Risk Mitigation
If you've been following the last few days of posts, you know I've been thinking about security at a more general level. I've been wondering how we can mitigate risk in a digital world where the following features are appearing in nearly every digital device.
Think about digital devices in your possession and see if you agree with this characterization of their development. Digital devices are increasingly:
- Autonomous: This means they act on their own, often without user confirmation. They are self-updating (downloading patches, firmware) and self-configuring (think zeroconf in IPv6). Users could potentially alter this behavior, but probably not without breaking functionality.
- Powerful: A cell phone is becoming as robust as a laptop. Almost any platform will be able to offer a shell to those who can solicit it. There is no way to prevent this development -- and would we really want to?
- Ubiquitous: Embedded devices are everywhere. You cannot buy a car without one. I expect my next big home appliance to have network connectivity. Users can't do much about some of these developments.
- Connected: Everything will be assigned an IPv4 (or soon an IPv6) address. Distance is seldom a problem. Every digital maniac is a few hops away.
- Complex: I am scared by the thought of running Windows Mobile on my next phone. Can I avoid it? Probably not. How many lines of code are running on that mini-PC -- I mean "phone" -- I'll be using?
In my opinion, this digital world is increasingly resembling the analog one. In fact, those five attributes could describe people as easily as complex machines!
The key factor in this new world will not be static vulnerabilities, but dynamic threats. The number of opportunities for threats to play havoc will dwarf the chances for defenders to address vulnerabilities.
Think about how we deal with security in a typical city. I call it the "local police model."
- Police can never prevent all crimes, although they can try.
- Police more often respond to crimes. They proceed to track and jail criminals.
- By prosecuting criminals, the justice system removes threats.
- No one spends time or money putting bars on windows or replacing door locks in the average suburban neighborhood.
- Crime still happens, but society survives as long as the level of crime is acceptable.
Why did a police model arise? Back in the caveman days, we lived in tribes. If you didn't belong to my tribe, I could beat you back with my club. As societies evolved, communication and ties between tribes prevented this simple model from working. More sophisticated threats with ingenious attacks (e.g., white collar crime) took advantage of these social ties.
Guess what -- this is where we are now in the digital world. Once upon a time you might have been able to restrict access based on trusted IPs. Then you had to shut down ports that couldn't be shared. Now we do business with everyone, and I can't be sure that the Microsoft SMB/CIFS traffic I'm exchanging with a business partner is normal or malicious when I use a standard access control device.
A threat-centric approach to security has served the analog world well enough. I think that is the only way to move forward as the digital world becomes as complex as the analog.
One more thought: The number of assets continues to rise. The number of vulnerabilities in those assets continues to rise. The number of threats continues to rise. The ability of security experts to apply countermeasures cannot keep pace with this world. Is it time for autonomous agents to work on behalf of "the good guys"? I am beginning to agree with Dave Aitel's idea of nematodes that act on behalf of human agents.
It is becoming increasingly difficult for humans to even understand the digital environment. The only real way to know exploitation is not possible is for exploitation to be tried and then found to fail. Nematode agents may roam the network constantly testing intrusion scenarios and reporting their progress. Perhaps next-generation detection devices will monitor nematode activity. When they see another agent that is not a registered nematode exploit a target, that will be the sign that an intrusion has occurred.
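To make the last idea concrete, here is an added example (not code from the original post, and not Dave Aitel's nematode implementation) of the sensor-side logic described above: a registrar issues a token that binds a named nematode to one specific test, and a sensor treats any exploit attempt that does not carry a valid token as an intrusion. The registry key, the agent name `nem-01`, the addresses, the exploit label and the sample events are all constructed for the demonstration; a real sensor would also need some way to recognize exploitation on the wire in the first place, which this example takes as given.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed example, not code from the original post or from Dave Aitel's nematode
# work. The registry key, agent names, addresses and exploit labels are made up.

# Secret shared between whatever registers nematodes and the sensors that watch them.
# In practice this comes from a key store, not a literal (assumption for the demo).
REGISTRY_KEY = b"demo-nematode-registry-key"


@dataclass(frozen=True)
class ExploitEvent:
    """One observed exploitation attempt, as a sensor might reconstruct it."""
    src: str        # source address of the attempt
    dst: str        # target address
    exploit: str    # sensor's label for the technique seen (hypothetical labels below)
    agent_id: str   # nematode identity claimed by the sender, "" if none
    token: str      # proof of registration claimed by the sender, "" if none


def issue_token(agent_id: str, src: str, dst: str, exploit: str,
                key: bytes = REGISTRY_KEY) -> str:
    """Registrar side: bind an agent to one specific test (source, target, technique).

    Because the target and technique are covered by the MAC, a token sniffed off the
    wire cannot be replayed against a different host or with a different exploit."""
    msg = "|".join((agent_id, src, dst, exploit)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def is_registered_nematode(ev: ExploitEvent, key: bytes = REGISTRY_KEY) -> bool:
    """Sensor side: accept the claim only if the token matches what the registrar
    would have issued for exactly this event. Unlabeled traffic is never trusted."""
    if not ev.agent_id or not ev.token:
        return False
    expected = issue_token(ev.agent_id, ev.src, ev.dst, ev.exploit, key)
    return hmac.compare_digest(expected, ev.token)


def classify(events: List[ExploitEvent]) -> List[Tuple[str, ExploitEvent]]:
    """Every exploit attempt is either an authorized nematode test or an intrusion."""
    return [("authorized-test" if is_registered_nematode(ev) else "intrusion", ev)
            for ev in events]


def summarize(verdicts: List[Tuple[str, ExploitEvent]]) -> Dict[str, int]:
    """Counts per verdict, the sort of progress report a nematode console would show."""
    counts = {"authorized-test": 0, "intrusion": 0}
    for verdict, _ in verdicts:
        counts[verdict] += 1
    return counts


# Constructed sample: one legitimate nematode test plus three attempts that must not pass.
GOOD_TOKEN = issue_token("nem-01", "10.0.0.5", "10.0.1.20", "smb-null-session-probe")

SAMPLE_EVENTS = [
    # 1. registered nematode testing the host it was registered for
    ExploitEvent("10.0.0.5", "10.0.1.20", "smb-null-session-probe", "nem-01", GOOD_TOKEN),
    # 2. same agent name and token, replayed against a different target
    ExploitEvent("10.0.0.5", "10.0.1.21", "smb-null-session-probe", "nem-01", GOOD_TOKEN),
    # 3. unlabeled exploit attempt from outside
    ExploitEvent("203.0.113.7", "10.0.1.20", "smb-null-session-probe", "", ""),
    # 4. attacker claiming to be nem-01 with a guessed token
    ExploitEvent("198.51.100.9", "10.0.1.20", "smb-null-session-probe", "nem-01", "0" * 64),
]

if __name__ == "__main__":
    for verdict, ev in classify(SAMPLE_EVENTS):
        print(f"{verdict:16} {ev.src} -> {ev.dst} {ev.exploit} agent={ev.agent_id or '-'}")
    print(summarize(classify(SAMPLE_EVENTS)))
```

The design point worth noticing is that "registered nematode" has to mean more than a name on an allow list: if the sensor only checked `agent_id` or the source address, an intruder would simply claim to be a nematode, and the scheme would recreate exactly the trusted-IP problem the post describes. Binding each token to the target and technique also limits what a compromised nematode host can do with tokens it has already been issued.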
Comments
Copyright © 2057 Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052-6399 U.A.C. All rights reserved.
UAC is the United American Countries.
Please excuse me.
But I think you're right, and it has been my belief lately that computer security is all about the art of risk mitigation/analysis. You can't prevent all thefts, but you can prevent a lot, mitigate the rest, and plan for those few that do happen.
The days of corporate networks being easily defined by building walls and silly cables and wiring and optics are disappearing very fast as mobile phones, devices, laptops, wireless, and the Internet just take off like mad. The borders are suddenly blurring or becoming so huge, you can't protect them very well.
Threat-centric... interesting. :)
-- LonerVamp
Even going beyond that, though, is the trust in the internal threats, the employees inside the companies who all must be trusted...even as companies work together or compete...
That'll be tough to be vigilant...
Here's a question for you, Richard, and one I've been wrestling with a lot as I move further into this field. Do you see IT security moving more towards consulting services, or do you see corporate entities starting to move fully into having on-site IT security staff as their own little army of protection?
--LonerVamp
Your analogy of the local police model is good, I think. To carry it further, folks who are able, tend to leave localities where crime is high - or policing is bad. Don't allow your data to live in a bad neighborhood, I guess!
I like Ranum's approach with deny-by-default instead. Then the number of threats can multiply infinitely and still be of no concern.