Security Intelligence and the Rise of the Unknown Vulnerability

Published on June 17, 2013

We spend a great deal of time talking about how to secure the Enterprise Compute and Communication environment. We talk about insider and external threats, malware, applications and risks. We talk about the importance of prevention and the necessity of real time detection. We talk about collecting and analyzing network, system, application, user and activity information to get a real-time view of activities and transactions. We often emphasize how important it is to address information security concerns holistically, understanding that the complex interactions across the environment are often the source of the greatest vulnerabilities. But sometimes it’s important to consider specific technologies at a much finer level of granularity. This week saw three stories that highlight the importance of thinking about the use and implications of specific, especially emerging technologies.

First, the FDA issued a warning about network-accessible healthcare and health monitoring devices. This is an area that’s exploding, with many companies releasing devices from Pedometers to Blood Glucose Meters to Pacemakers and even implanted defibrillators that either connect to the internet directly or can be accessed wirelessly for historical data collection and programming updates. The safety notice from the FDA is pretty generic, but it does point out the critical if not obvious problem that these are embedded computers with network connectivity and little in the way of hardened security. If you thought the destructive capacity of SCADA-type vulnerabilities made for a worrisome future, think about extortion-ware infecting pacemakers or even surgical robots.

Second, in something that sounds more like the plot of a second-rate thriller than a real-world security threat, researchers in the UK have discovered that there is a fully configured back door built into Actel/Microsemi FPGA programmable ASICS. The back door is built into the silicon itself, and can be triggered by the use of a secret key that allows the attacker to decrypt, modify or even disable the chip while in operation. These sorts of customizable microprocessors are used in everything from missile guidance and seekers to encrypted communications, and the idea that untold thousands of them might be vulnerable at the moment they are most needed is mind boggling.

Finally, we have a thought provoking discussion around the careless management of SSH key pairs. Everyone needs SSH. Everyone uses SSH. But it’s important to realize that, no matter how much time, money and effort you spend on Identity and Access Management, no matter how good your systems and policies, SSH allows anyone with a valid key to bypass it all. The SSH user is authenticated without ever being subject to IAM best practices – or any practices at all, for that matter. In a sense, it’s another challenge around users with Highly Privileged Access, but depending on how lax your key management standards (assuming, that is, there ARE standards in place), you might actually have a condition where a user has privileged access to systems and resources without anyone knowing they are a part of the HPA peer group.

What can we learn from these stories? A key takeaway is nothing more than a reminder of how complex a modern digital network environment is and how we have to think about non-obvious connections and pathways in order to have any hope of securing our data and our customers. But even more than that, it’s a reminder that there will always be holes, open attack vectors waiting to be created or discovered, and that determined attackers WILL successfully gain access to the network. At that point there is no Identity Management suite, no authentication tool, no SIEM that is going to help us stave off a catastrophic breach. We need enough data, enough intelligence, to be able to recognize and flag in real time behaviors that are suspicious, and we need a set of tools for investigating those suspicious activities immediately, while they are ongoing. Securonix provides that layer of intelligence that works in conjunction with the rest of your security stack, acting as a last line of defense when all the other security systems fail.