
Someone today asked me about CISA. The truth is, I’ve stopped paying attention. Everyone, just shut up and pass something so we can move on. But, I do have perspective that might be relevant: I’ve spent the past 12 years in infosec, including doing threat analysis, have spent the past 8-ish years in Critical Infrastructure, have been a government operational incident responder to the private sector with access to super secret info sauce, have helped build a strategic government public/private partnership program, worked with a number of ISACs, and have worked in a non-profit ISAO-like environment. Here’s what I think:

A long time ago, in a galaxy far too close to here, a bunch of techies, not in sufficient control of the business and other environmental factors to influence the cybersecurity exposure business was creating or suffering from, said: “We need better, actionable information to succeed!”. This was both sexy-tech driven and a last resort. If the business was leaving the doors and windows open, the “defenders” (heh) needed to know as much about their adversary as they could.

At the same time, businesses, finding they were becoming more and more on the hook for serious adversary conflict (as opposed to automated worms), tried to offload their responsibilities to the government. Lack of “Information Sharing” was a really convenient roadblock to partnership. “Hey, look, gov, we’d really like to help, but you’ve got all this awesome intel that you won’t share, how can WE do anything? YOU should!”.

Government, having its own interests, was also looking for more data because, essentially, most of theirs was limited or sucked or wasn’t useable. At the end of the day, cyber conflict is occurring on private infrastructure – the government infrastructure either being tangential to the discussion at hand, handled internally, or a peer infrastructure to the private critical infrastructure (i.e., the internet is the internet is the internet and it’s all a common geography of conflict). So they said (and, for what it’s worth, largely truthfully): “We can’t send you information if you don’t send US information! How can we know what’s actionable for you?” The fact that they might have their own uses for the information was tangential to this roadblock/truth.

This was *exactly* what industry hoped would happen! Industry, having done this in the past with other non-cyber information sharing, knew this would stymie everyone for a while: competitive disadvantages, risk of prosecution for what they shared, inability of government to release classified information effectively, and the biggie – risk of regulation!

So at this point, we had:

Techies going: “Mmmm..Info Share! Sexy! We want more info! Wait, actually reduce exposure? That’s no fun, and besides, that’s really out of our control – business people suck at making decisions”

Industry: “Sweeeeet. This techie cry for Info Sharing is cool! It’s something that looks like low hanging fruit that we can use to block cyber interaction with the government indefinitely”

Gov: “Hmm. Cyber is scary and we have little to no visibility and we’re on the hook to help without (for the most part) regulation, we need information to better conduct conflict and apply game theory to international relations! We need to get industry to trust us and give us all their bits!”

Given the long history of the government ROYALLY screwing up trust relations with industry, this stood for years as a happy-medium-quagmire with everyone taking pot shots at each other from across entrenched positions.

But wait! Suddenly it actually got serious – the MEDIA started running away with cyber? Can those Chinese kids take out the power grid? OMG! (Note: I actually think the risks from cyber conflict are potentially VERY severe, but these are not the SAME risks as the ones Media got hold of). And suddenly, congress, who KNOWS where its risks come from – bad political coverage by the media forcing uneducated people to vote or clamor for some MEME-OF-THE-DAY – got involved.

Congress: “Gov, Industry, Techies? What do we need to do CYBER better?!!?!?”

All: “Informaaaatttiion Shaaaarrrriiinnnnggg…”

And now, Congress has it, and everyone has lost COMPLETE sight of the fact that, at best, information sharing is a MATURE and DIFFICULT capability that results from mature organizational awareness and decision making and will, again at best, help catch the EXCEPTIONS that are not handled by mature organizational decision making, and will do little to NOTHING to reduce cybersecurity risk exposure or to reduce the escalating cost and complexity of the problem over time. Instead, it will help better execute/conduct conflict in cyberspace, satisfy techies who want to play more complicated games and solve more interesting problems, and leave the governments involved without any real position change in their ability to apply game theory strategically to cyberspace.

(NOTE ABOUT THE BELOW: This post was more about the history of information sharing driving these types of bills. My comments below are much less informed)

Does CISA trample on rights and privacy? Maaaaayyybee – Probably not…this is an old discussion that wasn’t completely initiated by government.  It may have secondary cascading effects, but I don’t believe that’s the primary motivation for it (or even A motivation).

Do I want them to pass it? Well, the government has shown it is PERFECTLY WILLING to try and get this information by other means, so….are we really losing anything? If nothing else, if we pass AN information sharing bill, at least there’s an increased possibility everyone will be able to finally share the Information that the Info Sharing Emperor Has No Clothes?


Earlier this week, I started back up at TSA supporting their private sector critical infrastructure responsibilities under HSPD-7 and the NIPP. Being new (well, new again), I just had to get on some of my recurring soap boxes. One of them was our doomed-to-failure approaches to security. (Nice to start off on an optimistic foot, yeh?) Pretty soon, the conversation narrowed down to the role of CERTs and incident response. In the middle of trying to explain how sending a bunch of guys in trenches to combat an enemy who could nuke from thousands of miles away was a waste of time, I had a revelation: The “bad guys”, with the complete cooperation of the “good guys”, are creating a denial of service condition across the country and planet: a Responder Denial of Service – or, an “RDoS”.

What exactly is an RDoS? It works a lot like a SYN flood, which spins up a whole lot of blank connection attempts to a server. The server must receive these connections, wait a while to see if valid data arrives, then close them. The thing is, because the sender knows the connections are blank (and is using things like botnets and such), it can generate a lot more connection attempts than the server can handle. Eventually, the server gets so busy that it fails to respond to real connections.

Now, think of how we handle “security”.  We religiously and studiously avoid building hardened, defensible systems from the ground up and rely on fixes, patches, and incident responders to cope with the eventual problems later (hoping all the while – in vain – that the attacks never come).

What we end up with, by and large, are systems that are so poorly constructed that it takes a large amount of effort to detect, confirm, respond to, and recover from attacks. Further, while attackers can fairly easily attack multiple systems simultaneously, we require dedicated defenders/responses for much smaller groups of systems (or even individual systems). This leaves us with an “RDoS”. Our security philosophies leave so much open that we can never, ever sufficiently resource our defenses at an adequate level. Everyone is occupied. Just ask your incident response vendors, teams, and CERTs (over beers, of course), about their available resources vs the demand for their services, vs the large iceberg of incidents under the water that aren’t even talked about yet.
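The SYN-flood mechanism described above and the RDoS analogy built on it both come down to one thing: a fixed pool of slots, each tied up for a hold time by work that never completes, being consumed faster than it is released. The toy model below is an added example (not code from the original post) that simulates exactly that in discrete time with constructed numbers: a server with a `backlog` of half-open slots, junk attempts that hold a slot for `half_open_timeout` ticks, and legitimate attempts that complete within a tick. It also shows the two levers a defender has inside that model (a bigger table, a shorter timeout) and why the timeout matters more. Read `backlog` as "responders" and `half_open_timeout` as "hours one incident ties up a responder" and the same loop is the responder version of the argument. The parameter names and the load figures are assumptions chosen for illustration.

```python
"""Toy capacity-exhaustion model for the SYN-flood / "RDoS" analogy.

Added example, not code from the original post. A server keeps a table of
at most `backlog` half-open connections. A junk attempt (one that will never
finish the handshake) occupies a slot for `half_open_timeout` ticks before
the server gives up on it; a legitimate attempt needs a free slot on arrival,
completes within the tick, and frees its slot at the next tick. Attempts that
arrive when the table is full are dropped.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FloodResult:
    legit_offered: int      # legitimate attempts that arrived
    legit_served: int       # legitimate attempts that found a free slot
    peak_occupancy: int     # most slots in use at any one time

    @property
    def legit_success_rate(self) -> float:
        return self.legit_served / self.legit_offered if self.legit_offered else 1.0


def simulate(backlog: int, half_open_timeout: int, junk_per_tick: int,
             legit_per_tick: int, ticks: int) -> FloodResult:
    """Deterministic discrete-time simulation (no randomness, so results are exact).

    Each tick: release slots whose hold time has elapsed, then admit this
    tick's junk attempts, then the legitimate ones. Junk goes first to model a
    sender that can fire faster than any real client (botnet vs. single user).
    """
    expiries: list[int] = []          # one entry per occupied slot: tick it frees
    legit_served = peak = 0
    for t in range(ticks):
        expiries = [e for e in expiries if e > t]        # release expired slots
        for _ in range(junk_per_tick):
            if len(expiries) < backlog:
                expiries.append(t + half_open_timeout)  # held until the server gives up
        for _ in range(legit_per_tick):
            if len(expiries) < backlog:
                expiries.append(t + 1)                   # completes, frees next tick
                legit_served += 1
        peak = max(peak, len(expiries))
    return FloodResult(legit_per_tick * ticks, legit_served, peak)


def compare_mitigations() -> dict[str, FloodResult]:
    """Same offered load (constructed numbers), three server configurations."""
    load = dict(junk_per_tick=20, legit_per_tick=5, ticks=50)
    return {
        "baseline (backlog 100, timeout 10)": simulate(100, 10, **load),
        "bigger backlog (300, timeout 10)": simulate(300, 10, **load),
        "shorter timeout (100, timeout 2)": simulate(100, 2, **load),
    }


if __name__ == "__main__":
    for name, r in compare_mitigations().items():
        print(f"{name}: served {r.legit_served}/{r.legit_offered} "
              f"({r.legit_success_rate:.0%}), peak occupancy {r.peak_occupancy}")
```

With these numbers the baseline table fills on the fifth tick and no legitimate attempt is admitted after that, even though the junk rate is modest; the steady state is junk expiring and being replaced one-for-one. Tripling the table only works because the junk rate times the timeout happens to fit inside it; the attacker just raises the rate. Cutting the hold time is what actually changes the balance, which is why real stacks shorten half-open timeouts or drop the held state altogether with SYN cookies. The responder reading is the same: adding responders helps until the incident rate grows, while cutting the hours each incident costs (systems that are detectable and recoverable by design) is the lever that scales.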

As I’ve said before: Good guys – you, we, have failed and will continue to fail if we keep going down this same road. We can’t win until we change strategies completely. We need to embrace our failure and build systems which are defensible from the inside, which are measurably effective against operational/business objectives, and which assume, from the get-go, that sections and components have been, are, and will continue to be compromised. This hacking perimeters on, giving lip service to change control, and our complete inability to integrate cyber into our ORM and our ORM into our business decision making is a waste of time and resources. We’d be better off spending the money and time elsewhere if we’re going to keep doing security as badly as we do it now.

If anyone disagrees with this post, I’d LOVE to hear a rational argument as to why. (Really!)

(UPDATE: 08/06/10)

I really think some of Bruce Potter’s remarks at Shmoocon in 2009 are pertinent here:

People are getting owned a lot.

  • Increased success in getting past our defenses
  • Increasingly malicious motivations. The bad guys aren’t after web defacements
  • In spite of the above, we haven’t changed our methods. It’s a lot of the same
  • Spear phishing and drive-bys are unabated.

What we have is a Maginot line…in depth
Of 66 million websites indexed by Google, 5 percent had drivebys.
These sites with drivebys weren’t just the risky underbelly of the web. It was every category of website. I don’t think that is surprising to anyone who has paid attention to security.
These findings were published last year in USENIX.
The malicious content on these sites was then scanned using three top Antivirus vendors. The best detection rate among these three vendors was only 75%. The worst was 30%. These are untargeted attacks. Imagine the ability of an attack targeted at your organization to cut through your antivirus defenses.
So what do you do?

NAC? Most people don’t have that deployed even if they’ve bought it.
Firewall Internally?
Token authentication?
Change jobs?

Yesterday, I threw down my soap box into another discussion of ways to rearchitect the internet – specifically the pieces supporting critical infrastructure.  It was, as usual, about technical solutions to large scale, enterprise security problems.  It was a bit of a stretch for me to bring this up in that particular thread, but I think it’s important to beat the drums on this subject wherever possible:

The “security” problems we’re having nationally and globally aren’t technical.  They’re not even security problems, really; they’re failures of management. In fact, they’re very similar failures to those leading up to and causing the current economic mess.  Any technical discussion is really putting the cart before the horse.

For example, I was recently on a con-call where a bunch of people at a large enterprise were trying to track down (to keep it generic) “Secure Devices” they’d purchased. Absolutely no one knew where they all were, who owned them, how many there were, whether they worked or not, how they were configured, etc. Some groups knew theirs, others didn’t. In some cases, there was duplication of effort. In others, worse still, there was conflict of effort. How can this environment possibly result in “security”?

This kind of management mess – not technical problems – is the primary contributor to the failure of cyber security, CIKR or otherwise.

Why do I believe this? I started out doing network security analysis. I was really good at it, but couldn’t do it nearly well enough because the tools seemed to suck.  So, I started designing better tools to do things in ways that had never been done before. But then I found that even with better tools, I still couldn’t provide a good basis for analysis because I didn’t know anything about the organization I was “securing”. Once I figured that out I went to try and get the business leaders to provide that information to their security team and I found that the information had never been collected and no one seemed to see the value in doing so.  That’s how I ended up (in short) with the perspective I have today.  It’s based in a sequence of layered steps that I know are solid – I only wish I could do a better job of communicating the dependencies here.

The conceptual failure seems to be the belief that technical risk remediation is a sane strategic end-goal.  It’s not. There will always be technical vulnerabilities and failures of design – that’s a given. You can fix these individually, but that’s a tactic not a strategy.  There is no end game or any way to get ahead of the curve.

Instead, we lack and should pursue national business, social, and government consensus on solid plans to:

  • Assess current environments and keep those assessments up to date,
  • Do interdependency analysis,
  • Plot those against business risk (individual organizations, nationally, etc.),
  • Measure performance and success in terms of business needs supported

Not to mention consensus on “communication” (which is probably even more important) like: who should be at the table for these things, how communication happens and with whom, etc. You get the idea.

These are all deficits that are completely independent of the technical architecture of our infrastructure. Filling them would get us a long way down the road to solving our security problems in our current environments.

We have a habit, in the cyber world, of consistently making changes without sober scientific evaluations of cause+effect and it bites back every time.  And, until we start getting better at the above named activities, we can’t do that evaluation in any way that will guarantee successful solutions. (I recognize that there are many, many good initiatives going on in these areas…but so far, they still seem disjointed and lacking enough universal consensus to solve the problem.)

Maybe some of these technical suggestions for rearchitecting the internet will work. Who knows? We don’t even have consensus on where, why, or how our current technology fails or where it succeeds. How can we claim to know what will fix it? Technical solutions to security problems without business context will only ever, at best, be Hail Marys and misguided hope.

Now to get a little more ranty (smile):

I really fear what is happening…which is calls for large scale, quick change without even the most fundamental management practices in place (e.g., business architecture).

What is going to happen is we’re going to invest a lot of time, money, and effort in technical re-engineering and we’re STILL going to get trampled on by malicious actors…except we’ll be billions of dollars more in the hole. I think that merits being called out as often as possible. What do you think?

The government and large enterprises get compromised constantly and at will. The whole mess from top to bottom, public and private, is absolutely fubar’d. This is public knowledge – it ends up on CNN regularly. Yet, our management processes are SO bad that even ending up on mainstream news does not force real change. Failing FISMA does not force real change. There is NO visibility from cyber technology to management to business leaders to business risk. There are exceptions, but this is the rule. So you don’t have the visibility to make the needed changes. Not only that, but without the data gathered by these management processes, security controls cannot ever be effectively placed, configured, or run. We will lose, no matter what technology we put in place, without these management practices. There is no question.

Technical solutions may work, but that’s like putting a finger in the dam. Unless there is a framework to consistently identify and correlate environment, requirements, risk, technology, and operational processes, controls will eventually fail because the enterprise (national, private, whatever) cannot respond to evolving threats. Spend the money up front to put in strong security practices, though, and the rest will follow.

Even then, we can’t possibly identify all the inter-dependencies and requirements needed to make large changes move without going through exactly the kind of process and management methodology I’m referring to anyway.  Just to put the cart before the horse requires the horse be in the front. (Does that even make sense? heh.)
