When it comes to marketing hype, and the suggestion of any new trends, vectors of attack, or other such new ways of circumventing perimeter security, I do tend to be, what one may describe as a ‘Doubting Thomas’, who really does take some convincing. That is why my first impressions of the AET as introduced by StoneSoft at InfoSecurity 2011 left me with questions, asking, is this again just more hype to sell product?
Having looked a little deeper into their claims, things did start to resonate, and I soon started to see the outline of the overall implications. But again, so what, as basically I had only had a show demonstration, and again, being of the ‘Doubting Thomas’ nature, still was not fully convinced – so I said to StoneSoft, expecting disappointment ‘show me’ – and as I expected nothing happened! But then, out of the blue, It was early 2012 when StoneSoft invited me to go over to their Labs, under a very robust NDA.
So what was the outcome of that visit, and what are my thoughts now on the threats of the AET against those protected perimeters of global organisations – it’s simple, Mr Doubting Thomas is now fully convinced they are at risk, and that the AET in this guise, and any other guise that follows is a real contender, not only as a Commercial Threat, but also as a tool in the armoury of the new age Cyber Combatant, and Cyber Warfarin – so what converted the Doubting Thomas? – Let us see.
In my time in Helsinki, I was shown a number of top shelf Firewalls, IDS, and IPS systems, all fully up-to-date, and all reflecting the profile one would expect to find at any well maintained, secure Internet facing site. The StoneSoft Engineers, then fired up their tools, loaded, and adjusted the profile of the AET, and ran then again these security appliances – and shock horror, as if by magic, some, if not all fell victim to compromise, had gained shell access rear of the protective device – trust me, I saw it, I was there, and I observed 'insecurity' in real-time.
Of even more concern was the fact that some of the security appliances performance ranged from inadequate to downright useless when faced with these new style crafted threats, which in one lighting fast test ran 104 AET attempts to intrude, encountered ‘only’ 17 Log Entries documenting Blocked Attempts, with a result of ‘34’ successful intrusions, gaining access to that much loved Shell – and in the case of one security appliance, all this took just 5 seconds.
The problem with security is, everyone in the Good-Camp feels we should be applying the rules of convention, when in fact, in the Black-Camp, no such rulebook exists.
This experience has also made me sit up and realise that when one attends Security Trade Shows(say in 2013) go with an open mind, look behind the sale blurb, and seek out, and you may just find some interesting nuggets reflecting the future of Insecurity.