The Dangers of "Theatre of Security"

 

The other day I was reading "Advanced Persistent Threat Hacking" by Tyler Wrightson.  I came across a phrase that struck me.  

Theatre of security (TOS)

Up until my reading I had understood this phrase and how it applies to organizations.  Oddly enough though I never had the words for it.  I could describe it, but never called it TOS.

I love learning.

Mr. Wrigtson provides a good metaphor for TOS.

Think about magiciaions, they will conduct slight of hand, distractions, and other tricks to create the allusion of magic.  A magician shows you a red ball in his/her right hand.  They wiggle their fingers, talk about their right hand, look at their right hand, talk to you about how you should be looking at their right hand, meanwhile the left hand subtly (somehow) removed the red ball and is placing it under the table.

Magic!!

Certainly appears that way, however imagine if you had not been staring at his/her right hand?  What if instead, you observed that the left hand moved up to the right hand for no apparent reason, that the left hand moved slowly down while the magician says "now keep your eye on my right hand."

You have effectively broken the allusion, you know how he/she was able to trick people.  But you were not tricked.  This small piece is the reality of the danger TOS.

Let's bring this example into the security realm.

Let say I am a business, I have the typical security hardware/software solutions in place to protect assets internally and keep the baddies out.

Great!

However I also want to dissuade threat actors from choosing me as a target.  So I put up virtual hurdles(port obfuscation etc.).  A threat actor port scans and sees that in my top 1024 ports there is no ssh service.  sad.  The criminal moves on!!

Allusion! I do have ssh service enabled!  I put my ssh service on port 45,000 because I'm tricky that way.

So I "stopped" the first criminal from landing on me and doing a snatch-and-grab.  The next criminal waits a bit longer, does a bit better recon and learns that I have ssh service on port 45,000.  They spend a bit more time and bruteforce my credentials and have gained access.

This is a basic example of the dangers of TOS.  Was my environment secure because I obfuscated a port? Well, the answer is yes, but minimally.  Think about your own organization, this example can easily scale out to any size.

Cyber professionals and criminals are in a constant battle of wits.  The truth is that given enough time, (hours,days,weeks,years) a malicious APT hacker will gain entry.

The primary lesson here is do not make your security solution a puffed up target.  

If you want to protect your organization, actually do it and don't rely on theatrics to stop criminals.

Andrew Campbell