Friday, February 21, 2020

DNA sequencing computer attacks - The large security gap chasm that enterprises face

I was having a discussion with a friend who works in a three letter agency about the large gap that most enterprises have in their security and overall maturity.

Overall, maturity across most enterprises remains low when you look at the full width of what would be expected of a secure enterprise.

In a humorous text message, my friend sent me an really cool conference on DNA sequencing used to attack a computer system.

Here I am arguing 

  • about the value of isolating a compromised workstation even if it is the CEO's laptop.
  • that Winter2019 is a terrible password 
  • that the user who changed his password when told it was a bad password, from Summer2019 to Winter2019 lack computer security competency
  • that if performing a simple vulnerability scan across your network causes major issues it means your systems are at the bottom end of the quality scale

.... and in a lab somewhere in Washington, they hacked a computer using DNA.

Yes, you read that right.

If you want to expand your views of the complexities enterprises face in defending against malicious attacks, listen to this 29 minute talk.




Summary (extract):
A group of researchers from the University of Washington has shown for the first time that it's possible to encode malicious software into physical strands of DNA, so that when a gene sequencer analyzes it the resulting data becomes a program that corrupts gene-sequencing software and takes control of the underlying computer.

Thats right folks, as security professionals, we have to test users for weak passwords, test computers for malware, and test software for out of band attacks coming in through DNA.

I thought this was a really cool image that is being painted about how wide protecting enterprises against attacks can be.

We have to explain to management that Winter2019 is a bad password AND we have to explain that software in an embedded system could be exploited by a DNA sample.  If they do not even understand the first one..... that second one is going to be a hard sell.

The reality is that attackers invest all their time in finding weaknesses that they can exploit.  Enterprises still struggle to have enough budget just to keep systems updated. 

Lets just say that breaches will continue to happen, and sites like databreachtoday.com might have to change their names soon to data breach this hour . com


So if you are competent in cyber security... job security is probably ensured.

This week, our local government announced yet another data breach where a user account was used to log in and steals the personal information of 360,000 employees (TVA Nouvelle - Ministère de l'Éducation).   

A single user account that can suck out all the records over the Internet.

What a wide chasm we indeed are facing.


_______________________________________________

Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies









No comments:

Post a Comment

Imagine a Vulnerability Testing tool that defaults to showing you partial results

Well, to my surprise, Tenable.IO has added a new setting that defaults to NOT showing you everything. So when creating a new scan, you are f...