Risk Assessment: Exceedingly Vast
Birmingham-based cyber security expert Daniel Clemens weighs in on global threats, the Sony Pictures hack and security practices even small companies should be doing better.
Daniel Clemens, founder of Birmingham-based Packet Ninjas.
Photo by Cary Norton
Daniel Clemens is the founder of Birmingham-based Packet Ninjas, a small cyber security company that counts among its clients Nasdaq, Harvard University, Energen and the Retirement Systems of Alabama.
Clemens, who began as a hacker (“nothing nefarious”) in high school, appears as a speaker at security conferences such as BlackHat, Defcon, DOD DC3 Cyber Conference and U.S. Army Cyber Power. He has been frequently cited as a source in news reports about the Sony Pictures hack, including stories by CNN, Reuters, Bloomberg, CNBC, the New York Times and the Huffington Post.
Most of this interview was done one week before the Sony attack on Nov. 24, but we followed up on that subject in late December.
I’ve looked at the evidence — there are only about three groups that have looked at the evidence — and I can tell you it was North Korea. We analyzed the information, not just providing opinions. We worked with two other companies, and they provided good evidence that backed their theories, and we provided evidence that supports the conclusion that North Korea was behind this.
You need only a team of three or five guys to be sophisticated enough [to accomplish the attack on Sony]. These tools that they used were customized for a team, although it looks like they had a larger amount of people involved than three to five. But you can take over a country with a small amount of people.
Sony had four people in their security department, for a super large organization. They had a CEO who said, “We have good enough security,” which is the common downfall of an executive who doesn’t know what he is doing, who treats security as a checkbox item. You have to have a recursive judging and reassessing of the situation and adapting to security needs, and that’s an ongoing thing, and they could have done a lot of things differently. They could have had better outbound firewall rules, more security around data at rest, they could have not stored passwords on Excel spreadsheets. They did every possible thing wrong.
All businesses need a security policy. It should be part of their business continuity plan. This is somewhat subjective, because security is rarely engineered into a business process. Small, medium and large businesses also face challenges, since they may not have the budget for a dedicated security role in their staff. Because of this, the role is often placed upon someone that has computer skills in their office. Sadly, and more often than not, this scenario fails, because they do not have the ability to place an accurate gauge on the risk. The security policy and practices should be taken as seriously as their other business plans and tested periodically for their effectiveness, just like their accounting functions. If small businesses don’t have the technical ability to address their security needs in-house, it’s a good idea to farm this out to a managed services provider. However, this does not negate the need for testing.
Is industrial espionage being conducted through cyber attacks?
Most definitely. We have been involved in many of these complex attacks internationally since 2006. The mixture of corporate espionage, organized crime and cyber attacks has been our niche for some time. It is a costly thing to respond to — investigation — and provide meaningful strategy.
How can stock markets and other publicly traded markets assure their investors that the systems are not breached or rigged?
I think the greater risk to stock markets is the current manipulation that has been occurring by the Federal Reserve, mixed with a message that lawlessness is ok if one person says it is. Confidence in the markets is more tied to the trust in our currency. Currency security — through the optic of cyber attacks — comes down to timing attacks, which can effectively have an effect downstream. Timing attacks could be placed against network time servers, and GPS time servers, where time/drift is a concern. Think of all the dependencies that go into maintaining an effective currency trading practice. There are programs; who developed them? Who audited the programs? There are networks; who set them up? Who sold equipment to that provider? How was an aggressive penetration test performed for security vulnerabilities applied? Is there any transparency in the process? How are the clocks syncing up? GSM? Satellite?
Is there risk for stock markets from cyber attack? Most definitely. We have helped respond to some of those attacks when Moody’s will downgrade a country, or remote attackers have compromised stock exchanges in foreign countries. We have even helped Nasdaq in some of the attacks they had over the years.
The Achilles heel for assurance lies in having a separate team assess the code quality, implementation, design, logic and configuration of a system, routinely. Brian Snow from the NSA (former National Security Agency technical director), who led the cryptographic design team, wrote a great paper in the ’90s stating, “We Need Assurance.” He just happened to articulate the problem correctly many years prior. The problem we have today is a buzz of “cyber security,” lacking context. For instance, now that the need for assurance or assessment/penetration testing is more mature and understood, it is hard to understand who has depth in the field. Many will offer lightweight solutions, while leaning in on figuring out vulnerabilities, and their exploitability is a hard nut to crack and requires a certain type of person, team, and years of understanding in many areas.
Shifting to a nation state attack, I can only imagine the problems that could occur if a small, dedicated team of less than five wanted to start wreaking havoc on a state-by-state basis. Think of a scenario and it can likely be done. For instance, we believe, with less than 5000/hardware, we could drive around the state turning off power stations. This would be pretty bad. How would someone respond to this type of attack if it was persistent and fueled by a small group?
State-sponsored actors are growing and have been growing for years. In the last 12-16 months we have seen significant changes after the Snowden leaks. Every country under the sun now is trying to meet the NSA’s capabilities or exceed them. Couple this with the reality that you only need a small group of three to five people to run an effective attack team and the return on investment is vast. Exceedingly vast.
Chris McFadyen is the editorial director of Business Alabama.