The “Good Enough” strategy in Cyber Security is not going to cut it any more

I happened to watch the Netflix documentary on 911 and its aftermath last week together with my teenage daughter at her request.   She had been learning about it in school but wanted to go beyond what you can get from books.  

The 2nd episode, titled “The System is Blinking Red” focuses on the clear warning signs that were publicly communicated and widely known prior to those attacks.  The parallels to the state of affairs in cybersecurity today is very sobering.  While it seems obvious, we do think it is worth stating plainly:  what we are doing is NOT working.  

• No device, data or digital asset of value is safe from criminals and hackers.
• Authoritarian governments and hostile state actors around the world can spy upon and sabotage companies and organizations, infrastructure and individuals with unprecedented ease and efficiency.
• Defending against this threat matrix has become too complex and costly for average users and SMBs, so they just give up.
• Even large enterprises and organizations continue to fail spectacularly in their cybersecurity defense, with spectacular consequences (the Change Healthcare hack with shut down half to the US Healthcare claims & payments system for nearly 6 weeks is just the latest example).

The current approach to cybersecurity is based on a “good enough” mind set based on 30 years of experience with the Internet, which does not take into account 3 converging forces:

1. IOT.  Everything is getting connected and embedded into every facet of our economy, lives and even our bodies.
2. AI.  is exponentially increasing the scale, breadth & sophistication of attacks and poses its own direct risks.
3. Cyber Warfare.  A new era of cyber warfare and terrorism is upon us where massive societal and economic disruption are the objectives.

The time frame here is anybody’s guess. 3 months? 3 years? But it is clear and obvious that massively disruptive cyber attacks await us unless we change our mindset and approach.

The Public Warnings are Dire

Here are just a few similar ‘public warnings’ – that echo those we heard in the summer of 2001 – that should get serious people to sit up and pay attention. Alas, not so much so far. 

FBI Director Christopher Wray testifies before Congress about threat of Chinese hackers 

China Could Threaten Critical Infrastructure in a Conflict, N.S.A. Chief Says

Gen. Timothy Haugh, who is also the head of the U.S. military’s Cyber Command, said Beijing was “sending a pretty clear signal.”

But What’s Happening Every Day Under the Radar is Even Worse

It’s easy to dismiss such prognostications in Washington DC as just inside the beltway chatter to justify budgets. It’s wrong, but its easy.

What is less easy is to dismiss the overwhelming variety, frequency and severity of exploits that show a clear pattern that once again says: what we are doing is not working.

Fuxnet: Stuxnet on Steroids

Yes – the Ukrainians got the first ‘win’, but the Russians will study and learn . . . as well the bad actors that only have criminal intentions . . . 

This backdoor almost infected Linux everywhere: The XZ Utils close call

The recent XZ Utils exploit almost opened every linux server in the world to level 10 compromise – complete take-over.   The net from analysts is this was a sophisticated operation sponsored by the Russian GRU.

Nation-state hackers exploit Cisco firewall 0-days to backdoor government networks

Perimeter devices ought to prevent network hacks. Why are so many devices allowing attacks?

Hackers backed by a powerful nation-state have been exploiting two zero-day vulnerabilities in Cisco firewalls in a five-month-long campaign that breaks into government networks around the world, researchers reported Wednesday.

The attacks against Cisco’s Adaptive Security Appliances firewalls are the latest in a rash of network compromises that target firewalls, VPNs, and network-perimeter devices, which are designed to provide a moated gate of sorts that keeps remote hackers out. Over the past 18 months, threat actors—mainly backed by the Chinese government—have turned this security paradigm on its head in attacks that exploit previously unknown vulnerabilities in security appliances from the likes of Ivanti, Atlassian, Citrix, and Progress. These devices are ideal targets because they sit at the edge of a network, provide a direct pipeline to its most sensitive resources, and interact with virtually all incoming communications.Ars Technika, Dan Goodin – 4/24/2024

Or if you video is your preferred media vector, check this one:

Oh, look.  Dropbox got owned.  

This disclosure with the SEC was so ho-hum it wasn’t even worthy of news coverage!

On April 24, 2024, Dropbox, Inc. (“Dropbox” or “we”) became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. We immediately activated our cybersecurity incident response process to investigate, contain, and remediate the incident. Upon further investigation, we discovered that the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings. For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication. Based on what we know as of the date of this filing, there is no evidence that the threat actor accessed the contents of users’ accounts, such as their agreements or templates, or their payment information. Additionally, we believe this incident was limited to Dropbox Sign infrastructure and there is no evidence that the threat actor accessed the production environments of other Dropbox products. We are continuing our investigation.

When we became aware of the incident, we launched an investigation with industry-leading forensic investigators to understand what happened and mitigate risks to our users. We have notified and are working with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.

DropBox SEC Disclosure, April 24, 2024

Why Does This Keep Happening?

What all of these attacks all share in common is that they exploit the fundamental vulnerabilities of the centralized architectures of Internet infrastructure that we have today – the root causes of Internet Insecurity.

1. Centralized servers, with human access and control. There is always somebody – and now an AI ‘non-body’ that has the keys to the kingdom.
2. Everything is visible for study and attack. With Internet Protocol, network addresses and traffic are visible, and connections are insecure by default. So the Bad Guys always have the advantage.
3. Data is Vulnerable. Because it is either:
   • not encrypted or someone else has the access to and control of the keys; and
   • encryption UX is too complex and painful so it is rarely used.

What we are doing – adding layers upon layers of active defenses over a flawed foundation – is not working.  

That’s why Faction is built upon a completely new approach that addresses these flaws to restore a solid foundation for cybersecurity that is, crucially, low cost and easy to use so that the individual and SMB users of the world can take security and privacy into their own hands.

Will this stop every attack out there? No way. But it will for the first time give the defense the advantage versus where we are now – which is the opposite. It’s a new approach – some would say radical. But it is clear and obvious – for anyone that is paying attention – that the times call for exactly that.