When is an outsider cyber threat worse than the worst-case insider threat?

by Norman Johnson

The one home-team advantage that cyber-defenders have over advanced outside cyber threats is that external cyberthreats are limited to the cyber-nervous system of the organization, as we concluded in our last blog that compared advanced cyberthreats to insider threats:  “...physical access enables insiders to circumvent perimeter or point defenses, exploit conversations with other employees for information or social engineering, observe when facilities are unwatched, or simply map the physical layout of the facility and resources.”  The bottom line is that an external threat, even with advanced resources like Stuxnet, faces core obstacles that limit its access to a facility and its resources, which in turn limit the possible threat missions.  Even Stuxnet had to be initially transported into the Iranian facility by an insider and then relied on the internal facility network to complete its mission.  All of this is good news for the defender because it forces the external threat to use networks that can be monitored and limits the options of the threat mission.  To illustrate the insider advantage, an insider could have accomplished the Stuxnet mission without ever having to use the organization’s network.  An outside cyberthreat could never achieve this level of stealth.

Or could it?

What if the outside attacker could bypass all of the organization’s perimeter defenses and still have large bandwidth and real-time transfers?  What if an outside attacker didn’t have to use the organization’s internal network to move around?  What if the outside attacker had full physical access to the facility and to the conversations of all employees, and could do all of this in real time?  These all sound impossible, but if all of these were true, then the outside attacker would essentially have all the capabilities of an insider threat and, with full access to facility resources and employee conversations, could have the equivalent of insider information on the organization’s defenses and vulnerabilities.  There would be no difference between the stealth and effectiveness of the external and internal threat.  Luckily for the defender, these capabilities are out of reach for the external threat.

Or are they?  

Another home advantage is that insider threats can only achieve their mission with significant personal risk, a direct consequence of physical presence.  The absence of direct personal risk has always been the main advantage of an external threat: detection of the external threat puts only the mission at risk (although some advanced threats have survived long after detection!), with minimal likelihood of direct attribution and with almost no possibility of personal risk.  The more damaging insider threats are less frequent because of this defender home advantage: the personal risk of being caught is a deterrent for insider threats.  Lucky for the defender, the high frequency of external threats, due to the lower personal risk and the greater number of outside perpetrators, is offset by the inherent limitations of the outside threat.

Or are they?

Many of the above disturbing questions about a new level of threat arise each time a new information technology is introduced.  For example, air-gapped security barriers between networks stood unchallenged for decades (except for insider threats) until the USB thumb drive arrived and opened up a major vulnerability.  Each time a new technology is introduced, a major vulnerability is often exposed that the developers of the technology could not have foreseen. Then the defenders or developers attempt to close the window of opportunity. This punctuated advancement of cyberthreats is part of the landscape of innovation in information technology, and will not likely change any time soon because new technologies offer attractive benefits. The list of past disruptive but beneficial technologies is long, for example, wireless networks, Bluetooth devices (e.g., keyboards), programmable embedded subsystems (e.g., Ethernet subsystems),[1] programmable routers/switches, and smart peripherals (e.g., printers).  For each of these, a tension occurs between the defender that is trying to limit the new technology to protect the facility and the users/managers that want to use it to make their work more efficient and/or more enjoyable.  We have all experienced this tension, and more often than not the facility security survived the introduction of the new technology.  Certainly, the introduction of personal smart devices (PSDs) into the workplace will not be different.

Do you really think so?

The tension with PSDs appears to have passed its crescendo in the last year, and bringing your own device (BYOD) to work has won.  BYOD is an acceptable and even encouraged policy. For example, Cisco’s Internet Business Solutions Group reported that, of the 600 businesses included in its study: 1) 95% allow BYOD into the workplace, 2) 76% of the IT leaders in these companies categorized BYOD as somewhat or extremely positive for their companies, with annual benefit ranging from $300-1300 per employee, and 3) 83% of IT leaders see BYOD growing in the future.  The Cisco Global study of BYOD found that 1) BYOD is a global phenomenon, with 89% of IT departments worldwide enabling BYOD in some way, 2) 69% of IT leaders are “positive” about BYOD, and 3) the U.S. is the overall leader in BYOD adoption and policy.  The global study found in 2012 that the number of BYOD devices per employee ranged from 2-4 depending on the country, with the U.S. currently at 2.9 devices and expected to increase to 3.2 by 2014.  Not surprisingly, these studies also capture that IT leaders have security concerns about the presence of PSDs within their organizations, but remarkably only 19% of companies in the U.S. rank security as the top BYOD challenge, with the average being 26% globally and Russia the highest at 38%.  Do the Russians know something that we don’t?

Could be.

A 2013 prediction of mobile threats globally shows that malware on PSDs is on the rise, with the highest incident rate in 2012 in Russia (34.7%), a whopping 87 times the incidence in the U.S. (0.4%).  Why should IT leaders be concerned about malware on PSDs?  The obvious answers are the loss of function of the PSD if infected, the loss of business data on PSDs, and the injection of malware into internal networks.  But equally obvious is that the PSD threats are not of sufficient concern to make IT leaders put security at the top of the BYOD challenges.  Apparently IT leaders think the BYOD security risks are being managed, and we don’t have to worry.

Or should we?

Returning to our opening question, “Can an external cyber threat operate at the stealth and effectiveness of a worst-case internal threat?”: the collective wisdom is that this is not technically possible.  But if it were true, then it would greatly change the security assessment of organizations.  Consider the following threat scenario using PSDs in an organization.

While an employee is getting coffee at a nearby coffee shop, malware is injected into her PSD.  The employee enters the facility with her infected PSD, and during the next few hours the malware spreads to the PSDs of other employees. Soon, the infected PSDs communicate with each other via Bluetooth or wireless, establishing a peer-to-peer (PTP) network across the facility, completely independent of the facility’s internal network, creating a mobile botnet and essentially avoiding all of the facility’s perimeter and network defenses.  Because the coffee house is nearby, the PTP network has a continual connection to the outside at wireless data rates.  Once the independent PTP network is established and connected to remote malware command-and-control, the malware can be updated for specific missions.  The first mission might be to physically map the facility and its resources, a simple task given the PSD’s GPS, video and audio capabilities. The next mission might be to capture all the personal and business data on the PSDs, including emails, contacts and schedules, which can in turn provide all employees’ job titles, interests and social networks for targeting certain assets.  Then the mobile botnet is tasked to spy on all the activities and meetings of a key employee, or to provide an attacking remote team with real-time access to one targeted host deep in the organization, without ever using the facility’s network or triggering any intrusion alerts.

Has your security light bulb lit?  At this point the malware is functioning like an insider threat that can watch and listen to other employees, move around without being noticed, take information into and out of the facility, and inject malware into specific equipment without using the facility’s network.  And the mobile botnet can do some things that even an inside threat can’t, for example, monitor the entire facility at once, be a real-time high-bandwidth connection to the outside, do a distributed DoS on any internal group of hosts/servers, and use collective detection ability to amplify conversations in restricted areas where PSDs are not allowed.  Certainly, these are not possible.

Are you sure?

Whether or not the above mobile threat scenario and capabilities are possible depends on many factors, such as the density of PSDs in the facility and the ability to spread from PSD to PSD.  What do you think, is it possible?  How hard would it be to create and support such a threat? What other missions are possible?  What defenses to this type of threat are possible?  Consider in your reflections that in the summer of 2010 a proof of concept for mobile botnets was presented, and earlier this year an Android-based botnet of 100k devices was documented. And think about this next time you take your PSD into your organization. Observe how you connect your PSD to your workstation or wireless network. Look at how many colleagues have their PSDs nearby.  And how you take your PSD almost everywhere you go.  And how existing restrictions on PSDs in secure areas may not be enough. Finally, try rereading the opening paragraphs of this blog, and see if the above scenario hasn’t changed your view of facility security and particularly the possible naïveté of BYOD policies.
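The density question above can be put into numbers. The following is an added example, not code from the original post: it models a floor of PSDs as points in a constructed layout, links any two devices within radio range, and measures what fraction of devices a hop-by-hop spread from a single carrier could reach. The floor dimensions, device counts and 10 m radio range are assumptions chosen for illustration, not measurements.

```python
import random
from collections import deque

def place_devices(n, width, height, rng):
    """Constructed sample floor plan: n PSDs scattered uniformly over a width x height area (metres)."""
    return [(rng.uniform(0, width), rng.uniform(0, height)) for _ in range(n)]

def direct_links(devices, radio_range):
    """Adjacency list: two PSDs can exchange data directly if they sit within radio_range of each other."""
    r2 = radio_range ** 2
    adj = [[] for _ in devices]
    for i, (xi, yi) in enumerate(devices):
        for j in range(i + 1, len(devices)):
            xj, yj = devices[j]
            if (xi - xj) ** 2 + (yi - yj) ** 2 <= r2:
                adj[i].append(j)
                adj[j].append(i)
    return adj

def reachable_from(adj, start):
    """Breadth-first walk from one initially compromised PSD over direct links only;
    returns the set of PSDs a hop-by-hop spread could reach without touching the facility network."""
    seen = {start}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return seen

def exposure_fraction(n_devices, width, height, radio_range, seed=1):
    """Fraction of PSDs reachable from device 0 for one constructed layout (seeded for reproducibility)."""
    rng = random.Random(seed)
    devices = place_devices(n_devices, width, height, rng)
    adj = direct_links(devices, radio_range)
    return len(reachable_from(adj, 0)) / n_devices

def exposure_by_density(width, height, radio_range, counts, trials=20):
    """Average exposure fraction per device count, so a defender can see where the floor
    crosses over from isolated pockets of devices to a single facility-wide mesh."""
    return {n: sum(exposure_fraction(n, width, height, radio_range, seed=t) for t in range(trials)) / trials
            for n in counts}

if __name__ == "__main__":
    # Assumed 100 m x 50 m open-plan floor and a 10 m Bluetooth-class range (assumptions, not measurements).
    for n, frac in exposure_by_density(100, 50, 10, [20, 50, 100, 200]).items():
        print(f"{n:4d} PSDs on the floor -> {frac:.0%} of them reachable by peer-to-peer spread")
```

The jump from a small reachable fraction to nearly 100% as the device count grows is the point: once PSDs are dense enough that most have a neighbour in range, a restriction that only thins them out in a few rooms does little to break the mesh.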

Based upon the above arguments, the BYOD threat is underestimated by most facility security managers, possibly because our addiction to our PSDs blinds us.  Has the current situation enabled the cyber-defender’s worst nightmare: an outside threat with better access, capabilities and stealth than the previous worst case, the insider threat?

Could be.

[1] For an excellent summary of embedded systems and their security, see: Grand, Joe and Grand Idea Studio. "Introduction to embedded security." Black Hat USA, Las Vegas, NV (July 2004).