Thursday, April 27, 2006

Risk Mitigation

If you've been following the last few days of posts, you know I've been thinking about security at a more general level. I've been wondering how we can mitigate risk in a digital world where the following features are appearing in nearly every digital device.

Think about digital devices in your possession and see if you agree with this characterization of their development. Digital devices are increasingly:

  • Autonomous: This means they act on their own, often without user confirmation. They are self-updating (downloading patches, firmware) and self-configuring (think zeroconf in IPv6). Users could potentially alter this behavior, but probably not without breaking functionality.

  • Powerful: A cell phone is becoming as robust as a laptop. Almost any platform will be able to offer a shell to those who can solicit it. There is no way to prevent this development -- and would we really want to?

  • Ubiquitous: Embedded devices are everywhere. You cannot buy a car without one. I expect my next big home appliance to have network connectivity. Users can't do much about some of these developments.

  • Connected: Everything will be assigned an IPv4 (or, soon, an IPv6) address. Distance is seldom a problem. Every digital maniac is a few hops away.

  • Complex: I am scared by the thought of running Windows Mobile on my next phone. Can I avoid it? Probably not. How many lines of code are running on that mini-PC -- I mean "phone" -- I'll be using?

In my opinion, this digital world is increasingly resembling the analog one. In fact, those five attributes could describe people as easily as complex machines!

The key factor in this new world will not be static vulnerabilities, but dynamic threats. The number of opportunities for threats to play havoc will vastly dwarf the chances for defenders to address vulnerabilities.

Think about how we deal with security in a typical city. I call it the "local police model."

  • Police can never prevent all crimes, although they can try.

  • Police more often respond to crimes. They proceed to track and jail criminals.

  • By prosecuting criminals, the justice system removes threats.

  • No one spends time or money putting bars on windows or replacing door locks in the average suburban neighborhood.

  • Crime still happens, but society survives as long as the level of crime is acceptable.

Why did a police model arise? Back in the caveman days, we lived in tribes. If you didn't belong to my tribe, I could beat you back with my club. As societies evolved, communication and ties between tribes prevented this simple model from working. More sophisticated threats with ingenious attacks (e.g., white collar crime) took advantage of these social ties.

Guess what -- this is where we are now in the digital world. Once upon a time you might have been able to restrict access based on trusted IPs. Then you had to shut down ports that couldn't be shared. Now we do business with everyone, and I can't be sure whether the Microsoft SMB/CIFS traffic I'm exchanging with a business partner is normal or malicious when all I have is a standard access control device.

A threat-centric approach to security has served the analog world well enough. I think that is the only way to move forward as the digital world becomes as complex as the analog.

One more thought: The number of assets continues to rise. The number of vulnerabilities in those assets continues to rise. The number of threats continues to rise. The ability of security experts to apply countermeasures cannot keep pace with this world. Is it time for autonomous agents to work on behalf of "the good guys?" I am beginning to agree with Dave Aitel's idea of nematodes that act on behalf of human agents.

It is becoming increasingly difficult for humans to even understand the digital environment. The only real way to know exploitation is not possible is for exploitation to be tried and then found to fail. Nematode agents may roam the network constantly testing intrusion scenarios and reporting their progress. Perhaps next-generation detection devices will monitor nematode activity. When they see another agent that is not a registered nematode exploit a target, that will be the sign that an intrusion has occurred.
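As an added example (not from the original post or from Aitel's nematode work), here is a small Python sketch of the detection device described above: an exploitation event counts as a registered nematode's test only when the agent is in a hypothetical registry and its report carries a valid HMAC tag, so both unknown agents and agents spoofing a registered id raise an alert. The registry, secrets, hosts and events are all constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical registry of authorized nematodes: agent id -> shared secret (constructed values).
REGISTERED_NEMATODES = {
    "nematode-01": b"constructed-secret-one",
    "nematode-02": b"constructed-secret-two",
}

@dataclass(frozen=True)
class ExploitEvent:
    """One observed exploitation attempt, as the detection device sees it."""
    agent_id: str  # identity the agent claims
    target: str    # host it exploited
    scenario: str  # intrusion scenario it tried
    outcome: str   # "success" or "fail"
    tag: str       # HMAC-SHA256 over the other fields, keyed with the agent's secret

def sign(agent_id, target, scenario, outcome, secret):
    """Tag a report so a registered nematode's claimed identity can be verified."""
    msg = "|".join((agent_id, target, scenario, outcome)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def classify(event):
    """Registered test, confirmed vulnerability, or intrusion by an unknown agent."""
    secret = REGISTERED_NEMATODES.get(event.agent_id)
    if secret is None:
        return "ALERT: unregistered agent"
    expected = sign(event.agent_id, event.target, event.scenario, event.outcome, secret)
    if not hmac.compare_digest(expected, event.tag):
        return "ALERT: registered id without a valid tag (possible spoof)"
    if event.outcome == "success":
        return "FINDING: registered nematode exploited target"  # vulnerability confirmed
    return "OK: registered nematode test failed"

def sample_events():
    """Constructed events: two genuine nematode reports, one unknown agent, one spoofed id."""
    ok1 = sign("nematode-01", "10.0.0.5", "scenario-smb", "success", REGISTERED_NEMATODES["nematode-01"])
    ok2 = sign("nematode-02", "10.0.0.9", "scenario-ftp", "fail", REGISTERED_NEMATODES["nematode-02"])
    return [
        ExploitEvent("nematode-01", "10.0.0.5", "scenario-smb", "success", ok1),
        ExploitEvent("nematode-02", "10.0.0.9", "scenario-ftp", "fail", ok2),
        ExploitEvent("unknown-7f3a", "10.0.0.5", "scenario-smb", "success", "0" * 64),
        ExploitEvent("nematode-01", "10.0.0.12", "scenario-rpc", "success", "0" * 64),
    ]

def alerts(events):  # events that are not a registered nematode's own test
    return [(e.agent_id, e.target, classify(e)) for e in events if classify(e).startswith("ALERT")]
```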


Anonymous said...

Your points are all worth contemplating for the time being. The real problem and a future problem is controlling autonomy. This ties in with removing the rights of citizens (automatic freeways) to drive their cars etc. Of course there are many other illustrations of this. I'd like for you to think of the future say... 50 years from now. The humanoid robot will have become a reality and the next Donald Rumsfeld will be employing this robot in order to realize a better, faster, cheaper military force. What happens when these robots get 0wn3ed? What happens when Windows For Robots (WFR) suffers from multiple client side buffer overflows, i.e., when the robot encounters an obstacle or logic issue that causes infinite recursion in a poorly implemented algorithm? Can we trust that the Roomba will follow the same standards as presented here: Robot Fault-Tolerance Using an Embryonic Array

Copyright © 2057 Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052-6399 U.A.C. All rights reserved.

UAC is the United American Countries.

Anonymous said...

Please excuse me.

Anonymous said...

I really think you're on the right track. The world is going to increasingly marry computer systems and connectivity (Internet) with people's everyday lives. Unfortunately, security is less and less a black and white situation. Granted, it's never been a "you are now at a secure state, please proceed," but you could definitely get close to being as secure as you could while balancing that with usability.

But I think you're right, and it has been my belief lately that computer security is all about the art of risk mitigation/analysis. You can't prevent all thefts, but you can prevent a lot, mitigate the rest, and plan for those few that do happen.

The days of corporate networks being easily defined by building walls and silly cables and wiring and optics are disappearing very fast as mobile phones, devices, laptops, wireless, and the Internet just take off like mad. The borders are suddenly blurring or becoming so huge, you can't protect them very well.

Threat-centric... interesting. :)

-- LonerVamp

Anonymous said...

I also wanted to mention, and forgot earlier, that businesses are merging technology infrastructures more as well, between partners, peer-to-peer apps, web services, and flat-out mergers. All these little city-states of computer networks are blending as well, which means company A trusts the systems at company XYZ. And because XYZ trusts companies B, C, and D, then transitively A trusts them as well. So they all better be secured.

Even going beyond that, though, is the trust in the internal threats, the employees inside the companies that all must be trusted...even as companies work together or compete...

That'll be tough to be vigilant...

Here's a question for you, Richard, and one I've been wrestling with a lot as I move further into this field. Do you see IT security moving more towards consulting services, or do you see corporate entities starting to move fully into having on-site IT security staff as their own little army of protection?


Richard Bejtlich said...

The bigger the company, the more likely they are to have in-house security. It's not a certainty, though. At one time MSSPs seemed all the rage, but I've seen some places (especially .gov) taking security back in-house.

Tim Bilbro said...

A threat-centric approach is certainly logical, and really the only alternative if things continue to go the way they are going. When zero-day threats are coming daily or faster, the model we use today, patching and updating signatures, will almost certainly break down.

Your analogy of the local police model is good, I think. To carry it further, folks who are able tend to leave localities where crime is high - or policing is bad. Don't allow your data to live in a bad neighborhood, I guess!

RU_Trustified said...

Since vulnerabilities, and by association opportunities for threats, are increasing exponentially, I am not sure, mechanically, how it could be done.

I like Ranum's approach with deny-by-default instead. Then the number of threats can multiply infinitely and still be of no concern.