Monday, November 30, 2009

Real Security Is Threat-Centric

Apparently there's been a wave of house burglaries in a nearby town during the last month. As you might expect, local residents responded by replacing windows with steel panels, front doors with vault entrances, floors with pressure-sensitive plates, and whatever else "security vendors" recommended. Town policymakers created new laws to mandate locking doors, enabling alarm systems, and creating scorecards for compliance. Home builders decided they needed to adopt "secure building" practices so all these retrofitted measures were "built in" future homes.

Oh wait, this is the real world! All those vulnerability-centric measures I just described are what too many "security professionals" would recommend. Instead, police identified the criminals and arrested them. From Teen burglary ring in Manassas identified:

Two suspects questioned Friday gave information about the others, police said.

Now this crew is facing prosecution. That's a good example of what we need to do in the digital world: enable and perform threat-centric security. We won't get there until we have better attribution, and interestingly enough attribution is the word I hear most often from people pondering improvements in network security.

10 comments:

Kevin said...

Luckily it's hard to break into houses in Virginia and steal TVs while sitting in an office in Beijing or Moscow. Evidence suggests that breaking into computers in Virgina while sitting in an office in Beijing or Moscow is a lot easier. I'm unclear on how you arrest and prosecute people who essentially work for a foreign government and are protected by that government. What realistic options are there other then hardening and hoping for the best?

Anonymous said...

I had the chance to attend a workshop on attribution in 2006 put on by the Cyber Conflict Studies Association. The topics and ideas discussed and presented are summarized here:

http://it.toolbox.com/blogs/managing-infosec/attribution-and-cyber-conflict-10935

It's my understanding they are attempting to connect research with policy makers-

"CCSA promotes and leads international intellectual development efforts to advance the field of cyber conflict research. These activities include workshops that bring together professionals from industry, academia and government to discuss strategic issues surrounding cyber conflict and the publication of insightful research articles and position papers in its Journal of Cyber Conflict Studies.

CCSA also plays an important role in our national cyber-readiness strategy, serving as a resource for national security decision-makers and helping to frame and promote national cyber conflict policy."

Interestingly, there is an article dated Nov 14, 2009 and titled "The Cyberwar Plan
It's not just a defensive game; cyber-security includes attack plans too, and the U.S. has already used some of them successfully." It contains a quote by Bob Gourley, former CTO for the Defense Intelligence Agency and is a board member of the Cyber Conflict Studies Association.

Anonymous said...

Whoops, here's the link to the The Cyberwar Plan article:

http://www.nationaljournal.com/njmagazine/cs_20091114_3145.php

Dremspider said...

I have been thinking of this article since I read it and I would have to say I disagree with this. While I understand that you are being sarcastic and exaggerating a bit, the example doesn’t scale well. In my house I have two TVs, a couple of computers and some other miscellaneous electronics. It would be very difficult to steal all of those without being seen, but even if they did my roommate and I would probably lose $4000 at the most, plus maybe some damage to the property. There is no sense in anyone investing more than $4000 in security products to prevent something that may happen and only incur a loss of $4000.

A risk assessment needs to be performed in house security (even if it is only informal). How bad of a neighborhood am I in? How much is the value of my products? How likely is someone going to break in? People buy insurance that covers theft for these reasons it makes more sense to spread the risk then to invest in the newest alarm system.

If you raise the value of the target, more security is put in place. I am sure that the Smithsonian’s Hope diamond is protected with many of the same measures that we do in Information Security. Pen testing, auditing, testing of the control mechanisms (I know you hate that word), as well as defense in depth strategies are performed on any physical item of high value and this can be translated to the “Cyber” domain as well.

Information is of value to companies and often can’t be let out. Proper mechanisms policies need to be put in place to protect these. To make matters worse it is a lot harder to prosecute someone in a cyber incident. With theft in a house the attacker must be physically located in one area, the victim’s house or office. With any cyber crime, there is often multiple victims as well as paths to follow all across the world.

While it would be nice if we could place more of the blame on the criminal, I don’t think that is going to happen anytime soon. The value of the item being protected is too high and the criminals too dispersed. I doubt that the criminal will ever be prosecuted as often in cyber crimes as often as they are in the real world.

LonerVamp said...

I fully sympathize with the position that targeting the threats themselves would be the most effective approach to take. But what if someone does not have a reasonable expectation that global cyber attackers will ever be apprehended and punished accordingly?

Likewise, would the expectation of threat apprehension excuse being thrifty with security measures?

If a homeowner is down at town hall arguing for better policework, but leaves his home unlocked in the face of a known rash of local burglaries, would he have any liability for that? I realize this road may be subtly wrong, as it leads down the avenue of blaming someone else for one's own personal responsibility (a personal peeve of mine from the 90s and 00s). Then again, your above analogy does include rather extreme measures mandated by public office, which does kind of narrow the scope. :) Maybe you're just making a statement, not about the homeowners, but the public office demanding private citizens be unreasonable...

Moving further, I'm not sure I would want an Internet that has "real security" through proper attribution, globally. How fundamentally will that change the Internet and the way it has grown and been used? As such, I'm skeptical on how reasonable I can expect it.

This leaves me with being threat-centric as much as my SMB will allow me, and shoring up defenses by being everything that is not threat-centric.

But I do concede that on some level, especially once get high enough with enough clout and influence and jurisdiction, attribution and being threat-centric makes more sense, even if it is unattainable (like almost all police-work).

Keydet89 said...

We won't get there until we have better attribution...

And we won't have better attribution until organizations have the ability to detect and respond to computer security incidents. After all, how can you attribute something when you didn't know it happened, an outside third party told you about it months after it happened, and in response, your staff wiped out all of the evidence?

Anonymous said...

Directly From: SANS NewsBites Vol. 11 Num. 94. Your Thoughts?


"NIST 800-37 Ends the Era of Federal Certification & Accreditation -
Excellent Beginnings - One More Step To Go.
http://csrc.nist.gov/publications/PubsDrafts.html#800-37_Rev1
The new draft of NIST's Special Publication 800-37 published two weeks ago is open for review. John Gilligan who serve as CIO of both the Energy Department and of the US Air Force and who was the President's Transition Team Lead for IT and IT Security in the Department of Defense has written a brief analysis that illuminates the one key problem that the new document could easily solve, but doesn't. We have included Gilligan's complete analysis here. If you concur with his findings please let the NIST people before December 15 at sec-cert@nist.gov. If you feel like sharing, we'd love to see your suggestions as well at
NIST80037@sans.org."

Mike Montecillo said...

Great post! It is absolutely dead on. Nothing creates more cost inefficiency in a security strategy than unnecessary countermeasures. In order to understand what is necessary we need to have better attribution.

DanPhilpott said...

Well that's a relief, the police arrested all the thieves. So if I leave my keys in the car, front door unlocked and wallet on the lunch counter I can be assured theft won't occur?

Addressing threat-sources is undeniably important, but in the present world (both online and offline) can not be depended upon. Threats, threat-sources and vulnerabilities are all parts of the puzzle, but risk based decisions based on those elements are where effective security springs from.

DK said...

Sweet, so rather then use the identification of an obvious threat as an opportunity to remind myself that the world is not a secure place and I should check out my risk posture to see if I'm still comfortable with it, I should rely exclusively on after the fact mechanisms (the police will get them).

That will be very comforting to people who have lost their possessions.