2

The Perimeter Is Dead

For the past 30-plus years, the overarching plan to secure networks and digital infrastructure was one that was predicated on the concept of perimeter-based security. Most organizations across the globe subscribed to the concept and plan that if the walls were high enough and the outward boundaries of the network were hard enough, then the enemy would not be able to "get in." Entire global architectures have been built and deployed to leverage that concept and billions of dollars have been spent to engage in "defense in depth" and the "castle and moat" methodology of security. It has all been for naught.

The perimeter-based model of security has categorically failed to keep pace with the evolution of the internet, the proliferation of devices and accesses, and the explosion of cloud computing and an increasingly mobile and Bring Your Own Device (BYOD) workforce. There is no perimeter anymore. The moment a user can take home a laptop, log in from a home PC, or use a mobile device or app to access a component of the network, that defensible perimeter is essentially cut to pieces.

In this chapter, we will delve into the details that show how systems have been built to enable failure and data breaches:

  • We will detail how the perimeter-based model of security is fundamentally flawed.
  • We will discuss the limitations that the current technology places on infrastructure.
  • We will analyze the proliferation of breaches and failure thanks to the interconnected nature of networks.
  • We will provide insight into how enemy nations and adversaries exploit these failed architectures.

First, we'll consider a scenario that aptly demonstrates the death of the perimeter.

A scenario detailing holes in the model

Consider the following scenario. A user who works from home and has administrative rights on their machine (as most do, especially when it is their own personal device) allows their child to use that device because they need it for homework. The little tyke jumps on their parent's overly powerful, overly app-heavy, non-managed device and, instead of going to a safe homework site, they maneuver to what they thought was a seemingly innocuous site that they heard about at school.

This young user wants to see whatever this site has to offer, but in order to do that they must download a plugin on their parent's browser and an app that the site says they need to use the content on the site (remember the child can execute this operation because they have administrative privileges on this machine) – so they do.

Everything on the site works fine, no malware alerts are noted (because the malware they downloaded is new and has no known signature to trigger, and it is operating in non-specific memory space on the target machine), and the young user sees whatever they were interested in and jumps off their parent's machine and all is well. Or so they thought.

The now installed and fully operational malicious piece of software waits for the machine to go online again and with clandestine operations in the background, it downloads a keystroke logger and a follow-on malicious application that looks for VPN logins and credentials as well as administrative passwords and hashes.

The next workday, the actual business user fires up their work machine solely for the purposes of their work, and as they connect to the corporate network they introduce a direct pipeline, with full administrative privilege and control, for the now-installed malware to tunnel into their business infrastructure. Once the connection is made, the malware works to establish a beachhead into the network, and it can do this because the user is authenticated and carries excessive privileges. The program that is now maliciously moving within the network shares those same privileges.

The cross-connection between virtual LANs and network subnets and the usually weak authentications that are present on internal systems for users help to facilitate the now proliferating malware. Simply because they are inside the trusted perimeter zone, the network and its control apparatuses allow the malicious software to maneuver almost unimpeded.

This malicious software continues its tunneling into the network with the aim of finding the most valuable connected application, data resource, or critical asset it can locate. Then, with a low-and-slow data exfiltration protocol, it will extract information of value from the network towards the command and control for the malware operation. This extraction will be used for the purposes of extortion or sale, or to simply cause the system to lock up and become a victim of a ransomware exploitation that may follow.

If nothing of real value is found on the machine, its connections, or the network itself, the accesses and connections within that now compromised network will be resold on the underground or dark web to enable follow-on malicious actors to leverage that control point to enable their clandestine operations in the future. That network will at least become a jump host for criminal actions because of this compromise. No matter what, this is a failure that was not only helped but enabled by trusted zones within networks and a reliance on an outdated strategic implementation of perimeter-based security.

This scenario demonstrates that the security perimeter established by organizations or governments can be blown wide open simply because a user happened to take their device home with them. In the real world, organizations and governments have witnessed the consequences of this firsthand. In the next section, we'll look at a real example in which a company fell victim to what should have been a relatively contained ransomware infection.

A global perimeter falls

Another example of how the technical alignment of the perimeter-based model helps proliferate exploitation and is woefully ineffective at combatting current threat actions comes from an analysis of what happened to the shipping giant Maersk.

In 2017, a Ukrainian company with software used for accounting – the Linkos group – was operating as normal. Unbeknownst to the IT leaders and users at this company, the servers that were connected to hundreds of clients and responsible for updating their accounting software were the launching point for the initial proliferation of the NotPetya ransomware attack.

The Linkos group, which did nothing "wrong" other than be located in a country that was actively being targeted by the military wing of the cyber operations branch of the Russian government, had been the victim of months of covert exploitation conducted to gain a military advantage in the region.

The Russian cyber warfare group had cobbled together a first-of-its-kind piece of ransomware that was an amalgamation of the NSA tool EternalBlue, leaked in 2017, and the widely used administrative password auditing tool Mimikatz, which has been in use since 2011.

The Russian cyber operations group combined these tools into a rapidly propagating tool solely for the purposes of locking down victim machines while spreading like wildfire throughout the network of the target. Excessive user privileges, combined with password reuse, simple passwords, and shared network resources, were the perfect breeding ground for this cyber weapon.

When directed, the malware (or in this case ransomware) launched. Within hours, the connections from the Linkos group servers to each and every connection that they supported for business operations would be afflicted, and thanks to the interconnected nature of those follow-on entities and networks, the attack would continue to propagate.

Microsoft had released a patch for the EternalBlue exploit earlier that year, but yet again the interconnected nature of the networks across the globally-connected internet, combined with failed business processes for managing updates and a lack of mandated patching protocols, helped to enable the flight path of NotPetya as it maneuvered towards Maersk. In other words, the very interconnected nature of those networks and the combination of shared technical aspects within the network, human, and business failures all combined to make a perfect breeding ground for this infection.

The proof of the use of NotPetya as a weapon, not an extortion tool, came as the victims realized that the ransom notice was a lie. The malicious software exploited the deepest part of the infected machine, its master boot record: the area every machine depends on to load its core operating system. All ransom payments were useless and did not resolve the issue; the machine was essentially now an overpriced paperweight.

The exploit did not even contain an actual decryption key that could be used; it was a weapon built solely for the purposes of degrading system usability by those that became infected, and Maersk was about to become part of that global group of victims.

The initial infection for Maersk came via common business practices, not especially technical ones. In a remote office for Maersk located in Odessa, Ukraine, an IT administrator had been tasked with installing business software M.E.Doc on one computer so that the accounting user could do their job. That software was sold and managed by the Linkos group, and the infection had all the ground it needed to activate.

Once the NotPetya worm entered the Maersk network, the ease with which the infection spread was shocking in its speed. In hours, the entirety of a billion-dollar network, with millions spent on security tooling and technology, fell like a house of cards in a stiff breeze to the power and focus of the malicious tools used by NotPetya.

Coupled with the misery of the infection was the realization by the Maersk IT staff that their practices for the command and control of that vast infrastructure had left them unable to respond to the loss of their Domain Controllers. Following common industry best practices, the IT staff at Maersk had configured their worldwide Domain Controllers to operate with a shared configuration model, as they are the brain for all authentication across segments of the Windows enterprise. This, however, meant that the infection spread almost simultaneously to each interconnected Domain Controller, which widened the blast radius of the attack and systematically "bricked" each of these critical pieces of Maersk's own internal command and control infrastructure.

It would only be because of a power outage prior to the attack in a remote Maersk office in Ghana that any of that infrastructure would survive. Were it not for that twist of fate, the likelihood that the company could have recovered from this attack would have been almost zero.

Almost every port terminal for the shipping giant would become infected and rendered useless, affecting logistics and shipping across the planet. Operators were forced to rely on paper spreadsheets, Gmail accounts, and personal mobile phones to keep the company above water. Thousands of machines and endpoints on the corporate network would become nothing more than bricks, and the worldwide network of Maersk's logistics providers, suppliers, truckers, and users would be hindered for weeks to come.

The total cost for Maersk alone was estimated to be roughly a quarter of a billion dollars or more, and that was before the costs of remediation and resolution were ultimately realized. In totality, the costs for Maersk are estimated to be close to a billion dollars (Greenberg, 2018). All because of one piece of accounting software that needed to be installed on a system that was connected to external customers and clients.

Across the planet, the costs were in the billions. Thousands of businesses, hospitals, and civilian organizations were affected. Patients and ambulances were turned away for treatment as hospitals succumbed to the infection. Even the US DoD networks were afflicted. If ever there was an indication that the globally adopted practices of the past have failed us, guaranteeing collective future failures and exponentially increasing the power of cyber weaponry, NotPetya is the perfect case study.

We've seen how a global giant, and other organizations across the world, suffered severe losses due to the failures of old practices. In the next section, we'll see how even the seemingly air-tight perimeter of a security-compliant organization failed due to the inadequacy of old practices.

Even compliant organizations' perimeters fail

The Equifax breach offers yet another case study in the dissolution and ineffective nature of the current state of security practices for enterprises. Even those that have spent millions on security and are fully aware of both the location of and the implications of their data security plans will fail epically when any instance of weakness is found in their perimeter-based security model.

Consider the technical and managerial aspects of the Equifax breach. The company had a large budget for its security team, all required and compliance-mandated solutions were in place, and broad-scope security monitoring and analytics were in place. And yet the entirety of the company's data repositories, covering more than 140 million Americans and over 800,000 UK citizens, was exploited over the course of a near year-long incursion.

The initial impetus for the infection occurred thanks to a vulnerability in the public-facing web server that was responsible for handling disputes in credit cases. This server was running a slightly outdated version of the Apache Struts framework, but a patch had been released for this item by the US CERT team within the same week that the initial exploitation occurred.

The attackers in this instance simply leveraged the exploit, which was publicly available, gained access, escalated their privileges, and then moved deeper into the network. This is an extremely common and well-known practice within exploitation operations, and one that was well-known to the security leaders and team at Equifax, yet it was successful, nonetheless.

Attackers then leveraged the credentials they had gained and escalated administrative control capabilities to establish accesses that would remain in the system for months. Equifax had firewalls and an intrusion monitoring and network analytics capability; however, thanks to an expired certificate, the system was not functioning optimally and the indicators that should have prompted remediation actions were never seen.

The certificate for this critical piece of monitoring had been expired for over 10 months and would not be fixed until long after the breach had been detected via manual means. What had initially begun with relatively localized access to a few limited servers had spread to more than 50 databases containing valuable personally identifiable information for hundreds of millions of people (Ng, 2018).

Added to the failure of monitoring and segmentation was the failure of basic data governance practices. There was no multi-factor authentication configured for the administrators of the systems, and records indicated that a database containing unencrypted usernames and passwords was in use by administrators (Schwartz, 2018). Once discovered, this mismanaged and ill-advised administration tool rapidly empowered and expedited the attack on the company data stores.

Finally, the attackers were able to query the databases and data stores over 9,000 times during their exploitation operation (Government Accountability Office (GAO), 2018). This over-allowance on queries alone should have been more than enough to trigger an analysis of the activity, but thanks again to the certificate issue and the overly connected data infrastructure within the network, the activity was missed.

On the managerial side of this epic failure of security practices, it was noted that the leadership within the company tried to blame a single employee for the failures related to this breach (Brandom, 2017). While surely someone was responsible for the management of the devices used for patching and updates to software, the reality is that the breach was caused by systemic technical failures, combined with a lack of realization that the system was literally built to allow exactly this type of malevolent action to occur.

Again, excessive privileges, bad segmentation, overly permissive accesses, and failed data security governance, combined in a model that allowed free movement within the perimeter, were what ultimately doomed Equifax.

While the monetary and personal impacts of this massive failure are still to be seen, to date nearly every person in the US has had their credit information compromised and their ability to apply for credit has been impacted. Estimates are that 15 million UK citizens and tens of thousands of Canadian citizens were affected as well. The company, which is responsible for the credit rating information for almost half of the American population, now estimates its losses at $1.3 billion, and that does not include total costs for upgrades and changes to the corporate network.

As has been noted in the previous section, corporate organizations have been built to fail. Even with supposedly secure government organizations, this same paradigm exists. In the next section, we will detail how prevalent this approach of a failed model of security is in giant government organizations and discuss the impacts that have been seen thanks to the resulting breaches of those networks.

Governments' perimeters fail

Even governments can fall victim to the scourge of this failed approach to security. The US Office of Personnel Management, or OPM, is one of the most critical agencies within the US Federal system. This entity is basically responsible for housing the total collection of all human resource records for every person that is employed by the US Federal Government. This includes millions of current and past Federal employees' and military members' personal information, as well as the results and data for every security clearance investigation that is used by the DoD to validate access for its most secretive agencies and programs. One would think that with this type of data, and knowing the extreme value of this data, the agency would be one of the most secure within the DoD. Not so.

As with Equifax and Maersk, OPM's network was architected from the start, decades ago in OPM's case, to be unprepared, and built to fail should an intrusion past the "high fences" of its perimeter ever occur. For OPM, this pinhole came in the form of a phishing email that contained a malicious PlugX remote access trojan that had been unknowingly introduced into the network.

Once the malicious attachment in the email was opened, the user had no knowledge of the nefarious activity that was occurring because the malware, which had been slightly modified in order to avoid anti-virus systems, bifurcated itself and began dropping malicious DLL files. Additionally, tooling was deployed, which included a follow-on binary file filled with explicit commands for the trojan to use.

As with every other exploitation scenario in the past, the malware did what any typical malware does and leveraged the users' accesses and the weak internal segmentation to tunnel further into the network until a more valuable target was found. In OPM's case, this was a "jumpbox" (Koerner, 2016), also known as a PAM tool or privileged access management tool for administrators. In lay terms, this is a machine that contains the administrative credentials for every user who can manage or control assets within the infrastructure.

A follow-on analysis traced the likely original activator of that first malicious email attachment to a third-party contractor that had been working as a system administrator on OPM's network. That provider's network had been targeted and breached at least a year before the follow-on incursion into OPM's network took place.

The threat actors had worked silently and diligently to cover their tracks, and had deleted log files and even worked to parse useful data files into small chunks that would evade detection by OPM's data exfiltration tooling. The patience and cunning that were used in the OPM breach allowed the attackers to make off with copies of some of the most critical and most focused data that is used by the federal government across the entirety of its many agencies.

In none of the cases we've discussed was there any use of a marvelous super tool or technology that had massively innovative technology powering it. In every instance of exploitation and hacking that has occurred over the last four decades, the reason that the systems failed was that they were entirely reliant on perimeter-based security tooling, technology, and planning, combined with failed or at best ineffective managerial practices.

It was due to lateral movement within the network, excessive user privileges, and a failure to be able to "see" what was taking place in those dark corners of the infrastructure that what should have been a nuisance became a failure of epic proportions. The perimeter-based model of cyber security has categorically failed in its most basic premise: to defend the borders of the infrastructure.

But there is a larger and even more confounding issue that will plague enterprises, small businesses, and even nations in the future. BYOD raises new challenges that open the doors wide for exploitation. In the next section, we'll discuss the implications of this.

Users, BYOD, and the obliteration of the perimeter

The power that is afforded to users, devices, and applications has exponentially increased over the last half-decade and with the proliferation of that power comes an ever-increasing multi-faceted patchwork of potential future failures for all infrastructures. Add the increasing complexity and reliance that the cloud offers and the problem of maintaining control and management of all those moving parts, which all exist by default outside of the boundaries of any perimeter, and things go from bad to worse at light speed.

In the past, it was a necessity for users to physically be present at their place of employment for them to have any connectivity or access to network systems, and in many cases, even computer technology. Over the last two decades, the reduction in cost of personal computing devices, and the power that those devices wield, has benefited the user population but has confounded infrastructure security. The need for enterprises and governments to embrace a culture that essentially lives in an increasingly mobile, geographically diverse, and transitory stream offers additional problems for those that are tasked with deciphering how to control those disparate work streams.

In most circles the VPN, or virtual private network, is the preferred technical method of securing remote access for those users that are on BYOD devices, in remote locations, or do not physically work in a corporate-controlled office or on a corporate machine. This solution has been available since the early 1990s, and while it can be beneficial in minimizing overt security misconfigurations, it is also known to facilitate attacks.

VPNs used by enterprises and commercial users are not much more than simple applications that leverage tunneling protocols to establish connectivity. This happens via a variety of methods. Most VPNs, corporate or commercial, use a specific protocol to transmit and encrypt data. Each protocol exchanged for VPN connections is the result of an agreed-upon set of rules for data transmission and encryption between the two endpoints. Many commercial VPN providers provide users with the option to choose from several different VPN protocols based on the users' security needs, while most assigned corporate or government-mandated solutions do not. The most common protocols for VPN are typically:

  • Point-to-Point Tunneling Protocol (PPTP)
  • Layer Two Tunneling Protocol (L2TP)
  • Internet Protocol Security (IPSec)
  • OpenVPN (SSL/TLS)

A VPN's primary function is to leverage encryption tooling and connection protocols to render data unreadable. This happens as plaintext data streams are encrypted and turned into unreadable ciphertext. Each VPN solution uses a specifically chosen algorithm combined with a cipher to encrypt and decrypt those data streams. Individual VPN protocols have their own strengths and weaknesses. The power of the protocol is based on the cryptography that is enabled via the algorithm.

Hacking into a VPN connection involves one of two tactics. A hacker can either break the encryption through known vulnerabilities or steal the key through unethical means. Cryptographic attacks are used by hackers and cryptanalysts to recover plaintext from its encrypted version without the key.

However, breaking encryption is computationally demanding and time-consuming. It can take strong computers years to break encryption (although that time can be reduced substantially by using cloud computing or quantum computer technology). Instead, most attacks tend to involve stealing keys. Given that the math behind encryption is computationally complex (and quantum and cloud computing resources are often limited resources), stealing a key is a far easier task. The success of compromising a VPN solution comes from a combination of successful trickery, computing power, cheating, and social engineering.

All that is needed for a malicious actor to begin the exploitation of a VPN connection is a simple port scan against the target infrastructure. The majority of VPNs in use by enterprises and consumers give themselves away because of the ports they use for connectivity. A port scan against a target network discovers the following ports:

  • OpenVPN uses:
    • UDP ports 1194, 1197, 1198, 8080, 9201
    • TCP ports 502, 501, 443
  • L2TP uses:
    • UDP ports 500, 1701, and 4500
  • IKEv2 uses:
    • UDP port 500
  • PPTP uses:
    • TCP port 1723 or Protocol 47 (GRE)

These scans immediately indicate to a threat actor that a VPN is present and will guide them to begin the work to obtain the keys in some manner. An even easier method for VPN exploitation that commonly occurs is simply to observe a targeted corporate user in a public place, such as a coffee shop, see that user activate and log in to their VPN, and then simply misdirect their attention and steal the actual physical machine while the VPN connection is still active.

In most cases, unless the user has logged off or the machine has locked, the connection remains live, and the malicious actor can leverage that resource at their leisure.

VPN providers can be targeted as well, such as the exploits against Avast and NordVPN in 2019. In those attacks the malicious actor was able to leverage temporary credentials, thanks to a vulnerability in systems within a temporary data center provider's remote management tool. That access provided the threat actors unfettered access within the data center connections to the servers that manage encrypted communications for those VPN providers.

During that exploitation phase, a Transport Layer Security (TLS) key was stolen, which could have allowed the follow-on exploitation of any of the company's 12 million mostly commercial users via cryptographic man-in-the-middle methods (Kan, 2019). However, how many of those commercial customers also have business-related interactions on those same devices, and share or reuse the same passwords for access to corporate resources?

Research from a variety of sources that have scanned and probed thousands of VPN providers note that:

  • The majority of Secure Sockets Layer (SSL) VPNs still use the old SSLv3 protocol, which is more than two decades old and is no longer supported.
  • Many SSL VPNs use an untrusted, unverified SSL certificate, which allows a possible man-in-the-middle attack.
  • Insecure SHA-1 signatures are also prevalent.
  • Almost 50% of SSL VPNs use insecure 1,024-bit keys for their RSA certificates. RSA key lengths below 2,048 are noted across the industry as being insecure because of their weaker cryptographic security.
  • 1 in 10 SSL VPNs still rely on OpenSSL, and most of them are still vulnerable to the Heartbleed exploit, which is nearly half a decade old.
  • Only about 5% of SSL VPNs are compliant with PCI requirements.
  • Not a single VPN provider was found to be within the standards for NIST (the US government organization that provides standards and regulations for enterprises) guidelines.

Based on those statistics, it can be determined that there is a very high likelihood that most of the very tools many users, enterprises, and even governments rely on to allow BYOD and remote work to take place are fundamentally insecure.
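The survey findings above translate directly into checks a defender can run against their own VPN gateways. The following is an added example, not code from the book or from any of the studies it cites: it scores constructed scan results against the weaknesses listed (legacy SSL, untrusted certificate, SHA-1 signature, RSA below 2,048 bits, Heartbleed-era OpenSSL), computes the fleet-wide fractions the survey quotes, and builds a Python `ssl` client context that refuses those settings. The `GatewayScan` shape and the gateway names are assumptions made for the example.

```python
import re
import ssl
from dataclasses import dataclass
from typing import Dict, List

MIN_RSA_BITS = 2048
# OpenSSL 1.0.1 through 1.0.1f (and 1.0.2-beta1) carried Heartbleed (CVE-2014-0160);
# 1.0.1g was the fix. Any other version string is treated as unaffected by this check.
HEARTBLEED_RE = re.compile(r"^1\.0\.1[a-f]?$|^1\.0\.2-beta1$")


@dataclass
class GatewayScan:
    """Constructed summary of what an external TLS scan of one VPN gateway reported
    (an assumed shape, not the output format of any real scanner)."""
    name: str
    protocols: List[str]       # versions the gateway accepts, e.g. ["SSLv3", "TLSv1.2"]
    cert_trusted: bool         # certificate chains to a trusted CA and matches the host
    sig_algorithm: str         # certificate signature, e.g. "sha1WithRSAEncryption"
    rsa_bits: int              # RSA modulus size of the certificate key
    openssl_version: str = ""  # version if the server banner leaks it, else ""


def audit_gateway(scan: GatewayScan) -> List[str]:
    """Return stable finding codes for the weaknesses named in the survey."""
    findings = []
    if any(p.upper().startswith("SSLV") for p in scan.protocols):
        findings.append("LEGACY_SSL")        # SSLv2/SSLv3 still negotiable
    if not scan.cert_trusted:
        findings.append("UNTRUSTED_CERT")    # clients cannot tell a MITM from the gateway
    if scan.sig_algorithm.lower().startswith("sha1"):
        findings.append("SHA1_SIG")
    if scan.rsa_bits < MIN_RSA_BITS:
        findings.append("WEAK_RSA")
    if scan.openssl_version and HEARTBLEED_RE.match(scan.openssl_version):
        findings.append("HEARTBLEED")
    return findings


def fleet_summary(scans: List[GatewayScan]) -> Dict[str, float]:
    """Fraction of gateways carrying each finding, the kind of figure the survey quotes."""
    counts: Dict[str, int] = {}
    for scan in scans:
        for code in audit_gateway(scan):
            counts[code] = counts.get(code, 0) + 1
    return {code: n / len(scans) for code, n in counts.items()}


def hardened_client_context() -> ssl.SSLContext:
    """Client settings that refuse what the survey found: TLS 1.2 minimum (so SSLv3 and
    TLS 1.0/1.1 are never negotiated), certificate required and checked against the host."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Assertion a deployment test can make before shipping a VPN client configuration."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname)


# Constructed fleet: four hypothetical gateways, two of them with 1,024-bit keys.
SAMPLE_FLEET = [
    GatewayScan("gw-a", ["SSLv3", "TLSv1.0", "TLSv1.2"], False,
                "sha1WithRSAEncryption", 1024, "1.0.1e"),
    GatewayScan("gw-b", ["TLSv1.2", "TLSv1.3"], True, "sha256WithRSAEncryption", 2048, "1.1.1k"),
    GatewayScan("gw-c", ["TLSv1.0", "TLSv1.2"], True, "sha256WithRSAEncryption", 1024),
    GatewayScan("gw-d", ["TLSv1.2"], False, "sha256WithRSAEncryption", 2048, "1.0.1g"),
]

if __name__ == "__main__":
    for scan in SAMPLE_FLEET:
        print(scan.name, audit_gateway(scan))
    print(fleet_summary(SAMPLE_FLEET))
    print("client context hardened:", context_is_hardened(hardened_client_context()))
```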

Applications add to insecurity

When one realizes the flaws that VPN technology introduces to the enterprise perimeter security model, one can see there are certainly issues with that approach. Adding to that issue, but also closely coupled with remote work and the BYOD movement for the workforce, is the issue of application security. Applications are what everyone, everywhere, on every device, uses to interact with and access the tools they need to do their jobs and conduct tasks in their daily lives. These applications are in many cases built with a focus on speed to production in mind, not security. That fact means that many of those applications that are used are basically built to be insecure.

According to a study jointly conducted by the Ponemon Institute and IBM, more than 50% of enterprises have 0% of their security budget aimed specifically at application security (Ponemon Institute, 2016). Over 40% of enterprises do not scan the code that runs their applications for security issues prior to placing them in production, and roughly a third of enterprise applications that are in production have never been tested for known security flaws. According to a Hewlett Packard Enterprises (HPE) report from 2016, roughly 1 in 10 applications have hardcoded insecure passwords noted within their configuration (HPE, 2016). Lastly, almost half of all applications in production operate within enterprises that have admitted to having no vulnerability management program.

In other words, those organizations have openly admitted to research organizations that they have no plans for how to identify vulnerabilities within applications, and most do not have concrete plans for how to deal with the already insecure applications they have actively deployed.

So, the applications that are being used by users in their daily lives across enterprises, governments, and in personal consumer applications are almost all, at some level, insecure. This means that sooner or later a user will interact with or leverage an application that has an inherent flaw within that will lead to some form of compromise. That compromise can come in a variety of ways, from man-in-the-middle attacks thanks to Transport Layer Security (TLS) issues, binary handling issues, password security issues, or many other potential compromise actions, all of which will lead to further security issues that introduce flaws further into that perimeter-based security approach.

While applications are essentially being built with hardcoded flaws, there is a more overt issue that plagues security practitioners: the password. The next section will delve into the basic failures that are prevalent with this oldest model of authentication and secure access that man has used.

Authentication methods failed

The password: the single most prolific means of authentication for enterprises, users, and almost any system on the planet is the lynchpin of failed security in cyberspace. Almost everything uses a password at some stage. Basically, every application that is used, as well as every VPN, and even every machine on the planet uses a password for its means of authentication, as do administrative tools and internetwork shares and firewall systems. Everything, everywhere, has a password.

While that seems like a relatively simple and useful means of implementing security via authentication, passwords are only secure if they stay unknown to those who aren't the user of that password.

Over the past half-decade, almost every major repository of usernames and passwords has been breached at one time or another. In 2019, an independent researcher released a list of over 700 million known breached emails and usernames that could be combined with over 20 million compromised passwords.

Those usernames and passwords came from breach postings related to Yahoo, Equifax, OMB, Target, Home Depot, and hundreds of other instances of breaches of usernames, passwords, and authentication-related information. The Have I Been Pwned (HIBP) service claims to have more than 8 billion total records available that are the result of more than 400 worldwide data breaches.

Thanks to all those compromised credentials, it is a near certainty that each person on the planet has at least one compromised account. Since there are not 8 billion users on the internet, and certainly not 8 billion users on any one corporate system, many people appear in those records more than once, which greatly increases the likelihood that a multitude of those credentials are viable for an exploitation operation.

Credential stuffing, the tactic wherein a malicious actor replays compromised credentials against a target system in brute-force fashion to gain access, is exceptionally easy for threat actors. Many applications do not limit login attempts, or if they do, simple scripts can be used to wait for the timeout to pass, which allows threat actors to continually hammer away at a target asset until a valid set of credentials is found.

The criminal underground and nation-state threat actors alike are known to possess vast troves of compromised password and username sets and have been observed "in the wild" repeatedly trying to gain access to systems via those simple means. In most cases, it is nothing more than a matter of time before some set of valid credentials is found.

Over a 17-month period, the security team at Akamai, which has security intelligence assets deployed globally, recently detected over 50 billion credential-stuffing attacks against a variety of targets (Constantin, 2019). Any one of those billions of attempts could have, and in some cases did, result in access to networks and infrastructures that maintain sensitive corporate or government data. One valid credential pair out of billions of attempts and an entire enterprise perimeter begins to crumble.
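As an added example that is not part of the chapter, the following Python script runs over constructed login log lines (the addresses and usernames are invented) and shows why a per-account login limit does not catch credential stuffing, while counting distinct usernames per source address does; the single successful login inside the burst is the reused credential pair the text warns about.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class Attempt(NamedTuple):
    ts: datetime
    src: str
    user: str
    success: bool


# Constructed sample log (not real traffic): "<ISO time> <src_ip> <username> <OK|FAIL>".
# 203.0.113.7 replays leaked pairs, one try per account, and hits a single valid pair;
# 198.51.100.20 is a legitimate user mistyping a password twice before logging in.
SAMPLE_LOG = """\
2019-10-30T10:00:00 203.0.113.7 alice FAIL
2019-10-30T10:00:01 203.0.113.7 bob FAIL
2019-10-30T10:00:02 203.0.113.7 carol FAIL
2019-10-30T10:00:03 203.0.113.7 dave OK
2019-10-30T10:00:04 203.0.113.7 erin FAIL
2019-10-30T10:00:05 203.0.113.7 frank FAIL
2019-10-30T10:00:30 198.51.100.20 carol FAIL
2019-10-30T10:00:45 198.51.100.20 carol FAIL
2019-10-30T10:01:02 198.51.100.20 carol OK
"""


def parse_log(text: str) -> List[Attempt]:
    """Parse the constructed log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if line.strip():
            ts, src, user, result = line.split()
            attempts.append(Attempt(datetime.fromisoformat(ts), src, user, result == "OK"))
    return attempts


def per_account_lockouts(attempts: List[Attempt], max_failures: int = 5) -> Set[str]:
    """Accounts a classic per-account lockout would lock. Stuffing tries each
    leaked pair once, so no account accumulates failures: empty for the sample."""
    failures: Dict[str, int] = defaultdict(int)
    for a in attempts:
        if not a.success:
            failures[a.user] += 1
    return {user for user, n in failures.items() if n >= max_failures}


def detect_stuffing(attempts: List[Attempt], window: timedelta = timedelta(minutes=10),
                    min_distinct_users: int = 5, min_failure_ratio: float = 0.7) -> Dict[str, dict]:
    """Flag sources that spray many distinct usernames with mostly failures within
    one window; "compromised" lists accounts that logged in inside the burst."""
    by_src: Dict[str, List[Attempt]] = defaultdict(list)
    for a in attempts:
        by_src[a.src].append(a)
    findings: Dict[str, dict] = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)
        for i, start in enumerate(events):
            burst = [e for e in events[i:] if e.ts - start.ts <= window]
            users = {e.user for e in burst}
            failures = sum(1 for e in burst if not e.success)
            if len(users) >= min_distinct_users and failures / len(burst) >= min_failure_ratio:
                findings[src] = {
                    "attempts": len(burst),
                    "failures": failures,
                    "distinct_users": len(users),
                    # A success inside a stuffing burst is a reused credential pair:
                    # force a reset and review that session rather than trust the login.
                    "compromised": sorted(e.user for e in burst if e.success),
                }
                break
    return findings
```

The window and thresholds are tuning knobs; a slow attacker who spaces attempts past the lockout timeout still accumulates distinct usernames per source over a longer window.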

Consider also the typically abysmal construction of passwords by most users. In studies published as recently as 2019, two of the most prolific passwords in use globally were "password" and "123456." SplashData, an independent data research firm, conducted a study that noted the following as the worst passwords to use, and those worst passwords have not changed across the same study conducted annually over a period of 4 years:

Rank  2018        2017        2016        2015
1     123456      123456      123456      123456
2     password    password    password    password
3     123456789   12345678    12345       12345678
4     12345678    qwerty      12345678    qwerty
5     12345       12345       football    12345
6     111111      123456789   qwerty      123456789
7     1234567     letmein     1234567890  football
8     sunshine    1234567     1234567     1234
9     qwerty      football    princess    1234567
10    iloveyou    iloveyou    1234        baseball
11    princess    admin       login       welcome
12    admin       welcome     welcome     1234567890
13    welcome     monkey      solo        abc123
14    666666      login       abc123      111111
15    abc123      abc123      admin       1qaz2wsx

So, while users are intimately aware of the power of the password, that is, the accesses that are afforded that point of control, they continue to use those same easy-to-guess, blatantly ignorant passwords in all manner of their daily lives.

Added to the failure of users to adequately design their passwords are those other instances of failed perimeter-based security practices, namely that everything revolves around the use of a password for access and control, and that in most small and mid-size organizations those terribly insecure passwords are not blacklisted from use. As noted, even an organization as large as Equifax had "admin" as a password on networked assets.
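As an added example that is not from the book, the following Python screening routine implements the blacklisting the text says most small and mid-size organizations lack: it rejects the passwords in the table above and trivial variants of them, the single-repeated-digit passcodes the chapter goes on to cite, sequential digit runs, and passwords containing the username. The blocklist is drawn from the table, while the minimum-length value is an assumed policy choice.

```python
import re
from typing import Optional

# The entries of the 2015-2018 SplashData lists quoted in the chapter, plus
# "admin", which the text notes was in use at Equifax. A production deployment
# would load a far larger breached-password corpus; this set is illustrative.
WORST_PASSWORDS = {
    "123456", "password", "123456789", "12345678", "12345", "111111",
    "1234567", "sunshine", "qwerty", "iloveyou", "princess", "admin",
    "welcome", "666666", "abc123", "letmein", "football", "monkey",
    "login", "1234567890", "solo", "1234", "baseball", "1qaz2wsx",
}

# Substitutions that cracking wordlists apply routinely; undo them so that
# "P@ssw0rd" is screened as "password" rather than waved through.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 8  # assumed policy floor, not a value from the chapter


def candidate_forms(password: str) -> set:
    """Base forms a password collapses to once trivial decoration is removed."""
    base = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", base)  # "welcome2019!" -> "welcome"
    forms = {base, base.translate(LEET), stripped, stripped.translate(LEET)}
    return {f for f in forms if f}


def reject_reason(password: str, username: str = "") -> Optional[str]:
    """Return why a password fails screening, or None when it is acceptable.

    The checks mirror the failures described in the chapter: the published
    worst-password lists, single-digit repeats such as "0000000" and "7777777",
    sequential digit runs, the username itself, and a minimum length.
    """
    base = password.lower()
    if candidate_forms(password) & WORST_PASSWORDS:
        return "matches a known-worst password"
    if len(set(password)) == 1:
        return "single repeated character"
    if base.isdigit() and (base in "0123456789" or base in "9876543210"):
        return "sequential digits"
    if username and username.lower() in base:
        return "contains the username"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None
```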

Even members of Congress and famous media personalities have been found to be using weak and insecure authentication methods and passwords. Representative Lance Gooden of Texas, who co-sponsored a bill titled "Cybersecurity and Financial System Resilience Act of 2019," was seen accessing his phone during a congressional committee hearing with the passphrase "7777777." Kanye West's phone passcode was seen to be "0000000" during a televised meeting with President Donald Trump. One would think that those high-profile individuals, especially one that is literally drafting legislation for cyber security in banking, would be focused and educated on using solid passwords and authentication methods, but obviously they aren't.

Logic would suggest that if any password would be impossible to crack and composed of intricate schemas to prevent misuse of the asset, it would be in the US Minuteman Nuclear Weapons program. In a 2004 memo, Dr Bruce Blair, a former Minuteman weapons officer, stated that "the U.S. Strategic Air Command (SAC) once intentionally set the launch codes at all Minuteman nuclear missile silos in the U.S. to a series of eight zeroes."

In 1962, President Kennedy ordered his Secretary of Defense, Robert McNamara, to have a system called PAL, or Permissive Action Link, installed on all Minuteman nuclear weapons in the US arsenal. However, thanks to the sloth of the US Air Force in implementing those controls, and a general hatred of McNamara within the US Air Force's leadership, those changes took more than two decades to be deployed.

Dr Blair said in his memo that the standard operating procedure for US Minutemen officers was to be sure that "our launch checklist in fact instructed us, the firing crew, to double-check the locking panel in our underground launch bunker to ensure that no digits other than zero had been inadvertently dialed into the panel." In other words, the weapons team was told to make sure the "00000000" passcode was hardcoded into the sequence for the command and control of the 50 Minuteman nuclear missiles.

While this did not mean that it was any easier for an inadvertent launch to occur (there are many other checks that must be performed), it does mean that a very critical component of the launch sequence for the US strategic nuclear weapons was reliant on a simple 8-digit passcode composed entirely of zeros.

While the anecdote on the Minuteman program is slightly tangential, the point is that even in an organization as strictly structured and disciplined as the US Air Force, password management is usually a woefully inept practice. If an organization with that much power and that much responsibility can ignore a best practice in password management for 20 years, what hope does the average enterprise or user stand?

IoT devices poke holes in any perimeter

Internet of Things (IoT) devices are now some of the most prolific network-enabled assets on the planet. Over 6 billion of these devices are known to be currently connected to the internet as of 2019. All these 6 billion devices are web-enabled, app-enabled, require passwords for authentication, and are usually developed and built in nations that are known to have adversarial ties to government hacking organizations. In other words, they are guaranteed to have some level of insecurity from the day they roll off the manufacturing floor. And most, if not almost all, enterprises have some form of an IoT device in their network somewhere.

Whether it's a smart TV, smart thermostat, wireless printer, internet-enabled camera, or some other device somewhere in an enterprise, it is a certainty that an IoT device exists in that infrastructure.

The use of proprietary wireless signals and protocols within IoT devices is the main avenue of compromise for hackers and threat actors. There is a multitude of possible IoT protocols in use by a variety of manufacturers. Listed here are just two of the major protocols and their associated vulnerabilities. The list of all the potential issues with these devices is too long for any one book:

  • ZigBee – Sniffing for key exchanges allows man-in-the-middle attacks on encryption, and renders you vulnerable to a factory reset command, resulting in the device automatically connecting to any network that is available, which could be a malicious dummy network set up to collect unencrypted transmitting data (Zillner, 2015).
  • NFC – With the appropriate know-how, NFC can be manipulated too: launch a browser to link to a malicious website, download malware, upload personal info, make unwanted calls, or even send SMS messages.

Even recently adopted wireless-controlled lightbulbs have already been noted as leaking wireless network credentials outside the boundaries of their buildings. The very nature of the devices that are now in use, and the reasons they are in use, that is, to benefit the user and make some usually menial task easier and more remotely enabled, is also what helps them to be enablers of compromise. Ease of use, over-sharing, application accessibility, and hardcoded vulnerabilities introduce gaping holes into any network in which they exist. No perimeter with an IoT device installed should consider itself secure.

Unfortunately, regardless of how weak or hardened an IoT device may be, the users that touch those tools and operate on networks are almost never "built secure" themselves. In the next section, we will analyze the issues that surround basic user education, training, and practices that make security harder to manage and nearly impossible to maintain.

You can't fix stupid, or evil

In a perfect world, no human would ever touch a network. Machines would do everything and humans would simply benefit from those interactions. Machines operate logically and solely with a focus on function. They aren't easily tricked and are not typically open to influence via social means. But, for the time being, we don't live in that science fiction world where machines do everything for us. We still have users, and those users touch our networks, and their actions and issues introduce avenues of exploitation that can cripple what might have been a secure network. We must consider the following:

  • The most secure network is the one that no human ever touches. The second that a human puts their fingers onto a keyboard, the threat of compromise via human means, social engineering, phishing, and other standard methods becomes a reality. While technology is relatively binary in nature, humans are not. We are open to influence, fear, folly, and stupidity. Where a machine will simply not open an email that clearly has indications that the email originates from suspicious origins or has suspect attachments, humans might click that email, knowing that it is possibly malicious in nature, because it has a super cute picture of a kitten.
  • Currently in cyberspace the overarching method for securing the human relies heavily on training individuals to recognize possibly malicious actions or activities on their network and systems. This training is usually done by a combination of phishing and online teaching materials. While in many instances the use of these training modules does show a verifiable percentage of a reduction in clickthrough rates, it only takes one user and one click to introduce an exploit into a network. No matter how well trained the users are and no matter how current the material is, in most organizations there is usually a 3 to 5 percent continual click rate on follow-on exercises. While that seems small enough and very manageable, consider that in enterprises with 500,000 users, 3 percent is a substantial number of possible exploitation entry points.
  • Humans are also fallible with respect to fear and intimidation in cyberspace. In 2019, the tactics of "sextortion" came onto the worldwide scene. This tactic is simple in nature but effective. During a sextortion event, an already compromised email address, one from any of the 400-plus mega breaches, is thrown into a list by a malicious actor. That actor then uses dummy, non-traceable email accounts and sends out hundreds, or possibly thousands, of emails to potential targets. Those emails consist of something similar to the following example:

Figure 1: Example of a "sextortion" email

Source: https://nakedsecurity.sophos.com/2019/03/13/final-warning-email-have-they-really-hacked-your-webcam/

One of the most prolific of these campaigns is affiliated with an automated email-sending botnet called Phorpiex. Researchers at Check Point, a cyber security firm, have estimated this sextortion email-sending botnet to average about 30,000 emails per hour. Phorpiex uses an email spam botnet that continually downloads a database of email addresses from a command and control server of previously compromised assets.

Those databases used by Phorpiex include valid leaked passwords in combination with email addresses that help to sell the scam to the end recipient. Even those individuals that have no affiliation with pornography often pay the ransom notice as they genuinely believe that there is someone monitoring their infected machine or phone. The ransom is paid in Bitcoin, and thus there is no financial means to trace the originators of the attack.

However, in recent months this attack has begun to become more targeted and malicious as the same attackers are reselling the lists of those individuals who have paid the ransom to other nefarious actors. Those other threat groups are then retargeting those same individuals, but instead of asking for Bitcoin they are asking for usernames and passwords to specific systems. Essentially, they are leveraging the stress and the higher likelihood that those individuals who paid in the past have something to hide to extort them for access to networks. Should any of those targeted individuals be a high-level executive or a system administrator with higher privileges on a network, the compromise could be cataclysmic for that organization.

While there is a potential problem if an innocuous or innocent user happens to become infected, there is a much more malevolent issue associated with a human workforce: insider threats. Malicious insiders are those individuals who have a specific motivation or reason to exploit an infrastructure from the inside. These motivations come in a variety of possible vectors, from monetary to political and even emotional, and the impact that stems from an insider can be far more significant than that of an inadvertent user click.

When an insider makes the decision to conduct a malicious action against their network or infrastructure, they are already a validated user and usually have been provided with all the tools they need to be truly damaging. Most users have some level of administrative privilege, access to network shares, intellectual property, and the specific internals of that organization.

In many cases over the last decade, insiders have been able to maneuver unhindered within infrastructures, as they are not well monitored. Edward Snowden, Bradley (Chelsea) Manning, Jason Needham, Walter Liew, Robert Hanssen, and many others were all able to gather valuable data from their employer's network and later wreak havoc on those systems. Even the NSA, with all of its technical prowess and monitoring, was unable to stop an employee from taking home highly classified information.

Nghia Hoang Pho of Ellicott City, Maryland, worked at the Tailored Access Operations unit within the NSA. Pho claimed during his trial that he was taking the files home to "work after hours and earn a promotion," but still he was able to steal (albeit unintentionally, he claims) the highly protected files because of the access and trust within the network that he was provided. It is thought that his home computer was the likely exfiltration point for the Shadow Brokers leaks of NSA-level tools.

Paige Thompson did not work for Capital One when she breached their systems. She was a former employee of a small business that had done previous work in Amazon cloud infrastructure services; her employer provided those services to Capital One. She was arrested in July 2019 for the breach at Capital One that affected as many as 100 million customers. The data she pilfered from Capital One had been stored on a vulnerable Amazon server, due to the fact that its protections were misconfigured by bank cloud security administrators.

Thompson acquired access to company computer login details, stolen from open Amazon servers, or S3 buckets as they are called. She then abused the control she had gained over those cloud machines to both steal data and use their excessive processing power to mine cryptocurrency.

Thompson was overt in the motivations and nature of her insider threat operations planning and execution. She posted on an AWS-related Slack channel that she needed to "get information off her servers" and on Twitter she said "I've basically strapped myself with a bomb vest, dropping capitol one dox and admitting it. I wanna distribute those buckets I think first" (Merle, 2019).

Thompson was a talented and highly technical engineer who had intricate knowledge of both hacking and exploitation, but her actual job with her employer was never to conduct exploitation operations. For her own, still mostly unknown reasons, she decided to manipulate vulnerabilities in AWS cloud systems that would impact a multitude of different organizations and potentially millions of users.

With all that we have covered in this chapter, there are a few key lessons that we should take away, lessons that have often been learned the hard way by organizations that have fallen victim to malicious attackers exploiting the era of the Fall of the Perimeter:

  • Humans are one of the weakest links in the chain that is cyber security. We are easily tricked, open to influence, and fallible by our very nature.
  • As infrastructures grow larger and ever more diverse with more devices, more access, and the speed of the cloud, humans will continue to be pivot points for failure in any system wherein they can access information.
  • All the training and education in the world fails when one user clicks on a link that is malicious.
  • No one specific control placed singularly on a user can hope to stop a malicious insider.

All that said, without truly specialized behavioral monitoring and strategically placed security controls, users will continue to be agents of failure for any network that ignores the power they wield and the damage they can inflict.

Conclusion

The perimeter-based security model is outdated and has unequivocally failed to secure businesses and enterprises across the planet. However, it is not because the basic concept of a secure edge is a failure. It is instead the proliferation of technology combined with the interconnected nature of current infrastructures that make this approach to security so ineffective. The very connectivity that is a boon for mankind, enabling business and everyday life, is its own worst enemy. A failure within one perimeter eventually will lead to a failure in many, and on and on it goes.

While the perimeter-based model of security has proven itself inefficient and a purveyor of failure, there are now issues far beyond those high walls that will afflict cyberspace for the coming decade. The time to understand what those items are and explore how they might be used for malevolent purposes is now, before they become problems that expand beyond the bounds of any control.

In the next chapter, we will move on from detailing the failures of perimeter-based security and discuss future issues that will affect security for governments and organizations. In that chapter, we will also point out some of the new and more innovative attack types that will emerge in the near future.

References

  1. Brandom, R. (2017, October 3). Equifax CEO blames breach on a single person who failed to deploy patch. Retrieved from theverge.com: https://www.theverge.com/2017/10/3/16410806/equifax-ceo-blame-breach-patch-congress-testimony
  2. Constantin, L. (2019, October 30). Credential stuffing explained: How to prevent, detect and defend against it. Retrieved from csoonline.com: https://www.csoonline.com/article/3448558/credential-stuffing-explained-how-to-prevent-detect-and-defend-against-it.html?utm_source=twitter&utm_medium=social&utm_campaign=organic
  3. Government Accountability Office (GAO). (2018, August 1). Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach. Retrieved from gao.gov: https://www.gao.gov/assets/700/694158.pdf
  4. Greenberg, A. (2018, August 22). The Untold Story of NotPetya, the Most Devastating Cyberattack in History. Retrieved from wired.com: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
  5. HPE. (2016). Cyber Risk Report. New York: HPE.
  6. Kan, M. (2019, October 21). NordVPN, TorGuard Hit by Hacks Involving Insecure Servers. Retrieved from pcmag.com: https://www.pcmag.com/news/371439/nordvpn-torguard-hit-by-hacks-involving-insecure-servers
  7. Koerner, B. I. (2016, October 23). Inside the Cyberattack that Shocked the US Government. Retrieved from wired.com: https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/
  8. Ng, A. (2018, September 7). Equifax's hack, one year later: A look back at how it happened, and what's changed. Retrieved from CNET: https://www.cnet.com/news/equifaxs-hack-one-year-later-a-look-back-at-how-it-happened-and-whats-changed/
  9. Ponemon Institute. (2016). The State of Application Insecurity. New York: Ponemon Institute.
  10. Schwartz, M. J. (2018, September 11). Postmortem: Behind the Equifax Breach, Multiple Failures. Retrieved from bankinfosecurity.com: https://www.bankinfosecurity.com/postmortem-behind-equifax-breach-multiple-failures-a-11480
  11. Zillner, T. (2015). ZigBee Exploited: The Good, the Bad and the Ugly. Las Vegas: Black Hat conference.