What Businesses Can Learn From the CIA Data Breach

Just because threats like malicious insiders, zero-days, and IoT vulnerabilities are well-understood doesn't mean organizations have a handle on them.

Like other major data breaches, the one that allegedly exposed the CIA's entire arsenal of malware tools has raised familiar concerns about vulnerability stockpiling, insider threats, and the importance of a robust breach detection and response capability.

The fact that many of these concerns are familiar and well-understood has only served to highlight the continuing challenges that organizations across the board still face.

Here are the four most important takeaways from the CIA leaks:

Insiders Are Hard to Catch

The sheer scope of the data theft from a supposedly super-secure network deep inside the CIA's Center for Cyber Intelligence facility has prompted speculation that the heist was pulled off by a Snowden-like insider, or at least abetted by one.

It hammered home once again how difficult it is, even for a technologically sophisticated organization like the CIA, to police the actions of insiders with privileged and legitimate access to enterprise systems and data.

The primary issue for organizations is that the insider threat represents a multi-competency problem, says Jeff Pollard, an analyst with Forrester Research. It is a multi-stakeholder issue that affects everyone from IT, security teams and app developers to business unit leaders, human resources and general counsel, he says.

"An [organization] has to know what their sensitive data is, who has access, how data is used and stored and how data flows through their own environment and partner environments," Pollard says. In addition, they also must understand how data is used normally, so that they can begin to identify anomalies. "It's a tremendously complicated endeavor to pull data from all those systems together, define a baseline, and then begin policing usage," he says.

Insider breaches highlight the constant struggle within enterprises to choose between what is most secure and what is most productive, adds Tim Condello, technical account manager for RedOwl, a vendor of an insider threat platform.

Based on the fact that most of the leaked information involved mobile and hardware exploits, chances are that whoever stole the data worked for the group that collaboratively supported this effort or had access to systems used by the group, Condello says.

"Looking at the information available on the CIA data leak, it is apparent that either there were no proactive measures in place or the ones that existed could be circumvented," he says. "The lessons that can be learned from this are to have a layered approach to controlling access and movement of data in their environment while also monitoring employee behavior."
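The baselining approach Pollard describes and the behavior monitoring Condello recommends can be sketched in a few dozen lines. The following is an added example, not code from the article or from any vendor it quotes: it builds a per-user profile (typical transfer volume, working hours, resources touched) from a constructed window of access-log lines, then scores new lines against that profile. The log format, the user names, the resource names and the three-sigma threshold are all assumptions chosen for the illustration.

```python
"""Per-user data-access baseline and anomaly scoring over constructed log lines."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample data (not real logs). Format: user,date,hour,resource,bytes
BASELINE_LOG = """\
alice,2017-03-01,10,hr-share,120000
alice,2017-03-02,11,hr-share,98000
alice,2017-03-03,09,hr-share,110000
alice,2017-03-06,14,hr-share,130000
alice,2017-03-07,10,hr-share,105000
bob,2017-03-01,09,dev-repo,500000
bob,2017-03-02,16,dev-repo,450000
bob,2017-03-03,10,dev-repo,520000
bob,2017-03-06,11,dev-repo,480000
bob,2017-03-07,15,build-srv,510000
"""

# Constructed events to score against the baseline above.
NEW_LOG = """\
alice,2017-03-08,10,hr-share,115000
bob,2017-03-08,02,dev-repo,9000000
bob,2017-03-09,11,hr-share,20000
"""


@dataclass(frozen=True)
class Profile:
    mean_bytes: float       # average bytes per access event
    std_bytes: float        # population standard deviation of bytes per event
    resources: frozenset    # resources this user normally touches
    first_hour: int         # earliest hour of day seen in the baseline
    last_hour: int          # latest hour of day seen in the baseline


def parse(log: str):
    """Turn the constructed CSV-style lines into (user, date, hour, resource, bytes) tuples."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        user, day, hour, resource, nbytes = line.split(",")
        rows.append((user, day, int(hour), resource, int(nbytes)))
    return rows


def build_baseline(rows):
    """Summarize normal behavior for each user seen in the baseline window."""
    by_user = defaultdict(list)
    for row in rows:
        by_user[row[0]].append(row)
    profiles = {}
    for user, events in by_user.items():
        sizes = [e[4] for e in events]
        hours = [e[2] for e in events]
        profiles[user] = Profile(
            mean_bytes=mean(sizes),
            std_bytes=pstdev(sizes),   # 0.0 with a single event; see note in score()
            resources=frozenset(e[3] for e in events),
            first_hour=min(hours),
            last_hour=max(hours),
        )
    return profiles


def score(rows, profiles, k: float = 3.0):
    """Return (user, date, reasons) for each event that deviates from the user's profile.

    Reasons: 'unknown-user' (no baseline at all), 'volume' (bytes above
    mean + k*std; with a one-event baseline std is 0 and any increase fires,
    so in practice require a minimum number of baseline events),
    'off-hours' (outside the hours seen in the baseline) and
    'new-resource' (a resource the user never touched in the baseline).
    """
    alerts = []
    for user, day, hour, resource, nbytes in rows:
        profile = profiles.get(user)
        if profile is None:
            alerts.append((user, day, ("unknown-user",)))
            continue
        reasons = []
        if nbytes > profile.mean_bytes + k * profile.std_bytes:
            reasons.append("volume")
        if hour < profile.first_hour or hour > profile.last_hour:
            reasons.append("off-hours")
        if resource not in profile.resources:
            reasons.append("new-resource")
        if reasons:
            alerts.append((user, day, tuple(reasons)))
    return alerts


def run_example():
    """Build the baseline from BASELINE_LOG and score NEW_LOG against it."""
    return score(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for user, day, reasons in run_example():
        print(f"{day} {user}: {', '.join(reasons)}")
```

With the constructed data, alice's event is within her profile and produces nothing, while bob's 9 MB pull at 02:00 fires both the volume and off-hours rules and his later touch of hr-share fires the new-resource rule. The point of the structure is that the rules are evaluated against each user's own history rather than a global threshold, which is what turns raw access logs into the "anomalies" Pollard refers to; a real deployment would use far longer windows, per-resource sensitivity labels and a minimum baseline size before trusting the statistics.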

Don't Get Too Fixated on the Zero-Days

As with the Shadow Brokers leak of NSA data last year, many of the CIA exploits that were leaked on WikiLeaks this month involved previously unknown zero-day flaws in technology products from major IT companies.

Zero-day flaws have the potential to cause big problems if attackers find a way to exploit them before a patch becomes available. Security researchers often urge organizations to prioritize patching of such vulnerabilities.

But instead of getting fixated on them, focus on the ones you do know about, says Ilia Kolochenko, CEO of Web security firm High-Tech Bridge.

Gartner predicts that through 2020, 99% of the vulnerabilities exploited will continue to be known security vulnerabilities for which patches have already been available for at least a year, Kolochenko points out.

"A 0-day is a sort of cherry on the cake, for very important targets that cannot be hacked by other means," he says. "Otherwise, why spend on it, if a public exploit can bring the same results?"

What breaches such as the CIA's really highlight is the need for organizations to do a comprehensive and continuous inventory of all digital assets. Rather than worry about the potential for a zero-day exploit to be used against them, organizations are better off ensuring their assets are protected against the known ones. "By keeping all our devices and software up to date, we can avoid 99% of problems," Kolochenko says.

Pay Attention to Those IoT Devices

Among the many CIA exploits that were leaked was one named Weeping Angel, which essentially turns a Samsung smart TV into a silent audio-recording device capable of listening in to conversations even after the device had supposedly been switched off. The exploit garnered attention not because it was particularly sophisticated, but because it demonstrated how trivially easy it is to hack many of the so-called smart "things" that are being connected to the Internet these days.

For enterprises, the exploit should serve as a warning of the potential for attackers to increasingly target vulnerabilities in industrial and commercial IoT products in order to then gain entry into the enterprise. Many IoT vulnerabilities stem from Web and Web-based interfaces that are riddled with issues like remote code execution bugs and hardcoded passwords, Kolochenko says.

The goal should be to secure the IoT environment as much as possible to prevent it from being a launching pad into the enterprise - or the source of data leaks and disruptions.

"Because an attacker has to get inside the network to accomplish any other goal including surveillance, IoT as an entry point is the place to start," Pollard says. Obviously, not every firm has to worry about being snooped on via a rogue TV, he says, but some do.

"That's why having a risk assessment that incorporates geopolitical threats or concerns is important," Pollard says. Also important are practices like threat modeling, based on how the organization makes money, the geographies in which it operates, its sensitive intellectual property, and even potential clients that may make the organization a target.

Vulnerability Stockpiles Merit Another Look

The CIA's stockpile of malware tools, including several that take advantage of undisclosed flaws in widely used technology products, once again stirred debate over responsible vulnerability disclosure by US intelligence agencies.

Some have argued that agencies like the CIA and NSA, whose mission it is to develop offensive cyber-capabilities, have a responsibility to disclose 0-day flaws to vendors so that the vulnerabilities get patched before adversaries use them against US targets.

In a report released after the CIA leaks, the RAND Corporation provided some perspective on this hot topic. RAND's study of more than 200 zero-day flaws showed that the benefits of disclosing such flaws were not always as great as assumed. The report argues that most zero-days tend to remain hidden for years and that the chances of two people finding the same flaw are remote. So, sometimes it actually makes sense for agencies like the CIA to stockpile vulnerabilities.

But Daniel Castro, vice president at the Information Technology and Innovation Foundation, argues that such reasoning is dangerous. "Without comparing the actual stockpiled zero-day exploits of countries like China and Russia we do not know how much overlap exists here," he says.

So the best approach is to disclose and patch zero-days as they are found. "Practically speaking, responsible disclosure is the only way to keep Americans secure," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
