Posted by John Kindervag on August 25, 2010
FLASH TRAFFIC: This just in!
The Washington Post is reporting a new wrinkle in cyberwarfare. In the article Defense official discloses cyberattack, the Post reports that “malicious code placed on the [flash] drive by a foreign intelligence agency uploaded itself onto a network run by the U.S. military's Central Command.” Perhaps SkyNet has become self-aware, as this malware appears to be able to “upload” itself onto a military network. We ARE nearing August 29th…
Fascinating. Blame the flash drive. Expect the USB bashing to start again soon. SysAdmins all over will be buying up the world’s supply of epoxy and shoving those nasty USB ports full of that goop. Go long on glue manufacturers.
According to Deputy Defense Secretary William J. Lynn III, "It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary." This must be one awesome piece of code – sentient, silent, and “poised.”
Lynn goes on to say: "That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control." There’s the rub – the “code spread undetected.” This wasn’t some flash drive that suddenly sprouted legs and walked up and plugged itself into some machine. This was a piece of custom malware that someone either maliciously or inadvertently put onto some type of PC. The issue isn’t USB ports or flash drives. We need USB – keyboards and iPods don’t work without USB. And flash drives have their place. The reality is that Central Command appears not to have been watching the traffic traversing their internal network.
This illustrates what we believe to be a central issue in InfoSec – perimeter networks are watched and internal networks are not. The solution isn’t to ban all flash drives or to buy glue; the solution starts with changing our Trust Model. The concept that there are trusted and un-trusted users is errant and dangerous. This is something we call Zero Trust. I recently did a teleconference entitled No More Chewy Centers: The Zero-Trust Model Of Information Security. Some of the key components of Zero Trust are that all users are un-trusted and that all traffic, both internal and external, must be inspected and logged.
I’ll be discussing Zero Trust in more detail at Forrester’s Security Forum on September 16, 2010 from 2:00 p.m. to 2:45 p.m. I hope you will join me!