Kung Fu Wisdom on Threats
Given the seriousness of my last post, I thought some words of wisdom from the great Kwai Chang Caine would improve everyone's mood. Consider a scene from Kung Fu.
Caine is talking to an Amish man who says "When someone hits me with a stick, I have three choices: I can hit him back, I can let him hit me again, or I can run away." Caine replies with a fourth option: "You can take the stick away from him."
The unspoken element of Caine's reply is that you can peacefully disarm an opponent, which may require Shaolin-like skill. Most people do not have such skills and are stuck with one of the three previous options.
None of these approaches works for digital security.
- If you hit the intruder back, unless he's incapacitated he remains ready for another attack. If you do knock out one of his drones, he activates number two of ten thousand.
- If you let him attack again, you lose a second time. The threat is also free to hit again.
- If you run away by disconnecting from the network, you lose all the network's benefits.
- Taking away the stick (perhaps by criminalizing "hacker tools") only punishes law-abiding citizens. If you do peacefully shut down a drone, again he activates number two of ten thousand.
The answer to this problem is to apprehend the criminal for assault, prosecute, and incarcerate. "Rehabilitation" is nice, but at least for the duration of his prison time he can't hurt those outside prison. You may enjoy a deterrence effect, although this is debatable. Regardless, this is the only way to deal with a threat once it has obtained evil capabilities and intentions. (You can argue for shaping the threat's life such that those evil capabilities and intentions are not reached, but that's an issue for social scientists.)
It's all about the risk equation: Risk = Asset value * Vulnerability * Cost
- No one is deploying worthless assets.
- 30+ years of trying to develop resources that are vulnerability-free has failed.
- Only the threat component has a chance to be reduced, thereby reducing overall risk (assuming it outpaces the asset and vulnerability categories, which is problematic still).
Comments
Something akin to wearing armour in your metaphor.
Ah, nice idea. I think the attacker's response would be to find a bigger stick.
I really have enjoyed your past few posts. A couple of things have come to mind:
A better risk model would help you straighten out your thoughts and identify opportunities to increase defense. risk != value * vulnerability * cost. Rather, risk = probable frequency of loss events & probable magnitude of loss.
That said, loss events happen (frequency = 1) when we have a threat event (contact & action by a threat agent) and are vulnerable to the threat (the strength of our controls <= the strength of the attackers skills & resources).
If we cannot significantly increase the strength of our controls beyond the capability of the threat agent, then we can only hope to reduce the contact and action by the threat. Reducing contact involves many concepts, including obscurity. We may not have that luxury. Reducing action of a threat agent involves reducing their perceived level of effort, risk to them (probability and impact of getting caught), and the perceived value of successful action.
Anyhow, great stuff, the last few articles, and I hope the new job is treating you well.
Your answer is similar to a beefed up version of the fourth option.
By jailing the bad guy, you are taking away the stick from him (no access to his tools/vectors/etc.) and potentially any bigger stick he might try to hit you with.
But jail doesn't prevent everything. How about he "transfers" the stick to someone else, outside of the jail? Too remote a risk to consider?
So one might want to develop stick-resistance and stick-avoidance techniques as well as apprehend the criminal. And since security theater is now considered a viable option, the victim may try to carry something and/or put on an attitude that might fool potential stick-carriers seeking harm.
How about holding software vendors partially responsible? Dealing with threats is basically out of range unless you're a government or intelligence agency. The next best thing would be to hold software vendors responsible for poorly written apps. From one of your previous entries, you mentioned PlugBoy from Black Hat. Clearly the vendor should be held responsible. It's not impossible to write secure code (or at least very good code). Just look at qmail or even IIS 6. It can be done. If software vendors had to pay per vulnerability found in their products and how widely used their products are, they'd take security a lot more seriously. However, since vendors can basically get away with what they want, they'll do whatever it takes to be the first to ship, even if it means selling products that are bug-ridden. Just my $0.02 worth.
A variation of taking away his stick peacefully is egress filtering and filtering in general. Most worms propagate via tftp. Windows doesn't need tftp installed by default since the OEMs image the hard drives directly, I'm guessing. ISPs could filter outbound traffic and the tftp traffic internally. They do this anyway to limit BitTorrent and other high-bandwidth traffic, but worm or botnet traffic doesn't affect them directly, so there's no incentive to protect their clients or other ISPs. Until you catch the guy, he's still wielding the stick and doing damage. The solutions are there, but companies are lazy and some governments are profiting from this crime as havens and Western governments are more worried about terrorism.
I disagree. You actually think companies try and develop vulnerability-free software? Now I know you are smarter than that! They don't do it because they don't have to. There is no disadvantage to not and plenty of advantages to get the software out there.
The answer is exactly what Bruce Schneier has been stating for ages. Make the software companies legally and financially responsible for their software. That will do it. As soon as you make them responsible, then it will force it. Every company I've consulted for reacts when money / legal issues are against them.
-mike
>It's all about the risk equation:
> Risk = Asset value * Vulnerability * Cost
Hmmmm... Let's see: Asset value is really an unknown. We can make guesses about it but it's a range between "we underestimated" and "whoops! we completely forgot to factor in the value of Joe's Patent that he was working on that wound up being blown by his blog posting." And Vulnerability - hmmm... well, that's totally an unknown. We can make guesses, of course. And Cost? How do we compute that? What we paid or what it's worth? In other words, mostly a guess.
So what our risk equation looks like is:
Risk = A wild-ass guess X a number we picked out of our butts X an extrapolation
I am digging this new science of Risk Management!!! It sounds like nothing but Bullsh*t with rounding errors
mjr./Marcus Ranum
I agree with you. I don't advocate assigning numbers to any of the factors (although for demonstration purposes I did do that in my first book -- won't happen again!) However, I like the concept of breaking out risk into asset, threat, and vulnerability components, then determining whether risk increases or decreases if you hold two variables constant and change the third.