Cyber Security As A Science

Dan Geer wrote an essay for the National Science Foundation on whether Cyber Security can be considered a science. The short version is this: what constitutes a “science” is somewhat loose; however, based on some commonly held dimensions, cyber security is not yet a science and most likely could be considered a proto-science. Mr. Geer’s essay is worth reading for yourself, since there is far more nuance than this post will cover.

Similarly, Alex Hutton has stated in some previous talks that information security is something of a tradecraft and not a science. Information security, cyber security, or whatever moniker we want to assign it, does indeed seem to be more of a tradecraft than a science or engineering discipline.

Mr. Geer’s essay points out a few unique challenges in cyber space relative to other scientific disciplines: a major part of the “thing” being modeled is sentient adversaries that can adapt, learn and deceive, and there is also the rapid evolution of technology.

There seem to be other confounding factors as well: the “constituent components” of cyber security are arbitrary and implemented in wildly different fashions by different people and organizations with different levels of skill and incentives, to different specifications, with non-obvious defects, and so on. Translating just a slice of the challenges in cyber security to civil engineering, it would be as if some timbers used in construction objectively looked similar but had hidden flaws that manifest under certain circumstances, placing a structure’s integrity at risk. The flaws in the timber are not apparent and not easily detectable without incurring extraordinary expense, and even so, not all flaws are likely to be uncovered.

With respect to technology producers, the “building materials” we have to work with in information technology are flawed in many ways, most of which are unseen. With respect to the implementers of technology, the ways in which systems are architected and implemented are generally arbitrary and utilitarian, and do not, in any appreciable way, reflect the uncertainty inherent in the technology being used.

If timbers were so structurally flawed, civil engineering, building codes, architecture, engineering and so on would need to accommodate the uncertainty that comes with building a structure that relies on such timbers. Information technology deals with this uncertainty very inconsistently. The constant spate of breaches seems to indicate that the uncertainty is often not properly accounted for.

Information technology, and by extension information security, is currently a craft.  Some are exceptionally good at their craft, and some are quite poor.  The proliferation of information technology into daily lives has, in my view, created a somewhat low barrier to entry into this craft.  As a result, we have an extremely wide variation in the quality and care with which information technology is implemented.  Similar to furniture or jewelry created by craftsmen, some of it is exceedingly well designed and built and others are complete crap.

Evolving information security into a science has been a personal interest of mine for some time.  I would propose that a key aspect, though not the only aspect by far, of translating information security into a science is a more objective approach to designing and implementing “systems” that are inherently resilient to failure within certain parameters.  Failure to properly engineer at a “system level” view of information technology is what I see most often leading to the most complex security issues.  This will very likely mean that some current technical implementations don’t economically fit into a more scientific future state, which will mean that technology producers will need to adapt accordingly to support the market.

A significant part of this will be clearly understanding the limitations of technology components and designing in a safety margin and detective capabilities that indicate failure.

This is a complicated topic.  I certainly do not think I have the answers, but I believe I can see the problem, or at least some manifestations of the problem.  As Mr. Geer points out in his essay, the way forward is through continued research, continued evolution of our understanding, better defining the “puzzles” that need to be solved and searching for a paradigm that addresses those puzzles, as well as ensuring that practitioners have a common level of competence.

The question is how to start taking those steps.

Thanks to my Twitter friend Rob Lewis (@infosec_tourist) for the link to Mr. Geer’s essay and his constant needling of me in this direction.


The Road To Breach Hell Is Paved With Accepted Risks

As the story about Sony Picture Entertainment continues to unfold, and we learn disturbing details, like the now infamous “password” directory, I am reminded of a problem I commonly see: assessing and accepting risks in isolation and those accepted risks materially contributing to a breach.

Organizations accept risk every day. It’s a normal part of existing. However, a fundamental requirement of accepting risk is understanding the risk, at least to some level. In many other aspects of business operations, risks are relatively clear cut: we might lose our investment in a new product if it flops, or we may have to lay off newly hired employees if an expected contract falls through. IT risk is a bit more complex, because the thing at risk is not well defined. The apparent downside to a given IT tradeoff might appear low; however, in the larger context of other risks and fundamental attributes of the organization’s IT environment, the risk could be much more significant.

Nearly all major man-made disasters are the result of a chain of problems that line up in such a way that allows or enables the disaster, and not the result of a single bad decision or bad stroke of luck. The most significant breaches I’ve witnessed had a similar set of weaknesses that lined up just so. Almost every time, at least some of the weaknesses were consciously accepted by management. However, managers would almost certainly not have made such tradeoff decisions if they understood that their decision could have led to such a costly breach.

The problem is compounded when multiple tradeoffs are made that have no apparent relationship with each other, yet are related.

The message here is pretty simple: we need to do a better job of conveying the real risks of a given tradeoff, without overstating them, so that better risk decisions can be made. This is HARD. But it is necessary.

I’m not proposing that organizations stop accepting risk, but rather that they do a better job of understanding what risks they are actually accepting, so management is not left saying: “I would not have made that decision if I knew it would result in this significant of a breach.”

Honey Employees

In between bouts of chasing a POODLE around the yard today, my mind wandered into the realm of honeypots, honey drives and honey records. I had an idea about creating a fake employee complete with a workstation, company email account, Facebook page and so on.

The fake employee would exist for the purpose of detecting spear phish attempts, lateral movement to the workstation, access of the employee’s documents, email accounts and so on. Hence the name “honey employee”. This could serve as an early warning system, and as a way to keep an eye on tactics being used by miscreants trying to worm their way in through the employees.

Is anyone doing this already?
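
One way to turn the idea above into detection logic, as an added example that is not part of the original post: any activity touching the decoy account or its workstation is an alert, except activity from the one source that is expected to keep the decoy looking alive. The decoy identity, the maintenance source address and the log lines are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed decoy identity for this example (not a real account or host).
HONEY_USER = "jdoe.decoy"
HONEY_HOST = "ws-jdoe-01"
# Assumed: one internal source legitimately touches the decoy on a schedule,
# e.g. a script that reads the mailbox so the account does not look dormant.
MAINTENANCE_SRC = "10.0.5.20"

# Constructed sample log in a simple "timestamp kind key=value ..." format.
SAMPLE_LOG = """\
2014-10-15T08:00:01 auth user=alice src=10.0.1.15 result=success
2014-10-15T08:00:07 auth user=jdoe.decoy src=10.0.5.20 result=success
2014-10-15T09:12:44 mail user=jdoe.decoy action=read src=203.0.113.9
2014-10-15T09:13:02 smb host=ws-jdoe-01 share=Documents user=bob src=10.0.1.77
2014-10-15T09:14:30 auth user=jdoe.decoy src=10.0.1.77 result=failure
2014-10-15T10:00:00 auth user=carol src=10.0.1.16 result=success
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


@dataclass
class Alert:
    ts: str
    kind: str
    reason: str
    src: str


def parse_line(line):
    """Split one line into (timestamp, event kind, {field: value})."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, kind, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return ts, kind, fields


def detect(log_text):
    """Return an Alert for every event that touches the honey employee."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, kind, f = parsed
        touches_user = f.get("user") == HONEY_USER
        touches_host = f.get("host") == HONEY_HOST
        if not (touches_user or touches_host):
            continue
        src = f.get("src", "?")
        if src == MAINTENANCE_SRC:
            continue  # expected upkeep traffic, not an intrusion signal
        what = "account" if touches_user else "workstation"
        alerts.append(Alert(ts, kind, f"honey {what} touched", src))
    return alerts
```

Because nobody legitimate has a reason to read the decoy’s mail or log into its workstation, the rule needs no threshold: one hit from an unexpected source is enough to investigate.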

Something is Phishy About The Russian CyberVor Password Discovery

If you’re reading this, you are certainly aware of the story of Hold Security’s recent announcement of 1,200,000,000 unique user ID and passwords being uncovered.

I’m not going to pile on to the stories that assert this is a PR stunt by Hold.  In fact, I think Hold has done some great things in the past, in conjunction with Brian Krebs in uncovering some significant breaches.

However, there are a few aspects of Hold’s announcement that just don’t make sense… At least to me:

The announcement is that 1.2B usernames and passwords were obtained through a combination of pilfering other data dumps – presumably from the myriad of breaches we know of, like eBay, Adobe, and so on, but also from a botnet that ran SQL injection attacks on web sites visited by the users of infected computers which apparently resulted in database dumps from many of those web sites.  420,000 of them, in fact.

That seems like a plausible story.  The SQL injection attack most likely leveraged some very common vulnerabilities – probably in WordPress plugins or in Joomla or something similar.  However, nearly all of the passwords obtained, certainly the ones from the SQL injection attacks, would be hashed in some manner.  Even the Adobe and eBay password dumps were at least “encrypted” – whatever that means.

The assertion is that there were 4.5B “records” found, which netted out to 1.2B unique credentials, belonging to 500M unique email addresses.

I contend that this Russian gang having brute forced 1.2B hashed and/or encrypted passwords is quite unlikely.  The much more likely case is that the dump contains 1.2B email addresses and hashed or encrypted passwords…  Still not a great situation, but not as dire as portrayed, at least for the end users.

If the dump does indeed have actual plain text passwords, which again is not clear from the announcement, I suspect the much more likely source would be phishing campaigns and/or keyloggers, potentially run by that botnet.  However, I believe that Hold would probably have seen evidence if that were the case and would most likely have said as much in the announcement, since it would be an even more interesting story.

Hold is clearly in communication with some of the organizations from which records were stolen, as indicated in the announcement. What isn’t clear is whether all of the recognizable organizations were contacted, or only the largest, or only those that had a previous agreement in place with Hold. Certainly Hold has found an interesting niche and is attempting to capitalize on it, and that makes sense to me. However, it’s going to be a controversial business model that requires organizations to pay Hold in order to be notified if or when Hold finds evidence that the organization’s records have been found. I’m not going to pass judgement yet.

I Think I Was Wrong About Security Awareness Training

Andy and I had a bit of a debate on the usefulness of security awareness training in episode 75 of our podcast. The discussion came up while covering a story about ransom campaigns and how the author recommends amping up awareness training to avoid malware and spear phishing, the two main avenues of attack for these attackers.

I was on the side of there being some benefit and Andy on the side of it not being worthwhile.

The logic goes like this: attackers are becoming so sophisticated, that it isn’t practical to expect a lay person to be able to identify these attacks – technical controls are really the only thing that is going to be effective.

My thinking, at the time, was that awareness training is like anti-virus: you should have it in place to defend against those things that it can, but we all know there are plenty of attacks it won’t stop. I think that is still a reasonable assumption.

However, I’ve since thought about it some, and I think Andy is probably right…

Awareness training is about trying to establish some firewall rules in the minds of people in an organization. There’s an implicit hope that the training will avoid *some* number of attacks and an understanding that it won’t catch all of them.

However, people aren’t wired to be a control point. There is a lot of research that demonstrates this point, notably in Dan Ariely’s “Predictably Irrational” books. Focus, attention, diligence and even ethics are influenced by many factors, and awareness training would need to compete against the fundamental nature of people.

But it’s worse than just not effective, and that is why I think I’m wrong here. Awareness training *is* believed to be a security control by many. Awareness training is mandated by every security standard or framework I can think of, alongside antivirus, firewalls and the like. And because it is viewed as a control, we count on its effectiveness as part of our security program.

At least that is my intuition. I don’t have hard data to back it up, but that would be a pretty enlightening experiment, if it were done correctly, meaning not through an opinion survey.

Educating employees on company policies is clearly necessary. However, it seems that focusing on hard controls rather than awareness education would be a better investment. Those are things like:

  • Two factor authentication or password managers and crazy password complexity requirements instead of trying to teach what a strong password is
  • Controls to prevent the execution of malware delivered through email instead of how to recognize malicious files
  • Controls to prevent browsing to phishing sites or exploit kits instead of how to
  • And so on.

Excellent Paper Prioritizing Security Controls To Mitigate Intrusions

The Australian Defense Signals Directorate released a paper that prioritizes mitigation techniques by effectiveness. Even better, they provide subjective assessments of user resistance, upfront and ongoing costs for each mitigation strategy.

I think it is quite telling that the most effective control is application whitelisting.

H/T to @Lerg for finding this.