What Businesses Can Learn From the CIA Data BreachJust because threats like malicious insiders, zero-days, and IoT vulnerabilities are well-understood doesn't mean organizations have a handle on them.
Like other major data breaches, the one that allegedly exposed the CIA's entire arsenal of malware tools has raised familiar concerns about vulnerability stockpiling, insider threats, and the importance of a robust breach detection and response capability.
The fact that many of these concerns are familiar and well-understood has only served to highlight the continuing challenges that organizations across the board still face.
Here are the four most important takeaways from the CIA leaks:
Insiders Are Hard to Catch
The sheer scope of the data theft from a supposedly super-secure network deep inside the CIA's Center for Cyber Intelligence facility has prompted speculation that the heist was pulled off by a Snowden-like insider, or at least abetted by one.
It hammered home once again how difficult it is, even for a technologically sophisticated organization like the CIA, to police the actions of insiders with privileged and legitimate access to enterprise systems and data.
The primary issue for organizations is that the insider threat represents a multi-competency problem, says Jeff Pollard, an analyst with Forrester Research. It is a multi-stakeholder issue that affects everyone from IT, security teams and app developers to business unit leaders, human resources and general counsel, he says.
"An [organization] has to know what their sensitive data is, who has access, how data is used and stored and how data flows through their own environment and partner environments," Pollard says. In addition, there also must understand how data is used normally, so that they can begin to identify anomalies. "It's a tremendously complicated endeavor to pull data from all those systems together, define a baseline, and then begin policing usage," he says.
Insider breaches highlight the constant struggle within enterprises to choose between what is most secure and what is most productive, adds Tim Condello, technical account manager for RedOwl, a vendor of an insider threat platform.
Based on the fact that most of the leaked information involved mobile and hardware exploits, chances are that whoever stole the data worked for the group that collaboratively supported this effort or had access to systems used by the group, Condello says.
"Looking at the information available on the CIA data leak, it is apparent that either there were no proactive measures in place or the ones that existed could be circumvented," he says. "The lessons that can be learned from this are to have a layered approach to controlling access and movement of data in their environment while also monitoring employee behavior."
Don't Get Too Fixated on the Zero-Days
As with the Shadow Brokers leak of NSA data last year, many of the CIA exploits that were leaked on WikiLeaks this month involved previously unknown zero-day flaws in technology products from major IT companies.
Zero-day flaws have the potential to cause big problems if attackers find a way to exploit them before a patch becomes available. Security researchers often urge organizations to prioritize patching of such vulnerabilities.
But instead of getting fixated on them, focus on the ones you do know about, says Ilia Kolochenko, CEO of Web security firm High-Tech Bridge.
Gartner predicts that 99% of all vulnerabilities exploited through 2020 will continue to be known security vulnerabilities for which patches are already available, for at least a year, Kolochenko points out.
"A 0-day is a sort of cherry on the cake, for very important targets that cannot be hacked by other means," he says. "Otherwise, why spend on it, if a public exploit can bring the same results?"
What breaches such the CIA's really highlight is the need for organizations to do a comprehensive and continuous inventory of all digital assets. Rather than worry about the potential for a zero-day exploit to be used against them, organizations are better off ensuring their assets are protected against the known ones. "By keeping all our devices and software up to date, we can avoid 99% of problems," Kolochenko says.
Pay Attention to Those IoT Devices
Among the many CIA exploits that were leaked was one named Weeping Angel, which essentially turns a Samsung smart TV into a silent audio-recording device capable of listening in to conversations even after the device had supposedly been switched off. The exploit garnered attention not because it was particularly sophisticated, but because it demonstrated how trivially easy it is to hack many of the so-called smart "things" that are being connected to the Internet these days.
For enterprises, the exploit should serve as a warning of the potential for attackers to increasingly target vulnerabilities in industrial and commercial IoT products in order to then gain entry into the enterprise. Many IoT vulnerabilities stem from Web and Web-based interfaces that are riddled with issues like remote code execution bugs and hardcoded passwords, Kolochenko says.
The goal should be to try and secure the IoT environment as much as possible to prevent it from being a launching pad into the enterprise - or the source of data leaks and disruptions.
"Because an attacker has to get inside the network to accomplish any other goal including surveillance, IoT as an entry point is the place to start," Pollard says. Obviously, not every firm has to worry about being snooped on via a rogue TV, he says, but some do.
"That's why having a risk assessment that incorporates geopolitical threats or concerns is important," Pollard says. Also important are practices like threat modeling: based on how the organization makes money, geographies in which it operates, sensitive intellectual property, and even potential clients that may make the organization a target.
Vulnerability Stockpiles Merit Another Look
The CIA's stockpile of malware tools including several that take advantage of undisclosed flaws in widely used technology products once again stirred debate over responsible vulnerability disclosure by US intelligence agencies.
Some have argued that agencies like the CIA and NSA whose mission it is to develop offensive cyber-capabilities have a responsibility to disclose 0-day flaws to vendors so that the vulnerabilities get patched before adversaries use it against them.
In a report released after the CIA leaks, the RAND Corporation provided some perspective on this hot topic. RAND's study of more than 200 zero-day flaws showed that the benefits of disclosing such flaws were not always as great as assumed. The report argues that most zero-days tend to remain hidden for years and the chances of two people finding same flaw are remote. So, sometimes it actually makes sense for agencies like the CIA to stockpile vulnerabilities.
But Daniel Castro, vice president at the Information Technology and Innovation Foundation, argues that such reasoning is dangerous. "Without comparing the actual stockpiled zero-day exploits of countries like China and Russia we do not know how much overlap exists here," he says.
So the best approach is to disclose and patch zero-days as they are found. "Practically speaking, responsible disclosure is the only way to keep Americans secure," he says.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio