'm not sure it's too far from the truth. I expect a large collection, in decades to come, of "You clearly enjoy this farming thing, I don't think you care a bit about making money, and why is the most advanced bit of technology on this place a couple Arduinos?" You'll find them run by former low level security types.

I don't know how much runway is left in the current trends of tech, consumer and enterprise, but we're clearly at a point where nobody can reason about the stuff anymore, and even if you're using all the patches, all the best practices... you can still have your whole company shut down by ransomware and such. It's less likely, but still far from impossible, when we see things like former NSA 0days used to deploy ransomware. Pretty hard to defend against 0days.

Were I to do a business these days, I'd probably take a serious look at doing things like "Training employees on Qubes" (and buying hardware that can run it). You may not be able to make things impossible for an attacker, but you can sure make them want to go somewhere else for easier pickings (if they're not targeting you, specifically - if they are, you're probably screwed). The whole "Giant Windows Domain" thing repeatedly proves impossible to secure in practice.

Or maybe just go back to typewriters and a good secretary or two.

Thank you, I wouldn’t say I enjoyed it, because that is a dark future you’re painting. The point on complexity is spot on with the trends I’m seeing.

Simple projects are increasingly solved by systems growing in layers and complexity, all in the name of making things easier to the developers that sits at the tips of the complexity and does see the horrors of the lower layers, and to pump out a ever growing bundle of features that shouldn’t be. We write more and more code, to avoid changing broken procedures. A broken world is painted over with shiny code, which few truly understand, all because we don’t want to fix the underlying problems.

> ... because that is a dark future you’re painting.

I'd argue, but I can't...

When a basic "cross platform application" now has 1-1.5GB of build directory for all the 50,000 nested Node dependencies that allow you to not have to write your own left pad, you can't know what most of the code is. It's simply not possible.

Windows 95 was about 50MB installed. A modern chat client is a couple hundred meg, because it's a web app, carrying it's own browser around, running in Javascript, and... etc. A quad core 1.5GHz CPU will struggle with it (source: I run Rpi4s for desktops and Element really, really tends to lag on text input if you type fast).

I don't see how it gets better when these are the trends. New frameworks, new libraries, new UI toolkits, more complexity, less understanding, and ever new and shiny security bugs.

But those bugs aren't a problem, because nobody is punished for them. Whoopsie daisy, giggle, my logging function allows for remote code execution! I'm not saying that individuals should be jailed for bad code, but if you're a company and you ship a product, "Oh, well, that open source part we used was bad..." shouldn't be a good excuse for why someone with your product installed can be pwned from across the internet.

Yes, that implies lower complexity of software, and, yes, that's my exact point.

I use a computer in 2021 for a lot of the same stuff I used a computer for in 1997. Writing documents, writing code, chatting with people, visiting websites, sharing photos, editing photos, etc. The difference is that now I need a 6-core processor and 32GB of RAM to do it sanely, when I could do roughly the same stuff in 1997 on about 32MB of RAM and a single processor, running at sub-100MHz.

I don't see a good path forward regarding computer security, which is part of why I've been starting to use computers less and less, and finding other ways to accomplish things that aren't internet-vulnerable-to-everything. I just don't see a way out when all the incentives are wrong.

> You may not be able to make things impossible for an attacker, but you can sure make them want to go somewhere else for easier pickings (if they're not targeting you, specifically - if they are, you're probably screwed)

True but this is how all security works. Not just in IT. Nobody has perfect physical security either. We just use the best lock on our door or bike to make the thief move to the next one over, or in some cases to a different type of crime entirely (for example bank robbing and kidnapping seem to be much less popular than in the 80s)

Even something like Fort Knox can be robbed but it would require a party with state-level resources and there's much more valuable things than lots of gold that you can obtain more easily.

Having security has never been perfect but always a matter of "most likely good enough for the expected threats".

This is also why mitigation and planning is so important in security. Not just to focus on preventing the hack ever happens, but to have good plan of what to do if it does.

And no it'll never be possible to relax and consider security "solved". It'll always be a cat and mouse game. Also applies to all forms of security. Even physical locks still get new exploits found like the bump key and computer based picks.

So I'm pretty sure we'll just keep going as we are. We'll never achieve perfect security but we won't go back to goat farming either. It won't even solve our problems because there'll always be criminals ready to steal our goats.

The real problem is human nature. Or even nature in general: whatever weakness turns up a predator will step in to exploit it. We're just moving the battlefield.

The importance of the pervasive use of stronger multi-factor authentication and a good patching policy to mitigate against the vast majority of current and emerging risks.
This just seems like a rehash of old themes and a bit of blogspam. Is there an original idea in here?