Skynet Closer Than You Think: Protecting Users and Humanity Against Themselves
There is a running joke around the office that running the world’s most enormous security cloud carries its share of responsibilities. Updating it with 120,000 new security updates per day and augmenting it with Artificial Intelligence and Machine Learning will cause it to become self-aware somewhere around the year 2022, when it will realize that humans are the weakest link in security and take appropriate steps. This joke is not too far from the truth: studies, surveys, and post-mortem analyses have shown that humans are still the most vulnerable link and therefore the most targeted by attackers. Of the many hacks and breaches strewn across the headlines, many can be attributed to a user’s lapse in judgment or lack of security training.
A police officer in Florida clicks on a link in their inbox and all of the county’s computers are locked out with ransomware. A corporate controller receives frantic wire transfer instructions from someone posing as the CEO and companies lose millions of dollars through business e-mail compromise. An employee of a value-added reseller (VAR) has their credentials stolen through a phishing attack and now attackers have access to their customers’ Office 365 and Azure environments. A user believes they are downloading the latest version of the mobile game Fortnite, but instead downloads and installs a trojaned version which allows attackers to completely take over the phone and use it as a beachhead to access the user’s corporate network.
All of these scenarios are not only plausible; they happened when attackers took advantage of human nature. Humans inherently want the most natural and most straightforward solution to their problem, and that often overrides good security practices. This phenomenon was observed in Ukraine, where employees put state secrets at risk of compromise.
Officials in Ukraine report that some nuclear power plant workers with idle time and looking for some extra side cash connected an air-gapped network of the plant to the internet to mine cryptocurrency. After an investigation, authorities seized several crypto mining computer rigs from the nuclear power plant, placed there by workers who wanted to use the plant’s power instead of their own to mine cryptocurrency. With the recent run-up in cryptocurrency prices, it has once again become profitable for people to use powerful computing machines such as high-end gaming graphics cards (GPUs) or dedicated mining rigs (ASICs) to mine cryptocurrency. The major drawback for cryptocurrency miners is that, in addition to the expensive hardware, mining the coins requires enormous amounts of electricity.
Some bright or bored workers figured that they could hook up their cryptocurrency mining rigs to their workplace’s power system to generate the coins essentially for free. A problem arose when they found that their administrative computers were air-gapped and not connected to the internet. Cryptocurrency mining works by downloading a complex problem from the internet, using high-power computing infrastructure to solve that problem, then uploading the solution. When multiple people work on solving that problem, they join a pool, and each worker receives a proportion of the reward according to how much work they contributed. The plant employees looking to capitalize on the recent uptick in crypto prices found a way to connect their air-gapped machines to the internet to utilize their mining rigs’ computing power. In doing so, they put Ukrainian state secrets at grave risk.
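The paragraph above compresses how proof-of-work mining and pool payouts fit together. The following is an added illustration, not code from the original post: a toy miner brute-forces a nonce until a double-SHA-256 digest falls below a target, and a toy pool credits workers for lower-difficulty "shares" and splits a block reward in proportion to the shares each submitted. The header bytes, difficulty values and worker names are constructed for the example; the hash construction mirrors Bitcoin-style proof of work but the pool is a simplified, hypothetical model.

```python
import hashlib
from dataclasses import dataclass, field


def hash_header(header: bytes, nonce: int) -> bytes:
    """Double SHA-256 of header||nonce, the Bitcoin-style proof-of-work digest."""
    data = header + nonce.to_bytes(8, "little")
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """True when the digest, read as a big-endian integer, has at least
    `difficulty_bits` leading zero bits, i.e. it is below 2**(256 - difficulty_bits)."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(header: bytes, difficulty_bits: int, start_nonce: int = 0,
         max_tries: int = 1_000_000):
    """Brute-force nonces until one meets the target.

    Returns (nonce, tries) on success or (None, max_tries) if the budget runs out.
    Every extra bit of difficulty doubles the expected number of hashes, which is
    exactly why mining turns electricity into coins.
    """
    nonce = start_nonce
    for tries in range(1, max_tries + 1):
        if meets_target(hash_header(header, nonce), difficulty_bits):
            return nonce, tries
        nonce += 1
    return None, max_tries


@dataclass
class Pool:
    """Hypothetical mining pool: workers prove effort with easy 'shares' and the
    block reward is divided in proportion to accepted shares."""
    share_bits: int          # easier target a share must meet to earn credit
    block_bits: int          # real network target that actually earns the reward
    header: bytes            # work unit the pool handed out (constructed)
    shares: dict = field(default_factory=dict)

    def submit(self, worker: str, nonce: int) -> bool:
        """Accept the share only if it meets the share target; invalid work earns nothing."""
        if not meets_target(hash_header(self.header, nonce), self.share_bits):
            return False
        self.shares[worker] = self.shares.get(worker, 0) + 1
        return True

    def payout(self, reward: float) -> dict:
        """Split `reward` proportionally to accepted shares."""
        total = sum(self.shares.values())
        if total == 0:
            return {}
        return {w: reward * n / total for w, n in self.shares.items()}


if __name__ == "__main__":
    header = b"constructed-block-header"
    nonce, tries = mine(header, difficulty_bits=16)
    print(f"block nonce {nonce} found after {tries} hashes")

    pool = Pool(share_bits=8, block_bits=16, header=header)
    # Two constructed workers search disjoint nonce ranges and submit their shares.
    for worker, start in (("alice", 0), ("bob", 500_000)):
        n = start
        for _ in range(3):
            n, _ = mine(header, pool.share_bits, start_nonce=n)
            pool.submit(worker, n)
            n += 1
    print("shares:", pool.shares)
    print("payout of 1.0 coin:", pool.payout(1.0))
```

The point a defender should take from the toy is that share validation is the pool's only lever: the pool cannot see a worker's hardware or power bill, so a rig plugged into someone else's power supply looks like any other contributor.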
Air-gapped networks typically house vital information or run critical infrastructure such as power or water. After China allegedly hacked into Lockheed Martin and stole plans for the next-generation F-35 fighter jet, Lockheed took the extraordinary step of air-gapping its network for the F-35 project. There have been countless talks and techniques on exfiltrating data from air-gapped systems, including utilizing hard drive vibrations, ultrasonic sounds, and strobing LEDs.
Why would attackers go through all that trouble when the users are doing the work for them? By connecting the air-gapped network to the internet, the employees exposed the nuclear power plant’s network to the outside world and made it vulnerable to attack. Industrial control systems and SCADA systems are not always designed with security in mind, since they are typically only used in air-gapped networks where an outside attack is not possible. The cryptocurrency mining rigs were also not hardened against attack and could easily have been used as a pivot point for attackers to gain access to other systems in the plant. Russia allegedly attacked the Ukrainian power grid multiple times, and despite all of the efforts to secure those networks against further attack, the end user has undone years’ worth of work and hundreds of millions of dollars in security controls.
The operation in Ukraine would not be the first time that employees abused their employer’s resources (power and internet) to mine cryptocurrency. Last February, Russian police arrested several employees of Russia’s Nuclear Center who used its supercomputer not to further study nuclear fission reactions but to mine cryptocurrency. A month later, Australian officials discovered that employees at the Bureau of Meteorology were abusing its state-owned supercomputers to mine cryptocurrency as well. Not to be outdone, an employee of the Romanian National Research Institute for Nuclear Physics and Engineering brought a cryptocurrency mining rig to work and plugged it in to supplement his state-backed paycheck.
Organizations need to understand that they must secure a network they do not control. All of the perimeter firewalls, DLP, and IPS devices will not be enough once the internet becomes the new corporate network. With 5G on the horizon, employees may choose to tether to their wireless hotspot instead of their corporate network because it is faster or lacks the security controls that prevent them from doing their jobs more efficiently. Protecting users by building a perimeter around the internet is the most efficient way of securing and improving the new corporate network. With users typically being one of the weaker links in security, it is often necessary to implement security controls that protect users against themselves. When security organizations assume that users will forget or disregard all of their security training, they can build systems that are resistant to user behavior. Utilizing an always-on security service with SSL inspection, enabled wherever the user connects from and routed to the nearest security data center, will significantly improve security and user experience. Perhaps protecting users against themselves will stave off Skynet for a few more years and save humanity. If we do not, we will need to find and secure John Connor before the rise of the machines.
Cross-posted to: https://www.chrislouie.net/
Originally published here: https://www.linkedin.com/pulse/skynet-closer-than-you-think-protecting-users-against-louie-cissp/