My last post
was prompted by a Wall Street Journal
article on the Capital One breach that pointed out that Paige Thompson –
according to prosecutors – stole “multiple terabytes” of data from 30 companies.
It also pointed out that Ms. Thompson “displayed a high level of technical
knowledge of the inner workings of Amazon’s cloud”. And I had already pointed
out (based on the first WSJ
article on her, which was the main inspiration for this
previous post), that she stated in an online forum that lots of Amazon
customers make mistakes in configuring firewalls, and specifically pointed to
misunderstanding Amazon’s “metadata” service as a root cause of most of those
mistakes.
My last post
ended on a pretty pessimistic note, suggesting that probably the only way that
Amazon could completely prevent technical staff who leave on bad terms from
taking out their frustration on Amazon’s customers (and Capital One is now the poster
child for this) is to kill them all (i.e. “terminate with extreme prejudice”, as
the CIA agent told Martin Sheen at the beginning of Apocalypse Now). As we all know, this is frowned on as a poor practice
in most business schools, and also could land Amazon in some legal hot water -
so this really isn’t a good option. I came to the conclusion that there is no
other good option based on the following considerations:
- This isn’t an insider problem, of course. Ms. Thompson was
no longer an insider when she perpetrated her attacks, having been fired
by Amazon in 2016. I’m sure her credentials had been thoroughly revoked,
etc. It wasn’t for lack of following normal best practices that Amazon
allowed this to happen.
- In attacking these 30 Amazon customers (and I’ll admit
that the more recent WSJ article
didn’t say these were all AWS customers, probably because the prosecutors didn’t
say so, either), she exploited the inside knowledge she gained while working
at Amazon (that was definitely true for the Capital One breach, as well as
at least the two others mentioned in the first WSJ article).
- You might be tempted to say “Well, IT staff are fired from
companies all the time, and they often take with them insider knowledge of
those companies’ security controls or lack thereof. Some of them probably
do use that knowledge to hack into their former employers, but this
doesn’t seem to be an unmanageable problem. We’ve been living with it for
years.”
- That’s true, but what’s different when you’re talking
about someone who was fired from a cloud provider is that the knowledge
they have can be used to attack many customers of that provider, since
they all have to configure their defenses in the provider’s environment,
and they may not understand the environment well enough to do that safely.
If Paige Thompson had worked for Capital One and been fired, whatever
knowledge she had about C1’s defenses would be highly unlikely to be
useful in attacking any other reasonably well-defended company, let alone
30 of them. That’s what makes the fact that Amazon is a cloud provider so
significant.
- And even if Ms. Thompson gets thrown into the deepest
dungeon in Seattle for life plus 50 years as a deterrent to other cloud
ex-insiders who would like to follow in her footsteps, that doesn’t stop
those ex-insiders from monetizing their insider knowledge by selling it.
I’m sure the various hacking groups (some government-sponsored) in places
like Iran, North Korea, Russia and China would pay good money for that
knowledge (and the price they would pay has now gone way up, given that Ms.
Thompson has shown how it could be applied to reap big rewards – although she
didn’t choose to go that route).
In other
words, this is a potential problem on a scale not seen before in the cybersecurity
world. Compared to this, ransomware hackers who make maybe a few thousand (or a
few hundred thousand if they’re lucky) on each score are playing penny-ante poker.
Ms. Thompson seems to have been uninterested in monetizing the data she had
stolen, so it’s possible the impact of her exploits may be fairly limited.
However, others who come after her will be much more interested in the filthy
lucre side of things, and therefore much harder to detect (presumably they
won’t brag about what they’re doing on online forums) and stop. How can this
problem at least be controlled, if not solved?
The reason
there were at least 30 Amazon customers (and definitely many more who Paige
just never had the time to get around to hacking, there being only so many hours
in the day for a busy hacker) who were such easy prey for Ms. Thompson isn’t of
course that their security staff members were without exception complete
idiots, but that the Amazon network environment is clearly far less
understandable than it should be, for people with reasonably good security
chops who are assigned the task of configuring their organization’s firewalls
in the Amazon cloud. And as I pointed out in my last post, Amazon – after first
putting the entire blame for the Capital One breach on C1 – now seems to be
admitting that they have to educate their customers better, as well as make
changes to their “cloud subsystems” that will make these breaches less likely
to happen.
Which brings
me to Tylenol. I’ll forgive those of you who weren’t avidly reading the papers
(and especially in the Chicago area) in 1982 if you don’t know much about this crime, in
which someone spiked a number of bottles of Tylenol capsules in stores in the
Chicago area with cyanide, killing seven people, but I can assure you it was a
very big deal back then. Of course, the perpetrator of these murders was a
piker compared to present-day mass murderers, but hey – he just didn’t have the
tools that guys (and they’re all guys. I have yet to hear of a female mass
murderer in the US, although there have been a number of female suicide bombers
in other countries) have nowadays.
However, the
bigger story wasn’t the crime itself, but Johnson and Johnson’s reaction to it.
Even though it was clear that there was nothing they’d done wrong, other than
not anticipating that someone would do such a thing, J&J responded in a way
that has made it a textbook example of how to respond to a security threat that
could potentially send your whole business down the tubes. They halted all
production and advertising of Tylenol and recalled all 31 million bottles that
were in circulation. Then they advertised by media and loudspeakers (in
Chicago) that nobody should consume any Tylenol products they had in their
possession, and they would replace any capsules with solid Tylenol pills.
J&J didn’t start selling the product again until they had developed
tamper-resistant bottles like the ones we’re all familiar with today.
In other words,
J&J decided to treat this as the maximum problem that it could have been,
even though another manufacturer might have moved heaven and earth to show this
was just a local problem (only eight bottles were ever discovered that had been
tampered with, all in the Chicago area. Several other people were killed in
copycat attacks). Those manufacturers would probably have told people outside
of Chicago that the products they currently had were safe (as they indeed were,
with 99.9% certainty), and they would have probably moved with much less
alacrity to provide tamper-proof bottles.
J&J
realized that, while the alternative approach might have worked, and would
certainly have been far less costly, there would probably always have been a
cloud (no pun intended – OK, not intended until half a minute ago, anyway)
hanging over Tylenol. By taking this action, they ensured that Tylenol remained
the huge seller that it is today. In fact, they probably ultimately increased
their sales, because there was widespread public approval of J&J and
admiration for their actions.
OK, by now
you’re saying “Yeah, we get it. Amazon needs to act like J&J. But they can’t
put tamper-proof packaging on the cloud, so what can they do to emulate what
J&J did?”
Here’s what
I think Amazon should do. This is really far less radical than what J&J
did, but it might possibly be enough to decisively address this problem:
- Even though I’m sure they’ve always offered an option for
customers to pay them to handle security, they obviously didn’t warn them
sufficiently of the dangers they might face if they handled security for
themselves. They now need to come clean and admit that. What they did was
something like what Boeing did – although on a very different scale, of
course – when they assumed, in designing their MCAS system for the 737
MAX, that pilots would always know exactly what they had been trained to
do in every emergency, even when a bunch of different emergency lights and
sirens were going off at the same time. Amazon has the chance to keep this
problem contained to Capital One, and that should be their goal.
- They should offer free security consulting to every one of their customers –
going over the configuration of their firewalls and other security
measures, to make sure they are properly configured.
- They should provide training – for free, of course – to all
of their customers, covering the intricacies of their infrastructure (or “cloud
subsystems”) – and especially the metadata system – inasmuch as that can
have an effect on the customers’ security measures.
- Most importantly, they need to re-engineer those
infrastructure systems with the objective that, as much as possible,
securing customer cloud networks won’t be very much different from
securing networks installed at their customers’ own data centers. And any
differences should be thoroughly documented, rather than being left to the
Paige Thompsons of the world to smirk about online, then use to exploit
the very customers they once were charged with protecting.
Of course, this
isn’t a prescription for Boeing. A course of action something like this won’t
fix Boeing’s problems. I can’t begin to prescribe what they should do, although
I know that what they’re doing now won’t be enough. Their problems are just
beginning, because they continue to follow the “too little, too late” playbook
(for example, where’s the chairman’s resignation? How could somebody possibly
have presided over such a debacle and remain at the helm?). Amazon could
possibly end their problems in the near future, or at least get them to the
point where they’re manageable, as J&J’s problems ultimately were. But they
need to do a lot more than they’ve done so far.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post – especially on compliance with
CIP-013. To discuss this, you can email me at the same address.
Kevin Perry, retired former Chief CIP Auditor for SPP Regional Entity, wrote in to me a couple of days ago to point out that there have been at least a few female mass murderers in the US (he originally started out with female serial killers, but I pointed out that's really different. Of course, serial killers have been around for centuries).
Three he pointed out are:
In 2018, 26-year-old Snochia Moseley shot three people and wounded three more before fatally shooting herself at an Aberdeen, Maryland, Rite Aid support facility. She was a temporary employee at the facility.
The same year, Nasim Najafi Aghdam shot and wounded three people and took her own life at YouTube's Northern California headquarters. Police said she was upset with YouTube's practices and policies, but she had no connection to the three victims.
On January 30, 2006, Jennifer San Marco visited her former place of employment, a postal distribution center in Goleta, California, and fatally shot six employees after killing a one-time neighbor. She then killed herself.
Kevin also pointed out this case:
A married couple, Syed Rizwan Farook, and his wife, Tashfeen Malik, massacred 14 people at a holiday party in 2015 in San Bernardino, California. Farook had worked with the San Bernardino County health department, which was hosting the party when the attack took place. They were both killed in a shootout with police.
However, I had to draw the line there. From the descriptions of the event at the time, it really seemed to me that the husband was the perpetrator in this case - after all, it was his former workplace. So I don't count this one. In any case, this is 3 more female American mass murderesses than I thought existed, so I stand corrected.