
In an interview with NPR's Steve Inskeep that is airing Friday on Morning Edition, Obama said, "I think there is no doubt that when any foreign government tries to impact the integrity of our elections ... we need to take action. And we will — at a time and place of our own choosing. Some of it may be explicit and publicized; some of it may not be." - Source

What will cyber-security professionals, working in the civilian world, see as a result of increased tension between these two major powers?

Are there any actions that a reasonable practitioner should take now in order to prepare for a foreseeable cyber conflict? How do those actions differ from what should be done in the absence of this conflict?

Anders
J Kimball

3 Answers

2

any actions that a reasonable practitioner should take now

Generally speaking, you should secure the systems you are responsible for so that they cannot be hacked (but DoS would still be possible).

How do those actions differ from what should be done in the absence of this conflict?

If you were in a government position, or had government client (military, etc.), your services may be used more frequently.

But, generally speaking, systems are either secure, or they are insecure. So if you are successful at securing your systems then there's not much else to do.

Some security angles may not be receiving sufficient attention. For example, an employee may bring in a foreign flash drive that installs a virus on his/her Windows machine. You should have solutions to prevent such attack vectors from being successful.

But just understand, it is possible to 100% secure a system (except from DoS).

Personally, I see successful & significant attacks as showing two issues:

  1. The attacker is doing an unlawful act and should be prosecuted.
  2. The developer provided weak software.

    (security is by design, not an afterthought or patch)

A couple other thoughts:

  • Counter-attacks (as in traditional warfare) do not solve the problem.

  • Stopping the attacks from being attempted is not nearly as practical as securing the system in the first place.

  • Security is not a matter of 'strength', as it is about 'mistakes'. In traditional warfare you need a gun that is stronger than the armor. However, in cyberwarfare (again, referring to theft and hacks, not DoS), strength does not matter. It's just a matter of whether the attacker can find a hole.

Note: This answer does not address human factors (trickery, phishing, etc.). That's a lot more detailed than I want to get into right now.

DoS can be explained in a separate question since it is handled differently from software secure design.

700 Software
  • Nice answer. However, it does not consider zero day attacks, which are likely to be a major part of a cyber war. – paj28 Dec 16 '16 at 17:11
  • Thanks for the compliment. Regarding zero-day, I would initially say that well-designed software should not have vulnerabilities (not even zero-day). At least that's the way it works in theory. Software that is likely to have such vulnerabilities (Windows, or any highly complex system) should not be directly exposed (minimize attack surface). However, this only goes so far. – 700 Software Dec 16 '16 at 17:20
  • In this quote, substitute *"deficiencies"* for *"vulnerabilities"* and it still holds true: *“There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult.”* ― C.A.R. Hoare. – 700 Software Dec 16 '16 at 17:20
  • I'd be interested in seeing a more 'practical' answer. I have a tendency to think of IT Security in absolutes. My primary profession is actually as a developer, not as a security consultant. – 700 Software Dec 16 '16 at 17:26
  • IT Security is certainly not absolute. With time new technologies appear and new attack vectors become possible. Today AES is considered by most experts strong enough to not be possible to bruteforce and has no known vulnerabilities; maybe in a few years a flaw in its design is discovered or computing power grows enough to bruteforce it, making it insecure and therefore, every system that uses it – Mr. E Dec 16 '16 at 22:17
  • @Mr.E, Yes there is an above-zero possibility, but looks like nothing practical for that example attack vector, given AES has had 18 years to be vetted already. – 700 Software Dec 19 '16 at 14:32
0

Warning: this answer is speculation

I believe a cyber war would have two distinctive features:

  • Widespread use of zero day exploits
  • Activation of back doors that were embedded years ago

A typical home or business IT environment is completely helpless against these attacks. While we could do a lot more to defend such systems, I can't see this happening in a timescale that would help once a cyber war has started. A typical cyber security professional would be able to do very little that had any effect on state-sponsored cyber attacks. In fact, we do sometimes see these attacks already: advanced persistent threats (APTs).

Some government systems (and a few commercial) can credibly resist such attacks, mostly by using air-gapped networks. Most of the military/intelligence effort in a cyber war would be launching attacks and defending these critical networks.

In a Western country, a lot of the critical national infrastructure (banks, utilities, communications, etc.) is in private hands. Most have programs, such as the CPNI in the UK, where the intelligence agencies keep an eye on the security of these systems. In the case of a cyber war, I expect the cyber military would want to install a number of "black boxes" on their networks. These would probably function somewhat like an IPS, but would be remotely managed by the military/intelligence agencies. Again, your typical cyber security professional would have very little to do with them.

paj28
0

How to prepare? First, if you don't have one already, establish a security policy for your organization. This is a big undertaking that covers a lot of ground - you'll need to consult with a security expert, or at least a book. If you already have a policy, this would be a good time to review it, update it, and get your organization's head to approve it.

Look at your defense in depth - are you trusting a DLink router to keep your entire small business safe? Do you have an Intrusion Detection System, like snort, and are the rules up to date? Have you reviewed the security on each of your systems? Does the receptionist really need to have an administrator account on his or her PC? Are the PCs up to a current patch level? Do they have anti-virus software? Are they automatically updating? Make sure that the day-to-day mechanisms of security are working.

Look at your Incident Response Plans. Planning to be attacked may not seem to make much sense because every attack is different, but at least you'll have thought about who you would contact for assistance, how you would recover from damage, and how you would restore functionality.

Go through your Disaster Recovery plans. Ensure that if you plan to restore from a backup that you're actually making backups. Test the backups. Regular backups are the only defense against the increasing threat of ransomware. Update your emergency contact info for everyone involved.

Do you have a relationship with local or federal Law Enforcement? It may be a good time to check in with them, or at least introduce yourself. Ask who and how to contact them in case of an attack, and update your response procedures.

Check with your vendors and suppliers. Are they prepared for attacks? Will they continue to serve you if you or they are attacked, or will they drop you due to a lack of resources? How will you contact or use them in an emergency?

Do you have security audits done? Nobody likes them, but this might be a good time to run one. External opinions are valuable, because they aren't blinded by all the shiny good work you've done. Also, consider hiring a security team to penetration test your organization.

John Deters
  • While these are all good precautions to take, this is more day-to-day security rather than cyber war defences. – paj28 Dec 16 '16 at 20:00