Real Security Is Threat-Centric
Apparently there's been a wave of house burglaries in a nearby town during the last month. As you might expect, local residents responded by replacing windows with steel panels, front doors with vault entrances, floors with pressure-sensitive plates, and whatever else "security vendors" recommended. Town policymakers created new laws to mandate locking doors, enabling alarm systems, and creating scorecards for compliance. Home builders decided they needed to adopt "secure building" practices so all these retrofitted measures were "built into" future homes.
Oh wait, this is the real world! All those vulnerability-centric measures I just described are what too many "security professionals" would recommend. Instead, police identified the criminals and arrested them. From "Teen burglary ring in Manassas identified":
Two suspects questioned Friday gave information about the others, police said.
Now this crew is facing prosecution. That's a good example of what we need to do in the digital world: enable and perform threat-centric security. We won't get there until we have better attribution, and interestingly enough, attribution is the word I hear most often from people pondering improvements in network security.
Comments
http://it.toolbox.com/blogs/managing-infosec/attribution-and-cyber-conflict-10935
It's my understanding they are attempting to connect research with policy makers:
"CCSA promotes and leads international intellectual development efforts to advance the field of cyber conflict research. These activities include workshops that bring together professionals from industry, academia and government to discuss strategic issues surrounding cyber conflict and the publication of insightful research articles and position papers in its Journal of Cyber Conflict Studies.
CCSA also plays an important role in our national cyber-readiness strategy, serving as a resource for national security decision-makers and helping to frame and promote national cyber conflict policy."
Interestingly, there is an article dated Nov 14, 2009 and titled "The Cyberwar Plan: It's not just a defensive game; cyber-security includes attack plans too, and the U.S. has already used some of them successfully." It contains a quote by Bob Gourley, former CTO for the Defense Intelligence Agency, who is a board member of the Cyber Conflict Studies Association.
http://www.nationaljournal.com/njmagazine/cs_20091114_3145.php
A risk assessment needs to be performed in house security (even if it is only informal). How bad of a neighborhood am I in? How much is the value of my products? How likely is someone going to break in? People buy insurance that covers theft for these reasons; it makes more sense to spread the risk than to invest in the newest alarm system.
If you raise the value of the target, more security is put in place. I am sure that the Smithsonian’s Hope diamond is protected with many of the same measures that we do in Information Security. Pen testing, auditing, testing of the control mechanisms (I know you hate that word), as well as defense in depth strategies are performed on any physical item of high value and this can be translated to the “Cyber” domain as well.
Information is of value to companies and often can't be let out. Proper mechanisms and policies need to be put in place to protect these. To make matters worse, it is a lot harder to prosecute someone in a cyber incident. With theft in a house the attacker must be physically located in one area, the victim's house or office. With any cyber crime, there are often multiple victims as well as paths to follow all across the world.
While it would be nice if we could place more of the blame on the criminal, I don't think that is going to happen anytime soon. The value of the item being protected is too high and the criminals too dispersed. I doubt that the criminal will ever be prosecuted as often in cyber crimes as they are in the real world.
Likewise, would the expectation of threat apprehension excuse being thrifty with security measures?
If a homeowner is down at town hall arguing for better police work, but leaves his home unlocked in the face of a known rash of local burglaries, would he have any liability for that? I realize this road may be subtly wrong, as it leads down the avenue of blaming someone else for one's own personal responsibility (a personal peeve of mine from the 90s and 00s). Then again, your above analogy does include rather extreme measures mandated by public office, which does kind of narrow the scope. :) Maybe you're just making a statement, not about the homeowners, but the public office demanding private citizens be unreasonable...
Moving further, I'm not sure I would want an Internet that has "real security" through proper attribution, globally. How fundamentally will that change the Internet and the way it has grown and been used? As such, I'm skeptical on how reasonable I can expect it.
This leaves me with being threat-centric as much as my SMB will allow me, and shoring up defenses by being everything that is not threat-centric.
But I do concede that on some level, especially once you get high enough with enough clout and influence and jurisdiction, attribution and being threat-centric makes more sense, even if it is unattainable (like almost all police work).
And we won't have better attribution until organizations have the ability to detect and respond to computer security incidents. After all, how can you attribute something when you didn't know it happened, an outside third party told you about it months after it happened, and in response, your staff wiped out all of the evidence?
"NIST 800-37 Ends the Era of Federal Certification & Accreditation - Excellent Beginnings - One More Step To Go.
http://csrc.nist.gov/publications/PubsDrafts.html#800-37_Rev1
The new draft of NIST's Special Publication 800-37 published two weeks ago is open for review. John Gilligan, who served as CIO of both the Energy Department and of the US Air Force and who was the President's Transition Team Lead for IT and IT Security in the Department of Defense, has written a brief analysis that illuminates the one key problem that the new document could easily solve, but doesn't. We have included Gilligan's complete analysis here. If you concur with his findings please let the NIST people know before December 15 at sec-cert@nist.gov. If you feel like sharing, we'd love to see your suggestions as well at NIST80037@sans.org."
Addressing threat-sources is undeniably important, but in the present world (both online and offline) cannot be depended upon. Threats, threat-sources and vulnerabilities are all parts of the puzzle, but risk-based decisions based on those elements are where effective security springs from.
That will be very comforting to people who have lost their possessions.