For years there has been discussion of “hacking back”, using active measures to deal with attacks, including striking back at the systems used to launch attacks. Indeed, CrowdStrike raised eyebrows back in 2011 with statements that many read as being in favor of hacking back or retaliating against attackers.
More recently, Randall Fort, director of programs security at Raytheon, was quoted as saying “…why aren’t we enabling the people that are getting attacked and robbed to defend themselves actively, dynamically, and to go after the people that are stealing their information…. A commercial bank can shoot the robber that comes in to steal their money. Why can’t companies that are having their information stolen go out and do something dynamically to the very entities, the individuals, who are doing that?”
Tempting, but a lot of things are tempting. That doesn’t mean that they are the right way to go. At some point the righteous vigilante, repeated often enough, could turn the internet into a cyber Somalia. As we have seen with things like Universal Pictures and their recent DMCA takedown request for http://127.0.0.1:4001, companies are not always entirely clueful with regards to things cyber, and widespread hackback could result in a lot of collateral damage.
Yet something must be done, as it is becoming increasingly clear that traditional approaches aren’t working. Recently, at RSA 2015, Amit Yoran, president of RSA, said “we are losing this contest….what we’ve been doing for decades isn’t getting the job done.”
Looking at the evidence, it is hard to disagree. The Cupid Media hack exposed 42M passwords. iThemes, a company offering WordPress security plugins, had about 60,000 passwords compromised. 2.4 million customer account records, including bank account numbers, were exposed at Carphone Warehouse, and we are still trying to quantify the damage caused by the OPM breach.
What’s the common thread between all of these breaches? APTs using advanced zero-days and tricky spear phishing? Sure, there may be some APT mischief in there, but the single thing shared by all of those breaches is simple: a failure to comprehensively encrypt all valuable data. Yes, the bad guys got the data because the good guys left it in plaintext.
To be clear, there is a significant security fail here, but it is not that purely defensive tools like encryption don’t work: they do work, and they are highly effective in protecting data even when a host has been breached. Indeed, the US Department of Health and Human Services, the folks who brought you the HIPAA and HITECH rules, makes it clear that breach notification is not necessary for patient records (ePHI) that have been properly encrypted (NIST 800-111 for data at rest and NIST 800-52 and 800-77 for data in motion).
No, the problem is not that defense doesn’t work when it is used; the problem is that in far too many cases effective defense mechanisms like encryption exist but simply are not used. Obviously the deadbolt that is not locked is not going to be of much help.
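What “properly encrypted at rest” buys you in practice, as an added example that is not from this post or from the DataControl product: a Go sketch that seals a customer record with AES-256-GCM, so that an attacker who copies the data store gets an opaque blob rather than the account number, and any alteration of the stored blob is rejected rather than decrypted. The demo key, the sample record and the function names are assumptions; the key is generated inline only for illustration and would live in a KMS or HSM in a real deployment.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte key. The key belongs in a
// KMS/HSM, never in the same store as the records it protects.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one record; the random nonce is prepended to the
// ciphertext so the stored blob is self-describing.
func sealRecord(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord reverses sealRecord; any modification of the stored blob fails
// GCM authentication and no plaintext is returned.
func openRecord(gcm cipher.AEAD, blob []byte) ([]byte, error) {
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("stored blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	key := make([]byte, 32) // constructed demo key; use a KMS-managed key in practice
	rand.Read(key)
	gcm, _ := newGCM(key)
	blob, _ := sealRecord(gcm, []byte(`{"account":"12345678"}`)) // constructed sample record
	fmt.Println("account number visible in stored blob:", bytes.Contains(blob, []byte("12345678")))
	blob[len(blob)-1] ^= 1 // one byte of the stored blob altered after the fact
	_, err := openRecord(gcm, blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```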
Anyway, for those looking for help getting their shields up, our DataControl encryption product can help you ensure that your private, public or hybrid cloud remains securely encrypted. I invite you to learn more here on our website or check out the brief video on YouTube here.