The Importance of Being Earnest in a Global Economy: Allegations, Non-Repudiation and the Value of the Irrefutable in Information Security

This week, Will from Cassandra Security steps up on the Fudsec infosec catwalk for some aurorasomeness (sorry, couldn't resist).  I've got three words for you: data, data, data.  I'm done.  Thanks a lot Will!

By Will Gragido

The Danger of Allegations

Mob mentality is a scary and dangerous thing.  History has proven that time and time again.  Our industry is not immune to this.  In fact, in many respects, it is quite good at perpetuating the madness.  Understanding the interplay of fear, uncertainty and doubt within the cultural zeitgeist and attitude is not only important, but critical.  As a result, we must strive to prevent errant thought and irresponsibility within our profession and industry without sacrificing our ability to think critically.  Avoiding sensationalistic allegations pertaining to cyber-boogiemen, real or imagined, is of paramount importance so that we are not perceived as a collective body of ‘chicken littles’.  Sensationalism is fine for carnivals and circuses, and allegations for the tabloids, but not for an industry where the lines between logical and physical threats are blurring to an ever-increasing degree.

Examples of Allegations in Recent History and Their Role in Driving FUD in Matters of Information Security

Several powerful examples can be drawn from recent history that articulate and underscore this point.  Allegations are often made in the absence of comprehensive data.  Disturbing, yes; unrealistic, no.  With enough circumstantial evidence, arguments can be made with respect to onus and responsibility for events of interest in almost all circumstances.  This is true whether one is speaking of fiduciary malfeasance, large-scale cyber criminal cabals, state-sponsored activity or what Aunt Sally said to Uncle Phil.  In some cases this is necessary misdirection; in other cases, it is simply irresponsible and Barnumesque.  Regardless, it is vitally important that a clear understanding of the word ‘allegedly’ exists in your lexicon in order to avoid pitfalls.  Understanding it will aid you in both your daily and your professional life.  The word ‘allegedly’ can be defined in the following way:

•    A declaration that cannot be proven or substantiated; a claim with questionable supporting evidence.

The ‘Aurora’ attacks, or ‘Operation Aurora’ (named by Dmitry Alperovitch of McAfee), of recent history are excellent examples of the power of allegation wielded in the absence of irrefutable evidence.  Beginning in mid-December 2009, this event of interest, colloquially referred to as ‘operation aurora’, took on a life of its own.  The first to publicly (and this is important, folks) address and speak about it was Google (in a blog post made in mid-January).  It should be noted that Google stated that the attack ‘originated’ in China, and that though U.S. Secretary of State Hillary Clinton issued a brief statement condemning the attacks and requesting a response from China, neither she nor Google blamed the Chinese Government or accused it of being responsible.  That is of paramount importance.  Why?  In part because there was not sufficient evidence to suggest or warrant such allegations, yet sensationalism (and the media momentum associated with it) built like a tsunami.  Over time the attack was said to have targeted several organizations including, but not limited to:

•    Adobe
•    Juniper Networks
•    Rackspace
•    Yahoo!, Inc.
•    Symantec, Inc.
•    Northrop-Grumman
•    DOW Chemical

Researchers the world over exhaustively pored over the Microsoft IE zero-day vulnerability used in the compromise in order to analyze and assess the possibility of derivative exploitation.  Commentary on the level of sophistication ranged from ‘very’ to more ‘elementary’.  Media figures, industry pundits and people the world over who had previously assumed that concepts such as advanced persistent threats and subversive multi-vector threats (the author is of the opinion that these threats are absolutely real, but that they are non-trivial in terms of architectural intent) were the stuff of which cyber-boogeymen are made began changing their tunes.  Unbridled allegations and assertions were being made even as, on an almost day-to-day basis, more information was coming to the surface.  Onus and responsibility were shifted away from the Chinese Government and re-focused on two universities within China.  Some argued that this could be a cleverly devised diversionary tactic of the Chinese, while others entertained other, equally plausible (in my humble opinion) explanations having to do with China being effectively ‘framed’ for this event of interest.

Wake Me When It’s Over: Reality Checks in the Midst of Chaos

The reality is that without careful intelligence gathering, the application of analytics and thorough vetting of data, we are left to speculate, arrive at best guesses and thus produce statements which include, for better or worse, allegations.  Put another way, unless we have a need to know (and there is something to know), we most often don’t know what we don’t know.  We need to understand, as information security professionals, that there is a danger in mad speculation.  It more often leads to a state of imbalance rather than control.  We must think more clearly so as to avoid mistakes from which extraction could prove difficult at best.  China is an easy target.  We do know they are active in the proliferation of cyber-warfare tactics, methodologies and strategy; however, we must be careful to avoid throwing the baby out with the bathwater, lest we find ourselves the accused as opposed to the accuser.

Closing Thoughts

The world and our interactions within it are changing; as such, the ability to approach these challenges dynamically while maintaining the appropriate mindset is critical.  The ability to think and consider things in an asymmetric fashion in a symmetric world is of the utmost importance and greatly influences non-repudiation.

  1. The threats are real, but we need to assess the data carefully and in a manner not driven by hysteria.
  2. In the absence of irrefutable proof, we risk much when we make allegations; we need to be careful.
  3. As my colleague Josh Corman and I were discussing this, it occurred to us that we will always lack 100% irrefutable proof, but that we must make decisions for the greater good predicated on the best intelligence we have at the time.
  4. As a result, we must be more highly attuned to FUD and its impact on tactical and strategic information security, as it is easy to be misled.

Your thoughts?