The year retrospective. 2014 has been the year that under-appreciated infrastructure has been demonstrated as fragile at multiple layers — Heartbleed in OpenSSL, goto fail in Apple TLS, Shellshock in bash, POODLE in SSLv3, TrueCrypt's mysterious shutdown, the Russian credential hoard. Each of these has been an individual incident worth writing about; the cumulative shape across the year is the structural story.

The list of what I wrote about, in chronological order: the sixteen-years-on year-opening; goto fail; Optic Nerve; Heartbleed; the long-form piece on commercial security and state surveillance; TrueCrypt; GameOver Zeus and Operation Tovar; the Russian credential hoard; iCloud and Celebgate; Shellshock; POODLE; Sony Pictures. Twelve substantive posts plus the long-form piece in May.

The structural shape of 2014 organises around four things.

First: the under-appreciated-infrastructure problem is now demonstrably at the core of the security-engineering challenge. OpenSSL was maintained by a small team with minimal funding and shipped with Heartbleed in production for two years. Bash was maintained by one academic on a side project and shipped with Shellshock for twenty-five years. TrueCrypt was maintained by anonymous developers and disappeared overnight. The Linux Foundation's Core Infrastructure Initiative is the first organisational response to the structural problem; whether it actually changes the funding calculus for critical open-source security infrastructure remains to be seen. The wider question — what other infrastructure is under-resourced and fragile in ways the security community has not yet noticed — is the question that will dominate 2015 and beyond.

Second: the destructive-malware threat model has been demonstrated at scale against a private-sector target outside the energy sector. Sony Pictures is the year-end demonstration that the Shamoon pattern from 2012 is reusable and is not bounded to oil-and-gas. The implications for any organisation engaged in business activity that produces sustained political opposition are direct and unpleasant. The defensive response — incident-response infrastructure that addresses business continuity, communications, legal coordination, and operational recovery in parallel — is what most organisations do not have, and what the post-Sony engagement-team material is being substantially redrafted around.

Third: the consumer-platform authentication infrastructure remains substantially weaker than the platforms publicly acknowledge. iCloud's Find My iPhone endpoint without rate limiting is the cleanest single illustration; the LinkedIn-shape credential breaches at smaller platforms have continued through the year; the credential-stuffing arms race has accelerated. The structural answer remains two-factor authentication everywhere it matters; the deployment remains uneven; the cost-of-not-deploying continues to be paid by the breached user populations.

Fourth: the post-Snowden conversation has substantially landed at the engagement-client level. The data-residency and end-to-end-encryption arguments I have been making since the original PRISM post and the Tempora follow-up are now in the engagement-team standard advisory rather than in the optional material. The long-form piece I published in May has been the framing document the engagement-team has been using through the second half of the year. The clients have, on the whole, accepted the argument; the architectural follow-through has been slower than I would like but is happening.

For Hedgehog, 2014 was the year the SOC committed to twenty-four-hour staffing. The decision came in February, the recruitment ran through spring, and the SOC has been operational at 24/7 since June. We now have eight analysts plus me on operations, six monitoring clients, and an analyst-training programme that has been substantially refined through the year. The financial model is performing better than I had projected; the operational quality has held through the transition; the structural question of "do I want to be in the role of running a SOC" has been resolved with a confident yes.

The vCISO secondment portfolio is stable: Towry Law, Northcott, News International, Browne Jacobson, TWI. The five-client portfolio has continued to be the right shape for the practice through 2014; I expect it to be the right shape through 2015. The conversations through the year have been substantially shaped by the post-Snowden environment, the destructive-malware threat model, and the under-appreciated-infrastructure pattern. None of those conversations are over.

The reading I have come back to most this year. Schneier on Security on the post-Snowden material continues to be the steadiest source. Brian Krebs on the credit-card-and-breach beat continues to be operationally essential. Greenwald's No Place to Hide, which landed in May, is the long-form work I have referred most to in the engagement-team material. The Crysys/Kaspersky/Symantec analyses on continuing state-grade malware have been the technical reading I have spent most time with.

For 2015, the priorities are continuity. The under-appreciated-infrastructure problem will continue to produce incidents; the destructive-malware category will continue to mature; the consumer-platform authentication issues will continue to surface; the post-Snowden conversation will continue to shape the engagement work. The penetration-testing-methodology piece I revised in 2014 will get another revision based on twelve months of using it. The vCISO portfolio continues. The SOC continues. The notebook continues.

Happy 2015 when it arrives. The notebook will be seventeen years old on Friday.