Always A Bad Day For Adversaries

Month: June 2012

What is ‘Cyber’?

Recently, a very amusing website launched to ask a very simple question, “will using the prefix cyber make me look like an idiot?”  It predicated the response based on an answer to three questions: (1) Are you a science fiction author, (2) are you about to engage in dirty instant messaging, and (3) are you using the word to engage in scare mongering?  You can see the answer to my questions below based on my everyday usage of the word:

The site is obviously established to poke fun at the growing use of the word cyber to describe many subjects and items.  There are many in the computer security/information assurance field who agree with that premise and openly disagree with its use in any form outside of science fiction or dirty instant messaging.

I come from a background in academia and research.  I understand the importance of word choice and usage.  However, I am also aware of the need to adopt a new lexicon when an existing one is not enough.  I believe this is one of those cases.

I too used to abhor the use of the word cyber in the computer security/information assurance/network security domains.  However, as my understanding of the topic matured beyond the technical concepts of these fields and into the human factors and psychology of the field, I realized these terms did not adequately describe the full scope of the analysis and operations required to secure computer systems.

The word cyber is necessary.

It is necessary because this field is much larger than just securing technical systems.  It MUST also embrace analysis, psychology, human factors, and aggressive operations (hence the name of the blog – ActiveResponse), amongst others.

The other terms used in this area (e.g. Computer Security, Information Assurance, Network Security, etc.) are all fine and have their place.  But they lack one fundamental aspect: the human.

Cyber originated in our lexicon with Norbert Wiener in his seminal 1948 book Cybernetics or Control and Communication in the Animal and the Machine.  He took the word cyber from the Greek word kybernetes, Greek for “steersman” or “governor.”  It was further adopted by science fiction authors into cyberpunk and, famously, cyberspace (by William Gibson).

Given the origin of the word, it has not been co-opted.  In fact, I believe it is a better term than others in many instances, primarily because it makes humans and operators the central focus of the activities we study – either their offensive exploitation of systems or our defensive reaction or preventative actions.  It is all done because computers are tools for humans to operate more effectively in any number of areas.  They have no inherent value outside of use by humans.  Many of us technical geeks forget that while we are digging into packets or studying architecture diagrams.

Therefore, I will keep using the word cyber proudly knowing that I am using it to keep the human as the central concept in intrusion analysis, information assurance, computer security, network security, or whatever else you want to define to enable humans to use information and communicate more effectively.

United We Stand, Divided We Are Falling: Are Security Collectives a More Effective Model?

Anti-virus is a multi-billion dollar industry and is a necessary best-practice and due diligence measure everyone must implement.  Yet it is failing, by its own admission, spectacularly – and only delivering the least-common-denominator prevention without any signs of improvement.  How can consumers of products, namely security products, guarantee better service and quality from the vendors?  By forming security collectives and achieving economies of scale in security.

NATO: An Example of Collective Security

Mahatma Gandhi was a strong man, but it took the collective work of thousands making salt during the Salt March to make a statement.  One person in need of high quality private insurance in the U.S. does not make a market, but millions coming together into health groups can leverage their collective purchasing power to deliver the necessary health plan at the right price.  Political parties band like-minded people together to set policy and government agendas.  Governments come together for collective benefit (e.g. NATO).

Collectives can make markets, demand services, set prices, deliver effective products, and change industries.  They can leverage their group funding and influence to get what they need where individually they cannot.

One of the most difficult aspects of achieving information assurance and network security is that we rely, almost exclusively, on third-party vendors and service providers to achieve our goals – to deliver the technology, to block the right packets, to prevent the wrong applications from installation, to write secure code for their applications, etc.  These come in the form of application vendors, anti-virus vendors, intrusion detection/prevention platforms, firewall systems, network infrastructure, etc.

Yet these vendors are simply delivering the least-common-denominator in security.  They are building technology and leveraging intelligence only enough to solve the problems for the greatest number – not solving the right problems for their customers.

Mikko Hypponen recently stated openly that anti-virus companies fail at their job.

“The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms.” — Mikko Hypponen in Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet, appearing in Wired, June 2012

It is rare that a company, or an entire industry, will admit its faults publicly.  What Mikko says is true.  Anti-virus is designed to protect customers from the most common threats – but it fails at protecting those customers against the most advanced threats.

How then can customers achieve the assurance necessary to operate when the products they rely on most to protect them cannot?

Today: we define our security objectives alone, individually contract with security vendors for products (e.g. anti-virus, intrusion detection systems), and then conduct incident response and intrusion analysis in a vacuum.

What if organizations were to band together with like-mission partners into security collectives (military with military, critical infrastructure with critical infrastructure, healthcare with healthcare, etc.), thereby achieving economies of scale in shared threat intelligence and greater vendor support through collective bargaining?

Is the anti-virus product not delivering the protection you (and your partners in the group) need?  Then take all of your money elsewhere to a vendor that will offer the level of service necessary.  Maybe you need a hunting service for the most advanced adversary.  Maybe you need advanced threat intelligence utilization.  Maybe you need just enough support to keep the next worm from infecting your network.

With security collectives, all customers need not be satisfied with the least-common-denominator of security.

Money talks, and big money talks even louder.  Threat intelligence is nice, shared threat intelligence is stronger.  We need to band together into collectives to make our voices heard and demand better service based on our respective missions.
