The Cybersecurity Mess

From Simson Garfinkel
Jump to navigationJump to search

Outline of Talk

Cybersecurity is a Wicked Problem that can't be solved

In fact, attempts to solve it make it worse.

Today's systems are less secure than those of the 1970s

  1. Computers are more complex — more places to attack them.
  2. There are multiple ways around each defense.
  3. It’s easier to attack systems than defend them.
  4. It’s easier to break things than to fix them.

Consider last week's headlines from Info Sec News

  1. [ISN] March 19: IRS Employee Took Home Data on 20,000 Workers at Agency
  2. [ISN] March 14 Top Gun Takeover: Stolen F-35 Secrets showing up in China's stealth fighter (secrets stolen in Operation Byzantine Hades, circa 2007)
  3. [ISN] March 13, 2014: Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It (Businessweek; Target had deployed FireEye, the outsourced security firm in Bangalore noticed the malware, contacted Target's security team in Minneapolis, and nothing was done. Quotes Verizon Enterprise Solutions study that finds companies discover breaches through monitoring 31% of the time, but retailers only 5%.)
  4. [ISN] March 14, 2014: China’s Hackers to Target U.S. Entertainment Industry, Security Firm Warns (FireEye warns US film and entertainment that they will come under attack from Chinese hackers)
  5. [ISN] March 13, 2014: For EC-Council, Mum's the word
  6. [ISN] March 12, 2014: Reverse Wardriving: Tracking Apple and Google Commuter Buses by Their Wi-Fi Clouds (36 Apple busses pass Kevin Poulsen's home each day)
  7. Meanwhile, on March 19th SC Magazine reported Unpatched servers still enabling exploitation of two-year-old PHP vulnerability

The Cybersecurity mess is technical and social.

  1. Most attention is focused on technical issues:
    1. Malware and anti-viruses
    2. Access Controls, Authentication, Encryption & Quantum Computing
    3. Supply chain issues
  2. Non-technical issues are at the heart of the cybersecurity mess.
    1. Education & career paths
    2. Immigration
    3. Manufacturing policy

We would do better if we wanted to do better.

Technical Trends

  1. High-capacity portable storage
  2. Fully connected networks.
  3. Multiple networks & bridging

Cybersecurity is expensive

  1. Global cybersecurity spending: $60 billion in 2011 (Cyber Security M&A, pwc, 2011)
  2. Bloomberg Government Study, "The Price of Cybersecurity: Big Investments, Small Improvements" (2012)
    1. 172 Fortune 500 companies surveyed
    2. Spending $5.3 billion per year on cybersecurity, stopped 69% of attacks
    3. Raising spending to $10.2 billion would stop 84% of the attacks
    4. Raising spending to $46.67 billion would stop 95% of attacks, the "highest attainable level."
    5. 95% is not good enough.

Cybersecurity is undefined

We don't have a good definition of cybersecurity

  1. "Preventing computers from being hacked"
  2. Using “network security” to secure desktops & servers

There is no way to measure cybersecurity

  1. Which OS is more secure?
  2. Which computer is more secure?
  3. Is “open source” more secure?

We do know one thing about cybersecurity...

  1. Spending more money does not make computers more secure.

Cybersecurity research does not make computers more secure

  1. “Reducing successful hacks” creates too big a target.
    1. Targets include data, apps, OS, network, human operators, hiring process, supply chain, family members, ...
  2. Security research creates better attacks.
  1. The environment is less secure:
    1. Increased interconnectedness
    2. Computers in more positions of trust
  2. Attacks today do more damage than attacks in the 1990s.

The more we learn about securing computers, the better we get at attacking them

Cybersecurity is an insider problem

  • bad actors
  • good people with bad instructions
  • remote access
  • malware

If we can stop insiders, we can secure cyberspace... But we can’t stop insiders.

  • Amex
  • Hanssen
  • Manning
  • Snowden

Cybersecurity is a “network security” problem.

We can’t secure the hosts, so secure the network!

  • Isolated networks for critical functions.
  • Stand-alone hosts for most important functions.

But strong crypto limits visibility into network traffic, and... ... ... stuxnet shows that there are no isolated hosts.

Every computer is connected to every other computer on the planet.

  • USB sticks, DVDs, printers (“yellow dots”), scanners.
  • Downloaded software (OS, applications), firmware, microcode
  • Every system is part of a computational ecology.

“to a first approximation, every computer in the world is connected to every other computer.” --- Robert Morris (1932-2001), to the National Research Council’s Computer Science and Technology Board, Sept. 19, 1988

"Secret Code in Color Printers Lets Government Track You" (October 16, 2005) Tiny Dots Show Where and When You Made Your Print San Francisco - A research team led by the Electronic Frontier Foundation (EFF) recently broke the code behind tiny tracking dots that some color laser printers secretly hide in every document.

Cybersecurity is a process problem

Security encompasses all aspects
of an organization’s IT and HR

Microsoft Security Development Lifecycle

Windows RT hack

  • Microsoft controlled the hardware and the software.
  • Windows RT — still hacked
  • January 8, 2013

Cybersecurity is a money problem

Security is a cost.....Not an “enabler” No ROI

Chief Security Officers are in a no-win situation: Security = passwords = frustration No reward for spending money to secure the infrastructure Money spent on security is “wasted” if there is no attack

“If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.” Spaf’s first principle of security administration
Practical Unix Security, 1991

Cyber Security is a “wicked problem”

No clear definition of the wicked problem
You don’t understand the problem until you have a solution.
No “stopping rule”
The problem can never be solved.
Solutions not right or wrong
Benefits to one player hurt another — Information security vs. Free speech
Solutions are “one-shot” — no learning by trial and error
No two systems are the same. The game keeps changing.
Every wicked problem is a symptom of another problem

Why is Cybersecurity so hard?

Cyber Security has an active, malicious adversary.

The adversary...

  • Turns your bugs into exploits
  • Adapts to your defenses
  • Waits until you make a mistake
  • Attacks your employees when your systems are secure

For example... Compiler bugs are security vulnerabilities! (VU#162289)

C compilers may silently discard some wraparound checks The adversary chooses:

  • What to exploit
  • When to exploit it
  • How to exploit it

We have seen:

  • Optimizations can become security vulnerabilities
  • The same errors are repeatedly made by different programmers

What’s difference between a bug and an attack?

  • The programmer’s intent.

CPU bugs are remotely exploitable

Kris Kaspersky - Remote Code Execution Through Intel CPU Bugs, 2010

This means:

  • Programs that are “secure” on one CPU may be vulnerable on another.
  • Auditing the code & the compiler isn’t enough.


  • “Fact: malware that uses CPU bugs really does exist;”
  • “not apocalypse, just a new threat;”

The supply chain creates numerous security vulnerabilities

  • Hardware
  • Software
  • Apps
  • Wireless providers
  • Carriers
  • Developers
  • Apple

The attacker is smarter than you are, and has more time to find a good attack.

  • ACComplice - Location Inference using Accelerometers on Smartphone

USENIX Security, August 10–12, 2011.

IEEE Symposium on Security and Privacy, Oakland, CA, May 16–19, 2010

Any system can be hacked...

The Good News

Fortunately adversaries are not all powerful.

Adversaries are impacted by:

  • Economic factors
  • Attention span
  • Other opportunities

You don’t have to run faster than the bear….

There are solutions to many cyber security problems...

... but we don’t use them.

As of March 22, 2014

Windows 7 has vulnerabilities, but it’s better.

Apple users don’t use anti-virus.

  • Yes, Apple tries to fix bugs, but

Most “SSL” websites only use it for logging in.


Smart Cards

Many people liken cyber security to the flu.

DHS calls for “cyber hygiene”

  • install anti-virus
  • update your OS
  • back up key files


Another model might be obesity....

Making people fat is good business:

  • Farm subsidies
  • Restaurants
  • Healthcare and medical utilization
  • Weight loss plans
    • Few make money when Americans stay 
trim and healthy.

Lax security is also good business:

  • Cheaper cost of deploying software
  • Private information for marketing
  • Selling anti-virus & security products
  • Cleaning up incidents
    • Few benefit from secure computers

Cyberware is more like bioware than nuclear war

  • Cheap to produce
  • Easy to attack
  • Hard to control
  • Hard to defend
  • No clear end

Non-technical factors impact cyber security.

These factors reflect deep divisions within our society.

  • Shortened development cycles
  • Education: General failure in teaching science, engineering & math

  • HR: Inability to attract and retain the best workers
  • Immigration Policy: Foreign students; H1B Visa
  • Manufacturing Policy: Building in your enemy’s factories is a bad idea

Solving the cyber security mess requires solving these issues

Short development cycles

Insufficient planning:

  • Security not “baked in” to most products.
  • Few or no security reviews
  • Little Usable Security

Insufficient testing:

  • Testing does not uncover security flaws
  • No time to retest after fixing

Poor deployment:

  • Little monitoring for security problems
  • Difficult to fix current system when new 
system is under development

Education is not supplying enough security engineers

Security HR Pipeline

  • High School → College → Graduate School → Career

Mastery Issue:

  • Many professional programmers learn their craft in college.
  • College English graduates: 16 years’ instruction in writing
  • College CS graduates: 4 years’ instruction in programming
    • Is it any wonder their code has security vulnerabilities?

CS Education Stats are terrifying

  • 73% of states require computer “skills” for graduation.
  • Only 37% require CS “concepts”

===High school students do not take the AP computer science (peaked in 2002)

2013 CS AP:

  • "No females took the exam in Mississippi, Montana, and Wyoming.
  • "For states that had some females take the exam the percentage female ranged from 3.88% in Utah to 29% in Tennessee.
  • "11 states had no Black students take the exam: Alaska, Idaho, Kansas, Maine, Mississippi, Montana, Nebraska, New Mexico, North Dakota, Utah, and Wyoming.
  • "Nationally 29,555 students took the AP CS A exam in 2013. This was a big increase (19.25%) from the 24,782 students who took it in 2012. The number of teachers who passed the audit was 2,253 versus 2,103 the previous year. The number of female exam takers was 5,485 which was up from 4,635 the year before. The number of black students was 1,090 which was an increase from 1,014 the previous year. The number of Hispanic students was 2,408 up from 1,919 the previous year.
  • "The percentage female was 18.55% which was lower than the previous year 18.7%. The overall pass rate was 66.85% which was up from 63.2% the previous year.
  • "The female pass rate was 62% which was up from 56.4% the year before. The Asian pass rate was 73%. The white pass rate was 69.23%. The Hispanic pass rate was 45%. The black pass rate was 35.5%.

Talubee Survey Report

2012 results:

  • Peaked in 2003, on the rise again.
  • 2011 enrollment is same as 2004.
  • 15,975 Bachelor degrees in CS, CE and I awarded in the US. (6.9% non-resident alien)
  • 10,518 Masters degrees awarded (7,462 CS, 878 CE, 2178 I); (53.8% non-resident alien)
  • 1929 PhDs (50.1% awarded to non-resident alien)

2009 Study by Lindsay Lowell at Georgetown=

50% of graduate students in sciences are foreigners because salaries aren’t high enough.

“...the problem may not be that there are too few STEM qualified college graduates, but rather that STEM firms are unable to attract them.

Highly qualified students may be choosing a non-STEM job because it pays better, offers a more stable professional career, and/or perceived as less exposed to competition from low-wage economies.”

Manufacturing Policy

  • US did not buy WW2 aircraft in Germany
  • But we do buy our computers from China

There is no obvious way to secure cyberspace

We trust computers…
but we cannot make them trustworthy. 
(A “trusted” system is a computer that can violate your security policy.)
We know a lot about building secure computers...
but we do not use this information when building and deploying them.
We know about usable security…
but we can’t make any progress on usernames and passwords
We should design with the assumption that computers will fail…

but it is cheaper to design without redundancy or resiliency.

Despite the new found attention to cyber security, our systems seem to be growing more vulnerable every year.
  • 7% of Bachelor's degrees awarded to "nonresident alien"

My vision of the future

  1. Technical societal collapse.
  2. National Academies - "Severe Space Weather Events --- Understanding Societal and Economic Impacts, Workshop Report" (2008)
  3. "According to a study by the Metach Corpo, the occurance today of an event like the 1921 sotmr would result in large-scale blackouts exposing more than 130 million people and would expose more than 350 transformers to the risk of permanent damage." (Transformers have manufacture lead times of 12 months or more.)

Cybersecurity Mess Slides

Related Slides

Famous Cyber Attacks