One Article Review

Home - The article:
Source: Errata Security
Identifier: 3067990
Publication date: 2021-07-14 20:49:05 (viewed: 2021-07-15 01:05:29)
Title: Ransomware: Quis custodiet ipsos custodes
Text: Many claim that "ransomware" is due to cybersecurity failures. It's not really true. We are adequately protecting users and computers. The failure is in the inability of cybersecurity guardians to protect themselves. Ransomware doesn't make the news when it only accesses the files normal users have access to. The big ransomware news events happened because ransomware elevated itself to that of an "administrator" over the network, giving it access to all files, including online backups.

Generic improvements in cybersecurity will help only a little, because they don't specifically address this problem. Likewise, blaming ransomware on how it breached perimeter defenses (phishing, patches, password reuse) will only produce marginal improvements. Ransomware solutions need to instead focus on looking at the typical human-operated ransomware killchain, identify how the attackers typically achieve "administrator" credentials, and fix those problems. In particular, large organizations need to redesign how they handle Windows "domains" and "segment" networks.

I read a lot of lazy op-eds on ransomware. Most of them claim that the problem is due to some sort of moral weakness (laziness, stupidity, greed, slovenliness, lust). They suggest things like "taking cybersecurity more seriously" or "do better at basic cyber hygiene". These are "unfalsifiable" -- things that nobody would disagree with, meaning they are things the speaker doesn't really have to defend. They don't rest upon technical authority but moral authority: anybody, regardless of technical qualifications, can have an opinion on ransomware as long as they phrase it in such terms.

Another flaw of these "unfalsifiable" solutions is that they are not measurable. There's no standard definition for "best practices" or "basic cyber hygiene", so there is no way to tell if you aren't already doing such things, or what gap you need to overcome to reach this standard. Worse, some people point to the "NIST Cybersecurity Framework" as the "basics" -- but that's a framework for all cybersecurity practices. In other words, anything short of doing everything possible is considered a failure to follow the basics.

In this post, I try to focus on specifics, while at the same time making sure things are broadly applicable. It's detailed enough that people will disagree with my solutions.

The thesis of this blogpost is that we are failing to protect "administrative" accounts. The big ransomware attacks happen because the hackers got administrative control over the network, usually the Windows domain admin. It's with administrative control that they are able to cause such devastation, able to reach all the files in the network, while also being able to delete backups.

The Kaseya attacks highlight this particularly well. The company produces a product that is in turn used by "Managed Security Providers" (MSPs) to administer the security of small and medium-sized businesses. Hackers found and exploited a vulnerability in the product, which gave them administrative control over more than 1000 small and medium-sized businesses around the world.

The underlying problems start with the way their software gives indiscriminate administrative access over computers. Then, this software was written using standard software techniques, meaning, with the standard vulnerabilities that most software has (such as "SQL injection"). It wasn't written in the paranoid, careful way that you'd hope for software that poses this much danger.

A good analogy is airplanes. A common joke refers to the "black box" flight recorders that survive airplane crashes: maybe we should make the entire airplane out of that material. The reason we can't do this is that airplanes would be too heavy to fly. The same is true of software: airplane software is written with extreme paranoia knowing that bugs can l
Sent: Yes
Tags: Ransomware, Vulnerability, Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to follow up on a previous one.