> CISA has observed widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions, hereafter referred to as “affected products.” Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems.
> Agencies running the affected products must assume domain accounts
> associated with the affected products have been compromised.
This looks like a right shitshow.
Ross Anderson did a big group research "The Changing Cost of
Cybercrime" [0]. I forget the number but it came out at several
trillion.
After Solarwinds and the UK Horizon Post Office scandal I am
wondering, how does cybercrime compare against simple incompetence
and hopelessly broken software engineering? How can we measure that to
see just how bad things really are?
Cyber crime definitely exists without incompetence.
Defense is a costly vast landscape compared to attacking. Sure incompetence causes issues and majorly drives my blood pressure, but the problem doesn’t go away if incompetence goes away.
In the Horizon case, and no doubt in many cases to come, the crime is
committed by a company against the public. They tried to pass it off as
incompetence, and blame "systems" but I expect the public enquiry will
lead to criminal proceedings against Fujitsu now.
Big companies may laugh at fines for treating their customers badly,
but I hope to see many more ruinously brought to book for their
criminal incompetence.
> hence, cost of incompetence = cost of all cybercrime + n.
Where n is at least as large as the other part. Scary!
Someone on Bruce Schneier's site noted that about the Anderson
study... that the increase in cyber-crime perfectly tracks the
decrease in street crime. As online fraud goes up, robberies go down.
If crime remains a constant then having shitty software security
is a safety valve - and fixing computer security means physical
crime would rise again.
I don't think we can ever really "fix computer security" because there's so much software being written all the time by just about anyone and the demand keeps growing.
Hacking computers is usually just a means to an end: fraud or theft. Competence is more than just preventing hacks.
This sort of implies the street criminals become cyber criminals, which seems to not be a matching skill set. Call me skeptical of the study I admittedly haven't read.
You literally wrote "If crime remains a constant then having shitty software security is a safety valve" - so there is some implication otherwise how would that work? Why would crime become constant? If these are two different groups of people, why don't we have an increase in both? This explanation seems too simplistic to me.
I can only respond to the part of your question that is coherent to
me. The "how would that work?" part feels ill-formed and something
I've already answered.
But "Why would crime become constant?" is very interesting. For that
we turn to "criminology" [0,1]. Roughly, there are three "layers",
biological, psychological and sociological. All of these are either
fixed, or very slow and hard to change.
Indeed the biggest factors in "how much crime there is" are laws and
reporting, how visible the crime is. Obviously we could make crime
disappear overnight by declaring all behaviours legal. Really, the
justice system can only absorb and respond to what the underlying
social and economic conditions set.
Most crimes are resource motivated [2]. Violent crime makes headlines,
ruins lives, changes votes and is generally undesirable. "Soft" crimes
are less visible and have less impact, especially when they are
against actors that are so immensely wealthy they do not even care
(for example big-tech companies that see huge fines as simply the cost
of doing business as usual).
When we have a fixed pool of criminal potential (set by these
structural conditions), which would you choose as a new criminal
entering the "market"?
And not surprisingly, Pew Research polls showed "violent and property
crimes declined by 51% and 54%, respectively, between 1993 and 2018."
Therefore the hypothesis I was curious about was whether removing the
opportunity for cyber crime (via better security) would have the
unintended side effect of shifting crime back into physical robbery
and theft with its attendant violence.
If I understand your point correctly (I'm trying to solve the "crime rate is constant but these are not the same people" conundrum), we assume there is a fixed pool of criminal potential, with some of these people inclined more to violent crime and others to soft crime, and today we have more favorable conditions toward the latter. If so, I'd arrive at the opposite conclusion: if, instead of removing the opportunity for cyber crime, we also relaxed laws related to violent crime, cyber crime wouldn't magically dwindle trying to stick to some magical constant, because even though the pool might be more or less stable, the types of people for both are mostly different.
so far no word on Ivanti's website about the CVE or exploit, or even a fix.
forcing CISA to walk out of the gate with a nuclear-option mitigation is pretty insulting to the corporations/governments that spend millions on this hokum each year to achieve certification or ATO.
then again SolarWinds was effectively crucified before their customers and somehow --unaccountably-- still manages to hold a 4.5 in the Gartner ratings and enjoys widespread use still to this day in government and private industry.
it feels like security certification at this level is mostly a performative art.
Most Government and Corporate security / IT just aren't some awesome hacker or security analyst. Most just follow some corporate flow chart for security. I once worked at a company that allowed IE only as a browser for security reasons, eventually they allowed Chrome, but not Firefox again for security reasons, their reasoning was: Microsoft and Google are billion-dollar companies. If you try and bring some solid open source software, well where is the X certification? Even though just from using the corporate certified software for 10 seconds you can tell it's not good.
That is a reasonable argument about Chrome! That's not hokum; even some people who have worked on and are invested in the Firefox security and isolation model will concede that Chrome has historically had a material edge there, and it has been reflected in browser vulnerability prices (I don't want to cite the obvious chart here because I think the audience for that thing is message boards and not people working in the field, but it's directionally correct).
There's also the benefit of having one set of controls with respect to profiles and extensions.
You've been known for your hot takes past and present, but this one threw me for a curve.
Is there empirical data on this? I think many in the security industry believe this. I ironically use FF if we can accept personal beliefs since I believe people attack the Chrome sandbox as a badge of honor and I can use containers to isolate state to different personas. That said also anecdata bullshit take on my part.
(1) I think public exploit price lists are bullshit, and mostly about marketing, but directionally they consistently put Chrome >2x of Firefox. You can choose not to take that seriously.
(2) The fact that people attack Chrome as a badge of honor is a reason to use it, not to avoid it. It's why exploits for Firefox would be cheaper.
(3) I don't think my take is spicy at all? I haven't refreshed it in a few years, but when last I did, I don't think I talked to anybody on either side of browser security who felt that Firefox outclassed Chrome (I got a long, valuable Slack thread from a FF security person that I wish I'd saved that built a claim that FF was approaching parity with Chrome architecturally). I have spicy takes, to be sure, but I think I'm giving you a pretty mainstream take from software security land.
(4) Even if you believed Firefox and Chrome (or Chrome and Safari) were at parity, it makes a great deal of sense to standardize browsers, for the reasons I gave previously. The right way to think of your browser "fleet" is as multiple single points of failure; diversity isn't helping you at all. This is one of those "put all your eggs in one basket and guard it" situations.
I don't have any particular personal reason to love Chrome. I'm a Mac person, so I guess the best outcome for me would be for Safari to be perceived as the best browser. Certainly my batteries would last longer! Every couple of years I talk to people about what the landscape looks like; if I ever get different answers, I'll be sure to update my take.
Point made, I meant this take threw me for a curve (not that this too was spicy), re your point 3. I didn't make that clear. I just know your other takes so I was being cute about it. I don't know you that well so 1-4 are valid, and I am famously not a Mac user in my personal life. I know I am full of anecdata and that shit doesn't matter, but I appreciate the detailed follow up to confirm: 616c, your choices are great but not so empirical, here is what I think.
> their reasoning was: Microsoft and Google are billion-dollar companies.
Did you ever see that written down, or was it an assumption or rumour?
I ask because I specifically advise against that thinking and debunk
the "big company = trustworthy" fallacy. But what I find is that
actually there is appropriate low trust of US big-tech amongst the C
level, but they are compelled to use Microsoft or whatever for
non-technical/non-security reasons.
The list of 'approved' software vendors doesn't say it's because they're billion-dollar companies, but if it's from a company on the list that's enough. No further vetting required.
I think where this goes wrong is when Bob in purchasing confuses "can
use this approved supplier" with "must use this supplier" and fails to
notice said supplier about to be bankrupted in court over a
multi-billion security scandal, and goes ahead anyway.
Voila! We just bought a couple million IoT bricks and doorstops that
will be in a landfill next week.
We once had a city IT guy block our deployment because we were vulnerable to CVE-whatever - turned out to be a minor vulnerability in the DuckDuckGo browser.
Certifications (and specifically paying to get certified) are about legally throwing liability on another party, because nobody wants to end up with the hot ball in their hands.
The assumption is that shit will or already has hit the fan, and the question is how to reduce your own liabilities as much as possible by throwing what you can on someone else.
Certifications were and are never about practical or literal security.
A sound banker, alas, is not one who foresees danger and avoids it. But one who, when he is ruined, is ruined in a conventional and orthodox way with his fellows, so that no-one can really blame him.
By definition, everything installed increases your attack surface. The decision to use it or not should be a risk-based one considering the value of what you get from using the product against the additional exposure. Having a single, properly secured and managed VPN appliance is much better than many unmanaged or kinda-managed entry points into a network.
Maybe I've missed it (very likely), is there an enterprise-grade product that allows easy management of WireGuard or OpenVPN for say 20-30k users/endpoints and that integrates easily with Active Directory and a centralized MFA provider? Do these products provide support agreements?
To be fair, I have no love for Ivanti or Zscaler, but I do understand why companies choose them over some standalone, open source products.
My advice tends to be using SASE things like AppProxy - you can have your less-than-stellar enterprise business apps exposed outside of the LAN without putting them up as a target on the public internet.
While you are right there is one pretty important additional point: the whole concept of a network entry point. Building this kind of security perimeter invariably leads to internal security becoming ignored and everything inside the network having some completely informal and random trust relationships with other devices in the network (and usually when that gets documented for the purposes of setting up internal firewalls you get three versions: what really happens, which is a subset of how the firewalls are configured, and then how that is documented).
And this kind of Enterprise VPN with a bunch of buzzwords product tends to be correlated with exactly this approach of totally ignoring what is inside the perimeter and replacing careful design of that with some other “Enterprise Endpoint Security Non-solution”.
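The "three versions" problem above (what actually flows, what the internal firewall allows, what the documentation claims) is easy to audit mechanically once each view is written down. The following is an added example, not code from the thread or from any vendor; the zone names, rules and flow log lines are constructed for illustration, and the log format is a hypothetical `src= dst= dport=` key/value layout rather than any real appliance's. It reports the drift in every direction: rules that exist but are undocumented, rules that no traffic ever uses (dead allows that widen the internal attack surface for nothing), and flows that no rule explains (a path around the firewall).

```python
"""Reconcile three views of internal trust: documented policy, configured
firewall rules, and observed flows. All sample data here is constructed."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str   # source zone / segment name
    dst: str   # destination zone / segment name
    port: str  # destination port as a string, or "any"

    def matches(self, flow):
        src, dst, port = flow
        return self.src == src and self.dst == dst and self.port in ("any", port)


# What the architecture document says is allowed (constructed).
DOCUMENTED = frozenset({
    Rule("users", "app", "443"),
    Rule("app", "db", "5432"),
    Rule("mgmt", "app", "22"),
})

# What the internal firewall is actually configured to allow (constructed).
# Note the two undocumented allows, including a wide-open mgmt -> db rule.
CONFIGURED = frozenset({
    Rule("users", "app", "443"),
    Rule("app", "db", "5432"),
    Rule("mgmt", "app", "22"),
    Rule("mgmt", "db", "any"),
    Rule("users", "db", "5432"),
})

# Constructed flow log in a hypothetical key/value format.
FLOW_LOG = """\
2024-01-11T10:00:01Z src=users dst=app dport=443 action=allow
2024-01-11T10:00:02Z src=app dst=db dport=5432 action=allow
2024-01-11T10:00:03Z src=users dst=db dport=5432 action=allow
2024-01-11T10:00:04Z src=mgmt dst=db dport=22 action=allow
2024-01-11T10:00:05Z src=build dst=db dport=5432 action=allow
"""

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def parse_flows(log_text):
    """Return the set of distinct (src, dst, dport) tuples seen in the log."""
    flows = set()
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.add(m.groups())
    return flows


def reconcile(documented, configured, flows):
    """Compare the three views and return every kind of drift found."""
    used_rules = {r for r in configured if any(r.matches(f) for f in flows)}
    return {
        # Allowed by the firewall but absent from the documentation.
        "configured_not_documented": configured - documented,
        # Documented as allowed but the firewall has no such rule.
        "documented_not_configured": documented - configured,
        # Rules no observed traffic ever used: candidates for removal.
        "stale_rules": configured - used_rules,
        # Traffic no rule explains: a path that bypasses the firewall.
        "observed_without_rule": {f for f in flows
                                  if not any(r.matches(f) for r in configured)},
        # Traffic the documentation does not account for at all.
        "observed_undocumented": {f for f in flows
                                  if not any(r.matches(f) for r in documented)},
    }


def main():
    report = reconcile(DOCUMENTED, CONFIGURED, parse_flows(FLOW_LOG))
    for category, items in report.items():
        print(f"{category}:")
        for item in sorted(items, key=str):
            print(f"  {item}")


if __name__ == "__main__":
    main()
```

In practice the three inputs would come from the design repository, the firewall's exported rule base and the flow/NetFlow collector; the point of the exercise is that each non-empty category is a trust relationship nobody consciously decided on.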
It is where you make administrative changes/adjustments for user access. It sits on your edge and controls what users connect to on the LAN. The "Ivanti Secure Access Client" is the client-side software used to create a VPN/L4 connection to the corporate network via the appliance (physical or virtual).