Was this predictable: probably
I would be surprised if the PCI assessors (and therefore leadership) didn't 
know about some of the control environment deficiencies. Typically you get - 
"that's not a priority", "it was designed that way", "we need to update to the 
next version first", or even "we don't have the budget to fix that". In some 
cases, if you think it's an issue - you have to rationalize, push, and play 
politics to get it addressed. Maybe even threaten to escalate the issue. I've 
had IT VPs that I worked with refuse to fix something because it was a revenue 
generating system and they didn't want to risk business objectives.    
Was it preventable: unlikely
I think based on historical trends and what we see in the wild, we can predict 
with confidence that many companies are and/or will be at risk for compromise. 
IT environments were complicated 18 years ago when I first got into security 
and they've become even more complicated with the evolution of technology.      
Do we know who did it: maybe 
Mandiant is very good at what they do but sometimes attribution just isn't 
possible because of all the hops the attackers may have taken to get to their 
final target. The other compromised systems sometimes live in countries that 
won't help us investigate cyber crimes.  
Did they do anything new to attack or defend: unlikely
As you point out above, there are many vulnerabilities that go unpatched and 
unaddressed. Combine that with IT operational mistakes and you may have a 
large environment susceptible to compromise. This could be a misconfiguration 
(TFTP with / access, world readable/writeable cron scripts owned by root), 
purposeful change that introduces a weakness (open NFS shares combined with 
availability of r-services, open X display), trust relationships, shared 
passwords across the environment - you name it.  
My rule is if all you're doing are the bare minimums and/or you have leadership 
pushing back in the form of not providing executive level support, determining 
your strategy or tactics, or limiting your budget - you are unlikely to have an 
effective security program.

By the way - I think you're right. We focus way too much on claiming these 
compromises are caused by nation states. It very well could be one person or a 
small team of opportunists. 
No, I have no clue about how, or how frequently, they did their penetration testing. 
Considering that it's been reported that web portals with easily guessable 
usernames/passwords were used for data exfiltration, their competence is 
questionable. 
Kind regards, ~steve 
 

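As an added illustration of two of the local misconfigurations Steve lists above (a root-owned, world-writable script run from root's crontab, and NFS exports open to every host or with no_root_squash), here is a small audit script. It is not code from the thread; the crontab, file-ownership table and /etc/exports content are constructed samples, and the FileInfo class stands in for the os.stat() fields a real run would read from disk.

```python
"""Audit two classic Unix misconfigurations: root cron jobs whose script any
local user can edit, and NFS exports reachable by everyone or exported with
no_root_squash.  All inputs are constructed samples so it runs offline."""
import re
import stat
from dataclasses import dataclass


@dataclass
class FileInfo:
    """The two os.stat() fields the cron check needs.  Supplied inline here so
    the example runs without root; on a real host build it from os.stat(path)."""
    mode: int   # st_mode (file type + permission bits)
    uid: int    # st_uid (owner)


def cron_findings(crontab_text, files):
    """Return (script, reasons) for /etc/crontab-style entries that run, as
    root, a script that is world-writable or not owned by root.  Either lets a
    local user run code as root on the next cron tick."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value assignment
        if line.startswith("@"):
            parts, want = line.split(None, 2), 3   # @reboot user command
        else:
            parts, want = line.split(None, 6), 7   # 5 time fields, user, command
        if len(parts) != want or parts[-2] != "root":
            continue  # malformed, or not running as root
        # The first absolute path in the command is the script we check.
        script = next((t for t in parts[-1].split() if t.startswith("/")), None)
        info = files.get(script)
        if info is None:
            continue
        reasons = []
        if info.mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if info.uid != 0:
            reasons.append(f"owned by uid {info.uid}, not root")
        if reasons:
            findings.append((script, reasons))
    return findings


EXPORT_TOKEN = re.compile(r"([^(]*)(?:\((.*)\))?$")   # client(opt,opt)


def nfs_findings(exports_text):
    """Return (path, client, reasons) for /etc/exports entries that any host
    can mount or that let a remote root keep uid 0."""
    findings = []
    for raw in exports_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        path, rest = fields[0], (fields[1] if len(fields) > 1 else "")
        # No client list means "everyone"; so does the classic typo of a space
        # before the options, "/srv (rw)", which exports rw to the world.
        for tok in rest.split() or ["*"]:
            m = EXPORT_TOKEN.match(tok)
            if not m:
                continue
            client, opts = m.group(1) or "*", set((m.group(2) or "").split(","))
            reasons = []
            if client == "*":
                reasons.append("exported to every host")
            if "no_root_squash" in opts:
                reasons.append("remote root keeps uid 0 (no_root_squash)")
            if reasons:
                findings.append((path, client, reasons))
    return findings


# Constructed sample data (not from any real host).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
17 *  * * *  root    /usr/local/sbin/rotate-logs.sh
0  3  * * *  root    /opt/backup/nightly.sh --full
@reboot      root    /usr/local/bin/start-agent
30 4  * * 1  backup  /home/backup/cleanup.sh
"""
SAMPLE_FILES = {
    "/usr/local/sbin/rotate-logs.sh": FileInfo(0o100755, 0),     # fine
    "/opt/backup/nightly.sh":         FileInfo(0o100777, 0),     # root-owned, world-writable
    "/usr/local/bin/start-agent":     FileInfo(0o100755, 1001),  # non-root owner can edit it
    "/home/backup/cleanup.sh":        FileInfo(0o100777, 1002),  # not run as root, ignored
}
SAMPLE_EXPORTS = """\
# constructed /etc/exports
/srv/data     10.0.0.0/24(rw,sync,root_squash)
/export/home  *(rw,no_root_squash)
/var/scratch  (ro)
"""

if __name__ == "__main__":
    for script, why in cron_findings(SAMPLE_CRONTAB, SAMPLE_FILES):
        print(f"cron: {script}: {', '.join(why)}")
    for path, client, why in nfs_findings(SAMPLE_EXPORTS):
        print(f"nfs: {path} -> {client}: {', '.join(why)}")
```

On a live host, replace the sample dictionary with os.stat() results for each script path and feed the real /etc/crontab, /etc/cron.d/* and /etc/exports; the per-user crontabs under /var/spool/cron have no user field and would need a separate parser.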
On Wednesday, September 27, 2017, 10:15:12 AM CDT, dave aitel <[email protected]> wrote:
 
  
So I assume most people skim any news reports of big breaches in the same way 
these days. Was this predictable? Was it preventable? Do we know who did it? 
Did they do anything new to attack or defend?
 
In Equifax's case, the reportable information clearly is the alleged trading 
anomalies, rather than the hack itself. But the third question is interesting 
to a point. I've been trying to write a keynote for T2 for the past few weeks, 
and while my muse is clearly on an extended vacation, there are some 
interesting generational changes afoot with regards to these questions.
 
At some level, in a world where vulnerabilities are super rare, governments 
dominate the discussion of malicious actors. I think there's a lot of news 
chaff about every little 20-something hacker or aspiring malware businessman 
who gets caught. Filtering those out, there are relatively few reports of 
hacking groups with high skills levels. And because of our assumptions that 
"Governments" are behind everything now, I think we naturally err towards 
flinching at boogeymen who...wield SQLi and Phishing with .jar files. 
 
 
But when you look at the accomplishments of truly skilled hackers, they're 
amazing. And the environment we live in is not one where major vulnerabilities 
are rare. The environment is such that any specialized extremophile can 
penetrate and persist all of cyberspace. In a sense, the entire bug bounty 
market is a breeding ground for a species that can collect extremely low impact 
web vulnerabilities into a life sustaining nutrient cycle, like the crabs on 
volcanic plumes in the depths of the Pacific. Likewise, learning everything 
about RMI is enough to be everywhere, or .Net serialization, or CCleaner. In 
cyber, where there's a way there's a will. 
 
 
It used to be we would be more afraid if it was China or Russia or Iran or 
whoever. But these days I like to annoy people by asking what if it's not? 
 
 
Also, does anyone know how often Equifax did their penetration testing? My new 
rule is that if you only do it in Q4 you are unlikely to have a mature security 
program. :)
 
 
-dave
 

 
 _______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave