In his new book Cyber Attacks: Protecting National Infrastructure, Amoroso takes a hard look at common information security practices that have failed to protect individuals, organizations, and ultimately US critical infrastructure.
Amoroso offers a new way of looking at information security and some “common sense” strategies to thwart cyberattackers, who are becoming more sophisticated, organized, and advanced.
In an interview with Infosecurity, Amoroso said that many of the suggestions in his book make information security professionals “uncomfortable.” He wants to “shake things up” to improve defenses against attackers.
Based on his experience at AT&T, Amoroso said that diversity of infrastructure provides a buffer from serious cyber attacks. Contrary to the trend in large organizations, governments, and the military, where common infrastructure and interoperability have become the watchwords, Amoroso said that infrastructure diversity helps to prevent attacks from spreading.
“Serious attacks are not stopped by running an anti-virus program, they are not stopped by having people change passwords, they are not stopped by firewalls, they are stopped by other means….The first and foremost thing is that diversity is good….From a network and systems perspective, I get a lot of sleep at night when there is an attack on an IP-based system knowing that it is not going anywhere near our TDM circuit-switched infrastructure; they are just separate. The technologies are different, the systems are different, and they are non-interoperable”, he said.
Amoroso commented wryly that he is not aware of any chief information officer (CIO) in business or government who is promoting non-interoperability of systems as a priority. While interoperability helps save money and improves ease of use, “it might need to be revisited” from a cybersecurity perspective, he said.
The AT&T chief security officer said that infrastructure diversity does not mean that systems cannot communicate with each other. “People should be able to talk to each other. But is there any reason the underlying control systems need to be same? The first responder needs to be able to pick up the phone and make a phone call”, he said.
But a CIO at a first responder agency, for example, would likely recommend using the same system throughout the agency because the costs are lower, the training requirement is less onerous, and implementation is simpler. “But you are then more vulnerable to attacks that propagate from one system to the next. The trick is to make sure that essential services are not affected [by infrastructure diversity]; that is the whole point.”
In addition, the traditional method of incident response is “wrong”, Amoroso opined. “The way incident response works is that you wait for problems to pop up….By the time the problem has exposed itself, you’ve waited too long. Something happens before that….There are always indicators that precede the user-visible element. The reason we don’t respond to those indicators is because we are too lazy. The feeling is it’s too much work.”
One problem that arises from looking for indicators is that there are a lot of “false positives.” Amoroso said that 99 times out of 100, the indicator is going to be benign. “In order to get the 1 out of 100, you have to check all 100. Most people would never make that investment….We need to completely rethink the way incident response in done.”
He added, “if you are going to run a network that touches critical infrastructure, then you have a responsibility to completely rethink the way incident response is done. The way it’s done now is wrong. You are not going to stop an attack by waiting until the attack occurs.”
Another strategy to thwart attackers is to use “honeypots” to track and trap attackers. A honeypot is fake infrastructure constructed to mimic real infrastructure, but with vulnerabilities to attract attackers. The honeypots need to appear exactly like the real infrastructure so that attackers are not sure whether the infrastructure is real or not. Once in, the attacker’s every move could be monitored and recorded, Amoroso explained.
“What security teams do this now? Practically none. But my argument is that critical infrastructure deserves it. And I don’t think it breaks the bank. We just need to start doing it”, Amoroso said.