Dark Reading is part of the Informa Tech Division of Informa PLC

What Businesses Can Learn From the CIA Data Breach

Just because threats like malicious insiders, zero-days, and IoT vulnerabilities are well-understood doesn't mean organizations have a handle on them.

Like other major data breaches, the one that allegedly exposed the CIA's entire arsenal of malware tools has raised familiar concerns about vulnerability stockpiling, insider threats, and the importance of a robust breach detection and response capability.

The fact that many of these concerns are familiar and well-understood has only served to highlight the continuing challenges that organizations across the board still face.

Here are the four most important takeaways from the CIA leaks:

Insiders Are Hard to Catch

The sheer scope of the data theft from a supposedly super-secure network deep inside the CIA's Center for Cyber Intelligence facility has prompted speculation that the heist was pulled off by a Snowden-like insider, or at least abetted by one.  

It hammered home once again how difficult it is, even for a technologically sophisticated organization like the CIA, to police the actions of insiders with privileged and legitimate access to enterprise systems and data.

The primary issue for organizations is that the insider threat represents a multi-competency problem, says Jeff Pollard, an analyst with Forrester Research. It is a multi-stakeholder issue that affects everyone from IT, security teams and app developers to business unit leaders, human resources and general counsel, he says.

"An [organization] has to know what their sensitive data is, who has access, how data is used and stored and how data flows through their own environment and partner environments," Pollard says. In addition, they also must understand how data is used normally, so that they can begin to identify anomalies. "It's a tremendously complicated endeavor to pull data from all those systems together, define a baseline, and then begin policing usage," he says.
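A minimal version of the baseline-then-police approach Pollard describes, as an added example that is not part of the original article: it learns each user's usual resources, working hours and daily data volume from a window of audit records, then flags later activity that departs from that baseline. The log format, user names, cutoff date and z-score threshold are assumptions, and the records are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit records for illustration (timestamp, user, resource, bytes read); not real data.
SAMPLE_LOG = """\
2017-03-01T09:12:00 alice tooling-repo 120000
2017-03-02T10:30:00 alice tooling-repo 110000
2017-03-03T11:05:00 alice tooling-repo 130000
2017-03-05T02:15:00 alice hr-records 50000
2017-03-05T02:20:00 alice tooling-repo 4800000
2017-03-01T09:00:00 bob docs-share 20000
"""
BASELINE_END = datetime(2017, 3, 5)  # activity before this is "normal"; after it is policed

def parse(log):
    events = []
    for line in log.splitlines():
        ts, user, resource, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, resource, int(nbytes)))
    return events

def build_baseline(events, baseline_end):
    """Per user: resources and hours seen in the baseline window, plus daily byte totals."""
    resources, hours = defaultdict(set), defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, resource, nbytes in events:
        if ts < baseline_end:
            resources[user].add(resource)
            hours[user].add(ts.hour)
            daily[user][ts.date()] += nbytes
    return {u: (resources[u], hours[u], list(daily[u].values())) for u in resources}

def find_anomalies(events, baseline, baseline_end, z_threshold=3.0):
    """Flag post-baseline activity that departs from the user's own normal pattern."""
    alerts = set()  # one alert per (user, day, reason), however many events trigger it
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, resource, nbytes in events:
        if ts < baseline_end or user not in baseline:
            continue  # a user with no baseline needs its own policy, not silence
        known, hours, volumes = baseline[user]
        day = ts.date()
        if resource not in known:
            alerts.add((user, day, f"first access to {resource}"))
        if ts.hour not in hours:
            alerts.add((user, day, "access outside baseline hours"))
        daily[user][day] += nbytes  # running total so the volume alert fires mid-day
        if (daily[user][day] - mean(volumes)) / (pstdev(volumes) or 1.0) > z_threshold:
            alerts.add((user, day, "daily volume exceeds baseline"))
    return sorted(alerts)
```

Run against the sample, the two early-morning events on 2017-03-05 produce three alerts for alice (a never-before-seen resource, an unusual hour, and a day volume far above her baseline), while bob's in-window activity produces none.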

Insider breaches highlight the constant struggle within enterprises to choose between what is most secure and what is most productive, adds Tim Condello, technical account manager for RedOwl, a vendor of an insider threat platform.

Based on the fact that most of the leaked information involved mobile and hardware exploits, chances are that whoever stole the data worked for the group that collaboratively supported this effort or had access to systems used by the group, Condello says.

"Looking at the information available on the CIA data leak, it is apparent that either there were no proactive measures in place or the ones that existed could be circumvented," he says. "The lessons that can be learned from this are to have a layered approach to controlling access and movement of data in their environment while also monitoring employee behavior."

Don't Get Too Fixated on the Zero-Days

As with the Shadow Brokers leak of NSA data last year, many of the CIA exploits that were leaked on WikiLeaks this month involved previously unknown zero-day flaws in technology products from major IT companies.

Zero-day flaws have the potential to cause big problems if attackers find a way to exploit them before a patch becomes available. Security researchers often urge organizations to prioritize patching of such vulnerabilities.

But instead of getting fixated on them, focus on the ones you do know about, says Ilia Kolochenko, CEO of Web security firm High-Tech Bridge.

Gartner predicts that 99% of all vulnerabilities exploited through 2020 will continue to be known security vulnerabilities for which patches have been available for at least a year, Kolochenko points out.

"A 0-day is a sort of cherry on the cake, for very important targets that cannot be hacked by other means," he says. "Otherwise, why spend on it, if a public exploit can bring the same results?"

What breaches such as the CIA's really highlight is the need for organizations to do a comprehensive and continuous inventory of all digital assets. Rather than worry about the potential for a zero-day exploit to be used against them, organizations are better off ensuring their assets are protected against the known ones. "By keeping all our devices and software up to date, we can avoid 99% of problems," Kolochenko says.

Pay Attention to Those IoT Devices

Among the many CIA exploits that were leaked was one named Weeping Angel, which essentially turns a Samsung smart TV into a silent audio-recording device capable of listening in to conversations even after the device had supposedly been switched off. The exploit garnered attention not because it was particularly sophisticated, but because it demonstrated how trivially easy it is to hack many of the so-called smart "things" that are being connected to the Internet these days.

For enterprises, the exploit should serve as a warning of the potential for attackers to increasingly target vulnerabilities in industrial and commercial IoT products in order to then gain entry into the enterprise. Many IoT vulnerabilities stem from Web-based interfaces that are riddled with issues like remote code execution bugs and hardcoded passwords, Kolochenko says.

The goal should be to try and secure the IoT environment as much as possible to prevent it from being a launching pad into the enterprise - or the source of data leaks and disruptions.

"Because an attacker has to get inside the network to accomplish any other goal including surveillance, IoT as an entry point is the place to start," Pollard says. Obviously, not every firm has to worry about being snooped on via a rogue TV, he says, but some do.

"That's why having a risk assessment that incorporates geopolitical threats or concerns is important," Pollard says. Also important are practices like threat modeling based on how the organization makes money, the geographies in which it operates, its sensitive intellectual property, and even potential clients that may make the organization a target.

Vulnerability Stockpiles Merit Another Look

The CIA's stockpile of malware tools, including several that take advantage of undisclosed flaws in widely used technology products, once again stirred debate over responsible vulnerability disclosure by US intelligence agencies.

Some have argued that agencies like the CIA and NSA, whose mission it is to develop offensive cyber-capabilities, have a responsibility to disclose 0-day flaws to vendors so that the vulnerabilities get patched before adversaries use them.

In a report released after the CIA leaks, the RAND Corporation provided some perspective on this hot topic. RAND's study of more than 200 zero-day flaws showed that the benefits of disclosing such flaws were not always as great as assumed. The report argues that most zero-days tend to remain hidden for years and the chances of two people finding the same flaw are remote. So, sometimes it actually makes sense for agencies like the CIA to stockpile vulnerabilities.

But Daniel Castro, vice president at the Information Technology and Innovation Foundation, argues that such reasoning is dangerous. "Without comparing the actual stockpiled zero-day exploits of countries like China and Russia we do not know how much overlap exists here," he says.

So the best approach is to disclose and patch zero-days as they are found. "Practically speaking, responsible disclosure is the only way to keep Americans secure," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
