Friday, March 30, 2007

Threat Deterrence, Mitigation, and Elimination

A comment on my last post prompted me to answer here. My thesis is this: a significant portion, if not the majority, of security in the analog world is based on threat deterrence, mitigation, and elimination. Security in the analog world is not based on eliminating or applying countermeasures for vulnerabilities. A vulnerability-centric approach is too costly, inconvenient, and static to be effective.

Consider the Metro subway in DC, pictured above. There are absolutely zero physical barriers between the platform and the trains. If evil attacker Evelyn were so inclined, she could easily push a waiting passenger off the platform into the path of an arriving train, maiming or killing the person instantly.

Why does this not happen (regularly)? Evelyn is presumably a rational actor, and she is deterred by vigilante justice and the power of the legal system. If she killed a Metro passenger in the state of Virginia she would probably be executed herself, or at the very least spend the rest of her life in prison. Hopefully there are few people like Evelyn in the world, but would more Metro passengers be murdered if there were no attribution or apprehension of the killers?

How do you think the Metro board would react to such an incident?

  1. Build barriers to limit the potential for passengers to land in front of moving trains

  2. Screen passengers as they enter Metro stations

  3. Mandate trains to crawl within reach of waiting passengers

  4. Add Metro police to watch for suspicious individuals

  5. Add cameras to watch all Metro stations

  6. Lobby Congress to increase penalties

My ranking is intentional. 1 would never happen; it is simply too costly when weighed against the risks. 2 would be impossible to implement in any meaningful fashion and would provoke a public backlash. 3 might happen for a brief period, but it would be abandoned because it would reduce the number of trains carrying passengers. 4 might happen for a brief period as well, but the cost of additional personnel makes it an unlikely permanent solution; it is also ineffective unless the police are right next to a likely incident. 5 and 6 could happen, but they are only helpful for deterrence -- which is not prevention.

Earlier I said Evelyn is a rational actor, so she could presumably be deterred. She could also be mitigated or eliminated. Imagine if Evelyn's action were a ritual associated with gang membership. Authorities could identify and potentially restrict gang members from entering the Metro. (Difficult? Of course. This is why deterrence is a better option.) Authorities could also infiltrate and/or destroy the gang.

Irrational actors cannot be deterred. They may be mitigated and/or eliminated.

Forces of nature cannot be deterred either. Depending on their scope they may be mitigated, but they probably cannot be eliminated. Evelyn's house cannot be built for a reasonable amount of money to withstand a Category V hurricane. Such a force of nature cannot be deterred or eliminated. Given a large enough budget Evelyn's house could be built to survive such a force, so mitigation is an option. Insurance is usually how threats like hurricanes are mitigated, however.

Everyone approaches this problem via the lens of their experience and capabilities. Coders think they can code their way out of this problem. Architects think they can design their way out. I am mainly an operator and, in some ways, an historian. I have seen in my own work that prevention eventually fails, and by learning about the past I have seen the same. In December 2005 I wrote an article called Engineering Disasters for a magazine, and in the coming weeks a second article with more lessons for digital security engineers will be published in a different venue.

I obviously favor whatever cost-effective, practical trade-offs (not solutions) we can implement to limit the risks facing digital assets. I am not saying we should roll over and die, hoping the authorities will catch the bad guys and prevent future crimes. Nevertheless, the most pressing problem in digital security is attribution and apprehension of those perpetrating crimes involving information resources. Until we take the steps necessary to address that problem, no amount of technical vulnerability remediation is going to matter.


LonerVamp said...

Also, more people might get pushed off into trains if we were more detached and knew no one was watching us or around. Typically, social mores really restrict what people do or do not do. Do you wander up to someone and grope/touch them in a store? What if the lights were out? Would that action be a bit more possible and easier to perform?

The digital world is much the same way. Normally rational and law-abiding people who have a kind heart can become something a little bit farther down the moral ladder when online.

You're right, for better or worse. We can't target the threats very easily in the digital world. Either they are simply across borders that we can't legally reach or identity is just not traceable.

Of course, while I don't think the borders will ever become more transparent, there may be a day when identity is enforced much more online. In which case we still might have better results with prevention than we will with threat mitigation.

And I'm skeptical that I'll see such identity gains in my lifetime (all attempts can eventually be forged or more deniable than something like analog fingerprints at a crime scene).

(I don't take into consideration insider threats in my comments above...)

Anonymous said...

It would be very hard to push someone onto the tracks from Russia or China, hence the unique issue with the electronic world.

Rob Lewis said...

The reason that "no amount of technical vulnerability remediation is going to matter" is because we are building fortresses on sand.

When you say prevention has always failed, are you speaking of efforts in the network and application space?

The National Security Agency (NSA) last year published "The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments".

Its premise is that missing mechanisms in operating systems mean that the assumption that you can make security efforts up the stack work is seriously flawed.

This is the source of disconnect. Fix the operating systems, and many vulnerabilities go away. The lack of internal controls in the o/s opens the door for the number of vulnerabilities to increase exponentially.

Fix the O/Ss and our foreign friends will have to find a new hobby.

Anonymous said...

Trying to go after the threat is very 1996. The feds have been trying this for a long time. It just doesn't work.

I think that the number of threats in the US has fallen maybe some due to laws. However I think it is more related to xbox, myspace, mp3's, etc. American hacker kidz are lazy compared to the Russian kid with slow internet access and lack of material distractions.

bamm said...

anonymous said...
Trying to go after the threat is very 1996. The feds have been trying this for a long time. It just doesn't work.

I call BS. Sure, there has been some involvement by law enforcement to go after an attacker here and there, but that doesn't change the fact that there still isn't decent policy or support for chasing after the threat (notice I didn't place the blame on LE themselves).

I get tired of the whole internet being the wild west analogy but it remains ever so fitting. The outlaws of the internet are taking advantage of the lack of policing just like the outlaws of the old west. The risk of being caught is slim. The risk of being prosecuted is slimmer.

Blaming ranchers and railroads for their losses only works so much. It wasn't the hiring of armed guards that made the railroads safer, it was the settling and civilization of the lands which brought better policies and policing. The true deterrent became a significantly increased risk that the outlaw might find himself hanging from a noose.

Anonymous said...

Why do you call BS? When I say "feds" I am referring to everyone from the Special Agents to the lawmakers to the laws, to the whole process.

Are you trying to tell me that if only there were better laws, policy and support, we could do more to degrade the threat? The US gov has tried many times to "help" private industry:

InfraGard: Never seen them at any of my customers.

NIPC: Formed after Feb 2000 DDoS attacks. No teeth. Now defunct.

DHS: Every Cybersecurity Czar they have had is not even there long enough to get business cards with his name on them. What a joke.

US-CERT: When do they ever tell industry about new risk? These guys get info from ISPs and private industry. Have yet to see them make an impact.

Bah, I don't want to get more off-topic so I'll circle back and say worrying about how we can go after the threats is pretty much pointless. I'd rather focus on prevention (as a previous poster said).

Besides, here is the crappy dirty truth that I am sure will get me flamed. If I am a business, to some degree I want there to be a threat. If I protect myself better than my competition, they will get owned and not me. Yeah I know that an unsafe society is bad for all, tide rises all boats float higher, blah blah blah. Do you think other retailers felt bad about TJMaxx and sent over a donation to help them recover? I don't.

bamm said...

None of the organizations you mentioned were/are policing organizations. Their charters are all about centralized reporting and "protection".

What laws there are aren't perceived as being enforceable. If you want to talk something that isn't working, last I knew we've been focusing on prevention since before 1996, how does that seem to be working?

Anonymous said...

regarding Metro and unprotected station platforms - what about Denver airport and all the other airports that now have automated trains and synchronized inside and outside doors? Such an upgrade would not be astronomical to implement on the DC metro.

A better analogy might be speeding, weaving and aggressive driving on the highways of DC. People do it with relative impunity since there are so few cops on the road.

The question is whether we as a society are willing to pay for much higher levels of enforcement - maybe even 100% and automated - which would be at least 'fair'. Anything less than that opens the question of bias.

Davi Ottenheimer said...

You've nicely demonstrated the point that information security is really just the application of extant thinking -- economics, political science and philosophy for starters. Shame that the infosec consultants aren't first required to become proficient in these disciplines, as well as versed in the study of history (i.e. how to analytically process datasets to achieve clarity in an answer), before plying their trade.

Richard Bejtlich said...

Hi Davi,

Funny you would mention those subjects. I studied them all as an undergrad, followed by even more in grad school. I'm a consultant. Maybe it helped? :)
