The Cybersecurity Mess

From Simson Garfinkel
Jump to navigationJump to search

Outline of Talk

Today's systems are less secure than those of the 1970s

  1. Computers are more complex — more places to attack them.
  2. There are multiple ways around each defense.
  3. It’s easier to attack systems than defend them.
  4. It’s easier to break things than to fix them.

Consider last week's headlines from Info Sec News

  1. [ISN] March 19: IRS Employee Took Home Data on 20,000 Workers at Agency
  2. [ISN] March 14 Top Gun Takeover: Stolen F-35 Secrets showing up in China's stealth fighter (secrets stolen in Operation Byzantine Hades, circa 2007)
  3. [ISN] March 13, 2014: Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It (Businessweek; Target had deployed FireEye, the outsourced security firm in Bangalore noticed the malware, contacted Target's security team in Minneapolis, and nothing was done. Quotes Verizon Enterprise Solutions study that finds companies discover breaches through monitoring 31% of the time, but retailers only 5%.)
  4. [ISN] March 14, 2014: China’s Hackers to Target U.S. Entertainment Industry, Security Firm Warns (FireEye warns US film and entertainment that they will come under attack from Chinese hackers)
  5. [ISN] March 13, 2014: For EC-Council, Mum's the word
  6. [ISN] March 12, 2014: Reverse Wardriving: Tracking Apple and Google Commuter Buses by Their Wi-Fi Clouds (36 Apple busses pass Kevin Poulsen's home each day)
  7. Meanwhile, on March 19th SC Magazine reported Unpatched servers still enabling exploitation of two-year-old PHP vulnerability

The cybersecurity mess is technical and social.

  1. Most attention is focused on technical issues:
    1. Malware and anti-viruses
    2. Access Controls, Authentication, Encryption & Quantum Computing
    3. Supply chain issues
  2. Non-technical issues are at the heart of the cybersecurity mess.
    1. Education & career paths
    2. Immigration
    3. Manufacturing policy

We would do better if we wanted to do better.

Technical Trends

  1. High-capacity portable storage
  2. Fully connected networks.
  3. Multiple networks & bridging

Cybersecurity is expensive

  1. Global cybersecurity spending: $60 billion in 2011 (Cyber Security M&A, pwc, 2011)
  2. Bloomberg Government Study, "The Price of Cybersecurity: Big Investments, Small Improvements" (2012)
    1. 172 Fortune 500 companies surveyed
    2. Spending $5.3 billion per year on cybersecurity, stopped 69% of attacks
    3. Raising spending to $10.2 billion would stop 84% of the attacks
    4. Raising spending to $46.67 billion would stop 95% of attacks, the "highest attainable level."
    5. 95% is not good enough.

Cybersecurity is undefined

We don't have a good definition of cybersecurity

  1. "Preventing computers from being hacked"
  2. Using “network security” to secure desktops & servers

There is no way to measure cybersecurity

  1. Which OS is more secure?
  2. Which computer is more secure?
  3. Is “open source” more secure?

We do know one thing about cybersecurity...

  1. Spending more money does not make computers more secure.

Cybersecurity research does not make computers more secure

  1. “Reducing successful hacks” creates too big a target.
    1. Targets include data, apps, OS, network, human operators, hiring process, supply chain, family members, ...
  2. Security research creates better attacks.
  1. The environment is less secure:
    1. Increased interconnectedness
    2. Computers in more positions of trust
  2. Attacks today do more damage than attacks in the 1990s.

The more we learn about securing computers, the better we get at attacking them

Cybersecurity is an insider problem

  • bad actors
  • good people with bad instructions
  • remote access
  • malware

If we can stop insiders, we can secure cyberspace... But we can’t stop insiders.

  • Amex
  • Hanssen
  • Manning
  • Snowden

Cybersecurity is a “network security” problem.

We can’t secure the hosts, so secure the network!

  • Isolated networks for critical functions.
  • Stand-alone hosts for most important functions.

But strong crypto limits visibility into network traffic, and... ... ... stuxnet shows that there are no isolated hosts.

Every computer is connected to every other computer on the planet.

  • USB sticks, DVDs, printers (“yellow dots”), scanners.
  • Downloaded software (OS, applications), firmware, microcode
  • Every system is part of a computational ecology.

“to a first approximation, every computer in the world is connected to every other computer.” --- Robert Morris (1932-2001), to the National Research Council’s Computer Science and Technology Board, Sept. 19, 1988

"Secret Code in Color Printers Lets Government Track You" (October 16, 2005) Tiny Dots Show Where and When You Made Your Print San Francisco - A research team led by the Electronic Frontier Foundation (EFF) recently broke the code behind tiny tracking dots that some color laser printers secretly hide in every document.

Cybersecurity is a process problem

Security encompasses all aspects
of an organization’s IT and HR
operations.

Microsoft Security Development Lifecycle

Windows RT hack

  • Microsoft controlled the hardware and the software.
  • Windows RT — still hacked
  • January 8, 2013

Cybersecurity is a money problem

Security is a cost.....Not an “enabler” No ROI

Chief Security Officers are in a no-win situation: Security = passwords = frustration No reward for spending money to secure the infrastructure Money spent on security is “wasted” if there is no attack


“If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.” Spaf’s first principle of security administration
Practical Unix Security, 1991

Cyber Security is a “wicked problem”

No clear definition of the wicked problem
You don’t understand the problem until you have a solution.
No “stopping rule”
The problem can never be solved.
Solutions not right or wrong
Benefits to one player hurt another — Information security vs. Free speech
Solutions are “one-shot” — no learning by trial and error
No two systems are the same. The game keeps changing.
Every wicked problem is a symptom of another problem

Pair of Automotive papers

USENIX Security, August 10–12, 2011.

IEEE Symposium on Security and Privacy, Oakland, CA, May 16–19, 2010

My vision of the future

  1. Technical societal collapse.
  2. National Academies - "Severe Space Weather Events --- Understanding Societal and Economic Impacts, Workshop Report" (2008)
  3. "According to a study by the Metach Corpo, the occurance today of an event like the 1921 sotmr would result in large-scale blackouts exposing more than 130 million people and would expose more than 350 transformers to the risk of permanent damage." (Transformers have manufacture lead times of 12 months or more.)

Cybersecurity Mess Slides

Related Slides

Articles