The concept of security has been around for centuries. One of the oldest forms of physical denial of access is building a wall: a physical barrier that acts as both a preventive and a deterrent control, restricting access by those not permitted to gain entry. Examples include the Great Wall of China, the Berlin Wall, the Israeli West Bank barrier, and Sacsayhuamán in Peru. Most of these walls protected against unauthorized entry for their period of time. But a single boundary defense such as a wall is not adequate in modern times because of the advanced tactics and technologies used by those seeking unwarranted entry.
In a computing environment, relying only on a wall for defense would be the equivalent of relying only on a username and password for complete protection. A modern physical defense therefore uses defense in depth, which is itself not a modern concept.
Even the phrase "Guards, Gates & Guns" shows how different physical controls can be combined to prevent entry. Again, these are both preventive and deterrent controls which can be used in conjunction with a physical wall to limit access. Here are a few other security controls which could be added to a wall to give a stationary barrier defense in depth:
Motion sensors
Electrified fences
Additional patrols
Air Surveillance via plane or satellite
When the perimeter to be defended is large (such as a 500-mile border), a physical barrier combined with other natural deterrents provides the best total security solution.
In reality, the use of a wall as a single physical security control is about as ridiculous as expecting the enemy to pay for its installation.
The other option would be to allow entry but then control access once inside. Not everything inside a network is attractive to the enemy, so being selective about how critical data and configurations are protected may be a better defense than a single external boundary.
The moral of this post is that using archaic security controls to deter and protect against external entry is wasteful and ineffective. A smarter approach is to embrace defense in depth by using physical, technical and administrative controls specific to the threat landscape and attack vectors, resulting in an environment of controlled, managed risk.
If you're thinking this could be applied to non-IT-related current events, you're right.
Friday, January 25, 2019
Sunday, January 13, 2019
Week 6 - Who are the real heroes here?
Organizations pay a large percentage of their overhead to fund cybersecurity programs. This is done at the federal, state, private, public and all other levels, and in every industry. Millions are spent to protect and defend our privacy and personal data, in addition to the critical information our businesses and governments need to keep internal and available only to those who need it. There are paths for certifying, assessing and authorizing IT systems in an effort to build confidence that they are protected to the highest standard.
Under the NIST Risk Management Framework, as well as other security models such as ISO 27001 and COBIT, the majority of the security controls put in place are there to defend against malicious hackers (sometimes called crackers) whose nefarious intention is to steal valuable information.
A few years ago a trend emerged in which vulnerability identification was outsourced to third-party individuals and organizations, commonly referred to as bug bounty programs. Essentially these are hackers who decided to come out of the darkness and legally hack various organizations to discover vulnerabilities for profit. One of the largest bug bounty platforms, HackerOne, provided some interesting statistics in its annual report (HackerOne 2018):
- Over 90% of hackers are under the age of 35.
- 8% of hackers are under the age of 18.
- 58% of hackers are self-taught.
- At 78%, Burp Suite is by far the most popular set of hacking tools.
- 31.3% of techniques are learned by reading other hackers' blogs about their results and tactics.
- At 78%, websites are the most valued target of hackers.
- The countries with the most participation in bug bounties are India and the United States.
- Fun, being challenged and learning are all bigger motivators than earning money from hacking.
- Cross-site scripting and SQL injection are the most popular attack vectors, followed by fuzzing.
The irony of this concept is laughable. These organizations no doubt spend millions to protect their data from the same people they now hire to discover vulnerabilities against them. But equally disappointing is the fact that the effort that goes into securing and accrediting these systems is upended by the very people hired to protect them. The belief that systems are protected because someone gives their seal of approval is being proven incorrect, and further vulnerability analysis is clearly necessary. In fact, one could argue that the white hat hacking should be done first, to identify the largest gaps in security, and that the expected compliance-driven defenses should be added only after the easily exploitable weaknesses have been patched.
The goal is always to mitigate risk to a level acceptable to the organization. Until a few years ago, all hackers were considered bad. Perhaps the better way of looking at cybersecurity is to include these offensive hacking partners in the total solution to achieve a better overall risk posture.
HackerOne (2018). The 2018 Hacker Report. Retrieved from https://www.hackerone.com/sites/default/files/2018-01/2018_Hacker_Report.pdf
Friday, January 4, 2019
Week 5 - This Means War!
It's no secret that those who work in cybersecurity in the DoD are accused of being a low-value administrative requirement, fed mostly by fear and by pressure from leadership based on sensational stories in the news. The reputation cyber professionals have is that they slow progress, impede the mission and generally operate on rules that continually change.
First, let's address the rumor that cyber requirements are always changing. The answer is yes, cyber requirements do change all the time. Policy changes because threats change. Criminals change their techniques. Technologies emerge and then get exploited. Insiders get better, or perhaps lazier. All these changes need to be addressed by changing the way cybersecurity is performed.
The other issue with cybersecurity is that it ends up taking too long to implement and approve. Typically the organization is held to the standards of an outside standards body or approver and needs to meet the mark in terms of required compliance checklists and vulnerability assessments. There are so many rules, policies, guidelines, best practices and expectations that addressing EVERY possible security control would take months if not years. And then, when you think you've addressed them all, you need to start over because the threats have changed, the policies have been updated and what you addressed in the beginning is outdated. A vicious circle that can never be completed.
But is this really the best way? Perhaps we're trying too hard? Are all these checks really necessary if we're ultimately postponing the delivery of a capability to our company or organization?
Another perspective:
In the early 1940s, when America was entering WWII, the entire country made enormous sacrifices to support the warfighter. Women took jobs, factories that had been making iron parts switched to making bombs (my grandfather worked in one of them), and the ability to field capabilities and products to those on the front line was streamlined by skipping any check that was not mission-essential.
Let's present this perspective another way:
Your wife is pregnant, 40 weeks. It's 2am and she screams that her water broke. Your job is to get to the hospital right away. But if you were to do things the RIGHT way, this is what it would look like:
1. You get out of bed.
2. You make your bed.
3. Brush your teeth.
4. Put on fresh clothes. Perhaps dress in layers.
5. Before leaving, adjust the thermostat so as not to waste energy while you're away.
6. Ensure all the doors are locked, windows closed, major appliances not running.
7. Both of you get in the garage.
8. Inspect the car to ensure all tires are properly inflated.
9. Once inside the car, adjust the mirrors to ensure a proper field of vision, especially in the blind spots.
10. Make sure your wife is buckled in, perhaps get her some bottled water.
11. Turn on the car and let it warm up (remember back in the 80s).
12. Find a radio station that is soothing to your wife. Adjust the temperature control.
13. Back out, but go slowly to look for neighbors, dogs, etc.
14. Program the hospital into Waze and select the most efficient route.
15. Drive conservatively since it is late at night, your senses are muted and the darkness could obscure a cute raccoon or other furry animal.
16. Pull into the hospital and find a good parking spot in a well-lit area, close to security cameras.
I think you get the point.
In real life, ALL those checks go out the window, and it's a mad dash to the hospital with little regard for how your breath smells, what you're wearing, or proper road etiquette. Laws be damned, this baby is coming out!
In real life, if we were under physical attack by our adversaries, with bombs being dropped on our cities, boats coming ashore, bad guys taking over our cities and terrorists aiming chemical weapons at our schools and government centers, you know for a FACT that cybersecurity would be limited to:
1. Network defense
So while we are not currently under physical attack, we are under attack by digital enemies who are looking to beat our networks and steal our military and technological secrets. A rapid model like this won't work in the DoD or any other organization, but how could we develop a model where a system undergoes an appropriate level of review, validation and risk assessment without putting the data or people at risk? I'm thinking, like, two weeks.
Like most everyone else, we are at the mercy of the approving official. I don't have an answer for this. I can't control those who are pulling my strings, but perhaps I can find a way to cut them.