Jingle Bugs - How to Rock in a Hard Place
- December 26th , 2014
A Look at 2014, Recommendations and New Year’s Resolutions for Security in 2015 and Beyond
With the end of 2014 dashing to a close and 2015 just over the hill, let’s take a moment to look at the ghosts of bugs and breaches past. Vulnerability coordination, disclosure, and incident response have never been more important to get right. What could happen if we make adjustments in the way we approach security and how could that impact the bugs that will inevitably be delivered to both the naughty and nice in the future?
2014 in Review - The Bugs and Breaches that Stole Our Attention from Cat Pictures
We’ve unwrapped big bugs in 2014, requiring new levels of coordination and cooperation between security researchers, vendors, and organizations, along with a flurry of breaches that are expected to continue into the new year.
Notable bugs and breaches still ringing in our ears
- Heartbleed - A vulnerability was hiding in critical Internet Open Source software for two years. This was the first vulnerability that was disclosed with a fancy logo (instead of the traditional hacker ASCII art), setting in motion the trend of branding each major vulnerability. The issue and advisory art resulted in broad and prolonged mainstream media coverage that engendered widespread hysteria even among non-technical friends and family. But it did get your uncle-in-law to change the password he had been using since his first email account, so perhaps the hype-driven awareness did some good.
- Shellshock - A bug in bash, which was serious if you were configured to accept environmental variables from just anyone. This was further complicated due to the initial fixes being bypassable, and the whole thing being largely unpatchable in embedded systems. This was also the next bug that spawned another vulnerability logo frenzy, as the security and IT world raced to name it. We’re not even sure if this is the right name, but you know which one we mean.
- Misfortunecookie - The Bad Web Server Thing found in Many Embedded Things that can be used to Hack All Your Things if your Router Thing is vulnerable. Even if your refrigerator is Internet-enabled, it cannot likely be used to Drink All Your Booze (unless you are the kind of hipster with a Lockitron). However, you may come home to warm beer and other unintended uses of your home technology, like your printer running DOOM. We’re going to bet this could be used to do other bad things as well, and we recommend you put some opaque tape over the camera in that Smart TV in your bedroom now.
- Staples, JPMorgan, Home Depot, Apple, and many more - Attacks that compromised user data and financial information, spawned new privacy debates including, reasonable expectations of it, celebrities’ rights to it, and whether or not it is even possible in the current increasingly cloud-stored Internet of Convenience to have privacy at all. Finally, a public discourse about the important topic of privacy that wasn’t about governments, but actually about private parts.
- Sony Pictures - Attack that nearly led to the release cancellation of a major Hollywood film, and whose aftershocks are still being felt as IT, business, and government leaders ponder the best response. “The Interview,” whether it was the spark that ignited the original breach, or if it was co-opted for symbolism, drama, or lulz later in the attack, this film will forever be remembered as the motion picture worth at least a thousand words from pundits, politicians, and IT practitioners looking for motives, meaning, and ways to manage an onslaught from a determined adversary. The truth is likely stranger than fiction.
...and all the other bugs and breaches that didn’t make headlines or get cute names or bleeding logos.
Predictions & Resolutions for 2015 and Beyond
As much as we’d like to say that 2015 will be different in terms of blizzards of bugs and breaches, we know deep in our heart(bleed)s that the inevitable Internet storms will keep battering our defenses. All software contains bugs. Given enough time and resources, all systems can be breached. Organizations can choose to prepare for the inevitable when it arises - bracing for the landslides of vulnerability logos - in part by hearing the hackers when they come to warn of the impending storms.
Vulnerabilities will be found - criminals see you, whether you’re sleeping or awake
Vulnerabilities in widely deployed or otherwise critical software will continue to be found by both good folks and bad, and inevitably they will be exploited.
- Nice versus naughty: How organizations react to hackers who try to report security issues to them will separate the vendors into those who are prepared to accept these warnings graciously (nice) and treat them as gifts from the hacker world, and those who engage with hackers adversarially and end up with lumps of coal (naughty), wishing they had made allies with the hacker community instead.
- How hackers approach organizations that have never dealt with the security community before will also determine how well the message about security is received. Researchers with the best reputation scores on the HackerOne platform achieve this by providing as much useful information as possible and working collaboratively with vulnerability response teams, which in turn gets their reports evaluated faster on average. Being near the top of the leaderboard also gets them invited to private bounty launches. Organizations on the other hand benefit by being able to receive quality reports from the best hackers.
No network or service will be impervious
On Breacher, on Patcher! On Malware, on Victim! Just as no software will ever be 100% free of security bugs, no network or service will be immune to breaches. Changing the security culture of an organization from compliance-driven minimum efforts to one of readiness, vigilance, response agility, and overall security resilience will be key to surviving every incident, whether they are targeted attacks run by organized adversaries, or run of the mill phishing by online criminals. Strategic planning of how an organization responds to breaches, and recovers - from potentially many simultaneous issues - is going to have to be part of the new normal for surviving and doing business in 2015 and beyond.
Internet of Things will raise the same security challenges, in new and improved buzzword form
The Internet of Things is just the next buzzword term that really means “ubiquity.” Technology pervades the modern world, and now more and more of this technology is interacting over the Internet without human intervention. Most of it is being built without security in mind, just like every other wave of technology that came before, and the lessons are the same.
Welcome Yule! Sometimes, it has to get really dark before a wake up call is heard by a new industry when it comes to security. We are in the middle of what feels like the longest night of security, in the darkness before the dawn of our collective enlightenment on how best to meet the coming challenges. Let’s hope that the “Age of the Great Worms” that forced many older software companies into taking security seriously does not have to be repeated in the form of automobile or medical device safety issues causing harm to human life before someone in charge decides to build security in from the ground up, and feed back what friendly hackers tell them to make the most secure products they can.
Make security part of your organizational culture for Auld Lang Syne
Ask not for whom the bug jingles - it jingles for thee. Mature organizations are aware of the threats to their operations, data, and customers and take steps to protect themselves. If your organization is on the Internet, you’re being tested for vulnerabilities constantly - so you had better watch out, you’d better not cry, but instead be prepared to hear from the hackers who would like to help you improve your security.
Whatever 2015 brings, we hope that thinking of security as an integral part of organizational culture, including responding to the inevitable mistakes that will lead to vulnerability exploitation and breaches, is part of our collective future. Let’s learn from bugs and breaches past, and ring in the New Year with a resolution to plant ourselves firmly in the “Acceptance stage” of the 5 Stages of Vulnerability Response Grief, and share warm tales of coordination and collaboration over next year’s fire(s).
– Katie Moussouris, Chief Policy Officer