What If Cyberweapons Are Not Stored Securely?

Transcript

Opening

Hello, everybody and welcome to What's the problem, the show that explores problems, situations, scenarios, issues, and more in the world of cybersecurity today.

Today, we are fortunate enough to have Shearyar Kahn joining us.

Conversation

Mike Krass: Shearyar, say hello to our listeners.

Shearyar Kahn: Hi, all. Wonderful to meet you. Thanks for having me.

Mike Krass: We're glad to have you, sir. Now tell our listeners, why are you qualified to talk about security?

Shearyar Kahn: I have about four years of experience in cybersecurity: three years on the software engineering side, where we work on cybersecurity products, and one year as a sub-analyst. Cybersecurity has been a passion of mine and I've been researching its history, all the technology, and where this technology is leading us.

Mike Krass: I love the background stock analyst building products with security components. You are an awesome background to bring to our listeners. And usually, in our second question, I ask our guests what the problem they want to explore with our listeners is. But today, actually, you and talk in advance. And I know exactly what you want to talk about. We talked about this concept of mutually assured destruction in the world of cybersecurity or like a cyber-geddon. Let’s talk about that a little bit. What does cyber-geddon mean? Is this even realistic, or are you and I just inventing something big and scary for listeners?

Shearyar Kahn: Cyber-geddon is the idea that the United States and other countries like Russia and China have cyberweapons that can deal a huge blow to the cyber infrastructure, electrical infrastructure, or anything digitally related that will have a devastating impact if they go offline for months or a year.

Now, this might sound like a work of fiction, but no, these weapons do exist. What happened during the Cold War was that the United States, Russia, and, to some degree, China all had nuclear weapons, and the release of one of them would cause the release of all nuclear weapons. During the destruction of the countries and the conflict with cyberweapons. The issue there is that one. It's easily reproducible.

If you can also steal the source code of the cyberweapons, it costs no money to engineer the attack or release the code. It's infantry reproducible, so that's one thing that's even scarier than nuclear bombs. Nuclear bombs take an entire nation's resources to invest in a cyberweapon. Maybe ten, twenty, or a hundred people at most engineering on it. And then, if it's locked behind the wall, it's safe at the moment. But if it ever gets released, devastating attached.

Now, you might think, "Okay, so what?" There are these types of weapons that don't mean anything. We've never really heard of one we have. One cyberweapon did get released around 2014 or 2015. What happened was that one security group managed to release the NSA's tropical secret cyberweapons. One of them was Eternal Blue. Eternal Blue was an exploit that allowed viruses and worms to traverse networks, in fact, windows computers that were in patch through the SMB portal. And this allowed these worms to rapidly spread and affect millions of computers within days. The famous WannaCry ransomware type, one of the first ransomware coming into the mainstream, was based on Eternal Blueprint. This was the first case of a cyberweapon being used in action that got released accidentally. Now, this WannaCry ransomware attack was the basis of another weapon attack that has been used in more recent times.

Mike Krass: I was going to say, tell me, allow me to reflect on what I just heard. In reading between the lines, I heard safeguarding cyberweapons is a serious thing that sounds silly to sell out, but it is a serious business in and of itself. Not just because of that exact weapon, their safeguarding, whether it's the NSA or another state-run organization or group, but it's actually what can be created off of that. It's almost like if I can make up a term like a hop weapon; you're probably familiar with the hop. Let's take Eternal Blue, and then let's just make some adjustments. Voila! We have a brand new weapon. Do I hear that correctly? Am I reflecting that back accurately, too?

Shearyar Kahn: No, you're right. That's exactly what happened. From the WannaCry ransomware, many more ransomware attacks based on Eternal Blue were created and exploited in the wild. One major cyberweapon used in a conflict in 2017 was the Ukrainian NotPetya ransomware attack. This was an actual cyber war happening.

NotPetya ransomware attack, which was a region of Russia at the time, happened on June 27, 2017. And this ransomware attack afflicted banks, ministries, newspapers, and electricity firms, pretty much took all of them offline, and they were all fine for days. People couldn't access ATMs, and banks couldn't access their own credit cards. They couldn't access the Internet. We’re offline, their doctors couldn't access their patient's charts, and that was for a couple of days. And a few hundred people died because of it, because of lack of access. If that happened over months to a year, the casualty could go into the millions easily because people need access to medical care, and many medical cares is online.

If you can't get access to care or help immediately, as we are interconnected today, you will have a lot of casualties very quickly. And the worst part about these weapons is just like nuclear weapons, where the effect of us lingers in that area, it spreads. The same thing happened with this NotPetya ransomware attack, to be more specific. Basically, there was this accounting software called M.E. Docs that almost all their accounting firms used and most companies in Ukraine. It's like the Excel of the United States and European countries. And what happened was that the update server got infected. This update server got infected and infected the newest update package, and that malware quickly spread through eternal blue through internal networks. And then, at the end of it, what happened was that it didn't stop at Ukraine. It went towards, in fact, 27 other countries like France, China, and international airports, and it even cost the United States companies like FedEx $300 million at the end of it.

So what started from a localized just one country started affecting major shipping industries and other companies in other countries. At the end of it, Russia or whatever organization was in Russia decided to stop the attack because now starting to affect Russian companies. They couldn't control it because the worm just did what it did the best spread. So, what's more dangerous to target a cyberweapon is a cyberweapon used without knowing what the consequences could be. We saw almost a billion dollars in loss for only about three days worth of effort.

Mike Krass: Now, last question on this topic before we transition to the end of our show. All these examples make me immediately go. What can I do to protect my organization? Are there any action items, checklists, or little information nuggets you could share with our listeners so that they can think about how to protect themselves against somebody's very serious cyberweapons?

Shearyar Kahn: Sure. What makes these cyberweapons so dangerous is their capability to spread. There's a very easy method to stop the spread of these worms or viruses. Have separate VLANs and different levels of access in your internal networks. Many of these companies don't have separate VLANs protecting their most secure or necessary servers and their least needed resources. They were on the same network. Because of that, the virus more easily able to spread. A lot of times, companies need to implement the necessary defensive procedures to stop spreading. Think of it as a well, I guess, in terms of the pendant we're currently living in of a virus, like an actual biological virus, you want to separate it so it contains it so that you can deal with it.

If anything is affected, you can remove it from the network and slowly bring things up online. And that's one thing you can do. The other thing is to make sure you're always updating to the newest versions for your patches, as long as they don't affect your business. It's very important always to be updated with the newest versions of patches.

Mike Krass: I do have one follow-up question here. What about the business? They might listen to this business owner or leader and hear all this patching. I can get down with that. I can get on board, separating and instructing our IT department to separate bits of our network. What are the questions if you were to call somebody at Google My Business apps or at Microsoft Office 365? What questions would you ask to determine some of their security protocols and whether they would help your business or not?

Shearyar Kahn: Am I asking for a security vendor how they would help me?

Mike Krass: Yes, for example, in our business here at MKG, we use all of the Google Business apps. And so a lot of times they have some basic documentation about security protocols. But if I wanted to know more about them, about my vendor, what would be the question or questions if I was really worried about some of these more serious cyberweapons?

Shearyar Kahn: What's the least number of ports I need to open on my server to conduct my business? What can I do to harden my infrastructure? How much privilege do I need to give you to do their everyday jobs? What assets are on my network? Anything that I can do to limit access to users, to myself, just to perform the necessary functions of my business.

That's what I want to ask because that's most of what cybersecurity is. If you know what's on your network and what ports are needed to conduct your business, if you know what you need to do every day to get things done and there's nothing else you need, shut those things down. You can focus your attention just on that. You just need to have knowledge of what your business needs fully and then just go after that and shut everything down, and you'll be much safer than many other companies.

Mike Krass: That's a great checklist of sample questions, and I can even hear it. As Office365 might say, “Hey, we provide up to 100 quartz.” But asking the question, “How many of these do we need? and “These are the types of business activities we do.” We might need not need all 100 open. It's great that you've got them if we need them, but I'm not asking you for 100 a day. I'm just making up the number 100.

Of course, that seems like such an easy way for the listeners to think about the right questions to ask and then have right sized products or solutions provisioned from our vendors. Seems like just real easy wins. You can give me 100, but I don't need them. So let's shut these unused ones down and keep them shut unless I tell you otherwise.

Shearyar, I appreciate you dropping some of this knowledge on our listeners. The final question of every episode is to tell us about a terrible haircut you've had at some point in your life.

Shearyar Kahn: Sure. One time when I was about 10th grade, I had bushy curly hair. They're my sideburns, and I said I don't want anything off the top. But I forgot to tell them only to take a little bit off the side. And because of that, I came out with a haircut looking like Marge Simpson. It's a short version of Marge Simpson's haircut. So that was an annoying time for a month. I thought it was pretty funny at the end. I guess that's a great visual.

Mike Krass: I can see it. Shearyar, I appreciate you stopping by the show and sharing your background and knowledge with our listeners. Often, listeners will tune into an episode and hear something they want to know more about. If somebody wanted to reach out to you professionally, what is the best way for them to get in touch with you?

Shearyar Kahn: They can reach out to me at my email, shearyarkahn.cybsec@gmail.com, and I’ll definitely reply immediately. I'm always on my phone. I'll see your email right then and there.

Mike Krass: Awesome.

Outro

We appreciate you tuning into What's the Problem, the show that explores problems, situations, concerns, and scenarios—apparently cyber-geddon in today's episode.

Thank you, listeners, for tuning in, and we'll see you on the next episode.