Friday, March 13, 2009

Thoughts on Latest Government Focus on Digital Security

Ties between the US government and digital security are all over the news right now. We have the Director of National Intelligence supporting greater NSA involvement in defending cyberspace, which prompts the (now former) Director of the National Cyber Security Center (NCSC) to resign in protest.

We have the chief security officer of Oracle calling for a Monroe Doctrine for cyberspace while the former director of the National Cyber Security Division says (paraphrasing his speech) security resources are often misaligned and misallocated because organizations are driven to present number-driven metrics based on some combination of threats, vulnerabilities and asset value to management — and that doesn't work.

There is talk of creating a Cyberspace Combatant Command, to stand alongside other Unified Combatant Commands. (Thanks to Greg Conti for the link.) I think a Cyber COCOM would be a great step forward, since Combatant Commands, not the individual services, are the entities which fight the nation's wars,

On a related note, I attended part of the latest Software Assurance Forum sponsored by DHS. Presentations by Mischel Kwon, director of US-CERT, and Tony Sager, chief of the Vulnerability Analysis and Operations (VAO) Group in NSA, were the most interesting to me. I'd reproduce a few noteworthy items.

Mischel Kwon said or mentioned:

  • "Legacy systems are not an excuse. They are a flaw." In other words, you can't make excuses for operating indefensible networks.

  • US-CERT is building its own incident management and ticketing system. This was interesting to me because incident management is a massive headache.

  • US-CERT is looking at using Security Content Automation Protocol as a detection tool, to identify when system configurations change. (SCAP is a protocol, not a tool; but the tools using SCAP can watch for changes.)

Tony Sager said or mentioned:

  • "We can't just fix software to 'solve' security problems because vulnerability is everywhere." Wow, amen. Someone else believes we live in a world of vulnerabilities. Tony may displace one of my Three Wise Men!

  • "No single group of security practitioners is big enough to develop and maintain its own security configuration guides." Therefore, the FDCC was developed. Seriously, if you have to run Windows, why not start with the FDCC as your core image and make changes to FDCC? Don't waste time trying to figure out what a security system looks like. Make use of the government's collective work, applied to millions of computers, and adjust to suit your needs.

  • "DoD cannot afford to maintain separate IT... DoD doesn't improve unless everyone else improves. Tony said that modern network security relies on everyone improving their status, even if that means knowledge to improve security is used by the adversary.

  • "VAO doesn't brief 90% of our constituents." In other words, VAO publishes Security Configuration Guides, which its world-wide constituency consumes. "VAO briefings" refer to NSA's red team presenting its findings to DoD customers following an adversary simulation activity. Red and blue teaming used to be the primary means that customers would learn how to improve their networks. Now, VAO's expertise is delivered much more often in the form of written reports. The written word scales.

  • "Even if a single tool could manage all DoD vulnerabilities, DoD wouldn't want to rely on only one tool." That places too much trust and power in the hands of a single vendor. Instead, DoD (and others) should rely on common protocols to describe vulnerabilities, like SCAP, and then ensure the wiude variety of tools DoD uses can speak that common language.

  • "Every human is a sensor." Advanced intruders are likely to evade technical detection. People are often the best, and only, way to identify advanced intrusions.

Finally, I'd like to briefly mention commentary by two other speakers. Curt Barker from NIST listed two "leap-ahead" initiatives at NIST, namely asymmetric algorithms for the quantum computing environment (in 20-25 years) and very large scale key management. I wonder how long those with quantum computers will be active before new algorithms that resist quantum computer cryptography breaking are widely deployed?

Jason Providakes from MITRE described the potential for the government to build a core capability with known pedigree, augmented by open and commercial software. I found this interesting, because it's possibly 5 to 10 years out of date. In other words, the problems we often see these days involve applications, not the operating system (if that's the "core capability" mentioned).

Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. "Super Early" Las Vegas registration ends 15 Mar.


Andre Gironda said...

"We can't just fix software to 'solve' security problems because vulnerability is everywhere." Wow, amen. Someone else believes we live in a world of vulnerabilities.

This is incorrect. The vulnerability problem is exponential. However, every vulnerability has a root-cause, a "Software Weakness". Software weaknesses have been commonly enumerated by MITRE into about 640 buckets. They released a CWE Top 25 list along with SANS.

We can just fix software to solve security problems. The only thing you have to do is prove that your code is obviously secure. Today, we waste time and money on penetration-testing trying to "prove" that software is obviously insecure. I agree that 99% of software is obviously insecure today.

"Even if a single tool could manage all DoD vulnerabilities, DoD wouldn't want to rely on only one tool." That places too much trust and power in the hands of a single vendor.

Using static analysis, I don't see how the source above (tool) allows tainted data to propagate to the sink (vendor).

Tools (especially ones from vendors) are completely unnecessary, but can often be transformed into something useful when turned into a portal or web service. I think that open software assessment factories are one of the best, if not the very best, tools to manage all vulnerabilities, because you are managing software weaknesses second and software risk analysis first.

Richard Bejtlich said...

Tony Sager also said that we live in a world of vulnerabilities that extends well beyond software, so even if we had no software vulnerabilities it wouldn't make any difference. I believe he mentioned environmental, spectrum, physical, human, and other vulnerabilities. You can't escape it.

SHA-1 said...

Richard - If you haven't run across this article, take a quick look:

"And he argues that if a computer owner has failed to use anti-virus software and install the latest security patches, that machine may be a legitimate military target.

"It may, in the right circumstance, be worthwhile and even fair for the US to hit a computer that is hitting us and stop it from harming us for an hour or days when that computer owner failed to take basic steps to protect us," Col Williamson told the programme."

I bet Symantec would love such a thing.