Make no mistake, everyday people are all at war. Not with guns or bombs, but with keyboards and mice. Servers and personal computers. Smartphones and iDevices. And when it’s practically impossible to go 24 hours without hearing about another major data breach or virus running rampant, one has to wonder – can the good guys win?
Coincidentally, that was the title of a talk Joanna Rutkowska gave at the Chaos Communication Congress in 2006.
We’re still breaking things faster than we can fix them.
So why, then, do we continue to arm students like the ones in this Washington Post article with an expert level of offensive hacking tactics? And if we’ve already lost the war, why do we bother continuing to fight?
Here’s why. Because the best way to determine an effective defense is by gauging the offense’s capabilities. Because the only way to escape the fight is to renounce civilization and disappear into the woods. And because our finances, our businesses, our identity are all on the line if we allow complacency to get the better of us. In the words of Lao Tzu: “there is no greater danger than underestimating your opponent.”
So let’s revisit this concept that Joanna introduced in 2006 of the verifiably secure system. Even 8 years after her presentation, it’s still a myth. You cannot practically verify that your system is not compromised. You just can’t. End of discussion. In a lab under highly controlled circumstances, maybe. But in the real world, no way. If you’ve been hacked by an expert, chances are you’ll be clueless.
Your consolation is that, in the event of a compromise, you can at least demonstrate that you were not negligent in managing your computing environment. You’ve ticked all the boxes, you put your name on a document saying you’d notify your patients and that you had put up reasonable defenses to prevent data leaks, and someone still got in. Now you need to prove that you did the best you could, or else you risk a per-record fine of $240, not including regulatory fines, which can go as high as $1.5 million annually. Ouch.
But how do you figure what a “reasonable defense” is if you have never looked at it from the perspective of a motivated attacker? What tools does s/he have that you can’t defend against? How valuable is the information you have to warrant her/his time? This is where penetration testers come in – offensive hackers whom you give permission to be the bad guy and to try their damnedest to break into your systems, lock picks, social engineering, exploitation modules and all. If a kitchen sink would help them break into your system, I’m sure they’d employ it.
The point of this often costly exercise is to get a little closer to a verifiably secure system. You can tick a box that few do – you’ve proactively tested your system from the viewpoint of a motivated attacker, and it failed. But you fixed all of the issues you discovered that you could afford.
So when the Department of Health and Human Services comes knocking, what would you prefer to say?
“We had no idea this was possible!”
“We identified this as a potential threat, and we took the best measures we could, but they still managed to get in.”
Six months ago, on April 8th, Windows XP lost official support from Microsoft. Microsoft has not shipped a security fix for XP since then (save for one critical Internet Explorer vulnerability it patched out of “goodwill”). Yet there have been no fewer than a dozen documented security advisories for supported Windows platforms in that time, plus an unknown number of undocumented fixes kept out of public view.
How many of you are still using a known-vulnerable operating system? I can tell you from our analytics data – at least 2163 sessions on our sites have come from Windows XP since Microsoft dropped support for it. I sincerely hope that you are not one of them.
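One way to get a number like that from your own access logs, as an added example that is not part of the original post and not eMerit’s code: parse Apache/nginx “combined” log lines, pull the `Windows NT x.y` token out of each User-Agent, and count the requests and distinct client addresses coming from versions whose support had ended by October 2014 (Windows 2000 and XP; the `5.2` token is left out because the same string also covers Server 2003, still supported at the time). The log lines below are constructed sample data using documentation IP ranges.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format (documentation
# IP ranges, invented sessions); not eMerit's analytics data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2014:08:01:02 -0700] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0"
203.0.113.7 - - [10/Oct/2014:08:01:09 -0700] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0"
198.51.100.23 - - [10/Oct/2014:08:02:11 -0700] "GET / HTTP/1.1" 200 4021 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36"
198.51.100.44 - - [10/Oct/2014:08:03:45 -0700] "GET /portal HTTP/1.1" 200 2210 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
192.0.2.9 - - [10/Oct/2014:08:04:00 -0700] "GET / HTTP/1.1" 200 4021 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36"
192.0.2.10 - - [10/Oct/2014:08:05:30 -0700] "GET / HTTP/1.1" 200 4021 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
"""

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")

# Marketing names for the NT kernel versions that browsers put in the User-Agent.
WINDOWS_NT_NAMES = {
    "5.0": "Windows 2000",
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
    "6.2": "Windows 8",
    "6.3": "Windows 8.1",
}

# NT versions whose extended support had ended by October 2014. "5.2" is not
# flagged because the same token also identifies Server 2003, supported until 2015.
UNSUPPORTED_NT = {"5.0", "5.1"}


def parse_log_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def windows_nt_version(user_agent):
    """Return the 'x.y' from a 'Windows NT x.y' token, or None for non-Windows clients."""
    m = NT_RE.search(user_agent)
    return m.group(1) if m else None


def classify_os(user_agent):
    """Map a User-Agent to a readable OS label."""
    nt = windows_nt_version(user_agent)
    if nt is None:
        return "non-Windows"
    return WINDOWS_NT_NAMES.get(nt, "Windows NT %s (unknown)" % nt)


def audit(log_text):
    """Count requests per client OS and flag those from unsupported Windows versions.

    Returns a dict with a Counter of OS labels, the number of requests from
    unsupported Windows versions, and the set of client IPs that sent them.
    """
    os_counts = Counter()
    unsupported_requests = 0
    unsupported_clients = set()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue  # skip malformed lines rather than guess at them
        os_counts[classify_os(rec["ua"])] += 1
        if windows_nt_version(rec["ua"]) in UNSUPPORTED_NT:
            unsupported_requests += 1
            unsupported_clients.add(rec["ip"])
    return {
        "os_counts": os_counts,
        "unsupported_requests": unsupported_requests,
        "unsupported_clients": unsupported_clients,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for name, n in sorted(result["os_counts"].items()):
        print("%-32s %d" % (name, n))
    print("requests from unsupported Windows:", result["unsupported_requests"])
    print("distinct client IPs on unsupported Windows:", sorted(result["unsupported_clients"]))
```

Two caveats a practitioner should keep in mind: the User-Agent is entirely client-controlled, so this is a lower bound on what is really out there (and bots routinely lie), and it counts requests and addresses rather than the analytics “sessions” the post cites, so the numbers are not directly comparable. Run it against a day of real logs with `audit(open("access.log").read())` and the `unsupported_clients` set is the list of visitors you should worry about.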
The threat is real. The risks are real. The fines are real. eMerit engineered our systems from the ground up with security and compliance as a top priority, and we can now execute Business Associate Agreements with confidence. If we can’t do it securely, we don’t do it. And we constantly re-engineer our systems to fight back against attackers and keep your data and ours safe. We’re not perfect or immune, but it helps us sleep better at night knowing that we took reasonable precautions.
If it helped you sleep better at night, would you hire a hacker?
23C3: Stealth malware – can good guys win?
The Washington Post: The ethics of Hacking 101