Sony, Physical Access and the Insider Threat
If you haven't already heard, Sony Pictures has experienced a massive and debilitating breach of their computer and network systems. Last week several employees reported that they were in the middle of a "security incident".
"We are investigating an IT matter."
And then later followed up by indicating they were:
“Working diligently to resolve a system disruption”.
That "IT matter" turned out to be a significant breach of their systems, resulting in Sony Pictures shutting down their networks.
Absolutely terrifying for Sony Pictures, but the scariest news to emerge so far is that the adversaries had physical access to systems, which resulted in the theft of PII (Personally Identifiable Information), financial documents, password files, source code, inventory lists, network maps, as well as production outlines, schedules and notes.
In other words, they were compromised from the inside out.
Cyber Security in an Unfriendly Environment
Sony’s compromise is unfortunate, but it brings up something that Guardtime feels very passionate about: the security of critical infrastructure components in austere environments, data centers, and carrier neutral facilities.
Insider threats are very often overlooked by traditional security systems. Adversaries leverage plain old social engineering to worm their way into facilities, or steal passwords from employees, to gain unrestricted system access. The question becomes: how do you enforce security when your systems are essentially in hostile territory, where the adversary is at the box and is intent on violating your security protocols?
The traditional approach of trusting insiders and systems administrators is fraught with risk and, we believe, speaks to a weak cyber security defense-in-depth strategy. To put it bluntly, we're tired of living in a world that is inherently untrustworthy. Integrity from the inside out is needed to test every assumption about what is actually true, versus what you believe to be true, about your security posture and the integrity of your data and systems.
As Dan Geer states:
“Any security technology whose effectiveness can’t be empirically determined is indistinguishable from blind luck.”
If you’re into blind luck, you can stop reading now and go hit the casino. Otherwise, we encourage you to really look at how we can instrument our systems to support empirical, and forensically sound, evidence. We think about this a lot, because it’s our core business.
It’s About the Data
Traditional security systems have focused on perimeter defense: firewalls, intrusion detection, anti-virus, deep packet inspection, and so on. None of these technologies can stop an adversary that has physical access to your systems. Sure, canned attacks from market-friendly tools like Metasploit are detected, but today's systems are rarely capable of detecting anything new, let alone an attack that has even a modicum of sophistication.
At Guardtime, we believe – to our core – that integrity and truth are virtues that should be afforded to every enterprise and citizen in our flourishing networked society, and this integrity must be infused into the computing substrate.
By instrumenting systems with a provable integrity model, it suddenly becomes very difficult for trusted insiders to cover their tracks or otherwise manipulate systems or configurations without detection.
It’s time to change the security game, by changing the rules.
The Recipe for Insider Threat Protection
It's impossible to totally prevent cyber crime, as adaptive adversaries will always find new techniques and tactics to exploit endpoints within your network. However, it is possible to have 100% detection and real-time incident response to protect your critical assets.
Changing the security game requires changing what you are protecting, and how you are protecting it.
We suggest a three-pillar approach:
- Moving the focus from perimeter-centric security to data-centric security
- Designing security appliances which are hardened and built to deter, delay, and harass adversarial attempts, such that attacking and defeating them becomes economically prohibitive
- Instrumenting critical assets (database, file system, transactions) with Native Forensics (and our vote is KSI)
A KSI Primer
KSI is a technology invented by Guardtime to provide massively scalable strong data integrity, tamper evidence and backdating protection for literally any kind of digital asset. By contributing data signatures as a source of entropy to a global blockchain, KSI provides independently verifiable guarantees that data has not been tampered with since it was signed.
A Guardtime signature provides proof of time, integrity, and identity without the reliance on cryptographic keys and secrets, or trust anchors like systems administrators or Certificate Authorities. Guardtime signatures can be verified in real-time, providing continuous integrity monitoring for literally any kind of digital asset or data object, and affords data portability so tagging, tracking, and locating data within 3rd party infrastructures becomes an easy task.
KSI refocuses the security perimeter on data, data integrity, and systems integrity. It’s not subject to the noise of what’s happening in your network, and is not based on any type of probabilistic mathematics. It’s based on hard truth, and backed by an Incident Response system that immediately identifies tampering or corruption, even by insiders.
For service providers and data centers this ultimately leads to indemnification as one of the core benefits of KSI, providing definitive proof of activities and chain-of-custody that holds up in a court of law. This should be music to many ears, as the legal apparatus is still learning how to investigate cyber breaches, and KSI can significantly help in cases where insurance companies are vying for Cyber Loss Subrogation.
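To make the primer above concrete, here is a small added example (not Guardtime's KSI implementation, and not code from this post) of the core idea: audit-log records are hashed into a Merkle tree, only the root is published, and any record can later be checked against that root with a short hash-chain proof, so an insider who edits a record after the fact is detected without any secret key. The record contents and the "published root" are constructed here for illustration; a real deployment would bind the root to a public, time-stamped calendar.

```python
import hashlib
from typing import List, Tuple

# Proof element: (sibling hash, True if the sibling sits to the right of us)
Proof = List[Tuple[bytes, bool]]

def leaf_hash(record: bytes) -> bytes:
    # Domain-separate leaves from inner nodes so a record can't pose as a node.
    return hashlib.sha256(b"\x00" + record).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _pad(level: List[bytes]) -> List[bytes]:
    # Duplicate the last hash when a level has odd length (simple, deterministic).
    return level + [level[-1]] if len(level) % 2 else level

def build_tree(leaves: List[bytes]) -> Tuple[bytes, List[List[bytes]]]:
    """Aggregate leaf hashes bottom-up; return the root and every level."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = _pad(levels[-1])
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels[-1][0], levels

def inclusion_proof(levels: List[List[bytes]], index: int) -> Proof:
    """Sibling hashes from the leaf up to (but excluding) the root."""
    proof: Proof = []
    for level in levels[:-1]:
        padded = _pad(level)
        proof.append((padded[index ^ 1], index % 2 == 0))
        index //= 2
    return proof

def verify(record: bytes, proof: Proof, published_root: bytes) -> bool:
    """Recompute the path to the root; any byte change in the record fails."""
    acc = leaf_hash(record)
    for sibling, sibling_on_right in proof:
        acc = node_hash(acc, sibling) if sibling_on_right else node_hash(sibling, acc)
    return acc == published_root

def sign_log(records: List[bytes]) -> Tuple[bytes, List[Proof]]:
    """Commit a batch of records: one root to publish, one proof per record."""
    root, levels = build_tree([leaf_hash(r) for r in records])
    return root, [inclusion_proof(levels, i) for i in range(len(records))]

# Constructed sample audit log (odd count exercises the padding rule).
AUDIT_LOG = [b"2014-11-24T09:01Z admin login host=fileserver01",
             b"2014-11-24T09:03Z copy /finance/payroll.xlsx -> usb0",
             b"2014-11-24T09:04Z delete /var/log/auth.log",
             b"2014-11-24T09:05Z admin logout host=fileserver01",
             b"2014-11-24T09:07Z backup job completed"]
PUBLISHED_ROOT, PROOFS = sign_log(AUDIT_LOG)
```

An insider who rewrites the "delete /var/log/auth.log" line cannot produce a matching proof, because the published root no longer derives from the altered record.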
Conclusion – Changing the Protection Paradigm
KSI is not a cure-all. It's a technology that can have a dramatic effect on cyber security, if it is implemented properly.
For Sony Pictures, we believe that a forensics investigation to find those responsible would be dramatically easier with KSI instrumented systems, data stores, and audit logs. Remember, adversaries do not want to get caught, so their biggest focus is on covering their tracks. KSI makes this impossible, and provides the means to identify the source of attack, which can typically lead to a successful legal action.
We believe this changes the protection paradigm, and is a massive leap forward for cyber security.
For this exact reason, Ericsson, the world's leading provider of communications networks, has teamed with Guardtime to help them protect the $69 Billion Data-Safety market.
Sony Pictures, if you’re reading this, we would be thrilled to discuss how we can help protect your digital assets and data from insider threats.