
February 16, 2011

The world of HBGary

I am truly frightened by the emerging picture of the compromise of HBGary Federal. And it is not because of the allegation of a disturbing business proposal to, among other things, intimidate a well-known journalist and indiscriminately distribute malware.

It is also not because of the likelihood that a similarly opportunistic and amoral corporate culture is endemic to the entire sector - a suspicion made more credible after noticing that the leaked proposal uses the letterhead of another government-friendly company, Palantir, and generously credits a third one: Berico.

No, that's not it. The reason why I am frightened is the emergence of a new class of government contractors - a class that depends on the perpetuation of an alluring, yet completely irrelevant belief: that an incredibly sophisticated and determined adversary is constantly scheming to wage a devastating cyber-war against everything we hold dear.

It is an ugly truth: for the past 10 or 15 years, the security industry has made virtually no progress in helping large organizations deal not with Bond-esque villains, but with the simple threat of bored kids and geeks with an agenda - their most significant, and most unpredictable, foe. It is tempting to frame the constant stream of high-profile failures as proof of the evolution of your adversary. But when you realize that almost every single large institution can probably be compromised by a moderately skilled attacker, this explanation just does not ring true.

The inability to solve this increasingly pressing problem is no reason to celebrate - and even less of a reason to push for preposterous, unnecessary spending on silly intelligence services, or to promote overreaching and ill-defined regulation. If anything, it is a reason to reflect on our mistakes and perhaps go back to the drawing board. But between all the talk of cyber-jihad and APT, this unpleasant message is easy to overlook.

...

On the flip side, the difficulty of securing a complex enterprise hardly applies to specialized, well-funded security outlets: that one problem is easy to fix. These companies should have an abundance of expertise and resources to tightly manage and monitor their relatively small and self-contained networks. Similarly, their employees can be reasonably expected to exercise above-average restraint and a good dose of common sense. It is an uncomplicated matter of living up to your own bold claims.

From this perspective, the purported details of the attack on HBGary - a horribly vulnerable, obscure CMS; unpatched internal systems; careless password reuse across corporate systems and Twitter or LinkedIn; and trivial susceptibility to e-mail phishing - are truly fascinating. These tidbits seem to imply either extreme cynicism on the part of their staff... or an unbelievable level of cluelessness. And from a broader perspective, both of these options are pretty scary.

Oh, the ironic part? Despite all the lofty rhetoric, it looks like, in the end, they have been undone by just a bunch of bored kids.

5 comments:

  1. I think your posting back on 9/14 pretty accurately hits the real crux of this issue. The fundamental issue is one of humans and human interaction. Until we start finding ways of addressing the human issues of security, I think we are doomed to forever run the same treadmill.

  2. I totally agree on our lack of progress, and I truly believe that we are in poor shape. It seems (to me) a leap, though, to suspect that since we are unable to defend, there must not be people wanting to attack. The emails show a ridiculous supply of RE'ers and exploit writers being employed within govt. and semi-govt. organizations. Are we to assume that this is a uniquely US govt. trend? (Worse... are we to assume that it's ok if it's just the US?)

  3. I have to agree on the lack of progress, and thanks for the well put article.

    Companies become enamored with the latest supposed attacker threat and flashy technology, neglecting the most basic risks and boring security controls.

  4. "The reason why I am frightened is the emergence of a new class of government contractors - a class that depends on the perpetration of an alluring, yet completely irrelevant belief: that an incredibly sophisticated and determined adversary is constantly scheming to wage a devastating cyber-war against everything we hold dear."

    Whether or not there's a sophisticated adversary does not really matter in such a case. What one must realize is the type of business model used in the US.GOV. Given all the money being thrown at the "CyberWar" buzz, it's rather understandable that a bunch of .COMs (.GOV contractors) will try to milk the source for whatever they can. The scarier the picture they draw, the higher the bid they stand to win. It's been like this for decades; these days it's in the Information Security realm. Bottom line, it's business as usual.

    PS: It's highly likely though that "sophisticated adversaries" are out there and they are inside "your" network.
