Bit9


Enterprise Application Whitelisting

The Buckshot Heard Round The World; Bit9 Weighs in On Cyber Security

Posted by Harry Sverdlove on Mon, Aug 30, 2010

 

It may seem passé to be discussing an attack from 2008. Two years is an eternity in the cyberworld. But the incident discussed in a recent New York Times article (see also CNN) was a watershed moment worthy of revisiting.

 

In 2008, a flash drive was plugged into a laptop on an American military base. It contained the Agent.btz virus, and proceeded to propagate from device to device, machine to machine, planting its tentacles across both secure and non-secure networks within the government. Details of what information or what systems were compromised were never made public, but we know the attack was severe enough to warrant a security brief for the President of the United States. The effort to counter this attack was dubbed Operation Buckshot Yankee.

 

I was there, working with our government and civilian customers, when the DoD ban of all portable devices went into effect (it was later relaxed, but the initial ban was without exception across all their sub-agencies and contractors). All of the computer systems within the Defense Department were running the latest antivirus software with firewalls, intrusion detection, internet filtering, and advanced policy management settings. Millions, if not billions, of dollars had been spent on IT security. Yet one tiny device, with a payload less than 1MB, went undetected and wreaked havoc. All that money, manpower, and technology, and Uncle Sam was reduced to physically banning the use of USB sticks.

 

It reminds me of a Dr. Seuss story that I used to read to my kids, Yertle the Turtle. There’s a line in that story, “his burp shook the throne of the king”. One tiny turtle, at the bottom of a stack, caused the entire system to collapse. This flash drive “burp” got the attention of the highest levels of government. It’s as if a light bulb went off in the heads of the top brass, “This really happened? How could our cyber defenses be so ineffective? There has to be a better approach.”

 

I saw two things happen next. First, the collective recognition within the government that traditional “react-and-respond” security was ineffective against today’s cyber threats. New approaches, like the “proact-and-prevent” paradigm of whitelisting, were needed. Bit9 was already successful within the government sector, but this raised awareness to a new level.

 

The second thing that happened is that when the global ban on all things removable went out, the world didn’t end. It quickly evolved into more relaxed policies and selective, monitored exceptions, and it is certainly not the ideal way I would recommend transforming a security posture. But under fire, it was necessary. The posture changed from “let everything in and then see if it behaves badly” to “block everything until it is verified to be good”. That model has always been the way the government approaches personnel security, but it had not been applied to cyber security. People were so used to the old way of thinking about security that they feared change. This incident and the Operation Buckshot Yankee response showed that approval-based protection works.

 

Whether you’re talking about people, or removable devices, or software, positive security is more effective than negative security.


It's Time for Better Cyber Security

Posted by Kate Munro on Tue, May 04, 2010

 

There have been many calls to action over the past few years for government to take a stronger stance in the fight against cybercrime. While well intentioned, they have run into a variety of local and national hurdles to achieving real cooperation, including differing extradition laws, varying volume and type of local resources, and perennial national security concerns.

 

All that seems to be changing, sparked in large part by Operation Aurora and its impact on large multi-national companies that are at the center of commerce for a number of countries, including rumored defense contractors.  Two recent items in the past week bring this changing reality to the forefront.

 

* The East West Institute is holding its first WorldWide Cybersecurity Summit this week in Dallas. The program is focusing on international cooperation and the need for governments to proactively engage in stronger security laws and technologies, and looks to include countries long considered bastions of cybercriminal activity such as Russia and China.

* The Business Software Alliance on Friday issued its Global Cybersecurity Framework "to assist countries in crafting effective national policies and laws to thwart cybersecurity threats."

What seems to be somewhat new regarding these initiatives is acknowledgement regarding the speed of security outbreaks and issues in today's globally connected world.  A portion of the BSA's framework discusses the parameters and market conditions under which a new framework becomes essential.
 

* Innovation: cybersecurity is a fast-paced race, in which we must stay ahead of cybercriminals who adapt constantly. Cybersecurity policy should maximize the ability of organizations to develop and adopt the widest possible choice of cutting edge cybersecurity solutions.

* A risk-based approach: consumers, businesses and government agencies seek to protect a wide spectrum of targets against a wide variety of cyber threats. Cybersecurity policy should enable them to implement the security measures that are most appropriate to mitigating the specific risks they face.

 

Industry bodies such as the BSA and the East West Institute are doing their part to bring these pressing issues and needs to light, and Bit9 commends them for their efforts. The next phase, which will give some of these initiatives real, sustainable momentum, is cooperation between vendors and government agencies to drive actionable solutions forward, be it on the technology or the legislative side. Technology innovation is surely part of the equation, as are measures like tax incentives for going beyond regulatory norms in order to bolster security at high value targets. However, there are two approaches that can bring immediate relief without the red tape and time lag those measures require.

 

1) Defense in depth and a layered approach can't be given mere lip service. Yes, it costs more; however, the cost of not protecting your IP or vital national secrets is too high given the speed and variety of attacks that governments and enterprises face against both their networks and their endpoints.

 

2) "Be proactive" is the rule of the day. Technologies such as anti-virus and HIPS have their place; however, the reactive nature of these solutions puts organizations at a significant disadvantage, and they have become too reliant on them. Embracing solutions that immediately limit access and exposure to the known vulnerabilities that are key attack vectors (applications and endpoints) must happen in order to let security professionals target additional vulnerabilities more easily and in real time.

 

It's time for government and industry experts to put stakes in the ground and combine to effect real security change both now and in the immediate future.
 

 


Application Whitelisting for Government

Posted by Kate Munro on Fri, Aug 07, 2009

Criminals are getting smarter and more sophisticated, and are responsible for security breaches in both the public and private sector that put sensitive information in danger. Just last month it was discovered that cyber spies had repeatedly accessed critical design data in the U.S. Joint Strike Fighter project. Brian Krebs of the Washington Post writes about the Facebook and Twitter attacks here, and the Marines have just banned Facebook.

 

From state and local government to federal defense agencies, the government seems to be constantly under attack.

 

Standards such as the Federal Information Security Act (FISMA) were put in place to provide U.S. federal agencies and contractors with a uniform set of information systems processes. But compliance, as we have seen with PCI DSS standards, is never enough. Gaining control over the software that runs on government systems is more than a strategic initiative aimed at compliance; it is crucial to protect against zero day and targeted attacks that are getting past traditional, reactive defenses.

 

Application whitelisting is emerging as a layer of IT security defenses: it monitors and controls unauthorized software, and can discover and ban specific hashes automatically, whether the software in question is rogue, unwanted, common but considered vulnerable, or outright malicious.

 

This approach to endpoint security is fundamentally different from existing anti-virus methods, which allow all applications to run and detect malware only after it has already executed and potentially caused harm to systems. Application whitelisting lets you create an inventory of 'permitted' software that is allowed to run, and lets unknown software run in a controlled manner until it is deemed good or bad. This lets workers use the tools they need to get their job done in real time, and reduces the burden of false positives on the IT department.

 

By having greater visibility into what applications are running on their organization's endpoints (PCs, laptops, servers), IT staff are better equipped to enforce the use of authorized applications, maintain compliance with industry standards, and prevent the installation or execution of malicious, illegal and unauthorized software that can create vulnerabilities and enable targeted attacks. In fact, the recently released Consensus Audit Guidelines (CAG) prescribe application whitelisting (defining and allowing only trusted software) as a best practice for achieving FISMA compliance.
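The three-way decision the post describes (approved inventory, banned hashes, and unknown software running in a controlled, monitored state until it is classified), which is also the "block everything until it is verified to be good" posture of the Buckshot Yankee post above, as an added illustration in Python. This is example code written for this page, not Bit9's product or any real agent; the class and function names are hypothetical, and the sample "executables" are constructed byte strings.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    APPROVED = "approved"    # on the inventory of permitted software
    BANNED = "banned"        # hash explicitly banned
    MONITORED = "monitored"  # unknown: may run under monitoring until classified


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


@dataclass
class WhitelistPolicy:
    approved: set = field(default_factory=set)
    banned: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # unknown hash -> first file name seen

    def evaluate(self, name: str, content: bytes) -> Verdict:
        """Decide by content hash, never by file name, so renaming a binary changes nothing."""
        digest = sha256_hex(content)
        if digest in self.banned:  # a ban always wins over an approval
            return Verdict.BANNED
        if digest in self.approved:
            return Verdict.APPROVED
        self.pending.setdefault(digest, name)  # queue the unknown for review
        return Verdict.MONITORED

    def classify(self, digest: str, good: bool) -> None:
        """Move a monitored hash onto the approved or banned list once reviewed."""
        self.pending.pop(digest, None)
        (self.approved if good else self.banned).add(digest)


def demo() -> list:
    # Constructed sample "executables": byte strings standing in for real binaries.
    office = b"MZ office-suite-1.0"
    worm = b"MZ autorun-worm"
    new_tool = b"MZ unknown-tool"
    policy = WhitelistPolicy(approved={sha256_hex(office)}, banned={sha256_hex(worm)})
    verdicts = [
        policy.evaluate("office.exe", office).value,
        policy.evaluate("office.exe", worm).value,    # approved name, banned content: banned
        policy.evaluate("tool.exe", new_tool).value,  # never seen: runs monitored
    ]
    policy.classify(sha256_hex(new_tool), good=False)  # review decides it is unwanted
    verdicts.append(policy.evaluate("tool_v2.exe", new_tool).value)
    return verdicts
```

The `pending` dictionary is the review queue that turns "run in a controlled manner" into an eventual allow or ban; in a real deployment that classification step is where the false-positive burden moves from the endpoint to the IT staff.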

 

A well-managed application environment is also less expensive to operate, saving valuable taxpayer dollars when it matters most.  According to a recent Gartner study, "A locked and well-managed desktop PC can be 42 percent less expensive to maintain than an unmanaged one." 

 

We're seeing a fundamental shift in the way government operates, and this requires a more sophisticated, better armed approach to IT security. 
