
Archive for January, 2010

The Recent Plane Bombing Attempt: Lack of Event Correlation Combined with Failure to Share Information

The U.S. Department of Justice recently charged a 23-year-old Nigerian with trying to blow up a Northwest Airlines airplane as the plane was close to landing on Christmas Day. The suspect, Umar Farouk Abdulmutallab, reportedly claims to be an al-Qaida agent. The suspect allegedly went to a bathroom in the plane because he claimed he was sick. When he came back to his seat, he allegedly pulled a blanket over himself and then pulled out a syringe and used it to ignite explosives that he had in his underwear. According to accounts of the incident, the man’s pants and the side of the plane’s wall next to him caught on fire, but passengers and flight crew held him, took away the syringe and extinguished the fire.

The story of the attempt to blow up an airplane really has nothing to do with information security per se. Still, I chose to write about this event because it could and should have been prevented in the first place, and the lessons learned are very relevant to information security. What is incredible to me is that a little over four months ago the U.S. Central Intelligence Agency (CIA) had become aware that a Nigerian was possibly involved with terrorist circles in Yemen, although the man’s name was unknown at the time. Then three months ago Abdulmutallab’s father went to the U.S. Embassy in Nigeria to report that his son was missing and to request help in finding him. The father also said that he believed that his son had ties to al-Qaida in Yemen. The CIA never put two and two together, so to speak—it was unable to correlate pieces of information that proved to be critical. President Obama reacted by saying:

“There were bits of information available within the intelligence community that could have and should have been pieced together.”

The fact that the CIA was unable to correlate the information it had received is not unique to the government arena. Organizations constantly receive fragments of information—that reconnaissance scans and probes from certain IP addresses occur, followed by attempts to exploit vulnerabilities, followed by unusual patterns of connections and/or anomalous system behavior. These organizations too often rely on point solutions such as individual firewalls, intrusion detection systems, and intrusion prevention systems to monitor network activity. In so doing they are unable to determine the context of events that occur. Dave Shackleford sums up this problem nicely in a SANS white paper available at http://www.sans.org/reading_room/analysts_program/adaptiveSec_Dec08.pdf:

“In today’s dynamic threat and network environments, standalone Intrusion Detection/Prevention Systems (IDS/IPS) cannot protect against the ever-changing attacks and vulnerabilities. The reason: Standing alone, IDS/IPS lacks the context it needs to reliably distinguish an event from a non-event and prioritize protection based on business-critical rules. Context can be helpful in determining when an event indicates a security incident, such as a deliberate remote buffer overflow exploit attempt, as well as when events are nothing more than false positives, such as poorly configured applications sending out broadcast packets.”
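As an added example (not code from the original post), the following Python sketch shows the kind of correlation the paragraph above describes: events from three point solutions are keyed on the external host and escalated only when reconnaissance, an exploit attempt and an anomalous outbound connection chain together. The sample log lines, field names, sensor names and the 30-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three separate point solutions. Seen by each
# tool alone every line is a low-priority event; chained they tell a story.
SAMPLE_LOGS = """\
2010-01-03T10:01:12 ids src=203.0.113.7 sig=PORTSCAN
2010-01-03T10:04:40 web src=203.0.113.7 req="GET /cgi-bin/../../etc/passwd" status=404
2010-01-03T10:05:02 ids src=198.51.100.9 sig=PORTSCAN
2010-01-03T10:09:55 fw src=10.0.0.5 dst=203.0.113.7 dir=outbound dport=6667 action=ALLOW
"""
# Stage each sensor's event represents and the field naming the external host
# (the firewall reports it as dst for an outbound connection, the others as src).
STAGE = {"ids": ("recon", "src"), "web": ("exploit", "src"), "fw": ("anomaly", "dst")}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    ts, sensor, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    return datetime.fromisoformat(ts), sensor, fields

def is_interesting(sensor, f):
    # Per-sensor filter: only a real probe, exploit attempt or anomaly counts.
    if sensor == "ids":
        return f.get("sig") == "PORTSCAN"
    if sensor == "web":
        return "../" in f.get("req", "")
    if sensor == "fw":
        return f.get("dir") == "outbound" and f.get("action") == "ALLOW"
    return False

def correlate(log_text, window=timedelta(minutes=30)):
    """Map external host -> ordered stages observed within `window` of its first event."""
    seen = defaultdict(list)  # external ip -> [(timestamp, stage)]
    for line in log_text.splitlines():
        ts, sensor, f = parse(line)
        if sensor not in STAGE or not is_interesting(sensor, f):
            continue
        stage, key = STAGE[sensor]
        events = seen[f[key]]
        if events and ts - events[0][0] > window:
            continue  # too far from the first sighting: treat as unrelated
        events.append((ts, stage))
    return {ip: [s for _, s in ev] for ip, ev in seen.items()}

def severity(stages):
    """Escalate only when distinct stages chain; a lone scan stays informational."""
    levels = {1: "informational", 2: "suspicious", 3: "incident"}
    return levels[min(len(set(stages)), 3)]
```

Run against the sample, the host that scanned, probed the web server and then received an outbound connection is rated an incident, while the host that only scanned stays informational.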

Perhaps even worse is the fact that the CIA kept the information about the suspect that it obtained completely to itself. Had the CIA shared this information with the Department of Homeland Security (DHS), the State Department, and other U.S. government entities, the fact that the suspect had an active U.S. visa and that he was on the passenger list for an upcoming flight to the U.S. almost certainly would have been discovered, in all likelihood leading to a precautionary cancellation of his visa and/or including him on a no-fly list. Additionally, the probability that somebody in other agencies or departments would have correlated the various bits of information obtained about the suspect would almost certainly have increased substantially.

The problem of lack of information sharing within government circles is anything but a new problem. But lack of information sharing is by no means limited to within the government. Commercial and other entities also fail to share critical information about cyberattacks that they have experienced, thereby depriving other organizations of the ability to recognize and defend against new as well as persistent types of attacks and hampering law enforcement efforts. The creation of numerous Information Sharing and Analysis Centers (ISACs) within various verticals has helped some, but has by no means solved the lack of information sharing problem.

Stating problems without solutions is a poor practice, so I’ll propose a solution to one major problem that I have discussed in this posting. How about a Presidential edict that mandates firing any government employee who is the head of any government agency or department that fails to share critical information affecting U.S. interests (such as countering terrorism) with other agencies and departments that need this information? If such an edict were put in place, I’d bet that heads of agencies and departments would do everything they could to ensure that critical information was shared. President Obama, are you listening?

Categories: Network Security

Information Security Predictions for 2010

It’s 2010 now, and as I’ve done in the past, I’m going to make a few predictions concerning information security-related events and changes that I believe will occur in 2010.

First, I predict that at least one data security breach that is bigger than the Heartland Payment Systems incident in terms of the amount of personally identifiable information (PII) compromised and money lost will occur in 2010. Financially-motivated perpetrators know that there is far more money to be made from their sordid activity than they have been making (and many of them are already making millions of US dollars annually). They have been advancing and perfecting their attack methods for years. In contrast, most organizations continue to devote pathetically few resources to mitigating security-related risks. Worse incidents than the one Heartland experienced are thus inevitable.

Second, I predict that blended threats will continue to increase in prevalence and magnitude. The train bombing in Madrid several years ago was a classic example of a blended threat where the phone system and explosives were used in conjunction with each other, resulting in massive loss of human life. Lamentably, the Internet will increasingly be used in connection with terrorist activities and ironically, terrorists will use better security practices (e.g., data encryption, strong authentication, and so on) than will governments and commercial organizations. This trend will persist well beyond 2010.

Third, I predict that the Obama administration will, like the administrations before it, continue to pay lip service to cybersecurity, but will not do much about it in 2010. I am not really criticizing the current administration. It is impossible to launch and sustain too many initiatives simultaneously, and initiatives such as rescuing the economy and fighting terrorism have a much higher priority than fixing the cybersecurity problem that exists in the U.S. right now. If and when some of the major initiatives succeed, the likelihood that the President will turn more attention to cybersecurity will increase substantially, but I do not expect this to happen in 2010.

Fourth, I predict that people and organizations will continue their current trend to rush wildly into “cloud computing” and social networking without much if any thought about security considerations. Massive security incidents such as compromises of entire customer databases, prolonged disruption of critical business processes, and worm outbreaks on major social networking sites such as MySpace and Facebook that make these sites unusable or shut them down entirely will occur in 2010.

Fifth, I predict that in 2010 the music and film industry will continue to make major advances in their war against piracy. Court rulings and legislation will give them greatly expanded power to snoop on users and force Internet service providers to turn over information about users’ usage patterns. Privacy advocacy groups will react by raising more money to fight music and film industry-initiated court cases and by increasing public awareness of excesses by these industries.

Sixth, I predict that in 2010 the PCI Consortium will tighten the PCI-DSS requirements to address current gaps resulting from the Consortium’s very information-centric approach to cardholder data security. I am not being critical of this approach—it is, after all, the most logical approach when information is the “crown jewel” that needs to be protected. But in focusing on information per se, less attention is paid to other threat vectors such as hosts that do not store, process or transmit cardholder data, but which nevertheless could be used as a pivot point to attack hosts that do. Additionally, the Consortium will mandate continuous rather than annual compliance with the PCI-DSS.

Finally, I predict that the information security job market will start to improve in 2010 primarily as the result of senior management within organizations either directly experiencing or reading about the huge and costly incidents that will occur. The improvement in the job market is likely to be preceded by increased demand for information security consultants to fill specific needs. Money for permanent hiring will then become available as the economy starts to improve. I also foresee that information security management skills and experience will be particularly sought-after; good information security management is the critical differentiator between an effective and ineffective security practice.

I could make more predictions, but after all, psychologists say people can hold only five plus or minus two chunks of information in their short-term memory, and I’ve presented seven predictions. And if nothing else, I really hope that my predictions will fare better than the Gartner Group’s predictions have over the years! Only time will tell, however.

Categories: Network Security