An expert look at cyber security ahead of Dublin Information Sec 2018: Bugs, vulnerabilities and the cloud
Rahim Jina, Chief Operating Officer and co-founder of Edgescan, is a security consultant and Software as a Service (SaaS) specialist. Jina will speak at the third annual cyber security conference, Dublin Information Sec 18 on Monday October 15 at the RDS Dublin.
(Cyber) Security and the Cloud – The Song Remains the Same
It’s all just software. Really, it is. Software runs our applications and software makes our hardware work. Software has always had bugs, due to the fundamental fact that humans, unlike computers, are not finite state machines which follow predictable paths. The human brain is not wired like this, which means that as long as humans write code, code will always contain bugs. This raises a question about the future of Artificial Intelligence, since it is humans that will write the code that creates the intelligence, but that is a discussion for another day.
Where that software runs does make some difference, but not as much as you might think. It’s funny when an industry can create new markets for itself, just by reusing existing concepts and repackaging them. That’s what cloud is. Cloud is the new Mainframe, back when the paradigm was for computing to be performed centrally and then accessed remotely by a dedicated terminal. Sound familiar? The Cloud is simply another bunch of big computers sitting somewhere else, where someone else is paying the electricity bill instead of you (well, directly anyway).
In fact, cyber security has not changed much in the past 15 to 20 years. It has been rebranded often but the fundamentals are still there, unchanged. Security vulnerabilities which give rise to hacking incidents and breaches can still be largely grouped into three categories: bugs in software (badly written code), misconfigured software (where protections are there but someone did not set them up right), and resource availability (someone else hogs all the resources and the system goes down).
Vulnerabilities still come in three flavours
The first category is where real complexity creeps in. Many software bugs can be leveraged to trick the software so that, instead of receiving expected data such as a name or phone number, it receives new code which effectively rewrites the software itself. While these are generally the most complex attacks to carry out, their impact can be devastating to a system.
Secondly, (mis)configuration issues are huge and contribute to about one third of vulnerabilities that we see affecting businesses over a given year. This is anything from leaving a window in your house unlocked to leaving your front and back doors wide open. Some of the simplest attacks leverage these types of vulnerabilities and, although they are generally quick and easy to fix, this assumes that you knew about them in the first place.
Finally, the third category, resource availability, is akin to using a giant loudspeaker at a concert to overpower and drown out the music with noise. It’s not that sophisticated and is a less-than-elegant attack, although the impact can be severe (unless you can do without online banking and streaming TV). The other two categories, however, are more Hollywood-hacker and exciting.
There are some cloud-specific issues but they all fit into the above categories. Ever hear of AWS S3 buckets? Well, some organisations were not configuring them correctly and leaving them exposed to the internet. Another common issue is to leave administration services exposed, allowing for easy attacks such as password guessing, which can lead to full compromise of a system. These types of issues have recently become very prevalent in a number of high-profile breaches by hacker groups with steam-punk-sounding names. These all generally come down to misconfiguration and even though they might present themselves differently, the issue is the same as exposing any internal system to the internet unintentionally. If only we knew it was there.
Visibility is everything
How can we even start to get a handle on things? Visibility is everything. Visibility of not only what we have, but where it is too. Only then can we get into where our vulnerabilities lie. We need to be able to map our attackable footprint in a meaningful way as vulnerabilities arise in both systems which change frequently and also those that don’t. No software runs in isolation and bugs can be introduced in your software or the multitude of software that is not yours, but which you need in order to make your code work. We cannot test what we cannot see and surely cannot secure that which we do not know about. Visibility is key.
Dublin Information Sec 2018 is an Independent News and Media event. Please visit www.independent.ie/infosec18 for further information and tickets.