When it comes to taking the security biscuit for 2015, I believe the recent discovery of a security flaw in FireEYE deserves the award for bringing the matter of Security Complexity to our operational attention. However, I do wish to clarify up front that this is by no means a dig at the product in question. In fact I would congratulate the company for getting a patch out to mitigate the exposure in such a very tight window of just 2 days, so hats off to the FireEYE team [let us hope more learn a lesson from the FireEYE response to a reported exposure].
First of all, the reason why I feel this exposure is so very interesting is, what was referred to as “666” was dubbed as “Ultra Critical”, bringing a whole new meaning to the threat landscape of security patches and fixes – but then I can see why “Ultra” is so very appropriate for the following reasons:
1. This is a security flaw in a product that is actually deployed to defend the operational environment – yet can be exploited to circumvent security, and act as a potential launch pad to compromise assets.
2. That here we are considering an appliance which needs to face the Internet – and so makes it even more critical when it comes to any active, or Ultra security exposure which is facing the Red wire on the Firewall.
3. The fact that the attacker only has to send an email to a user to gain access to a persistent network tap is alarming [as reported by Googles Project Zero] – and as the recipient would not even have to open it to accommodate the hack, for me is the true nightmare scenario.
4. That the persistent issue of Admin/Privileged Access being used every day by multiples of users to conduct their BAU activities, would seem to add to this this security flaw, and to play into the hands of the attacker by offering up the opportunity of an extended logical path of inter-cooperation connectivity.
5. That this discovery also implicates users with out of service devices, but which may still be resident on the network
The bottom line here is, it is not that the FireEYE appliance itself is the real issue. It is the combination of the current complexities of network security management, multiples of devices which need patching, bad end-user practices, and the breakdown in what we call Security Education and Awareness – which for most of the time pays lip service to the real Cyber Threats.
Many of us will also be able to attest that there are multiples of organisations today who are hosting out-of-service/patch appliances and applications on their operational/production networks, which nevertheless are still open to the odd ping of two.
It is thus my humble opinion that it is not so much about FireEYE has fallen foul to a security flaw – it is the everyday expectation that exist in multiples of organisations who rely so very much of appliance and equipment to do their dirty work, and defend their network from those internal bad practices we tolerate – which when such critical devices fail, we can see that situation of the Perfect Storm coming to pass at the open red front door facing the Internet.
For 2016 and onward, I believe the answer to the Cyber Security Challenge is still that old concept of Defence in Depth – and then, and only then when we have a high security dependencies fail at the front door will we be in a position to have a higher degree of security, knowing that the element of total reliance has been removed from our landscape of security expectations. In fact, whilst we are on that note, I pose one question “Have you risk assessed the probable impact on the improbable occurring to one of your High Security Dependence Devices?” – remember there is no such thing as a Silver Bullet!
To close, may I thank you to all who have read my articles over this last year – and may I wish you one and all a very Happy Christmas Holliday, and a Secure 2016.