A review of The Fifth Domain by Richard A. Clarke and Robert K. Knake
Both of these authors have strong backgrounds in cybersecurity as it applies to government and the military. Hence the focus of this book. Security of these institutions also carries over into the private sector. The Pentagon buys from private firms as do all branches of the US government. For this reason, total security from foreign intervention must extend to all sectors of the economy. Much of the book is about domestic security, protection from foreign interference to U.S. cyber systems. It does not mean that there are not application all companies can use to increase their own security.
The title of this book is a military term referring to the areas where they have a presence. The other domains are land, sea, air, and space. The fifth domain is cyberspace. An area of conflict that has taken on new significance as it is being used by Russia, China, The United States and other countries to further their interests. Although it presents a military point of view, knowledge of how cyberspace is being maliciously used is helpful to the private sector. Mostly, how companies can protect themselves against this threat.
Cybersecurity must be taken seriously. If you read the book for this reason alone, it is worth the time. It will also provide important information as to what is happening and how to protect yourself. One distinction of this domain from the others is that, while protection of the others are government responsibilities, cyberspace is shared by the private sector and government. This raises ideological questions. Afterall, Walmart does not need to install missiles on the roofs of its stores to protect the air domain. So why does it need to expend money to protect its data? It also means that, whereas no one questions the need to protect a country’s air, land, and seas from foreign interference, cyberspace security must be justified. It is subject to budget reviews and cost cutting.
From the start it is important to realize how much our modern economy depends on cyberspace. Banking, communications, transportation, utility systems and much more all depend on a functioning internet. Damage not only affects national security, but also personal safety. Identity theft and ransomware are now all too common. It is estimated that the cost of a data breach is $141 per record. This is an enormous cost for government and companies to bear. Cyberspace has become part of our infrastructure, just like roads and communications. There is a place for more government involvement to ensure the integrity of this vita sector.
The National Institute of Standards and Technology (NIST)
NIST is an attempt by the US government to prod private companies into improving their security. It started when an official read the book Nudge: Improving Decisions About Health, Wealth, and Happiness by Thaler and Sunstein.
Many officials in the US are reluctant to introduce and enforce new regulations. The solution was to nudge them in that direction. The intent was to publish guidelines on what cybersecurity measures to implement. You can find these at www.nist.gov/cyberframework. Some people find the framework overwhelming. A shorter checklist can be found in the Verizon Data Breach Investigations Report (VDBIR). I recommend reading both of these.
What is obvious from reading the Fifth Domain is that Advanced Persistent Threats (APT) are hard to fend off. Especially if someone at the American NSA or Russia’s GRU is interested in your activities. In which case you have more problems than just cybersecurity. These people have the resources to overwhelm any system. However, most people are not in that state. Instead their situation is that of running from a hungry bear. In this case you do NOT have to run faster than the bear, you just have to run faster than other people running away from the bear. Eventually the bear will catch the slowest runner. Make sure it is not you. To put this in a more common perspective, you lock your car doors after you park and secure your home when you leave. That is because there are people who try car and house doors just to see if any are unlocked. If not, they move on to the next. The same applies to your computer. You make your own system difficult to access in the hope that cyberthieves will move on to an easier target.
The Kill Chain
The kill chain is taken from an Air Force concept and, for our purposes, consists or reconnaissance, planning, weaponizing, and attacking. To most people defense is a matter of watching and waiting while the attacker has the initiative. Afterall, offense chooses the target, the manner, and the time of an attack. It is like the final season of Game of Thrones when the women, children, and the old hid in the Castle dungeon while the young warriors maned the walls and all of them waited for the army of the dead to charge. In fact, an attack is much more involved. During medieval times an attacker had to scout the castle, find weaknesses in its fortifications, accumulate weapons and siege engines, then march an army into unfriendly territory. At any point the defenders could thwart their enemy and make the siege much more difficult. If you read War and Peace, remember that the Russian army never engaged Napoleon directly. Instead they burned fields and homes.
This denied the attackers (as well as their horses) food and shelter. Then the Russian winter set in and finished the job. Now to break down the kill chain.
1) Reconnaissance. In the start of the chain an attacker will search for vulnerabilities in your computer system. They will start with Google and LinkedIn to learn as much as possible about your organization. To thwart them at this stage, limit the information you publish, including on your own website. What is good marketing is terrible security. Some companies will publish false information like fake employees. This way, if you get an email directed to someone who does not exist or someone who has long since retired, there is a good chance that you are being probed and can react accordingly.
2) Planning. At this stage an attacker decides what he wants from your company. It could be to steal information, to hold you hostage for payment (ransomware), permanently delete all your software (wiper), or flood your network to a point where it cannot operate (DDoS – distributed denial of service). The defense at this stage is to publish very little, or false information, about your company and not make it a prime target.
3) Weaponize. At this stage an attacker assembles what he needs. Unfortunately, these are available on the dark web. Remote access tools sell for as little as $500. A kit to engage in ransomware can be had for $5,000. I do not know the legality of these but find it odd that in Canada, where assault rifles are illegal and handguns and tightly regulated, being able to buy cyberattack tools has slipped under the radar.
4) Attack. At this stage the aggressor will begin to probe or launch and all out attack. This is usually done by spear phishing. Here good defensive tools are available. FireEye can quarantine suspicious emails then detonate them, much like the bomb squad. Other software can isolate emails until you determine they are safe. Watchguard does this very well. On your home computer, use Gmail or yahoo. Your mail will reside on a distant cloud server and only downloading an attachment will infect your computer.
Defense can be improved by training employees. There are people who used computers all their lives but still don’t know what to watch for when confronted with suspicious emails. Senders of malicious messages know this and have become sophisticated in disguising their messages. To keep their people alert, some employers use simulated attacks.
These force employees to be more watchful, but then, there is a type of person who never learns. The authors refer to them as the office Dave. Dave represents any employee (male or female) who is careless, trusting, curious and is the one who opens any email, no matter how obvious that it is malicious. He/she has a “let’s see what happens” attitude and is beyond help. This person must rely on coworkers to “have his back.” One company has a cofense button on all computers. This button automatically alerts IT of anything suspicious and they decide what to do. There are also sandbox techniques where emails can be isolated until they are deemed safe to open. Software such as Cylance or CrowdStrike monitor activities within the computer and block any that the model deems to be suspicious. Thus, if employees missed it on arrival, it can be detected by how it behaves.
This illustrates that all employees must work together. Suspicious emails are often targeted to more than one employee in the hope that one of them turns out to be a Dave. Thus, a more alert employee will notice that an email that is suspicious and inform IT in time to have it blocked from the network, hopefully, before Dave noticed it. Employees must have a team attitude. The worker who says: “Yah, I saw it, just deleted it, no big deal” failed to tell the rest of the company about a potential attack.
Information sharing is also important at the corporate level. The Cyber Threat Alliance (CTA) was formed with this idea in mind. Symantec, McAfee, and Fortinet have combined to share information about new threats. Their goal is that any new malware, once discovered, will only be used once. This because, after it is found, all anti-virus companies will update their data bases and block that particular signature from computers using their software.
On the topic of anti-virus providers, their focus is narrow. The five functions of a cyber framework includes: identify, protect, detect, respond, and recover. The five asset classes are: devices, apps, networks, data, and users. Most cybersecurity systems are narrowly focus on devices and recovery. Many are still in the mindset of the late 20th century, believing that if a good firewall, up-to-date anti-virus software, and a proper backup system are all installed, then the job is done. This ignores recent developments and how quickly cyber attackers can adjust to new situations.
Security companies should not focus on one or two problems. Instead they should first focus on resilience. That is, the rapid adaptation to emerging threats. Furthermore, security should be built into software at the start of development and not bolted on afterwards. To many software developers rush their products into production and patch later. If you recall the kill chain, this becomes and exploitable weakness of the system.
Second, security companies should offer a platform on which various software performing different functions can be combined and integrated. They don’t because these companies are predominately private seeking to maximize their profits.
Recovery has progressed. It is no longer a matter of restoring data using backups. Recovery now is a matter of resilience. Examples:
• Content distribution networks like Akamai
• Docker containers that allow applications to be spun up and spun down securely.
• Serverless architecture.
• Immutable infrastructure
• The cloud
Advantages of Using the Cloud.
There are several reasons why using a cloud service is more secure than an inhouse server. The first is that all cloud providers employ a high level of security measures. They have to, any susceptibility to malware is bad for business. The common mind set now is that the office network is more secure. There are even laws that discourage the use of foreign servers for sensitive data. An important reason to enforce security is that a compromise in one area will affect others. For these reasons cloud providers take security very seriously.
Another advantage of the cloud is greater automation. Tasks like securely configuring devices can be done automatically. New security patches can be done immediately and not wait for a scheduled upgrade.
The cloud is also self-tailoring. This means that selected services automatically work together. One can also choose the services and programs one needs. Startup organization like the cloud because it can be expanded as the business grows.
The cloud is self-healing. When things go wrong, it automatically switches to backups. Customers never notice. To make sure that a breach in one area does not affect the entire cloud, containers such as Docker or Kubernetes are used. Thus, applications and organizations on the same machine do not interact.
Implications of 5th Generation (5G) Technology
5G has been in the news lately. However, few people know how it will affect security. People will know that it has arrived by the many relay boxes that will appear on city streets. The band width of 5G does not travel very far, hence the need for the boxes. These will resemble the ones used by the postal service. One important thing this technology will enable is the Internet of Things (IoT). Ordinary devices like your TV or your refrigerator will have access to the internet. So will devices installed on the electricity grid and the gas network. This will enable them to work rapidly but will make them more vulnerable.
Power and Gas companies believe their networks are secure but an incident in Lawrence, Massachusetts shows how vulnerable they really are. In 2018 several fires started all at once in local homes. Some actually exploded. The problem was traced to the gas distribution network which was over pressurized. Utility companies argue that they are safe because they are not directly connected to the internet. However, they neglect the fact that their systems are monitored by a series of gauges and meters. The people who operate them can get incorrect readings which, if unchecked, will result in the wrong responses.
Even if the results are not as catastrophic as what happened in Lawrence, MA, there is always the danger that an area can be sabotaged for ransomware.
Malicious use of IoT can include:
• Seizing control of IoT devices and causing serve damage.
• Using these devices to attack the network
• Using a devices to launch attacks that are now being done by computers.
• Store illicit data. Think child porn or the black web.
• Employ excess computing. People with access to your computer can “free ride” on your system.
Security on a Personal Level
All of this covers what one must be aware of, but what can an individual do to avoid compromising the system. The first thing to keep in mind is that 80% of data breaches are the result of poor or stolen passwords. So, we must discuss good password use. They are the most common access to computers. Biometric security such as fingerprints, retinal scans, and facial recognition are being increasingly used, but passwords still predominate.
To remember, passwords are like underwear,
• Other people should not see them
• They should be changed often
• They should never be shared.
A password should not be used on more than one site. This makes it difficult to remember, so people tend to record them. Writing them down is a bad idea. Hiding them underneath your mouse pad is also bad since this is the first place that strangers will look. Password management software such as Passportal is the best idea. Most of them will help you generate a secure password. If you make up your own, remember that the best passwords are:
• 8 to 10 characters long
• Use upper and lower case letters
• Use keyboard symbols like: !@#$%&
Increasingly, two factor or even trifecta authentication is being used. The latter is based on:
• Something you have, like a cell phone
• Something you know, like a password.
• Something you are, like biometric ID.
Some final thoughts. The first concerns security questions. Do not be obvious. If you are from Edmonton, then most of the world can guess what your favorite hockey team is. Better to use a fake information that only you know. Your favorite hockey team can be the Battleford Grey Geese. Anyone pretending to be you will not find this team on any league table.
Use the most current software. If you are still using Windows XP, like some military branches still do, then get rid of it and upgrade immediately. The vulnerabilities of old software, including Windows 7, are known. Only Windows 10 is safe, for now.
Do frequent backups. Keep several generations. People who deal in ransomware, wait a few days before activating their software. Thus, recent backups will also have an unactivated version. Remember, just like locking your car doors and securing your home will protect you from most break-ins, observing basic computer protection, password management and backups, will protect you from most data breaches.
William Petryk is the resident resource reviewer here at TheGAAP.net. A graduate from the Schulich School of Business at York University and designated CMA, William Petryk is an accomplished accountant with years of experience.