There is nothing more scary than the above headline, taken straight from foxnews.com. According to reports, a phishing email was sent to a user on the White House computer network; the email was interacted with and at least one system was compromised. I read several articles on this story and a few points jumped out at me--please feel free to agree, disagree or share your thoughts in the comments:
- The new definition of compromise used by the White House
- Attribution of the attack to China/Beijing
- What this all means when we talk about securing our systems
The new definition of compromise
The White House has at no point denied claims that it was breached, but maintains that the breach doesn't matter because no sensitive information was compromised. According to White House spokesman Jay Carney, the White House computer networks are equipped with mitigation measures that identified the attack, isolated it and prevented its spread. I've said this many times myself: compromise is inevitable, containment is key. Don't get me wrong, this doesn't mean defensive measures are not needed; when designing security for your systems you absolutely should include defensive technologies to reduce the likelihood of compromise. However, you should not assume your responsibility as a security expert ends there. Instead, you should assume that at some point, due to new vulnerabilities and exploit techniques being developed or (the wonderfully constant) human factor, compromise will happen. Then you have to be able to detect and contain the breach as quickly as possible.
Detection covers not just the initial machine that was compromised, but every machine that was exposed as a result. This is harder than it sounds: once attackers gain a foothold inside the network they may never use another exploit, but move around with traffic that is virtually indistinguishable from legitimate traffic. As you know, with Impact, when I use a phishing attack to gain access to a user's machine inside a network, I can leverage our Identity Manager to harvest credentials from the compromised machine and then simply reuse those credentials against all the other machines on the network. Now I look like the legitimate user accessing network resources. Ideally, you have the ability to plug in the known information about the breach and produce a simulated path of attack showing where the attacker is likely to have gone, to ensure you have the complete picture.
Once you have detected and detained/quarantined me, you need to ensure you completely sanitize the machines. I would like to think that in the case of this breach this is done by destroying all machines on the possible attack path and replacing them with brand new machines (but let's not think about where those new machines were made). So perhaps reporters will spend a few days looking in the White House rubbish bins to see if there are some old machines (full of interesting information) there...
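To make the "simulated path of attack" and the resulting sanitize list concrete, here is an added example (not Impact or Identity Manager code, and not from the original post) that models credential harvesting and reuse as a graph walk over a constructed host and credential inventory; the host names, account names and both tables are invented for the illustration.

```python
from collections import deque

# Constructed inventory (not real data): which accounts have credentials
# resident on each host (logged-on users, cached creds, service accounts),
# and which hosts each account is authorised to log on to.
CREDS_ON_HOST = {
    "ws-01": {"alice"},
    "ws-02": {"bob"},
    "file-01": {"alice", "svc_backup"},
    "db-01": {"svc_backup", "dba"},
    "dc-01": {"domain_admin"},
    "hr-01": {"carol"},
}
ACCOUNT_CAN_LOGON = {
    "alice": {"ws-01", "file-01"},
    "bob": {"ws-02"},
    "svc_backup": {"file-01", "db-01", "hr-01"},
    "dba": {"db-01"},
    "carol": {"hr-01"},
    "domain_admin": {"dc-01", "db-01", "file-01"},
}

def exposed_hosts(initial_host):
    """Breadth-first walk from the known compromised host: every credential
    resident on a reached host is treated as harvested, and every host that
    credential can log on to is treated as exposed. Returns
    {host: (via_host, via_account)}; the initial host maps to None."""
    exposed = {initial_host: None}
    queue = deque([initial_host])
    while queue:
        host = queue.popleft()
        for account in sorted(CREDS_ON_HOST.get(host, ())):
            for target in sorted(ACCOUNT_CAN_LOGON.get(account, ())):
                if target not in exposed:
                    exposed[target] = (host, account)
                    queue.append(target)
    return exposed

def attack_path(exposed, host):
    """Hop list (from_host, account, to_host) that reaches `host`."""
    path = []
    while exposed.get(host) is not None:
        via_host, account = exposed[host]
        path.append((via_host, account, host))
        host = via_host
    return list(reversed(path))

if __name__ == "__main__":
    scope = exposed_hosts("ws-01")
    print("hosts to rebuild:", sorted(scope))  # dc-01 and ws-02 stay out
    for hop in attack_path(scope, "hr-01"):
        print("%s --[%s]--> %s" % hop)
```

Note that direction matters: domain_admin can reach file-01, but its credentials live only on dc-01, so the walk from ws-01 never exposes the domain controller, whereas the service account sitting on the file server drags the HR and database hosts into scope.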
Attribution of the attack
The original report of the attack specifically said that this attack was performed by 'Hackers linked to China's government'. Other reports simply attribute the attack to China and often reference the Aurora attacks that Google blamed on China. Assuming this attribution is true, which in itself is a complex area: are these independent hackers based in China, or hackers working on behalf of the Chinese Government? There is a big difference between an attack (there is no other word for this) against a corporation, and an attack against the government, and against the head of a government at that. A government that appears to be unable to pass bills related to cybersecurity shouldn't be too surprised when its cybersecurity is not what the nation would hope it is.
There has to be some kind of meaningful response to this action by the White House and the US Government, though this close to the election it might be hard to get the united response that people would really want to see. With a breach like this I want to be reassured that the critical systems (the White House Military Office for nuclear commands was cited as the system breached in the initial report) were truly "air-gapped" from systems with internet access.
Securing our systems
With all this being said, we have to remember we never truly secure a system (well, not if we want to keep it in a usable state). Instead, we pick the level of security and usability we are comfortable with for a given system and accept the risk that comes with those levels. The banking system is really the leader in this field: banks don't attempt to wipe out credit card fraud, they attempt to contain it to acceptable levels. They have done the calculations and at some point determined that it makes no sense to spend two dollars to prevent one dollar in credit card fraud. They understand the level at which they should strive to maintain fraud, set aside provisions for credit losses to account for the acceptable level of fraud, and move on to the other risks they are concerned with.
So what does that mean for the rest of us? As people responsible for security risk in an organization we have to do several things:
1) Identify what we are trying to protect
2) Determine the cost of a breach for the items in 1)
3) Implement security measures that reduce the likelihood of a breach of 1) without costing more than 2)
4) Test what we have implemented in 3) to ensure it works
5) Repeat 4)
If you don't know what is truly critical for your business to stay in business, how can you properly allocate your security spending? If you are spending two dollars to protect yourself from a one dollar loss, is that a wise spend? And if you are not testing your defenses (including your users; testing them is a lot easier than you might have realized), can you confidently stake your reputation on the ability of your defensive systems (especially if someone else implemented them)? Knowledge is power, and the knowledge that a foreign country breached the White House does not give me comfort. If what we learn from this is that the White House and the Government are taking protection of critical cybersystems within the US seriously and are working on a plan to fund, implement and conduct regular testing of these defenses, then at least something good can come from this breach.