
Attacks/Breaches

3/16/2017
10:10 AM

What Businesses Can Learn From the CIA Data Breach

Just because threats like malicious insiders, zero-days, and IoT vulnerabilities are well-understood doesn't mean organizations have a handle on them.

Like other major data breaches, the one that allegedly exposed the CIA's entire arsenal of malware tools has raised familiar concerns about vulnerability stockpiling, insider threats, and the importance of a robust breach detection and response capability.

The fact that many of these concerns are familiar and well-understood has only served to highlight the continuing challenges that organizations across the board still face.

Here are the four most important takeaways from the CIA leaks:

Insiders Are Hard to Catch

The sheer scope of the data theft from a supposedly super-secure network deep inside the CIA's Center for Cyber Intelligence facility has prompted speculation that the heist was pulled off by a Snowden-like insider, or at least abetted by one.  

It hammered home once again how difficult it is, even for a technologically sophisticated organization like the CIA, to police the actions of insiders with privileged and legitimate access to enterprise systems and data.

The primary issue for organizations is that the insider threat represents a multi-competency problem, says Jeff Pollard, an analyst with Forrester Research. It is a multi-stakeholder issue that affects everyone from IT, security teams and app developers to business unit leaders, human resources and general counsel, he says.

"An [organization] has to know what their sensitive data is, who has access, how data is used and stored and how data flows through their own environment and partner environments," Pollard says. In addition, they also must understand how data is used normally, so that they can begin to identify anomalies. "It's a tremendously complicated endeavor to pull data from all those systems together, define a baseline, and then begin policing usage," he says.

Insider breaches highlight the constant struggle within enterprises to choose between what is most secure and what is most productive, adds Tim Condello, technical account manager for RedOwl, a vendor of an insider threat platform.

Based on the fact that most of the leaked information involved mobile and hardware exploits, chances are that whoever stole the data worked for the group that collaboratively supported this effort or had access to systems used by the group, Condello says.

"Looking at the information available on the CIA data leak, it is apparent that either there were no proactive measures in place or the ones that existed could be circumvented," he says. "The lessons that can be learned from this are to have a layered approach to controlling access and movement of data in their environment while also monitoring employee behavior."
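The baseline-then-police approach Pollard and Condello describe, as an added example for this article (not code from the CIA, Forrester, RedOwl or any product they mention). The log format ("<day> <user> <action> <object> <bytes>"), the users and byte counts, the z-score threshold and the standard-deviation floor are all constructed assumptions; the point is the structure: learn each user's normal daily volume and the data areas they touch, then flag days that deviate, and treat a user with no history as a finding rather than scoring them against nothing.

```python
"""Baseline normal data access per user, then flag the days that deviate.

Added example for this article, not code from the CIA, Forrester, RedOwl or
any product. The log format ("<day> <user> <action> <object> <bytes>"), the
users and values, the z-score threshold and the stdev floor are all
constructed assumptions for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample access log. Baseline days are 2017-03-01..05; the
# evaluation window starts 2017-03-06 and includes one user (carol) with no
# history at all, a case a real detector has to handle explicitly.
SAMPLE_LOG = """\
2017-03-01 alice read /repo/mobile/ios 120000
2017-03-02 alice read /repo/mobile/ios 98000
2017-03-03 alice read /repo/mobile/android 110000
2017-03-04 alice read /repo/mobile/ios 130000
2017-03-05 alice read /repo/mobile/android 105000
2017-03-06 alice read /repo/mobile/ios 115000
2017-03-01 bob read /repo/hardware/tv 50000
2017-03-02 bob read /repo/hardware/tv 60000
2017-03-03 bob read /repo/hardware/tv 55000
2017-03-04 bob read /repo/hardware/tv 52000
2017-03-06 bob read /repo/hardware/tv 58000
2017-03-07 bob read /repo/mobile/ios 9000000
2017-03-07 carol read /repo/hardware/tv 1000
"""


def parse_log(text):
    """Split each non-empty line into an event dict; bytes become ints."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, action, obj, nbytes = line.split()
        events.append({"day": day, "user": user, "action": action,
                       "obj": obj, "bytes": int(nbytes)})
    return events


def area_of(path):
    """Top-level data area of an object path: '/repo/mobile/ios' -> 'mobile'."""
    parts = path.strip("/").split("/")
    return parts[1] if len(parts) > 1 else parts[0]


def build_baseline(events, cutoff):
    """Per-user mean/stdev of daily bytes and the set of areas touched,
    computed only from events dated strictly before `cutoff` (ISO date)."""
    daily = defaultdict(lambda: defaultdict(int))   # user -> day -> bytes
    areas = defaultdict(set)                        # user -> {area, ...}
    for e in events:
        if e["day"] >= cutoff:
            continue
        daily[e["user"]][e["day"]] += e["bytes"]
        areas[e["user"]].add(area_of(e["obj"]))
    return {user: {"mean": mean(list(per_day.values())),
                   "stdev": pstdev(list(per_day.values())),
                   "areas": areas[user]}
            for user, per_day in daily.items()}


def detect_anomalies(events, cutoff, z_threshold=3.0, min_stdev=1000.0):
    """Score each user-day on/after `cutoff` against that user's baseline.

    A day is flagged when its byte volume is >= z_threshold standard
    deviations above the user's mean, or when the user touches a data area
    absent from their history. Users with no baseline are flagged outright.
    `min_stdev` floors the deviation so a user with a flat (or one-day)
    history does not produce an infinite z-score.
    """
    baseline = build_baseline(events, cutoff)
    daily = defaultdict(lambda: defaultdict(int))
    new_areas = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["day"] < cutoff:
            continue
        user = e["user"]
        daily[user][e["day"]] += e["bytes"]
        area = area_of(e["obj"])
        if user in baseline and area not in baseline[user]["areas"]:
            new_areas[user][e["day"]].add(area)

    findings = []
    for user, per_day in daily.items():
        for day, total in sorted(per_day.items()):
            reasons = []
            if user not in baseline:
                reasons.append("no baseline for user")
            else:
                b = baseline[user]
                z = (total - b["mean"]) / max(b["stdev"], min_stdev)
                if z >= z_threshold:
                    reasons.append(f"volume z={z:.1f} (mean {b['mean']:.0f})")
                if new_areas[user][day]:
                    reasons.append("new areas: " + ",".join(sorted(new_areas[user][day])))
            if reasons:
                findings.append({"user": user, "day": day,
                                 "bytes": total, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(parse_log(SAMPLE_LOG), cutoff="2017-03-06"):
        print(f"{f['day']} {f['user']:<6} {f['bytes']:>9} bytes  {'; '.join(f['reasons'])}")
```

On the constructed log this flags bob on 2017-03-07 for both reasons at once (a volume far above his baseline and a first-ever read of the mobile area) and carol because she has no history to compare against; alice's and bob's ordinary days pass. In a real deployment the baseline window would be weeks rather than five days, the "areas" would come from a data classification rather than a path prefix, and the findings would feed a review queue that HR and legal are part of, which is the multi-stakeholder point Pollard makes above.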

Don't Get Too Fixated on the Zero-Days

As with the Shadow Brokers leak of NSA data last year, many of the CIA exploits that were leaked on WikiLeaks this month involved previously unknown zero-day flaws in technology products from major IT companies.

Zero-day flaws have the potential to cause big problems if attackers find a way to exploit them before a patch becomes available. Security researchers often urge organizations to prioritize patching of such vulnerabilities.

But instead of getting fixated on them, focus on the ones you do know about, says Ilia Kolochenko, CEO of Web security firm High-Tech Bridge.

Gartner predicts that, through 2020, 99% of the vulnerabilities exploited will continue to be ones that security and IT professionals have known about, with patches available, for at least a year, Kolochenko points out.

"A 0-day is a sort of cherry on the cake, for very important targets that cannot be hacked by other means," he says. "Otherwise, why spend on it, if a public exploit can bring the same results?"

What breaches such as the CIA's really highlight is the need for organizations to do a comprehensive and continuous inventory of all digital assets. Rather than worry about the potential for a zero-day exploit to be used against them, organizations are better off ensuring their assets are protected against the known ones. "By keeping all our devices and software up to date, we can avoid 99% of problems," Kolochenko says.
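What "inventory, then prioritize the known flaws" looks like in practice, as an added example for this article (not the tooling of High-Tech Bridge, Gartner or any vendor quoted here). The asset inventory, the advisory list and its EX-... identifiers, the severity weights, the doubling for internet-exposed hosts and the 365-day "stale" cutoff are all constructed assumptions; real advisories would come from vendor or NVD feeds. The inventory deliberately includes a lobby smart TV alongside the servers, since an IoT device that is not in the inventory never gets patched.

```python
"""Match an asset inventory against known, already-patched flaws and rank
by how long the fix has been available.

Added example for this article, not the tooling of any vendor quoted in it.
The inventory, the advisory list and its identifiers (EX-...), the severity
weights, the exposure multiplier and the 365-day 'stale' cutoff are all
constructed assumptions; real advisories would come from vendor feeds.
"""
from datetime import date

TODAY = date(2017, 3, 16)  # assumption: the article's publication date

# Constructed inventory: one entry per installed product instance. The lobby
# TV is included on purpose: IoT devices belong in the same inventory as
# servers if they are to be patched and prioritised at all.
INVENTORY = [
    {"host": "web-01",   "product": "examplehttpd", "version": "2.4.1", "internet_exposed": True},
    {"host": "db-01",    "product": "exampledb",    "version": "9.5.0", "internet_exposed": False},
    {"host": "tv-lobby", "product": "smarttv-fw",   "version": "1.0.3", "internet_exposed": False},
    {"host": "build-02", "product": "examplehttpd", "version": "2.4.9", "internet_exposed": False},
]

# Constructed advisories: versions below `fixed_in` are affected; `patched`
# is the date the vendor shipped the fix.
ADVISORIES = [
    {"id": "EX-2015-001", "product": "examplehttpd", "fixed_in": "2.4.5", "patched": date(2015, 6, 1),   "severity": "high"},
    {"id": "EX-2016-007", "product": "exampledb",    "fixed_in": "9.5.2", "patched": date(2016, 11, 15), "severity": "critical"},
    {"id": "EX-2017-003", "product": "smarttv-fw",   "fixed_in": "1.1.0", "patched": date(2017, 3, 1),   "severity": "high"},
]

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}  # assumption
STALE_AFTER_DAYS = 365  # assumption: fix available for a year or more


def parse_version(v):
    """'2.4.10' -> (2, 4, 10) so tuple comparison orders versions correctly
    (plain string comparison would put '2.4.10' before '2.4.9')."""
    return tuple(int(p) for p in v.split("."))


def is_affected(installed, fixed_in):
    """True when the installed version predates the fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def prioritize(inventory, advisories, today):
    """Return affected (asset, advisory) pairs, highest exposure first.

    score = severity weight * (1 + patch_age_years) * (2 if internet-exposed)
    The age term is the point of the exercise: a fix that has sat unapplied
    for years outranks a newer flaw of equal severity.
    """
    findings = []
    for asset in inventory:
        for adv in advisories:
            if adv["product"] != asset["product"]:
                continue
            if not is_affected(asset["version"], adv["fixed_in"]):
                continue
            age_days = (today - adv["patched"]).days
            score = SEVERITY_WEIGHT[adv["severity"]] * (1 + age_days / 365)
            if asset["internet_exposed"]:
                score *= 2
            findings.append({"host": asset["host"], "advisory": adv["id"],
                             "installed": asset["version"], "fixed_in": adv["fixed_in"],
                             "patch_age_days": age_days,
                             "stale": age_days >= STALE_AFTER_DAYS,
                             "score": round(score, 2)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in prioritize(INVENTORY, ADVISORIES, TODAY):
        flag = "STALE " if f["stale"] else "      "
        print(f"{f['score']:6.2f} {flag}{f['host']:<9} {f['advisory']} "
              f"{f['installed']} -> {f['fixed_in']} ({f['patch_age_days']}d)")
```

On the constructed data the internet-facing web server with a fix that has been available since mid-2015 ranks first and is the only item marked stale, ahead of the internal database with a more severe but much newer flaw; the two-week-old smart-TV fix comes last, and the build host on a fixed version is not listed at all. The ranking is only as good as the inventory feeding it, which is why Kolochenko ties the two together.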

Pay Attention to Those IoT Devices

Among the many CIA exploits that were leaked was one named Weeping Angel, which essentially turns a Samsung smart TV into a silent audio-recording device capable of listening in to conversations even after the device had supposedly been switched off. The exploit garnered attention not because it was particularly sophisticated, but because it demonstrated how trivially easy it is to hack many of the so-called smart "things" that are being connected to the Internet these days.

For enterprises, the exploit should serve as a warning of the potential for attackers to increasingly target vulnerabilities in industrial and commercial IoT products in order to then gain entry into the enterprise. Many IoT vulnerabilities stem from Web and Web-based interfaces that are riddled with issues like remote code execution bugs and hardcoded passwords, Kolochenko says.

The goal should be to try and secure the IoT environment as much as possible to prevent it from being a launching pad into the enterprise - or the source of data leaks and disruptions.

"Because an attacker has to get inside the network to accomplish any other goal including surveillance, IoT as an entry point is the place to start," Pollard says. Obviously, not every firm has to worry about being snooped on via a rogue TV, he says, but some do.

"That's why having a risk assessment that incorporates geopolitical threats or concerns is important," Pollard says. Also important is threat modeling based on how the organization makes money, the geographies in which it operates, its sensitive intellectual property, and even potential clients that may make the organization a target.

Vulnerability Stockpiles Merit Another Look

The CIA's stockpile of malware tools, including several that take advantage of undisclosed flaws in widely used technology products, once again stirred debate over responsible vulnerability disclosure by US intelligence agencies.

Some have argued that agencies like the CIA and NSA, whose mission it is to develop offensive cyber capabilities, have a responsibility to disclose 0-day flaws to vendors so that the vulnerabilities get patched before adversaries use them.

In a report released after the CIA leaks, the RAND Corporation provided some perspective on this hot topic. RAND's study of more than 200 zero-day flaws showed that the benefits of disclosing such flaws were not always as great as assumed. The report argues that most zero-days tend to remain hidden for years and that the chances of two parties independently finding the same flaw are remote. So, the report concludes, it sometimes makes sense for agencies like the CIA to stockpile vulnerabilities.

But Daniel Castro, vice president at the Information Technology and Innovation Foundation, argues that such reasoning is dangerous. "Without comparing the actual stockpiled zero-day exploits of countries like China and Russia we do not know how much overlap exists here," he says.

So the best approach is to disclose and patch zero-days as they are found. "Practically speaking, responsible disclosure is the only way to keep Americans secure," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
