Killer Apps or Apps that Kill? How the “Soft War” is replacing the Cold War in 2013

Last night, the Wall Street Journal ran a story around the Food and Drug Administration’s (FDA) warning to makers of medical devices that the gear they’re producing is at risk of being infected with computer viruses that can endanger patients.

With each passing day it becomes more and more apparent that we have ushered in the age of a software-based war or as it is more commonly known – a Cyber War. This “Soft War” has many elements to it, but with the rash of new attacks focusing on producers of electricity, healthcare providers and emergency broadcast and response systems, it won’t be long before this war claims its first real casualty. Similar to severe weather events, it’s possible that these cyber attacks will lead to the loss of life as a result of complications arising from the adverse effects of a “soft attack”.

It doesn’t take much to imagine the following scenarios arising from a system or power outage as a result of a cyber attack:

• Infirmed individuals struggling to maintain continuity of care during either a power or system-level outage
• Emergency responders unable to gain valuable information about the nature of a fast-moving disaster because of a system level hack or outage
• People falsely directed to take specific action as a result of cyber attack on the emergency broadcast system
• Extended outages of power, oil and gas production and communications and/or water services

However, with attacks happening on a daily basis we have become numb to the depth, breadth, speed and efficacy of cyber attacks and systemic breakdowns occurring all around us. Let’s look back at a few that we witnessed over the past year:

• The longest continuous DDoS attacks in history: Operation Ababil against US Commercial Banks
• The first “in-the-wild” encrypted DDoS attacks: Operation Ababil
• Politically motivated cyber attacks: Operation Israel, Operation USA, Operation Turkey
• The first systemic outage of a tier-one telecommunications provider by a cyber attack: AT&T DNS attack(s) around Aug. 15th, 2012
• Largest oil production cyber attack in history: Oil fields in Saudi Arabia stop producing for two days and thousands of PCs are infected with malicious viruses

Confronted with these events, information security professionals can respond in one of two ways:

The first option is to wave the proverbial “white flag” and rack up the well-heeled excuses for not getting the hard work that information security requires done.

The following is a list of justified reasons often cited by security professionals in response to failing to adequately protect an enterprise:

• Lack of resources including time, money and available people
• Identified risks accepted by the business
• Lack of knowledgeable people
• Lack of access to key technologies/vendors

The second option is to recognize that the sky is falling, sound the trumpets and head to the “high-ground”. Yes, sometimes that happens – even if it should rarely be talked about. How else can we explain why the US commercial banks, the largest, most well-resourced and well-staffed companies in the world, are struggling with the current threat landscape? After all, if these strong and heavily fortified institutions fell victim to DDoS attacks, how in the world can more ill-prepared industries such as government agencies, healthcare providers, educational institutions as well energy and manufacturing, be prepared without dramatic and quick change to their security programs?

If, like me, you are among the group of paranoid security professionals that make up the second category, how do you go about battening down the hatches and building a much more effective security program?

While it is difficult to say with certainty how these changes in the cyber security landscape will play out, we can make certain assumptions based on the frequency, effectiveness and directed nature of the attacks:

• Cyber Attacks will Become ‘Normal’. That is, we will come to expect an attack whenever the slightest grievance is encountered in our business and daily duties. These attacks will result from macro-level political motivations, like the Middle East conflict, to micro-level grievances such as a quarrel with your next-door neighbor and everything in-between. Bottom line: Cyber attacks are not a fad. As long as they are effective, they will NOT just go away.
• Common and Not-So-Common Criminals Will Get in on the Cyber-Attack Act. Cyber attacks started out as largely ideologically or politically motivated in nature. However, since the start of 2013 we’ve seen a significant increase in common criminals who are leveraging effective attack techniques to either make money or increase competitiveness. Bottom line: Cyber attacks focused on “Hacktivism” will be joined at a massive rate by “Financially Oriented” attacks. Perpetrators will become more brazen as they realize how inept the legal system is in dealing with these attacks.
• Attacks will Get Very Technical and Encrypted. Taking lessons learned from the US banks attacks, perpetrators understand that systemic technical weaknesses such as SSL-DDoS attacks do exist. Bottom line: If the security model your enterprise is deploying hasn’t materially changed since 2005, your organization will be utterly ineffective in fighting today’s cyber attacks.
• Laws will fail to Meaningfully Address the “Flat Cyber Battlefield”. Unfortunately, laws built around a paradigm of domiciles and nation-states don’t work well for a world in which these constructs have lost their efficacy. As a result, all of the laws in the world won’t address the problem unless the issue is addressed globally and systemically. Bottom line: Help from law enforcement will not be available; organizations have largely been left to fight this battle alone.

Countermeasures are needed! Defense mitigation strategies are also evolving and now include active counterattack strategies. Bottom line: organizations will become more aggressive in fighting DDoS attacks amidst the increasing need to leverage counter attacks to mitigate threats.

What security changes are you making to effectively deal with the evolving threat landscape?