Aviation Security is No Joke: but is the industry’s IT security being taken seriously enough?
It’s 4 a.m. on a Sunday morning and the telephone rings. My wife answers and duly informs me that she has a drunk on the line. Three similar calls are received within the space of ten minutes. Eventually we establish that the mysterious caller is the Alarm Centre! Apparently they’ve just received a message from our security system telling them that someone is trying to sabotage our front door. It turned out to be a fault in the system, but who knows what my wife might have found when I sent her downstairs to check it out! And if that’s not enough, airliners are reporting cracks in the wings, batteries exploding, leaking fuel and engines blowing up. In fact not a day goes by without us receiving security warnings, and we respond appropriately. Of course not all of them make sense: a nasal spray at airport security is a WMD if it’s not in a plastic bag – place it in the bag and it’s instantly neutralised! But in general we tend to adopt a common sense approach, with one glaring omission.
SEEMS LIKE IT SECURITY IS A JOKE
According to reports in the press, less than 50% of enterprises are taking seriously the warnings from organisations such as the UK’s Government Communications Headquarters (GCHQ) that “real and credible threats to cyber security of an unprecedented scale, diversity and complexity” exist. Add to this the warning in the World Economic Forum’s Global Risks Report 2013 that technological risks are one of the five major risk categories, along with economic, environmental, geopolitical, and societal. So it would be safe to assume that every large airline is ensuring that it is taking appropriate steps to ensure that technology will not be its downfall. Wrong: after all, only 35% of enterprises plan to address key and certificate management in 2013. And this in spite of the fact that digitally signed malware presents probably the biggest single attack vector today. Over a year ago, McAfee reported that they had detected over 350,000 unique pieces of malware that incorporated digital certificates – in one month! Add to this the admission by the antivirus industry that it is no longer able to provide the protection that is needed. Leading antivirus experts such as Mikko Hypponen and Roel Schouwenberg have publicly stated that the failure to detect malware is “a spectacular failure for the antivirus industry in general”, and that “if Flame [espionage malware] went on undiscovered for five years, the only logical conclusion is that there are other operations ongoing that we don’t know about.”
“…the way to a man’s heart is through his stomach, diamonds are a girl’s best friend; and, those targeting you with malware know that if there is a soft underbelly in any organisation, it’s their keys and certificates…”
WHY IS TRADITIONAL SECURITY TECHNOLOGY PROVING SO INEFFECTIVE IN SLOWING THE AVALANCHE OF BREACHES?
The Stuxnet worm not only opened the floodgates when it came to recognising the power of malware, but it also brought the use of stolen digital certificates into the spotlight. The digital signing of malware had been a common practice, but this had generally been perceived to use invalid certificates, relying on the carelessness of users and administrators to simply trust “untrusted” sources. Increasingly, though, the key objective was to avoid detection, and with Stuxnet, Duqu, Flame, probably Red October, and hundreds of thousands of other pieces of malware, it has become clear that valid certificates, either stolen or maliciously issued, are needed to get under the radar. The result is that there is no technology today that can distinguish between a valid certificate residing in malware and the same valid certificate residing in legitimate code. How many enterprises have for months been happily allowing malware, masquerading as Windows Updates, to have access to their systems? How many are still allowing it? How can a few security staff protect your organisation against this malware army consisting of millions of soldiers, most of whom cannot even be identified? The answer: by limiting the points where they can attack you. Each and every system in your infrastructure trusts hundreds and most likely thousands of Certificate Authorities (CAs). And most, if not all, of these CAs are unregulated. And today you simply allow any code signed by any of these CAs to enter your infrastructure unchallenged. Imagine boarding an aircraft with absolutely no security scanning, or having no border control in your country! For example, my browser trusts some Certificate Authority called ‘POSTArCA’ from a country known as SI, and also trusts ‘China Internet Network Information Center EV Certificates Root’. It also trusts something with the ‘friendly name’ of ‘AC Raíz Certicámara S.A.’ It’s not that I’m casting aspersions on these organisations or countries, but should malware arrive in my system using a certificate issued by any of these, or thousands of others that I never work with, my system will simply trust it! At this point, we should all be experiencing chest pains, the telltale signs of a heart attack. So if you want to take effective action to reduce the risk of attack, then manage your trust authorities across your entire infrastructure. For example, internal systems in 99% of organisations only need to trust internal CAs, and possibly a handful of external trusted parties. If you don’t need it, it shouldn’t be there.
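The recommendation above, trusting only the roots you actually need, can be made concrete in code. The following Go program is an added example written for this article, not code from the author or from Venafi. It constructs two throwaway root CAs (labelled "constructed" in their names; they are not real CAs and have nothing to do with the ones named above), issues a code-signing certificate under each, and then verifies both leaves against a trust pool that contains only the internal root. It also runs a simple allowlist audit over the roots that are "installed", mirroring the "if you don't need it, it shouldn't be there" rule. All names, the allowlist and the `RunPolicyDemo` helper are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// nextSerial hands out distinct positive serial numbers for the constructed certificates.
var nextSerial int64 = 1

// newCert builds and signs a certificate. With parent == nil it is a self-signed root CA;
// otherwise it is issued by parent and signed with parentKey.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Leaves are restricted to code signing, the use case discussed in the article.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// CodeSigningTrusted reports whether leaf chains to one of the roots the organisation
// has chosen to trust, and is valid for code signing specifically.
func CodeSigningTrusted(leaf *x509.Certificate, trusted *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err == nil
}

// UnexpectedRoots returns the common names of installed roots that are not on the
// allowlist: the roots that should be removed because nothing needs them.
func UnexpectedRoots(installed []*x509.Certificate, allow map[string]bool) []string {
	var out []string
	for _, c := range installed {
		if !allow[c.Subject.CommonName] {
			out = append(out, c.Subject.CommonName)
		}
	}
	return out
}

// PolicyResult summarises what the trust policy accepted, rejected and flagged.
type PolicyResult struct {
	InternalTrusted bool
	ExternalTrusted bool
	Unexpected      []string
}

// RunPolicyDemo builds the constructed CAs and leaves and applies the "internal root only" policy.
func RunPolicyDemo() (PolicyResult, error) {
	var r PolicyResult
	internalCA, internalKey, err := newCert("Example Internal Root CA (constructed)", true, nil, nil)
	if err != nil {
		return r, err
	}
	externalCA, externalKey, err := newCert("Example External Root CA (constructed)", true, nil, nil)
	if err != nil {
		return r, err
	}
	internalLeaf, _, err := newCert("build-signer.internal.example (constructed)", false, internalCA, internalKey)
	if err != nil {
		return r, err
	}
	externalLeaf, _, err := newCert("updater.example.net (constructed)", false, externalCA, externalKey)
	if err != nil {
		return r, err
	}
	// Policy: the trust pool holds the internal root and nothing else.
	pool := x509.NewCertPool()
	pool.AddCert(internalCA)
	r.InternalTrusted = CodeSigningTrusted(internalLeaf, pool)
	r.ExternalTrusted = CodeSigningTrusted(externalLeaf, pool)
	// Audit: both roots are "installed" on the host, but only the internal one is allowlisted.
	installed := []*x509.Certificate{internalCA, externalCA}
	r.Unexpected = UnexpectedRoots(installed, map[string]bool{internalCA.Subject.CommonName: true})
	return r, nil
}

func main() {
	r, err := RunPolicyDemo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("internal leaf trusted: %v\nexternal leaf trusted: %v\nroots not on allowlist: %v\n",
		r.InternalTrusted, r.ExternalTrusted, r.Unexpected)
}
```

The same signature-validity check that a verifier performs on both leaves succeeds cryptographically for each; what differs is only which root the host has chosen to trust. That is the point of the passage: validity of a certificate says nothing about whether the signer should be trusted, so the trust store is where the policy has to be enforced.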
ARE HACKERS SIMPLY SMARTER THAN IT SECURITY STAFF?
Common sense demands that if I’m going to attack you, then I target the weakest point. Whether in the field of sports, love, or whatever, we naturally choose the path of least resistance. We all know “the way to a man’s heart is through his stomach” and “diamonds are a girl’s best friend”; and those targeting you with malware know that if there is a soft underbelly in any organisation, it’s their keys and certificates. IT staff generally don’t understand them and nobody knows where they are; in fact, with virtually every organisation we deal with, we discover that 60% of all keys and certificates are unknown, what we refer to as “unmanaged and unquantified risk”. It is believed the market for stolen SSL certificates is worth billions annually. How much would your competitor pay to have one of your certificates in order to infiltrate your organisation?
CAN WE STILL PROTECT CRITICAL AVIATION INFRASTRUCTURE FROM ATTACK IN THE DIGITAL AGE?
I believe so, if you take the necessary precautions to manage your keys and certificates. It’s time to starve malware of its essential ingredient. In fact enterprise wide key and certificate management may just be the ‘kryptonite’ you need to stop malware in its tracks! And as for my alarm system, I think my wife should sleep downstairs. There’s no need for me to get woken up if the front door is sabotaged!
Calum MacLeod is EMEA Director, Venafi.
www.venafi.com
Aviation Security International, April 2013