NMI LLC — Information About NMI

Is Your Head in the Cloud?

Whatever the cloud services vendors want you to think, "the cloud" is not a new concept or even new terminology. The cloud is simply re-invented marketing term for external centralization. Historically the IT world has swung back and forth between more and less centralization over the past 50 years. When someone says "cloud computing" I think "service bureau," because there are many parallels.

• Both concentrate resources with a central provider

• Both offer cost benefits by allowing subscribers to avoid, reduce, or eliminate internal infrastructure

• Both offer improved performance because the concentration of resources allows the provider to develop far more robust infrastructures than most companies can afford

• Both limit subscribers to the provider's service model and application design (i.e., the subscriber adapts to the provider instead of vice versa)

Let's rewind the clock about fifty years and see how the pendulum has swung with respect to resource centralization.

In the 1960s, almost no one could afford a computer, so service bureaus were common (external centralization).

By the 1970s, midrange and mainframe systems became more cost effective, and the service bureaus started to dwindle (internal centralization).

In the 1980s, the PC provoked a spasm of hard IT partying because everyone felt liberated from the tyranny of the mainframes (internal distribution).

In the 1990s, the hangover set in as executives realized that huge departmental server farms were far more expensive than the old mainframes. Companies fell back on mainframes as "super servers" and concentrated server farms under the IT department (internal centralization).

In the 2000s, served applications (aka cloud applications) became more and more common, and finally in the mid-to-late 2000s some bright spark revitalized the old networking term to turn "cloud computing" into the next big thing (back to external centralization—but with a twist).

Usually I use the term "bright spark" ironically or sarcastically, but this was truly marketing genius: knowing that people are always attracted to new and shiny things, something that has existed in one form or another for fifty years was reinvented with a new and shiny name.

Of course there are fundamental differences between a 1960s service bureau and a cloud application provider. First, the cloud provider is connected to the Internet. Everyone is connected to everyone, so the cloud provider doesn't have to build a delivery infrastructure. But there's the rub: "everyone" includes threat agents of all means and motivations. The cloud provider can be taken out if it is even a few seconds behind the curve on patching a vulnerability. Cloud providers actually compound this risk every time they try to add more layers of technological security (I will talk more about the relationship of complexity and security in the next issue).

Second, the cloud provider may outsource or offshore its business functions ranging from its call center to its actual IT infrastructure (the irony is hard to miss). However, the ways in which these outsourcing and offshoring arrangements affect "the cloud" is not always clear, raising significant governance, risk management, and compliance issues.

My point is not that the cloud is bad. There are many applications ideally suited to the cloud model—most specifically those applications that are not not part of an organization's core business. Concentration of resources always improves economy, but it also always increases risk. Considering the number of compromises (including availability issues) that have afflicted cloud providers over the past three years, you should perform a comprehensive business impact assessment before trusting a core business function to the cloud. It's not a matter of if the cloud provider will suffer a confidentiality, integrity, or availability compromise—it's a matter of when.

The Advanced Persistent Threat - Why Worry>

Recently, the RSA division of the EMC Corporation announced that it had been compromised. The announcement states that "certain information" regarding RSA's SecurID token authentication product was stolen as the result of an Advanced Persistent Threat ("APT") attack. This attack will have ramifications for the many organizations that use SecurID—but the more important issue is awareness of the APT.

Should you be worried? APTs target large organizations, government agencies, and organizations of any size comprising the nation's "critical infrastructure." Critical means that the loss of an organization, institution, or industry will have crippling financial, social, and even military effects on the nation. Some organizations, institutions, and industries that should worry about APT are:

• Banks, credit unions, and other financial services
• Public utilities including electricity, water and gas
• Mobile & land-line phone providers, media outlets, and other mass communications companies
• Healthcare providers, especially those providing emergency care
• Public services including public safety and firefighting
• The military and organizations that provide critical supplies to the military
• Any government organization that is closely associated with other APT targets
• Organizations that produce, transport, or sell food and support other vital human requirements
• Large organizations with valuable intellectual property
• Gambling operations and the organizations that support them

There are many excellent definitions of APT, but I'll provide a brief description here.

• Advanced
  • Resources of large organizations, institutions & nation-states
  • Utilize reconnaissance & infiltration techniques, not just attacks
  • Expertise & technology out of reach for most threat agents
  • Sophisticated and coordinated
• Persistent
  • Carefully orchestrated over weeks, months and years
  • Object is not immediate financial gain or disruption
  • Avoids most detective controls (SEIM, IDS, IPS)
• Threat
  • Human coordination & involvement
  • Highly skilled
  • Significant financial & technological backing
  • Target entire critical infrastructure segments
  • Attempt to implant logic bombs, back doors & Trojan horse programs
  • Simultaneous activation may cripple targeted CIP segment

APT attacks are almost guaranteed to succeed over time. The attackers are in no rush, and are ready to exploit any vulnerability quickly and efficiently. Once "inside," the attackers may not take any overt action for some time. The exploit code used may be very sophisticated, to the point where it can intercept commands and operating system functions that might disclose it and return "I'm OK." In that case, virus scanning, change detection, and intrusion detection and prevention will not detect the compromise. Since APT attacks may target an entire industry, the size of your organization is irrelevant. For example, an APT against the financial services industry would target all financial institutions to have the maximum effect on the attack's "zero day."

This is not to say that there is no defense against APT attacks. The threat of APT may be ameliorated by:

• Following basic information security principles
• Applying secure software life-cycle principles to reduce vulnerabilities in purchased and internally developed software
• Include security training in all business and information technology educational programs
• Encourage organizations to disclose attacks as soon as they are detected, and to provide details to responsible entities
• Demand that security vendors cooperate to prevent and recover from APT attacks
• Form APT teams at the organizational, regional, and/or national level that carry out APT activities for the benefit of business and the public

Applying security architecture principles to your entire organization is the best long-term defense against the APT. Unfortunately, security remains primarily an information technology issue in the minds of many Boards and senior executives, and a hindrance to those who want to put their projects in production. Security must be treated as a fundamental business concern, and should be as much on the mind of every person in an organization as cost or time-to-market.

In summary, the Advanced Persistent Threat ("APT") is real, and you may need to consider this threat even if you are a relatively small organization. APT attacks are likely to succeed over time, but applying basic information security principles and cooperating with others within and without your industry can reduce the threat and the impact of a successful APT attack. In the long term, security must become second nature in all areas of business operation—not just information technology.