shawnreilly | 11 years ago

While I believe that nothing is ever 100% secure, I do think it is possible to implement a large range of security layers that protect infrastructure from all but the most sophisticated attackers (aka state/country funded). The unfortunate truth is that different organizations put different priorities on securing their infrastructure; some might be great, some might be not so great. So in my opinion, it doesn't matter if they have 1000 engineers or 1 engineer. If someone puts security higher on the priority list, then things will likely become more secure. The industry as a whole has always seemed to put security on the back-burner. SSL is a good example: released in 1996 (TLS in 1999), but not implemented as an industry best practice (aka standard) until about a decade later. When I watch this video of the network engineers (not sysadmins) reacting to these slides, I get the feeling that security was not a priority. The huge red flag was the password (which was extremely weak, and obviously no two-factor authentication), in conjunction with a poor design that would allow a customer enclave to gain access to the provider's network (there should have been a DMZ and/or additional security controls). Another red flag: their reaction indicated that they would never have thought that someone would map out their infrastructure (first slide was their routing topology, second was the network topology). So I'm guessing they are not security minded, since someone into security would have taken this into account when designing their infrastructure (aka, what data am I letting out of my network?), and expected this to happen. My summary: I see a bunch of operations guys that got caught with their pants down (no offense intended, I've been there). There is a possibility that this could have been prevented with better policy, stricter policy enforcement, and better infrastructure design.
It's also possible there are 10 other poorly implemented aspects of their infrastructure, and if someone wanted to get in, they would. And I guess this is my point: unless you make it a priority to secure your infrastructure, it probably won't be secure.

meowface | 11 years ago

I fully agree with your assessment, however

>security layers that protect Infrastructure from all but the most sophisticated attackers (aka state/country funded).

I think the OP was specifically talking about defending against highly targeted government sponsored / APT attacks.

shawnreilly | 11 years ago

You're correct, but after watching the video and understanding how their network was attacked (all starting with the customer router), I've attributed this more towards poor policy/design (which can be exploited by a large range of attackers) vice special information and/or capabilities reserved for state/country funded attackers. But even with this said, I think I get your point (I'm going off on a tangent). My opinion on the matter: all bets are off when it comes to state/country funded attackers. These are the organizations that lead me to my "nothing is ever 100% secure" conclusion. What we've seen insinuates that this level of attacker has access to information and capabilities that your average attacker probably does not have (example: vendor back-doors, compromised certs/keys, black rooms, etc.). Unfortunately for us, these do a very good job subverting the current implementation of infrastructure security (which for the most part is/was designed based on certain levels of trust that may no longer exist). I'm sure the industry will adapt and evolve (as will the attackers).