Thursday, May 10, 2007

Vulnerability-Centric Security

The vehicle pictured at left is a Mine Resistant Ambush Protected vehicle, the US Army's replacement for the Humvee. I read about this vehicle in Army Times. That article said:

At a meeting to be held this week, according to a Pentagon source who spoke on condition of anonymity, the Army’s leadership is expected to request $9 billion for 9,000 MRAPs to be fielded through fiscal year 2008, with another 8,700 for fiscal 2009.

That's $1 million per vehicle.

I have a sinking feeling that although the new vehicle is "Mine Resistant," the "Ambush Protected" part will be tested by unpredictable, creative adversaries.

What does this teach us about digital security?

Frequently I hear people refer to the "if cars were like Windows" analogy. Let's take a look at cars and PCs, given the MRAP is really just a fancy car.

  1. A car that doesn't start may be like a PC that doesn't boot. It could be the fault of the manufacturer or the owner, depending on maintenance, etc. If it's the manufacturer's fault, they could be held responsible for the problem.

  2. A car that behaves erratically or in an unsafe manner while being driven may be like a PC that behaves erratically or crashes. It could be the fault of the manufacturer or the owner, depending on maintenance, etc. If it's the manufacturer's fault, they could be held responsible for the problem.

  3. A car that gets hit by a boulder dropped from a bridge may be like a PC that is attacked by an exploit. This is not the fault of the driver or PC operator -- it's the fault of the threat dropping the boulder and the intruder launching the exploit. (Even if the PC is not patched, it's not the victim's "fault." If you can't accept that, consider the PC fully patched and the vulnerability a zero-day.)


In cases 1 and 2, we could hold either the owner or the manufacturer responsible for the problem, depending on the circumstances. In case 3, the threat is responsible.

Unfortunately, few owners are in a position to do anything about threats. If we take a vulnerability-centric approach, we end up driving vehicles like the MRAP and building layers of security around PCs (anti-virus, network firewalls, etc.). In both cases the mitigation is costly and ultimately ineffective, because the threat remains free to devise new and ingenious ways to inflict his will upon the target.

Thinking we can build "invulnerable" vehicles like the MRAP is like Bruce Schneier thinking we can build invulnerable software. Sure, you can make more attack-resistant vehicles and software, but at what cost? Ultimately the threat must be directly addressed. No one thinks the way to peace in Iraq is by giving every Iraqi a bunker in which to live and an MRAP to drive. Why do people think we can do that with software?

8 comments:

LonerVamp said...

Of course, like you said, most owners can't really do anything about threats, which tend to be external to us (let's ignore insider threats for a moment since I'm kinda abusing the term "external"). Therefore, security is outside of our control? I don't think anyone likes that, and I'm not sure our social system can handle that. (Then again, so many frivolous lawsuits since the McDonald's hot coffee spill incident means lots of people are blaming lots of other people for their ills...)

I'm not sure I buy into a threat-centric approach simply because that can be so easy to just say, "blame it on the threats!"

Not that I'm saying that's your approach or that I spit on threat-centric. I prefer a blend of various approaches.

Anonymous said...

I find it ironic that you bring up Iraq as your example.

Directly addressing the (perceived) threat has wasted more lives, money, and resources than just fixing the vulnerability at home while not making the asset (US) one bit safer.

Anonymous said...

Some of us remember a time when vehicles would break down every five minutes. Then the Japanese came along and built more reliable cars at the same (or lower) cost to the consumer. Maybe the same can happen to software.

As far as eliminating the threat (arresting someone on a bridge with a boulder, etc.), due to a global economy and the reachability of the Internet I think we need to come to the realization that this type of enforcement is very difficult in a cyber environment.

Richard Bejtlich said...

LonerVamp,

I didn't say we should only do threat-centric security and ignore vulnerability-centric security. You won't find me running exposed, unnecessary, unpatched services waiting for the police to deter or capture threats. However, too many people equate "security" with "vulnerability-centric security." That is the point of this post.

Anonymous,

This is not a political blog. I brought up Iraq because it is the place where the MRAP is being deployed. If I could have discussed the MRAP without Iraq I would have done so.

As for "fixing the vulnerability at home," you actually make my point. Please tell me how you would comprehensively "fix" vulnerabilities in the US to the point where a threat-centric approach wouldn't be needed? Just make me a list of the vulnerabilities to be fixed. You don't even need to explain countermeasures. I'll check back in 50 years to see how much progress you've made. :)

Anonymous said...

Richard, poor Richard...Please stick to things you know about.

I would assume you've spent years in the trenches learning about Information Technology and Security as far as systems are concerned. But I think you have little to no understanding of Mine Protected vehicles and what they mean to the men and women who are in the 'real' trenches.

So far, the Cougar and Buffalo (the two MRAPs that have been in theater for over two years), which are manufactured by Force Protection, Inc. in Ladson, SC, have encountered over 2,000 IEDs and have logged over 2,000,000 combat hours without a single fatality.

Now that is something, given that on average 2 lives are lost every time a Humvee encounters an IED.

As for your statement that they are $1,000,000 each, this is incorrect. The CAT I MRAP, which is a 4x4 Cougar, goes for a little over $500,000 each. The CAT II is a 6x6 Cougar and is about 10% more.

The CAT III, which is the Buffalo, goes for close to a million, but it is in a class all its own.

So let's see, a fully up-armored Humvee goes for about $350,000 and we average two deaths per IED encounter, or we spend $150,000 more and have no deaths....Not a hard one to figure.

No one said they are indestructible, but just like best business practices mandate firewalls, anti-virus and IDS, you would be a fool for trusting your war-fighting systems (we call them Soldiers, Sailors, Marines and Airmen) to anything less.

The best offense is a good defense. These are the best available.

Mr. Zippy

Richard Bejtlich said...

Second Anonymous,

You missed my point entirely. You are talking about cases 1 and 2. Lousy cars from the Big Three in the 1970s and 1980s weren't failing because aggressors were shooting at the engines. Security involves intelligent adversaries whereas reliability is a superset that includes problems of the type you describe.

Richard Bejtlich said...

Mr Zippy,

Give me a break. Did I even imply that I do not want our soldiers protected? I have friends in Iraq, Afghanistan, and other places too.

As far as "The best offense is a good defense" goes, try that out on the battlefields of history. Start by checking out the Maginot Line and see how far that takes you. There's a reason the adage is "the best defense is a good offense."

Richard Bejtlich said...

Regarding costs -- if I buy 9000 of these for $9 bil, that's $1 mil per vehicle on average. I don't care if they "cost" $650k each -- I'm still paying $1 mil each on average.