Almost.

Which brings me to the trigger for this post: A spontaneous rationally ill-advised 2am almost 5-hour $15 bus trip to New York City from DC earlier this week to meet @Wh1t3Rabbit while he was passing through. At 226 miles each way, the food court conversation, quick tour of the CyBit floor, and 90 minute talk Raf gave might seem to be weak justifications for the trip to most; but not to me.  Instead, it reminded me of my life growing up…

…Telling my parents I was visiting “friends” 5 miles away and quietly hopping a Greyhound bus from Daytona Beach to go 260+ miles to meet other efnet IRC ops in South Beach, Miami…then Begging on the phone that night to “stay the night to work on a project”

…Dating a girl because someone dropped me off at a party 30 miles away and it took so many weeks to find a ride back from the hosts house that she and I figured getting together was the only sensical thing to do…

…Carrying a 486 PC on another Greyhound bus all the way from Florida to NC to move in with a guy I originally met on a BBS before heading to Finland to move in with a girl (my future and ex wife) I met on Geocities…

…standing in the rain at Kezar stadium in San Francisco for hours on end – with nowhere to stay that night myself – redboxing to my “ten years older than me online girlfriend” trying to talk her out of suicide by telling her to think of her 7 cats…

…being kidnapped by German Tori Amos fans in Tampa I met on IRC for two days because I had no money, no phone numbers memorized, and I couldn’t actually remember how to get back to my dorm (at the college I only went to one class at the entire semester)..

…Deciding in 10 minutes to use a random $200 “scholarship” check I got (for no good reason I could tell) to fly to Oklahoma to go meet “Stella” from IRC for a couple of nights…telling no one else…and coming back to find my suitemates knocking on my bedroom door telling me to “get the hell off the computer and come eat”…and quietly disappearing into another online friend’s house…only the first time no one knew where I was living…

…couch crashing as a lifestyle…first in a little hacker compound and later in another BBS hangout…

…dropping a friend off at the airport but enjoying the conversation so much I bought a round trip ticket to sit next to her and got on the return flight a few hours later…

…legitimately having to ask “which state am I in?” after getting off of an airplane…

…blowing an emergency roadblock with a friend and heading into an area of Florida completely on fire…and finding the only other living soul back there was a lost pizza delivery dude…

…waking up on a complete empty train…in a metal cavern…walking out the door…following a yellow line…up a few steps…and walking through yet another metal door into a night club…(apparently, they put train cars on ferries in some parts of the world)…

…calling home collect from Sweden with only $80 in my pocket, unable to find Geocities girl and realizing that no matter how far from home you are in the US, you can always *walk* back….

…putting a sheet up as a bedroom door because it had been broken down so many times by friends, family, and strangers that no one wanted to bother putting up a new door…

Anyway. You get the idea.  I’ve spent a lot of time with every material possession of any importance to me fitting into a backpack and having a very flexible definition of “secure safe personal space”; that backpack was “home” to me more than any physical location was.  Much older now than I was in most of those vignettes and having lived a more grounded adulthood, it was only this recent New York trip that made me realized how much that lifestyle is still with me.  I mean, I knew that I enjoy a relatively flexible lifestyle that allows for spontaneous travel and chance encounters…in general. But sitting on an actual greyhound bus to New York, with no rationally justifiable purpose or agenda and everything that mattered  - including clothing – in a single backpack, brought back very specific physical memories; I actually felt, for the first time in a long while, at home.  There was a part of my that relaxed which I hadn’t even felt clenched.  Even the odd double-images created by bus windows were something that tasted of old friends…

I’m obviously not suggesting that I want to live out of a backpack for the rest of my life, but it was a striking reminder that no matter how far we get from our pasts, or how many transformations are created by new experiences, those pasts are always with us. Even if we don’t always notice them. In a personal transition period now, I had been unsure what I wanted to do next.  I’m still not sure, but now I have a much more specific idea of where to start looking…and how to integrate (and take advantage of to everyone’s benefit) that mindset in my professional career.

(And, now that I hear morning birds chirping, it’s time for sleep…)

More important than my talk are the slides themselves.  I managed to put together one of the only presentations you’ll find with relatively short summary of the critical infrastructure landscape that also provides some framing help and advice on how to approach the topic more effectively (See this post for a longer treatment of the executive order sections).  It’s meant to have a strong verbal component, so if something seems incomplete or your need more information, feel free to ping me.  I hope you enjoy. (PDF HERE)

(Consider viewing these full screen)

In response to this RFI, rather than suggest specific content, I would like to bring NIST’s attention to several conceptual perspectives that I believe have so far been underrepresented in the discussion so far.

Perspective 1: A Need for Common Conceptual Framing

First, I believe the potential value of a successful framework will not be in the content, but in the conceptual model the content is organized around.  One of the primary problems facing us as individual organizations and as a nation is the not only the lack of a common cyber security lexicon, but also significantly incomplete and often incompatible views as to what comprises cyber security itself.  This point can be illustrated in two ways:

1. After attending the recent NIST Framework Workshop, it was evident that many speakers were discussing only component pieces of cyber security (e.g., information sharing), and not the entirety of the problem (e.g., procurement). The result was a grab-bag of security ideas that could not be evaluated in terms of each other or their role in security as compared to the rest of the ideas shared.  The discussion lacked the structural and conceptual rails required to guide the participants down the path of solving the same problem. I was left wondering “How does this all fit together?”.
2. One of the critical infrastructure sectors recently asked their pertinent government agencies (there were 4 represented) for guidance on which federal tools and frameworks should be used, by whom, when, and why.  Industry believed the tools lacked appropriate descriptions.  After investigation, the fundamental issue was not that the tools lacked descriptions, but that those using them were not aware of the full scope of problems which needed solving.  Participants lacked a common, complete conceptual framework in which to evaluate the tools.  This lack of a broad, structured, conceptual model made it difficult for them to assess or use other content.

These are only two examples of many.  This is a problem that occurs in almost every cyber security dialogue – even among cyber security SME’s. For this reason I believe that one of the primary values of the NIST Framework should be in providing that common view – not only of security practices, but also how those practices fit together to reduce risk.  One might call it a “cyber security algorithm” where program, practice, and control domains are variables which must be used to solve for “assured risk reduction”.  In such a model, individual best practices and content elements can be tied to each “variable” and can be selected by industry.  This provides some assurance that they are all working coherently together.

Such a model could conceivably be broken down into six different layers of activities (national, sector, business, architecture, implementation, operation) broken into two dependent but different risk life cycles: Strategic (risks from cyber systems) and Operational (risks to cyber systems).

In this manner, the structure of the NIST framework could be used independently of the content to educate readers, assist them with communication, and be helpful as a tool to solve for specific cyber security outcomes.

Perspective 2: Non-Cyber Business Maturation and Foundations

In my experience, many organizations would have very successful cyber security practices, but their extra-cyber practices are not able to effectively use or support the good cyber-specific ones.  These extra-cyber practices include procurement, marketing, scheduling, business operations, development, testing, sales, database administration, communications, etc.  It is often said that “good security isn’t bolted on, it’s baked in”.  That is only partially correct.  Good security is good business – there is often little to distinguish the two.  Security usually fails long before anyone with “information security” in a title or department name is involved.  As such, I believe the NIST framework should focus more on identifying good business practices which lead to successful cyber security than on cyber-specific ones. It should also keep in mind that those most in need of the framework are the least likely to understand their own role in the cyber security problem domain.

Perspective 3: Quality Assurance & Human-Centric Cyber Security

As we have seen many times now – in the cases of some large and well known security breaches of organizations who were fully aware and invested in cyber security best practices – the problem we are facing is not just one of knowledge, but one of consistency of practice. It is relatively difficult, the way we do business today, to assure the application of best practice (whether through internal business incentive or government regulation) in a consistent manner.  The NIST framework should attempt to improve this consistency.

One aid in achieving that consistency is identifying where cyber security faults – which are really just errors made by a human in an authorized role somewhere on a timeline – are occurring and describing them in terms of human-role/authorized-action control pairs.

Examples could include: CEO/SuccessDefinition, Vendor/FeatureInclusion, Vendor/QualityAudit, ProcurementOfficer/ProductEval, Subcontractor/OrganizationBridging, ITManager/WorkPrioritization, etc.

 Putting these pairs into a timeline or lifecycle model would allow us to describe desired cyber security state and control points in a manner that would: Be valid through most possible iterations of technology, allow users of the framework to better identify which best practices were applicable when and to whom, reduce cost by placing controls as close to the fault source as possible, and help increase consistency by more effective and efficient control placement.

In closing, I believe that the NIST cyber security framework has the potential to be an extremely valuable tool, but that its success will depend on its framing and structure. It must speak to non-traditional cyber-security audiences in their own voices and simplify otherwise high levels of detail in a way that enabled significantly better dialogue than we as a community have been able to achieve so far.

Thank you for your time and efforts.

V/R,

Jack Whitsitt/Energysec

1. What is the Executive Order and why was it issued?

This is a two prong answer. First, obviously it was absolutely a political goad to congress to write legislation and to poke at the Republicans. However, more importantly, it is also potentially a very valuable order that was seriously thought through and that will be used.

Think of it like a mother (the White House) telling kids (DHS, SSA’s) to “clean up the house”.  Based on existing house rules (overarching critical infrastructure directives/laws), she expects it will be done and goes off to handle other things.She comes back to find out that the kids of swept once or twice then went on to xbox, pushed stuff under the bed, or made more of a mess of the toy box trying to clean it than it was before.

Mom comes back and says “Ok, I left you to your own devices, here are the specific ways – again within the larger context of house rules – you are going to clean up. In the case of cyber security, the White House has said: You – DHS and SSAs and everyone else – are going to remove barriers to information sharing, work with our customers (industry) to build some coherent approach to solving the problem to our satisfaction  – some standard way of organizing the whole mess, and you’re each (especially you SSA’s!) are going to create explicit privacy and civil rights protections or else you fail.

2. What are the main thrusts of the Order?

1) Improve Information Sharing

2) Use business-function driven risk analysis to determine priorities

3)Create a framework of standards for reducing risks from cyber security issues to critical infrastructure

4)Engage industry to the greatest extent possible, and assure privacy and civil liberties are embedded in the entire process.

Whether any of this will be successful or remain uncorrupted is a different question.

4. What will the “Framework” described be?

Based on comments from NIST: The framework will includewhatever will achieve effective cyber: processes, technologies, architectures, concepts, specifications, etc.  It is intended to be layered and include broad principles, common practices, and sector specific realities.

The role of NIST is to support the industry development of the framework.  The government will depend on the actions of the private sector after sharing, up front, performance goals. NIST is being engaged because it has experience gathering lots and lots of input, but this will NOT be a typical NIST thing.

The aim of the framework approach is to enhance adaptability, with cost and impact to economics of business being an integrated explicit part of the conversation.

Additional benefit is that, by increasing interoperability of requirements, concepts, expectations, etc, baseline security can be driven to market/products (my comment: which has been a vendor/industry complaint often voiced)

Moreover, a goal of the EO – both in context of information sharing and the framework – is harmonization of efforts (this was repeated extensively and resonated with my experience in the dialogue) – particularly nby the federal government (which, again, has been a substantial private industry complaint).

5. Standards? What is meant by standards? That sounds scary!

Not as much as you’d think. Based on comments from NIST: Generally, common basis of comparison…some are performance…but some are norms to promote collective collaborative action. These latter are developed by industry and what the EO is referring to. In other words, the Framework of Standards is meant less to be comparative and more to allow everyone and everything to be working together.  (Jack’s note: I’ve said for years there should be a Chinese menu of options selectable by environment and risk, this looks like it might be going down that path).

6. What are some simple things to know ahead of time that I might not already?

There are laws, mandates, and programs on the books now and have been for years.  This includes strategic planning, incident response, information sharing, and engagement. The sector specific agencies’ jobs(SSA) are to take broad cybersecurity capabilities within DHS and apply them in sector (industry) specific ways.  All major players in industry have been actively engaged in the dialogue so far.  There have been certain cultural, process, political, perception, legal, and conceptual barriers to progress despite existing work and engagement.  The Executive Order attempts to rectify these barriers while keeping in tact most of the fundamental structures already in place.

7. How does the new PDD relate to the Executive Order? 

The PDD is an update/replacement to HSPD-7.  These documents are not cyber specific, but are the policy  context under most critical infrastructure protection activities that the federal government engages in (including cyber security) are driven by.  The old HSPD-7 and the National Infrastructure Protection Plan from DHS which supports it have been around for years and understanding them is necessary to understand a lot of the intent behind the executive order.

8. What is an SSA, as defined by HSPD-7, the new PDD, and the NIPP?

SSA’s (ref’d above) are the sector (Energy-DOE, Transportation-TSA, Chemical-DHS, etc) specific agencies who are the functional owners of engaging their segments of the private industry in gov cyber security efforts. The EO and the new-PDD update their responsibilities from what they were under the old HSPD-7, but they’re similar.  For reference, a paraphrased overview of the old SSA responsibilities is to:

• Use mechanisms like Critical Infrastructure Partnership Advisory Council (which allows gov/industry cooperation) to bring Sector Coordinating Councils (made up exclusively of non-lobbyist private industry) together with Government Coordinating Councils (Sector Specific Agency points of contact) to work together on planning the reduction of risk
• Encourage organizations with information to share with those who need it and encourage development of information sharing programs and mechanisms
• Promote education, training, and awareness within industry in coordination with other government and private sector partners
• Identify, prioritize, coordinate federal Critical Infrastructure Protection activities in sector – ie, make sure the government is organized and doesn’t overburden the private sector
• Appraise congress of industry’s current status and progress in reducing risk, based on engagement and feedback from industry
• Increase integration of cyber security efforts with other all hazards protection and response programs – in other words, since cyber attacks can have physical implications, make sure first responder type organizations are working with cyber ones
• Develop and implement sector risk management program (within the government) and framework and use to determine risk priorities of sector and coordinate (not require) risk assessment and management programs with industry. This means create a process by which, facilitated by government, industry can get together and figure out where it is and what it’s priorities

9. How does CISPA relate to this?

An executive order cannot change already legislative assigned federal responsibilities, so everything the EO directs occurs under existing mandates and laws.  Further, the EO addresses information sharing AND getting the government’s overall act together in cyber security.  CISPA, on the other hand, is aimed (for better or worse, this post isn’t for my opinions on it) on removing legal barriers to information sharing and addressing specifically problems associated with industry cybersecurity needing to intersect with the intelligence community.

10. What guarantee do we have to transparency in any of this?

Workshops kick off in April.  NIST has questions to industry on its website and will be reaching out further (more proactively than “on the website”) in the near future. If you read my earlier NIST post, you’ll see transparency and participation are core, not tangential, tenets here and are one of the things that will (or is intended to at least) distinguish this from past efforts. Further, if you have been on any of the DHS calls with industry, every single conversation revolves around getting more and better industry involvement. They are very serious about it.  Finally, in my own work with some of this (which is tangentially related), transparency and engagement have been priorities I’ve seen.

11. Indeed it’s written with the basis that Government will continue to be the determining data librarian for cyber threats.

Over and Over and Over industry tells gov “we need better threat info”.  Most of EO not dealing with the framework is written to that end – it primarily deals with pushing data TO the private sector because they have requested it. However, post-order messaging has (correctly) been: Look, we don’t have a classified pot of information at the end of the rainbow that’s going to save the day. Industry, you guys know about yourselves way more than we do – or you should.  If you don’t share, that’s fine, but we can’t help you unless you help us to do it.

I don’t like the disproportionate focus on Information Sharing. I think it’s a waste of time, but we collectively have created this stupid beast. I might be a red herring, but it’s our collective red herring.This deserves a longer treatment than a couple of sentences, so come see me talk about it at SOURCE Boston

12. Why is the Cyber EO so obtuse? And while the PPD adds context – it’s clear that we require more (and more) clarity

Much of the obtuseness is because a) some is to be defined later by b) federal agencies who will get very clear direction from those in the WH charged with implementing the EO within the context of c) existing language on the books and in response to d) specific beefs from industry and dialogue failures in the past. What most people lack is the appropriate context from which to interpret it, since most people are not critical infrastructure owners and operators or feds who have been engaged in the discussion. Much of the insight Im trying to provide here isn’t direct experience with the EO iteself, but the cultural language which has developed in the civilian space on the topic of critical infrastructure protection over the past several years.  It’s not understood well outside of Washington, but those it is speaking to understand it.  This is a huge problem and one I’ll try to address in Boston

13. Is this more of the government telling private sector they’re coming?

Gov’t is already there: HSPD-7, NIPP, SSA’s, CIPAC, CSCSWG, CNCI, NCCIC, foobar.   Regulatory capability already there: TSA, DOE(NERC CIP), etc. This EO speaks to and sorts out this *existing* stuff in one prong and tries to sort out information sharing barriers in another prong (barriers which, right or wrong – mostly wrong – industry has cited over and over and over as the reason their cyber sucks)

14. Why do we have any faith that Government has the agility and consistency to get it right this time?

We don’t. but, the way the framework components are laid out, we have an interesting opportunity to force it to work by the order’s focus on creating real consensus business-driven requirements. In particular, I believe cyber security is a quality assurance problem over unbounded time driven from business priorities and is almost 100% a human-centric problem.  There might be space here for that conceptual shift to occur.  More on that later, possibly in Boston

15. Should the Cyber EO have been so broad? Look at the “Designated Critical Infrastructure Sectors and Sector-Specific Agencies” list in the PPD.

Don’t forget that the PPD is based on years old definitions and, more importantly, is an all-hazards list primarily focused on physical attacks. In large enough scale, most things are critical in the terms of the broader discussion.

The trick is, for cyber, determining what within those spaces is critical. It’s a different functional discussion – as this is all laid out – than which sectors are critical. That’s handled in a process – a version of which I’ve been facilitating at a sector level for the past year – that is designed to base decisions on business driven threat scenarios.  It’s not perfect, but it’s a huge improvement from past methodologies.

16. If and only if (IFF) the Cyber EO was really meant to get action to answer these questions – then it should not have been issued so broadly, so politically charged, and otherwise tied to SOTU the way it was.

Agree. It’s over-politicized – but that gets into questions of its effectiveness and clarity in the current political and cultural environment, and that’s out of scope here.

17. Why not leverage the bodies of work existing up-front?

Because the process of engagement in finding and applying those existing bodies of work is the key element of this part of the EO, not the outcomes themselves. It’s an attempt to build in continuous flexibility and applicability in changing environments and compared to differing and dynamic priorities.  Think “it’s not the destination but the journey” here and add on “and the requirement to iterate through multiple journeys as a lifestyle”. The mechanism NIST and the collective gov builds to continuously engage industry in the development and adaptation of the framework are where our real opportunities to make this valuable come in – but we need to work together coherently. More in this in Boston.

Also see this document from NIST: http://www.nist.gov/itl/cyberframework.cfm

18. What makes this a compelling DHS issue instead of economic development, science, or other component of Government?

Because the EO can only really address already existing legislatively assigned authorities. This EO is a goad for further legislation, and that might change the agency assigned responsibilities. That said, I actually agree this should be a DHS issue – no other agency has the type of broader mission required to effectively coordinate cybersecurity in the broad terms it requires – NSA would be one of the worst choices, since their core mandates are, in many cases, only of use in terms of focused support.  Think correlation with physical and geographically dispersed response and coordination.  The FBI, similarly, would be a terrible choice since their mandate is “prosecute and convict”.

19. What about regulation of industry?

There are a number of agencies who *already have* regulatory authority over private sector critical cyber infrastructure – some have used it, some haven’t. The EO asks that they use the new processes in the EO to reevaluate whether they should regulate and how if they don’t now and the effectiveness of any regulation if it’s already in place. Every two years, the government is required to check with industry to make sure any regulation is a) effective and b) not too burdensome.  In my opinion (based on work with some of the processes which will be used),  this is much less likely to result in additional regulation than is suspected. (This is because the processes attempt to be more empirical and data-informed than the more speculative and subjective attempts in the past.)

20. Why haven’t I heard about any of this and why does it not resonate with me?

So much of this has been driven by lobbyists and industry associations….unfortunate in many cases…but almost impossible to get substantive input from more fair representation.  The reasoning behind this is something I’ll cover in Boston and it’s something we need to culturally change together – and we can.

Section-by-Section translation of the EO based on my own interpretation; designed to get through all of the heavy government language to the spirit of what each section is attempting to convey. Some of this might be wrong, but I think I’ve hit the substance. Will refine over time:

Important to remember: EO can’t change existing law and responsibilities

Sec. 1-3

Fluff

Sec. 4.  Cybersecurity Information Sharing.

 a) The US Government will pass more (unclassified) information than they already are, and from more sources, to the private sector faster so that they (industry) can better protect themselves.

 b) More about the rapid dissemination of these reports, but now mentions the ability to disseminate limited classified reports

 c)The government will enhance a new program (previously announced) to provide classified threat and technical information to qualified critical infrastructure companies (including commercial service providers who work with criticalinfrastructure)

 d) The intel community will speed up processing of security clearances for private sector companies with critical infrastructure

 e)Since actually becoming a fed is hard, and because not everyone wants to, there are initiatives going on – and which the EO directs to be hurried/expanded – to allow private citizen subject matter experts to come under temporary service

Sec. 5.  Privacy and Civil Liberties Protections.

a) Agencies already have privacy/civil liberty offices and procedures in place. They must make sure any action they take in regard to the EO is done using those offices and procedures.

 b) DHS must make formally sure on a recurring bases that 5a) is indeed happening

 c) When DHS reports on this, it will consult with OMB (to provide another layer of oversight)

 d)Private entity information will be protected by the most protective interpretation of the law

Sec. 6.  Consultative Process 

The government will engage with private sector stakeholders on all aspects of the EO and will utilize mechanisms that already exist and are currently being used to collaborate with industry on cyber security and critical infrastructure – particularly those outlined in HSPD-7 and DHS’s National Infrastructure Protection Plan

 Sec. 7.  Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.

a) NIST will lead the development of a framework to reduce risks to critical infrastructure from cyber systems.  The framework speaks to the process of reducing risk.  The framework is intended to make sure business efforts, policy efforts, and technical efforts are aligned and working together.  The framework will incorporate existing standards and best practices as much as possible (clarification: NIST has said here that they mean interoperability/common frame of reference type standards, not performance or measurability focused standards. Ie, the intent of the standards is to help everyone work together.)

b) The framework is *process focused* and intended to deal with the fact that this is the real world; it’s goal is to work collectively to figure out the best ways to reduce risk – the process is the focus, not the results. “The journey is the destination”.  The framework will include ways to measure how well organizations are participating in the process.

c) The framework will explicitly include ways to protect business interests and civil liberties

d1) This process will be as inclusive as possible. Government required to show up to the table and government required to engage industry as much as industry is willing to participate.

d2) The government will provide outcome goals for the framework based on critical determinations made in section 9 (the intricacies of this are a bit out of scope of this review. Suffice it to say that there is already existing work here being done and existing processes already in use that will most likely be used to fulfill this requirement.). This is assigned to the heads of relevant agencies, which means its a performance criteria for those individuals, which means it will get done.

e) a preliminary version of the framework will be done in 240 days, final in a year

f) The process of engagement and validity of approaches will be reviewed regularly for appropriateness in addressing cyber security

Sec. 8.  Voluntary Critical Infrastructure Cybersecurity Program.

a) There will be a program (outreach & engagement?) to encourage private sector adopting the framework process

b) The agencies already on the hook for industry engagement for critical infrastructure (sector specific agencies – SSAs – under HSPD-7 and the National Infrastructure Protection Plan – NIPP) will use their existing mechanisms (like CIPAC) to reach out to industry on a sector by sector basis and address sector specific risks and concerns

c)The Sector Specific Agencies will let the president know annually how this is all going – is industry participating or no?

d)the government will try and create additional value for industry to participate

e) The government will try and figure out how – or if it even makes sense – for the government to adjust its procurement and contracts to use/fit in with the framework

Sec. 9.  Identification of Critical Infrastructure at Greatest Risk.

a) Within 150 days, DHS will determine, based on potential national consequences from a cyber attack, what infrastructure is critical.  This speaks to a consultative process (as described in section 6) that the government will use to identify what the framework and the rest of the Order is aimed at. I’ve been working within one industry for some time using a version of the process that will be used here. The process uses business-function driven risk analysis to determine priorities: Critical Functions->Value Chain->Supporting Cyber Infrastructure->Program level vulnerabilities->Scenarios to be protected against. Ish.

b) The sector specific agencies will, in line with their existing role, provide DHS with enough information to make these determinations. The EO assigned this to the heads of the sector specific agencies, in particular, and so it is a performance criteria for them. This tends to mean it will get done.

c) Owners and operators of critical infrastructure will be confidentially notified of their status as critical infrastructure and there will be a mechanism for them to ask to be reconsidered

Sec. 10. Adoption of Framework (Read: Potential Regulation)

a) Agencies who can currently regulate will look at any new information provided by the preliminary framework and determine if the way they are currently handling regulation is sufficient based on framework identified risks (my note here: TSA has, in the past, declined to regulate because industry was actively participating already. This directive does not make future regulation a given).

b)If current regulation isn’t sufficient, regulatory agencies will propose actions.

c)within two years, agencies will work with owners and operators to determine if any new regulation is ineffective or excessively burdensome and will make recommendations for relief/changes

d) DHS will help out any agencies who don’t have the technical cyber qualifications to do this effectively

e) Regulatory agencies that aren’t sector specific agencies should consult with everyone and get on board, too

Sec. 11. Definitions (Speaks for itself. Read these without translation)

(a) “Agency” means any authority
of the United States that is an “agency” under 44 U.S.C.
3502(1), other than those considered to be independent
regulatory agencies, as defined in 44 U.S.C. 3502(5).
(b) “Critical Infrastructure Partnership Advisory Council”
means the council established by DHS under 6 U.S.C. 451 to
facilitate effective interaction and coordination of critical
infrastructure protection activities among the Federal
Government; the private sector; and State, local, territorial,
and tribal governments.
(c) “Fair Information Practice Principles” means the eight
principles set forth in Appendix A of the National Strategy for
Trusted Identities in Cyberspace.
(d) “Independent regulatory agency” has the meaning given
the term in 44 U.S.C. 3502(5).
(e) “Sector Coordinating Council” means a private sector
coordinating council composed of representatives of owners and
operators within a particular sector of critical infrastructure
established by the National Infrastructure Protection Plan or
any successor.
(f) “Sector-Specific Agency” has the meaning given the
term in Presidential Policy Directive-21 of February 12, 2013
(Critical Infrastructure Security and Resilience), or any
successor.

(CAVEAT: I wrote this in about 10 minutes. Please Understand if it’s not complete or poorly worded)

So,  the Executive Order (full text HERE ) looks like it is more focused on an Asset Based risk perspective than a Functions and Business centric one – particularly in the definition and use of the upcoming NIST framework and the determination of criticality. I might be wrong, and a lot hinges on what the NIST framework ends up looking like, but the language as it sits now has me….watchful.  Some thoughts on why an asset-centric approach is problematic:

1. Attackers use different paths to achieve different real world objectives (things blown up, data stolen, etc)

2. Asset criticality therefore changes according to the path the attacker takes, which objectives are chosen, and which defenses are in place. In other words, asset criticality is dynamic.

3. Assets can be protected to a very high level without any assurance whatsoever that undesired consequences are not caused by attacks.

4. Functions and business objective centric protection approaches (such as DHS’s CARMA) linked to capability domain frameworks (such as the ES-C2M2) tied into technical assessments (such as DHS CSET) assure that protection programs and measures are working together to reduce actual dynamic tactical and strategic risks and reduce the risk of ineffective controls inappropriately targeted and configured.

5. Asset centric approaches create static defenses which attackers can work around while functions and business consequence focused approaches actively address the reality of how attacks occur, where controls should be placed, and to what level they must be configured.

6. Functions based approaches also create a more lexically coherent framework that assures all stakeholders are having the same conversation.  Asset Based approaches, though speak to fixed points where each stakeholder may have a different perspective on the goals of any controls.

7. Functions and business consequence driven frameworks can also be more effectively used to determine the success or failure of cybersecurity efforts and provide more realistic and useable metrics and goals.

FURTHER CONTEXT **HERE** AND **HERE** AND **HERE**

FOUNDATONAL CONCEPTS

Cybersecurity is a quality assurance problem that occurs unbounded over time; what we are tackling is not a matter of fixing individual errors, but reducing the frequency of them to a level where we can continuously afford to remedy the ones that do happen. Multiplied by the increasing number of cyber systems we develop or change every year, the errors requiring mitigation are increasing constantly and will exceed defensive resources without a reduction in the rate at which they are made.

We must reframe the discussion to account for this “quality assurance” perspective if there is any hope of improving the quality of our cybersecurity posture.  Direct experience has shown at least four areas requiring focused development to successfully broaden the cybersecurity dialogue:

1. Success Criteria: To date, much of the cybersecurity conversation has lacked coherent, actionable risk reduction objectives. The development of a “Common Operational Picture”, for example, is only a tool to reduce risk, not a strategic goal.  Similarly, while a Minimum Level of Hygiene is a useful description of a suite of efforts, it does not speak to what the specific success of those efforts would look like.  Instead, success criteria should speak to business and national security priorities to be enabled at defined performance levels in the face of cybersecurity errors.  If we can begin to describe objectives in this way, we will be more successful at building mechanisms to achieve them.

2. Holistic Inclusion: Traditionally the area of IT or Security Specialist staff, an analysis of the timeline on which cybersecurity problems occurs leads to the observation that those roles have far less of an impact than those who are not specialized.  Because of their role in defining success criteria and operating cyber systems, business leaders, operations staff, managers, procurement officers, and many others have far more impact on the state of cybersecurity over time than those in roles who focus on it.

3. Common Framing:  It is very difficult to solve a problem as a group when those in the group, because of their backgrounds, have different ideas of what the problem actually is.  Cybersecurity is a complicated, multi-dimensional problem which must be solved at several discrete, if interdependent, levels.  Often, those who work in one level are not aware of the others or how they fit in.  If asked what cybersecurity means, people in different roles may have wildly different answers.  Even explaining what one cybersecurity tool or framework does versus another requires a common framing of cybersecurity that experience has shown to be lacking in most cases.  Any national initiatives should take into account (at a minimum) this problem or actively work to solve it.

4. Trust: In today’s world, businesses are part of a larger system of industry, national, and world proportions. While competition is one aspect of that system, so is cooperation.  Often mistakenly called trust, this focus area, should instead begins to carve out a formal space and culture for competitive peers to operate cooperatively in the interest of common success.

Fundamentally, there are five often ignored truths that I’ll use to make my case:

1. Cyber security is a problem that occurs over unbounded time (thanks Win Schwartau). In other words, measuring state at any single point doesn’t provide a complete picture of exactly what your risk actually is. Just for example: Time to detection, time to compromise, how often and when changes occur, etc are all problems that cannot be described as single points:

Cyber security is actually a *rate* problem overall: How many errors occur per time period and how many resources does it take to address the errors?

A Strategic win is when the relationship between the error rate and the mitigation rate constantly remains at an acceptable level or better.

2. Complexity is constantly increasing. We’re, collectively,  always building new systems and adding new features at a frenetic pace.  This means that:

As complexity increases, if the error rate stays the same, resources to mitigate must increase unless those resources become more efficient.

3. Resources are limited. At some point, you cannot increase the number of resources and so:

Since resources are limited, either the error rate must be adjusted or the resources be made infinitely more efficient (to account for constantly increasing complexity).

4. Human behavior defines every aspect of security state. Just for example:

DEVELOPERS build TECHNOLOGY 
ENGINEERS build TECHNOLOGY 
ARCHITECTS design TECHNOLOGY 
IT STAFF change TECHNOLOGY 
AUTHORIZED PEOPLE operate TECHNOLOGY
SECURITY STAFF protect TECHNOLOGY
EXECUTIVES/OWNERS require TECHNOLOGY

5. Quoting from a previous post, humans hopes, dreams, passions, fears, biases, moods, and biochemistries dictate what they do. They’re not perfect. They make mistakes. In other words:

Human behavior is what causes the cyber security errors that result in compromise. 

Defensive Resource efficiency is also negatively affected by the rate of human behavior errors

Therefore, if the rate at which people (“Users”) make mistakes is not managed and their activities are not subject to a certain level of long term quality assurance and control, the increasing complexity of systems assures that errors will eventually increase beyond the levels to which available defensive resources can mitigate them, even in the face of tactical efficiency improvements.

–

Adjusting the effectiveness of resources (by automating a patching program, or adding malicious code detection, for example) does give a boost to level of defense capability from that point on.  But, because resources will max out and because ultimately effectiveness is bounded at the top by error rate (which is a human problem), defense capability will still eventually flatten out against vulnerabilities introduced by increasing complexity and an unmanaged error rate and a strategic loss will occur.

–

If, however, if Error Rate is reduced (through adjusting user behavior and turning it into culture), the rate at which vulnerabilities are introduced can be kept in enough check to allow for defensive capabilities to be effective – even in the face of increasing complexity. (Assumed: Number of humans to be changed is much more static than level of complexity)

–

Once the strategic distance between vulnerabilities and defensive capabilities is no longer growing with complexity over time, measures such as automated patching programs, malicious code detection,etc, etc can be used to change the day to day relationship between offense and defense, allowing for the potential of an acceptable level of risk to be achieved as a function of rate, not a moment in time.

….The aristocrats.

This is my first post of two on the topic.  The second will be more “me” and will specifically outline the difference in looking at cyber security as a strategic vs tactical problem and how the implications of the “user” conversation.  (Caveat: A lot really depends on how you define “users”, so I’m careful to here.) Enjoy and thanks to everyone who’s contributed to the shape of my brain.

Click the pictures to make them big enough to read.

–

What is a network?

Let’s pretend it’s newly birthed whole, untouched.

—-

Well, that’s almost a network. We still need users.

Who are Users? They’re everyone who can affect your network.

Don’t agree? All basic attributes are the same…

The only things that change are implementation details: roles, motivations, environment

—-

This is a more complete picture

These users – in their roles – affect equipment.

That causes the computers to be in a given state.

Even with environmental constraints, like hardware, baseline configs, security configs, etc…

human actions occur before network built

—-

To be secure, we can influence the decisions made, or put in place technical controls

Both options affect the same logical chains of actions, just in different places. 

—-

But do we even need to describe technical controls?

Because honestly, computers are just proxies for the will and desire of users.

Which sets of users is responsible for computer action just depends on where in time you’re looking.

—-

Putting in technical controls requires influencing decisions made by users

Therefore it’s pretty clear that user activities can be used independent of technology to describe security.

—-

Specifically, if time is collapsed, authorized user roles and their associated attributes are the network:

Which leades us to interesting implications:

You can structure activities into common role activities in a way that will help you manage and manipulate the human squishy stuff.

The specific attributes are out of scope here, but take home the idea that at a non-tech specific level, they’re  finite, discrete.

This means humans can be addressed as potential state attributes directly.

And so no matter what you do, if you do not influence user behavior, you will never be secure.

What are the implications? See next blog post!

I’m not going to review the language of the bill – I’m sure it’s terrible. Most cyber legislation is. It can’t not be. They all go too far, lack clarity of language, introduce unforeseen escalations of government rights, etc.

There’s no need to go over the givens. :)

So, then, what? Well, after I finally read CISPA and the surrounding reporting, what I noticed was that very few people seem to understand that the bill didn’t come out of nowhere. The language in it, the motivations behind it, the structure of the bill, etc…all of it… completely reflects the information sharing discussion that’s been going on between those engaged in public/private partnership cyber security activities for years.  It’s not just a random congressional fart.  Anyone who has been part of that discussion should recognize the bill as an old …if not friend…sparring partner.

For those who don’t know, there is, in this space, an institutionalized gridlock in the debate about information sharing.  CISPA clearly is an attempt to remedy this very, very specific gridlock. It’s not a general cyber security bill. It’s not even a general information sharing bill.. It is designed to address the perspective that the government has information it won’t share, that clearances have been roadblocks, and that legal ambiguities have prevented sharing.

Now, while I happen to think that some of these are in fact roadblocks, I also know CISPA doesn’t touch the heart of what the most severe and core information sharing problems are. But, unfortunately, I’m in the minority. A great number of otherwise intelligent people do believe in what it’s trying to accomplish, typically terrible language notwithstanding.

Maybe no one else finds this worth noting, but I at least thought it was unusual that the structure of the existing conversation is so clearly reflected in a piece of legislation…

I’ve seen people fly, I’ve seen birds fly, I’ve seen a horse fly, I’ve even seen a house fly, but I’ve never seen an organization fly. And, as silly as it might seem, this really does have significant implications for managing cyber risk – especially when we look incredulously at the many public compromises and wonder “why does it keep happening?”.

A good way of approaching that question is to look at where cyber risk management is “succeeding”. Succeeding? Yes! Cyber risk is, in fact, being managed – and quite well! If you doubt this, you might need to ask yourself important questions like “Which risks are being managed?” and, more importantly, “Which risks to *whom*?”

What I mean to say is that, while organizations can have an effect on the world around them, they can’t actually be seen or touched. They’re not tangible and they can’t…”fly”. Instead, they are the conceptual sum of the many varied decisions of individual people. These conceptual sums are inanimate; they cannot – and do not –feel risk. Instead, it is their executives, owners, employees, and customers who feel risk. Their soft squishy human hopes, dreams, passions, fears, biases, moods, and biochemistries ultimately drive organizational “risk tolerance” and we should never forget it. Here, it’s crucial to understand that people almost exclusively put risks to themselves ahead of all others (including an organization’s).

So, then, if the “collective” risks to individuals do trump all else, where do we look for ownership and resolution?

Well, some would say “users”, but do “users” (or “individual performers”) care more about meeting their boss’s expectations or saving the intangible organization from invisible adversaries and hidden costs without direction? Probably the former.

Further, while “the bosses” who set these expectations might see that the cyber problem exists, their primary risks resolve around meeting their own senior leadership’s expectations as well.

Ok, but isn’t IT Security key to cyber risk management? Not really. IT Security, like any other group, must align themselves with their senior leaders’ and executives’ priorities. Without that alignment they hold no sway or effect.

So, then, it’s on Executives. Senior leaders, what drives your risk appetites?

I ask because cyber risk management is a hard problem. Aren’t you safest if you follow best practices and “buy Cisco”? Ultimately, if you do and your organization gets compromised, what happens to you? Most likely very little – you did your best after all. Is it even in your best interest, then, to know cyber is a hard problem? If you’re aware that best practices have been failing like communism, aren’t you then obligated to come up with solutions of your own? Wow. No way. It’s best to believe the hype; best to buy Cisco; best to keep transferring the risk.

Intentional ignorance (or lack of “awareness”) isn’t just bliss, it also reduces risk to those people directing organizations and dictating the priorities of their human building blocks.

Now, I’m back here to encourage you (if you have a personal or professional interest in Energy Critical Infrastructure Cyber Security and/or Risk Management) to attend the Security Risk Management Practices for Electric Utilities Town Hall in New Orleans this May 30-31 put on by NESCO. 

I’ll be speaking as part of a panel and am looking forward to some fantasic conversations! More info below:

Progress! As you can see below, we’ve confirmed several additional speakers such as Tony Stramella from the NSA and Steve Carmel from Maersk (who was a fantastic speaker last year – he talked about his experiences with maritime piracy and pirates! Did I mention he talked about pirates??).

The Offensive perspective panel (Kevin Finisterre, Ruben Santamarta/Reversemode, and hopefully Josh Wright) is going to rock out with some talented vulnerability researchers and Mark Fabro will do his always brilliant job of improving the discourse. 

We’ll be excited to hear Bryan Sartin discuss the past year’s data breaches and front-line experts in the field let us know how the stuff you’ve heard in the news might apply to you (Scot Terban, Liam from Symantec, and the now-short-haired Adam Meyers). 

Boeing and Darryl Song from Volpe are going to dish on transportation-specific concerns, and the CTO of the CIA will drive home the need for security to be data-centric. 

Mike Murray will be both entertaining and captivating – even if I dont know his talk yet – and Russell Thomas will bring a much needed formal perspective to risk management and cyber security. 

Patrick Gray gives a lightning fast, but insightful presentation on social media, Jack Johnson will help us understand financial issues facing organizations today, and Amit Yoran will talk about…whatever. He’s just a smart guy.

Hope you can make it. If you’re interested in attending, the registration link is here: Invitation.

(Please, if you’re a vendor and plan on selling, we’ll take a pretty dim view of that at this particular conference. )

So, one of the things I get to do as part of my job which has been pretty exciting is to put together the agenda for our 2nd annual Cyber Security in Transportation summit. It’s happening November 1 & 2 this year in the DC area and is going to be full of outstanding talks for all ages and backgrounds. ;) The summit is aimed at executives and decision makers from within the transportation industry who might be effected by cyber security or whos actions may affect the security of their organizations. We’re covering general cyber security themes as well as transportation specific ones. If you’re in the transportation sector – pipeline, aviation, freight rail, mass transit, highway & motor carrier – and want to attend, let me know at sintixerr@gmail.com.

The tentative agenda currently looks like this:

Summit Schedule (Click for Larger)

You can find a copy of my presentation here: http://sintixerr.files.wordpress.com/2011/07/natotbilisiswhitsitt.pptx 

When writing – and delivering the presentation – I found it difficult to support both the scope of the panel as described – Energy Specific SCADA threats/vulnerabilities – while at the same time meeting the audience’s need for a higher level view of the problem.  I definitely need to work more on bridging the gap between the technical realities of what we do and the knowledge/perspective of policy makers…but that was always going to be hard…if it was easy, it would happen more often. :)

As for the rest of the conference, there were a number of presentations given, but I was most impressed by Alexander Klimburg’s take. He spoke about the intersection between attribution difficulties in cyber space and recent talk about kinetic response to attacks by nation states. Policy discussions seem to be moving, according to Alexander, in a direction which results in rapid, somewhat automated, escalation of hostilities between nations in the event of a cyber attack which seems to have come from another nation.  With the confidence in attribution being as low as it is – and with such a high probability of non-state actors being involved – this type of escalation becomes probablematic and ill-advised. Alexander’s talk proposed creating confidence building measures between states and non-state cyber attack actors, building in enough of a policy buffer to allow thoughtful responses to attacks, and having the media “name and shame” attackers where confidence isn’t 100% as a deterrent.

I don’t completely agree with all of the details, but philosophically, I think he was on point. 

What I also found interesting about the conference was that the same conclusions were drawn at the end of this conference that are drawn at the end of every other cyber conference:

• More information sharing is needed
• Public/Private Partnerships are important and difficult
• Cyber is a real threat
• Large organizations can help solve some, but not all problems in cyber security
• There needs to be clearer definition of roles and responsibilities

Someone in the audience rightly asked: “Yes, that all is obvious, but how do we do it?”

That’s a perfect question, and one I ask constantly.  I’ll say again: You can’t just say “cyber security is a problem” and expect to implement a plan to solve it; you can only speculate as to what types of efforts might be involved.  The problem needs to be defined in a much more structured, specific manner than we have so far (in my mind, using threat models which link risks to strategic business objectives from cyber systems to tactical risks to those cyber systems…at some point I’ll post a model for that here).

That all said, the trip was fantastic:

My NATO and Georgian hosts were gracious, professional, and intelligent. The locals were a lo of fun – I spent one evening with three random Tbilisians (one cute bartender, a guy who claimed to be a male model and was explaining the story of the city’s founding in broken english and by waving his arms up and down like a giant bird, and a US expat helping to start a lab). The country was beautiful; I particularly loved some of the crypts on the floor of a church in Mtskheta (the script was beautiful…I suggest checking out Georgian writing).

Thanks to Julijus for inviting me to speak. I was very grateful for the opportunity.

(Edit: This is a pretty rough draft of this blog post. It may change significantly and I want to add many more thoughts, but I wanted to get it out before it became OBE.)

If you have one error, you fix it and move on.

If you have the same error again, you fix it “better” and move on.

But if you keep having a variety of errors at a steady or increasing rate, you stop looking at the causes of individual errors and look at your basic business practices.

Cyber Security problems are errors. Cyber Security problems are systems or data doing things their owners and society do not with them to do.

Cyber Security errors keep occurring despite being fixed individually.

New types of cyber security errors are occurring over time as new systems are built, as data changes, and as new use cases develop.

By the time we fix our past errors, we’ve created new ones.

Let’s stop focusing national and organizational programs on fixing individual cyber security errors  – or even fixing common classes of cyber security errors.

Instead, let’s focus on reducing cyber security error rates in general.

To reduce the rate of cyber security errors, non-cyber specific business practices must be evaluated to determine where cyber security errors are being introduced.

Hmm. This sounds a lot like business management and quality control, not cyber.

Yes, it does.

Tackling individual cyber security errors in our critical infrastructure without reducing error rates will assure failure.

Tackling error rates will create long term, sustainable success by freeing up the vast, unnecessary number of resources we’ve allocated to individual problems to better use through the reduction of the number of errors which have to be dealt with in the first place.

Stop wasting so many resources. :)

1. Talking over your audience’s head is mean.  No one cares how smart you are unless you can make them just as smart on your topic in 20 minutes or less.
2. Speaking of 20 minutes. Stay on the time clock. Wasting 15 minutes of someone else’s time is presumptuous and rude.
3. Having a Slide Extravaganza doesn’t make you a good presenter.  Slides are talking points, nothing more. By the 98^th slide, your audience will hate you.
4. Engage. If people opt to read their horoscope on their l33t Droids rather than watching you in person, your presentation sucks.
5. Tone. If you have a terrible voice, amplifying it on a  microphone is just plain mean. Record yourself ahead of time and listen to it. Adjust accordingly.
6. Hair Matters.
7. Thanking everyone for thanking the thank you people gets redundant. Appreciation is one thing – but it’s not the academy awards.    
8. Pick one point. Maybe two. Not 438. Your audience is not Neo. They will not be able to learn Kung Fu
9. Relevance. Know the audience and have a backup plan if no one can relate to what you’re talking about. Otherwise, you’re just filling space.
10. Smile. If it’s supposed to be a joke and you frown, your audience might not get the cue to laugh
11. If you smile while you make a joke, and the audience still doesn’t laugh, see “know the audience” (or “talking over your audience’s head”).
12. Look nice. There are enough cave trolls in the audience. Give people something better to look at.
13. Be a wingman. If one of your colleagues is getting ogled by above-mentioned cave troll – be sure to intervene on her behalf. Especially if the cave troll is of unspecified gender
14. Don’t let friends sit in the back row and make you laugh unless they’re part of your shtick. Especially on a panel when it’s not your turn.
15. Bring pillows. If you’re going to put people to sleep, they may as well be comfortable.
        

“He could come from anywhere – from anywhere all at once. So we run into the classic problem of defense, cubed. The farther out you deploy your defenses, the more of them you have to have, and if your resources are limited, you soon have more fortifications than you can man. What good are based on moons, Jupiter, or Saturn, or Neptune, when the enemy doesn’t even have to come in on the plane of the ecliptic? He can bypass all our fortifications. The way Nimitz and MacArthur used two-dimensional island-hopping against the defense in depth of the Japanese in WWII. Only our enemy can work in three dimensions. Therefore we cannot possibly maintain defense in depth..”

“So even if we intercept 99 of 100 attacking squadrons, he only has to get one squadron through to cause terrible destruction.  We saw how much territory a single ship could scour when they first showed up.  Get ten ships to us for a single day, and if they spread us out enough, they’d have a lot more than a day and they would wipe out our most important centers. “

“I don’t think there is a solution. There is no point in trying to defend at all. So the only strategy that makes any sense at all is an all-out attack.”

I’ll let you all think through the implications of these passages and get back to me.

On another, related, topic, I have a question: A lot of us are quick to reference Sun Tzu’s Art of War in cyber security, but I havent seen (or havent recognized – I  might just be ignorant here) many attempts to use known historic, strategic war/battle thinkers in our industry much beyond Sun. Is there anything else – or anyone else – we should be looking at from a classic “war” perspective that we’re not already? Who? Why? Who/What am I missing? Is it relevant to ask?

What exactly is an RDoS? It works a lot like a syn-flood, which spins up a whole lot of blank connection attempts to a server. The server must receive these connections, wait for awhile to see if valid data arrives, then close them. The thing is, because the sender knows the connections are blank (and using things like botnets and such), it can generate a lot more connection attempts than the server can handle. Eventually, the server gets so busy that it fails to respond to real connections.

Now, think of how we handle “security”.  We religiously and studiously avoid building hardened, defensible systems from the ground up and rely on fixes, patches, and incident responders to cope with the eventual problems later (hoping all the while – in vain – that the attacks never come).

What we end up with, by and large, are systems that are so poorly constructed that it takes a large amount of effort to detect, confirm, respond to, and recover from attacks.  Further, while attackers can fairly easily attack multiple systems simultaneously, we require dedicated defenders/responses for much smaller groups of systems (or even individual systems).  This leaves us with an “RDoS”. Our security philosophies leave so much open that we can never, ever sufficiently resource our defenses at an adequate level. Everyone is occupied. Just ask your incident response vendors, teams, and CERT’s (over beers, of course), about their available resources vs the demand for their services, vs the large iceberg of incidents under the water that aren’t even talked about yet.

As I’ve said before: Good guys – you, we, have failed and will continue to fail if we keep going down this same road.  We can’t win until we change strategies completely. We need to embrace our failure and build systems which are defensible from the inside, which are measurably effective against operational/business objectives,  and which assume, from the get go, that sections and components have, are, and will continue  to be compromised. This hacking perimeters on, giving lip service to change control, and our complete inability to integrate cyber into our ORM and our ORM into our business decision making is a waste of time and resources. We’d be better off spending the money and time elsewhere if we’re going to keep doing security as badly as we do it now.

If anyone disagrees with this post, I’d LOVE to hear a rational argument as to why. (Really!)

(UPDATE: 08/06/10)

I really think some of Bruce Potter’s remarks at Shmoocon in 2009 are pertinent here:

People are getting owned a lot.
Trends

• Increased success in getting past our defenses
• Increasingly malicious motivations. The bad guys aren’t after web defacements
• In spite of the above, we haven’t changed our methods. Its a lot of the same
• Spear phishing and drive-bys are unabated.

What we have is a Maginot line…in depth
Of 66 million websites indexed by Google, 5 percent had drivebys.
These sites with drivebys weren’t just the risky underbelly of the web. It was every category of website. I don’t think that is surprising to anyone who has paid attention to security.
These findings were published last year in in USENIX.
The malicious content on these sites was then scanned using three top Antivirus vendors. The best detection rate among these three vendors was only 75%. The worst was 30%. These are untargeted attacks. Imagine the ability of an attack targeted at your organization to cut through your antivirus defenses.
So What do you do?
NAC? Most people don’t have that deployed even if they’ve bought it.
Firewall Internally?
Token authentication?
Change jobs?

This post will also serve as a brief introduction to what it would take for you to write your own Cocoa client for the server. But, If you just want the software, you can get it here:

• Server Application (and source code / Xcode Project)
• Quartz Composer Plug-In Client (and source code / Xcode Project)

Notes:

• To install the client for Quartz Composer, close QC and copy the .plugin file to: “/Library/Graphics/Quartz Composer Plugins”. When you next open QC, you should find it in your Patch Library listed as “MindSetQCClient”.  Usage of the patch should be obvious,
• The server shouldn’t need to start first as long as the client periodically checks for a vended object, but when troubleshooting it’s probably a good idea to start the server, then the client.
• The server needs the Thinkgear bundle in same directory as the server app. (I’m not including the Thinkgear bundle, it’s available from the Neurosky website for free as part of their developer stuff.
• Neurosky documentation has instructions for how to figure out what serial port your mindset is on, iirc.  The default for the server is the one I use.
• I’ve borrowed so heavily from a hodge-podge of tutorials and examples, that I’m not going to include a license for the code. Use it as you will.

.

So, onward to the tutorial/implementation details:

.

Distributed Object Mindset Server and Client

This server is intended to be a little easier to use than some of the connection methods Neurosky provides (at least in my mind). It grabs data from the Mindset and provides it to Cocoa client applications (such as my Quartz Composer plug-in) by using Objective-C / Cocoa’s Distributed Objects interprocess messaging capability.

To access the Mindset data, the client must create an NSConnection to “JacksMindsetServer”. This gives it access to a vended object which supports the following very simple protocol (this protocol will have to be included in your client header file):

@protocol PassingMindData

-(int) getDataCount;

-(NSArray *)getOldestData;

-(void)removeOldestData;

@end

Creating the connection to the vended object which uses that protocol is simple and requires only a short bit of code:

if (!sharedObject)

{

NSString *_host = nil;

sharedObject = (id <PassingMindData>)[[NSConnection rootProxyForConnectionWithRegisteredName:@"JacksMindsetServer" host:_host] retain];

}

You should now have an object called “sharedObject” which allows all of the methods specified by the “PassingMindData” protocol created above and which will pass the data from the mindset server to your code. To do so, the primary method is “getOldestData”. Calling this method will return an array of the oldest line of values from the Mindset and getDataCount returns the number of lines currently queued.

The returned array contains ordered NSNumbers representing each type of value available from the mindset. The array elements can always be accessed in the following order:

• Attention (0)
• Meditation (1)
• Raw (2)
• Delta (3)
• Theta (4)
• Alpha1 (5)
• Alpha2 (6)
• Beta1 (7)
• Beta2 (8)
• Gamma (9)
• Gamma2 (10)
• SignalQuality (11)

The client is left to access these elements as it pleases from the NSArray object returned by getOldestData. The server also relies on the client to remove the original data from the server as soon as it grabs it by calling “removeOldestData” on “sharedObject”.  (If the client does not call this, there is no auto-cleanup by the server until it’s stopped or exits and the client will not be able to access new data.)

If multiple lines of data are queued, getOldestData and removeOldestData should be executed repeatedly. A simple example would be:

if ([sharedObject getDataCount] > 0)

{

mindDataLine = [NSArray arrayWithArray:[sharedObject getOldestData]];

[self setOutputAttention:[[mindDataLine objectAtIndex:0] doubleValue]];

[sharedObject removeOldestData];

}

That’s really it.  How to write a server is out of the scope of this post, but Neurosky has some great documentation and have provided examples from which I have –heavily–  borrowed.

Let me know if you have questions or need further explanation. I’m going to continue to work on the art project with this stuff and will post more about that later.

In this demo (which is a significant step further than my last), my project selects between a series of images, merges them, moves them, and adds various visual effects based only on input from my brain waves (as measured by a Neurosky Mindset). All images – both drawings and photos – were made by me.  Depending on when I run this, the images selected and how they’re merged vary significantly. In this case, only a small subset were selected. Other times, there is a wider variety. It’s important to note that often, this has created pairings and mergings that are fantastically cool looking.  The Next step, creating a self portrait video of me sleeping with a curved screen over top of me projecting what my mind does with this while I sleep.

Thinking out loud, I wrote this earlier:

One of my interests, part of my future role, and with a perspective grounded in building/designing ways to detect badness / working on ICS-CERT, is in combating our habit of defining security in technical terms or on relying on technologists to “fix it”without ever defining what “it” is.  A secure system is one that does no more and no less than the people who have ownership and stake in it wish it to do- and that’s a business rule/decision/appetite.  As a technologist, if you ask me to secure your systems and let me define what that means, I’ll fail.  (ie: There is no “evil” flag in TCP). I’d like to make a plea for organizations to define security through risks to interrelated cross-sector business and social requirements (and associated appetites) before spending so much effort to create technical security plans, standards, controls, laws. An army without a defined mission can be potent just based on size and power, but one that has a mission and defined goals is much, much better.

I’m sure I’ll evolve what I actually want to say between now and September, but that’s where my head is now.

It’s always interesting dealing with the somewhat schizophrenic nature of government messaging.  While I understand the constraints, the risks, and the realities of trying to run a free-for-the-private sector service that actually DOES something in the government, it was always a little disheartening to hear (or read) people suggest that the government wasn’t doing anything for some of our cyber security problems, that it didnt have the services available, or “Well, I heard DHS started ICS-CERT, but I think they shut it down?” And, with the media so often just not getting it – and people so often not doing basic research – this happened more frequently than it should.  So, now that I’m in the role of customer here (and not on the floor there), I can finally say:

If you’re an asset owner, a vendor, a service provider, a customer, or otherwise a stakeholder in private sector or government critical infrastructure / key resources, you should be aware of CSSP and ICS-CERT (ICS-CERT has been functioning, in its current form, since earlier this year).

To start with: The Control Systems Security Program (CSSP) is an offering out of Homeland Security which:

“attempts to…reduce industrial control system risks within and across all critical infrastructure and key resource sectors by coordinating efforts among federal, state, local, and tribal governments, as well as industrial control systems owners, operators and vendors. The CSSP coordinates activities to reduce the likelihood of success and severity of impact of a cyber attack against critical infrastructure control systems through risk-mitigation activities.”

This includes providing a FREE cyber security assessment tool, onsite assessment visits, and the well-run Industrial Control Systems Joint Working Group (ICSJWG) and its associated conferences. CSSP also provides a variety of free-training in Control Systems Security, both locally in DC as well as, for it’s hands-on Red/Blue Team training,  in Idaho Falls.

Then, providing a tactical operational arm to the more strategic CSSP, ICS-CERT is a fully functioning free CERT service for your CIKR organizations. ICS-CERT will, as part of its mission:

1. Provide onsite fly-away technical incident response
2. Perform digital media analysis on media potentially affected by an incident
3. Coordinate the responsible release of vulnerabilities (involving third party researchers, vendors, etc.)
4. Provide timely situational awareness
5. Coordinate national response, via its seats in the National Cybersecurity Communications and Integration Center (NCCIC), with US-CERT, NCC, Law Enforcement, and other organizations.

All you have to do, basically, is ask.  They’ve assisted, during my tenure, quite a few organizations – large and small – and continue to do so.

(Importantly, ICS-CERT has neither a law-enforcement NOR a regulatory function. Their mission is to assist you in defending yourselves and responding to incidents. Your data is, and remains, yours, in any interaction with them. )

And you thought the government doesn’t do anything for cyber security :)

To contact ICS-CERT:

• Call the ICS-CERT Watch Floor: 1-877-776-7585
• Email regarding ICS related cyber activity: ics-cert@dhs.gov

Their website is: http://ics-cert.org

The talks start at 4:45 and go for an hour (or a little over) and you can find us at:

Mount Vernon Place United Methodist Church
900 Massachusetts Ave NW, Washington DC

If you want to hear more about consumer-grade fun with using your brainwaves to manipulate the world around you, come check it out!

The current speaker lineup is:

• Look Ma, No Wires (Michael Panfield)
• Sysadmins: Have smartphone, will travel (Betsy Nichols and Andrei Tchijov)
• AI: Three most common reactions (Bradford Barr)
•  ??? (Alan McCosh)
• Writ Large: scaling a Cartesian robot (Dan Barlow)
• Urban Data Access: How communication builds communities (Will Holcomb)
• Fast Creativity: Using the DNA of Improvisational Comedy to Foster Ideas Fast (Shawn Westfall)
• While you sleep: Making Art with your mind (and a little code) (Jack Whitsitt)

Really?

What gives? 0days/0-days/zero days used to mean (generally speaking) those exploits of which neither the vendor nor the “good guys” knew anything about. Ie, “zero days” had passed since a solution -could have- begun being developed.   I like About.com’s phrasing:

“A zero day exploit is when the exploit for the vulnerability is created before, or on the same day as the vulnerability is learned about by the vendor.”

A flaw that the vendor and the response community have known about for months but which the vendor hasn’t addressed is NOT a 0day - it’s an unpatched problem :P (There are cases where the time from the issue being known about until the vendor patches it has exceeded, in some cases, a decade.)

I’m trying to figure out how we got to this perceived definition and I wonder if it’s our refusal to come to grips with the fact that there are hundreds/thousands of security flaws running around out there that “the bad guys” know about (and use) that the “good guys” dont have a clue about. We run around patching things like if only we could just reduce the time it takes to patch systems to near-zero that somehow we would be measurably more secure.

If we just write out the truly severe part of the vulnerability window  – where there are vulnerabilities and exploits we don’t know about – from our language/definitions, it won’t exist right?

Right?

Bueller?

Would you buy a corvette? Hells no. You’d wait until you found something that met your minimum requirements: Moving the family around. If you got the vette, you would have gotten something that, even if it fit “some” of your requirements (moving some people around), doesn’t  fit enough of them to actually solve the problem. Furthermore, if you did get the vette, you probably wouldnt be able to afford the van so your problem would go on even longer than if you hadnt gotten the corvette.

Welcome to the kind of security that says “we should do more of what we’ve been doing, even though we know the architectures don’t work…because something is better than nothing.“  We can’t continue to add on layer after layer of security at ever increasing cost when no number of those layers, as modeled today, will ever get us to a comfortable place.  Getting owned by X% fewer people is still getting owned and doesn’t really change your risk profile unless X is a much bigger number than today’s most common best practices get us.

Nothing is ever perfect, so I’m not suggesting no one should take action until they find a perfect solution. Rather, I’m suggesting we all take a close look at our solution sets and look at how good they’re ever going to get at the end of the day and make decisions appropriately. When selecting a “50%” solution architecture for $Y, dont get caught thinking $Yx2 will get you a 100% solution with the same architecture:)

Take a look at it if you’re in the control systems / SCADA and security/emergency space (particularly with regard, but not limited, to cyber).

Edit/Update: Now that I’m no longer there, I do have a brief take on the subject and a summary of information HERE

Official press release follows:

—

Washington, DC — DCist.com is pleased to announce its fourth annual DCist Exposed Photography Show, at Long View Gallery, running March 6 to 21, 2010. Out of over 1,000 individual entries submitted through Flickr.com, 47 winning images were selected by a panel of judges to be included in this year’s DCist Exposed exhibit. DCist.com prides itself on engaging and promoting emerging local photographers through its daily use of images from the popular, reader-generated DCist Flickr photo pool.  Each day, DCist.com selects photos from the pool for use in its daily coverage of local news, arts and entertainment, food and sports.

This year’s opening reception will be bigger and better than ever, to be held Saturday, March 6, 2010 from 6 to 10 p.m. At the bar, mixologist Scott Palmer from Dino will have a special punch, Leopold Brothers will host a liquor tasting, and Pabst Blue Ribbon will hold down the fort with plenty of beer.  Nage will provide hor’dourves, while DJs v:shal kanwar and Sequoia spin tunes.  Reception is $5 per guest at the door.

Long View Gallery is located at 1234 9th St. NW, just a few blocks from the Mt. Vernon/Convention Center Metro. The 2009 DCist Exposed event welcomed over 1,000 people on opening night, and with this even larger venue, we expect our biggest crowd ever. All photographs selected and displayed at DCist Exposed will be for sale at prices well below traditional gallery shows.  Regular gallery hours are Wednesday-Saturday, 11 a.m. to 6 p.m., and Sunday, 12 to 5 p.m.

The 2010 DCist Exposed Photography Show is sponsored by Ten Miles Square, Pink Line Project, and Pabst Blue Ribbon.

I finally decided to put the Xcode project and associated source for pkviz up for free download and license it under GPL v3.

I’ve created a google code page for it HERE.

You can grab a stand alone zip of the source/project HERE.

(I’ve never used SVN before, so what’s up at the google code page might periodically be fubared, so you might want to start with the zip)

Feel free to download, comment, and please -contribute-. This was my first Objective-C app and first Xcode project, so if it’s a mess…well…deal or help? :)

Just remember the google code page if you want to post some updates or questions.

I’ve also made some haphazard notes to help people understand the code:

—–

The aquireData class handles reading the tcpdump text file. It uses Core Data to store the data. If I had to do it over, I wouldn’t have used Core Data…but it is what it is.  You can find the data model by double-clicking pkviz_DataModel under the Models folder in the project in Xcode.

pkGraphView is a subclass of NSView that I use to handle the layers, which are done in Core Animation (easy enough to understand). The view has a delegate function (drawLayer) which I handle in the layerDelegate class to deal with drawing the paths for each layer.

Everything else is handled by transformData – it’s pretty much my controller.

Rough flow:

the Load button tells aquireData to parse tcpdump and store in a core data context

The launch button kicks off transform data, which pulls in the data from the core data context, sticks it into an array, launches a thread to pop out individual packets, and then tells the view when it’s read to display another packet.  Everything else stops, starts, adjusts the current packet referenced, or aids this animation loop process.

The main array of packets in transformData is bytepakposSet.  It is an array of packet arrays. packet arrays contain arrays of bytes with 2 values in them: bytevalue, and byteposition

so, if you wanted to access the third packet in bytepakposSet and see what the byte value of the first byte stored is, you’d do:

[[[[bytepakposSet objectAtIndex:2] objectAtIndex:0] objectAtIndex:0] intValue];

if you wanted to get the byte value and position returned in an array:

[[bytepakposSet objectAtIndex:2] objectAtIndex:0]

Core Data doesnt return objects in order, so you dont know ahead of time what order the bytes are in the packet, youll have to sort them by position in packet first. You can find position:

[[[[bytepakposSet objectAtIndex:2] objectAtIndex:0] objectAtIndex:1] intValue];