The Cybersecurity Canon: Reamde

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Reamde (2011) by Neal Stephenson

I’ve already reviewed two Neal Stephenson works, Snow Crash and Cryptonomicon, for inclusion in the Canon. Here is a third: a high-octane, straight-up cyber thriller that elevates the genre in the process.

The novel has everything that a cyber thriller needs: Chinese hackers, Russian mafia, cyber crime, massively multiplayer online role-playing games (MMORPGs), hacking culture, and guns. It is classic Stephenson, and not quite as dense as some of his other works. While it is a wildly imaginative story, the details are real and correct. If you are a cybersecurity professional, you will not learn anything new here, but you will appreciate a ripping good story told within the boundaries of the cybersecurity community you know.

Stephenson centers on Richard Forthrast, the founder and owner of the Fortune 500 company that manages T’Rain, an MMORPG. He is a former drug smuggler who funneled his profits into a computer gaming company and turned T’Rain into the most popular computer game on the planet. Across the world, a group of young and talented Chinese hackers and T’Rain players devise an elaborate gold-farming ransom scheme. They create and distribute the Reamde virus, which essentially bricks the T’Rain gamer’s computer until the victim delivers a specified amount of virtual gold to a remote location in the T’Rain online world. The hackers collect the virtual gold and convert the gaming money into real money for profit.

Forthrast’s niece, and employee, inadvertently shares a sample of the Reamde virus with her boyfriend. The boyfriend dabbles in credit card fraud, and when the Reamde virus corrupts the computer network of his Russian mob contact—specifically the group’s pension fund, the obshchak—the Russians come looking for the perpetrator.

What follows is a mad dash around the world as the Russian hackers, with Forthrast’s niece in tow, try to get their money back from the Chinese hackers. They run into a separate collection of international terrorists operating out of the same abandoned Chinese building as the Chinese hackers, and an MI6 agent who is tracking the terrorists. As the terrorists escape and evade the Russians, MI6, and the Chinese hackers, they end up in the backwoods of Canada, Forthrast’s backyard. There’s a lot of fun stuff going on here.

The story is similar in heft—almost one thousand pages—to two other Stephenson works: Cryptonomicon and The Baroque Cycle. But Reamde is a straight-up cyber thriller and Stephenson doesn’t spend a lot of time diverging from the main story as he did in those books.

Gold Farming

Gold farming has been a staple of MMORPGs from almost the beginning of online games. It’s a term used to describe MMORPG player behavior when the player’s intent is not to play the game as the designers intended. Instead, gold farmers gather as much virtual loot as is available within the game for the purpose of reselling that virtual loot to other players for real-world currency. Most MMORPGs have fully functioning economies, and gold farmers take advantage of that. Entire businesses have popped up, especially in China, dedicated to that effort.

In Reamde, Stephenson takes that phenomenon to the next level. Most MMORPGs distribute loot randomly within the gaming world, but in T’Rain, naturally occurring gold deposits form around the game world similarly to how they form in the real world. Tom Bissell, writing for The New York Times, described it this way:

“Two things have assured T’Rain’s commercial success: actual geological laws have been programmed to govern its terrain (it is this feature from which the game’s name derives); and the game uses a currency system based on real money — treasure mined from the strata of T’Rain’s crust can be transformed into earthly coin.”

If you take a step back from that explanation, you realize that the T’Rain economy functions eerily like the Bitcoin economy. In both systems, the amount of treasure available in the world is finite and is worth only what the people within the economy are willing to pay for it. I could find no reference that confirms a connection between T’Rain and Bitcoin, but I do find it an interesting coincidence. Stephenson is adept at explaining how money systems work. Bitcoin launched in 2009, and Stephenson published Reamde in 2011. Even if the connection was unintentional, Stephenson had to be at least thinking about Bitcoin while he was writing the book.

Wardriving

Wardriving is the act of driving around town with a collection of remote networking gear and looking for unsecured WiFi routers. In Reamde, the Russian mafia needs to find the Chinese hacker hideout in China. They kidnap the good guys and whisk them away to Xiamen, China, so that the good guys can help them with the search. The good guys, under threat of death, search for the Chinese hackers by wardriving the streets of the city and frequenting the many Internet cafes, or wangbas, that most of the locals use for Internet access.

Lock Picking

Some of the good guys in our story are traditional white-hat hackers (hackers that exploit weaknesses in systems not to steal or to cause mischief but to understand how those systems work and perhaps to offer better ways to build those systems). One interesting cultural phenomenon that emerged from this hacking culture is a fascination with locks and how to pick them. If you have ever attended DEFCON, you already know what I mean. There is usually a room dedicated to the lock-picking craft, and every time I have wandered in there in the last five years, the room is jammed with expert lock pickers showing wannabes how to get started. In Reamde, the good guys lock-pick their way out of several situations, and Stephenson takes a moment to explain why these white-hat hackers might have that skill.

MMORPG Battle

During the course of the story, the good guys who are working for the Russian mafia deposit the ransom of virtual gold into a remote area of T’Rain in the hopes that the Chinese hackers will unbrick their computers. A problem arises when the T’Rain community discovers the Reamde virus scheme. Many clans within the game stake out the route to the remote location in order to ambush the Reamde victims before they deposit their virtual gold.

In T’Rain, if you kill an adversary in the game, you collect his or her valuables. The Chinese hackers need to collect the ransom and walk it out of the remote area and into a T’Rain city where they can convert the virtual money into real money. With the clans blocking their path, this becomes problematic. What results is a massive clan battle between the Chinese Reamde clan and all of the other T’Rain clans in the game. Stephenson completely captures the complexity, stress, and strategy of directing hundreds of your own teammates that are maneuvering across a vast virtual terrain against thousands of hostiles whose intent is to prevent you from doing just that.

Conclusion

This novel has everything that a good hacker novel needs, right up through a bit about how to survive a zombie apocalypse. It is classic Stephenson without the denseness of Cryptonomicon and The Baroque Cycle, and it elevates the genre of the cybersecurity thriller above other entries in the field. While it is a wildly imaginative story, many of the details are real and correct and you’ll appreciate what a good time this is.

The Cybersecurity Canon: Security Metrics


Security Metrics: Replacing Fear, Uncertainty and Doubt (2007) by Andrew Jaquith

I have been interested in cybersecurity metrics and how to visualize them since before we were connecting the Internet with strings and soup cans. In 2011, I had been looking for somebody to put some rigor to the idea when I stumbled upon a strong, positive review of Andrew Jaquith’s book on Amazon. A little more digging told me this was a book I really should check out.

From the beginning, Jaquith attacks the security community’s sacred cow of applying annualized loss expectancy (ALE) to convince management that the security program it is paying for is working. I have to say that I loved this attack. I remember first learning about ALE when I was studying for the Certified Information Systems Security Professional (CISSP) exam back in the day. I thought then that ALE sounded well and good when you said it fast, but in reality, you were just making up the numbers to plug into a formula that sounded scientific.

According to Jaquith, and most every CISSP preparatory exam book on the planet, “ALE is the monetary loss that can be expected for an asset due to a risk over a 1-year period and is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO).”

Doesn’t that sound precise and mathematical? Indeed it does. But it turns out that there are lots of problems with this formula. The biggest problem is that we don’t know what the probabilities are. How can we possibly know what the probability is that an advanced-persistent-threat-style attack will compromise the computer that your chief of counsel’s secretary uses? This is not the insurance industry; we do not have actuary tables derived from decades of data collection that can tell us precisely what these adversaries will do, how often they will do it and how much it will cost us when they do it.

So what, Jaquith and others have asked, do ALE practitioners do in the absence of hard data? They guess. They estimate. They fudge. And when they do this, they undermine the veracity of the very process that they are trying to convince management is so exacting. What good is a scientific formula if all you do is fill it with garbage data?

Jaquith’s thesis is that, instead of using imprecise models like ALE, security professionals should use metrics. He says that “[this change in thinking] requires practitioners to think about security in the same way that other disciplines do – as activities that can be named, and whose efficiencies can be measured with key indicators.”

Coincidentally, the first time I read Jaquith’s book, I just happened to listen to the Patrick Gray Risky Business podcast from April 2011 where he interviewed Brian Snow. Snow is a former NSA information assurance technical director, and he had a lot to say then about the folly of using probabilistic risk assessments, like ALE, to improve the cost-effectiveness of securing nuclear facilities and government information assurance programs.

Snow made the point that these models are fine for standard risks that routinely occur—like what is the mean time to failure of the hard drive in your laptop—but that they fail miserably when trying to predict cases that have high impact to an organization but are not likely to occur. These cases that Snow referred to are called “black swan events.”

Black Swan Events

The “black swan event” term was made famous by Nassim Nicholas Taleb in his 2007 book “The Black Swan: The Impact of the Highly Improbable.” For some organizations, computer breaches are black swan events that Taleb describes as “outliers that carry extreme impact.” They are outliers because the chances of something like that happening to your network are pretty small, but when it does, the cost to your organization is extreme.
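Snow’s distinction is easy to see in numbers. The following is an added example, not code from Jaquith’s book or from this post, with constructed SLE and ARO figures: two risks are tuned to produce exactly the same ALE, then simulated year by year so that the shape of the losses (the spread, the share of loss-free years, the worst year) shows what the single ALE figure throws away.

```python
"""Added example: two risks with identical ALE but very different loss profiles.
Constructed figures only; not from the book or the post."""
import math
import random
import statistics

# Constructed risk profiles, both chosen so that SLE x ARO comes out the same.
RISKS = {
    # routine: laptop disks failing around the company, many small losses a year
    "routine": {"sle": 500.0, "aro": 20.0},
    # black swan: a breach that almost never happens but is catastrophic when it does
    "black_swan": {"sle": 500_000.0, "aro": 0.02},
}


def ale(sle: float, aro: float) -> float:
    """The textbook formula quoted in the review: ALE = SLE x ARO."""
    return sle * aro


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler: number of occurrences in one year at rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_years(sle: float, aro: float, years: int, seed: int = 1) -> list:
    """Loss for each simulated year, treating ARO as a Poisson event rate."""
    rng = random.Random(seed)
    return [poisson(aro, rng) * sle for _ in range(years)]


def summarize(name: str, years: int = 10_000) -> dict:
    """Put the single ALE number beside the shape of the simulated losses."""
    risk = RISKS[name]
    losses = simulate_years(risk["sle"], risk["aro"], years)
    return {
        "ale": ale(risk["sle"], risk["aro"]),
        "mean_annual_loss": statistics.fmean(losses),
        "std_dev": statistics.pstdev(losses),  # the spread that ALE discards
        "zero_loss_years": sum(1 for x in losses if x == 0) / years,
        "worst_year": max(losses),
    }


if __name__ == "__main__":
    for name in RISKS:
        print(name, summarize(name))
```

Both profiles report an ALE of 10,000, yet the black swan profile spends almost every simulated year at zero loss and then produces a single year that dwarfs the routine profile’s worst case; a budget sized on ALE alone cannot tell the two apart.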

Jaquith’s solution is to “… quantify, classify, and measure information security operations in a modern enterprise environment” and to provide “… a set of key indicators that tell customers how healthy their security operations are.”

He spends a good portion of his book, two entire chapters actually, explaining what some of these metrics might be. Your organization might not have a use for all of them, but you will appreciate the thoroughness that Jaquith uses to explain why they should be considered.

As a bonus, he spends a chapter reviewing the fundamentals of statistics. If you are like me and slept through your probability and statistics course in college, you will welcome this refresher. Jaquith’s simple explanation alone about what a standard deviation is and what correlation really means is worth the price of admission.

As an extra bonus, he spends a chapter on visualization. I am a fan of Dr. Edward Tufte, who is in my opinion the world’s leading expert on how to visually display complex data. Tufte devotees will learn nothing new here but will appreciate how Jaquith reduces Tufte’s four seminal books on the subject to six rules:

  • It’s about the data, not the design
  • Just say no to three-dimensional graphics and cutesy chart junk
  • Don’t go off to meet the (Microsoft) wizard
  • Erase, erase, erase.
  • Reconsider Technicolor
  • Label honestly and without contortions

The only real fault I have with the book is the last chapter, “Designing Security Scorecards.” Here, Jaquith had the opportunity to show some practical security dashboards that perhaps some real organization used and found useful. Instead, he spends the entire chapter explaining what goes into making a scorecard.

As I got closer to the end of the book, I just knew that I was going to see some dazzling examples that I might use in my own organization. When I turned to the last page and found nothing but the index, I was dumbfounded. He provided no examples of real-world security dashboards. D’oh! So close to being perfect!

Why It’s Worth It

That one caveat aside, Jaquith’s book is well worth the read. I recommend it highly. I dare you to get to the end of that book without learning something that will help you in your current job, and even if security metrics are not your thing, the statistics and visualization chapters will make you a more well-rounded business person.

But for you security professionals out there, this book is for you. It will help you unshackle yourself from the chains of probabilistic risk assessments. It will turn you away from the dark side and toward a more meaningful process to assess your enterprise’s security. You should have read this by now.

The Cybersecurity Canon: Breakpoint


Breakpoint (2007) by Richard Clarke

In an earlier entry I looked at Richard Clarke’s Cyber War, and this time around I’ll look at how Clarke jams a boatload of cutting-edge cybersecurity ideas into this slim, Michael Crichton-esque political thriller. Clarke wrote it in 2007 but set it in the near future of 2012, and when I say there is a boatload of information, I am talking about yacht-sized, not dinghy-sized.

The bad guys in this novel execute most of the cyber fantasy attacks against the United States that any group of cybersecurity geeks (including myself) could conjure up after a few beers sitting around a bar at the annual Black Hat / DEFCON conventions in Vegas (incidentally, one of the settings in the book).

Clarke gives us bombings of US beachhead routers on both coasts that reduce inbound and outbound internet traffic to just 10 percent, buffer overflow attacks against a communications satellite that sends it reeling out to space, SCADA attacks that blow up a research institution with a live nuclear reactor and a well-coordinated SCADA attack that takes out all power west of the Mississippi. Of course, in the novel, US government leadership, specifically the Intelligence Community (IC), thinks the Chinese are behind everything and they put all of their efforts into proving it.

All of these “fantasy” attacks are quite possible in the real world and the cybersecurity community has been talking about them for at least the last decade. At Palo Alto Networks, for example, we spend a lot of time looking at SCADA security and the challenges in securing such systems. (One of our experts, Del Rodillas, is speaking on the topic at an ISC-ISAC event on January 22.)

Clarke definitely knows the landscape. Before he retired from government service, he served three different Presidents as the Special Assistant to the President for Global Affairs, the National Coordinator for Security and Counterterrorism and the Special Advisor to the President for Cybersecurity. The political theory behind these acts is known as Escalation Dominance. It is the idea that China, or any government really, would launch some kind of attack against the US that would hurt the country in an effort to prove that they could launch a much larger attack that would really hurt if the US did something that the opposing government did not like.

Why Read It

In the afterword to this novel, Clarke said that it was easier to talk about these issues in a fictional setting than it was to talk about them in dry, academic and political journals. I concur – and that’s one reason why I’ve included novels and “lighter” books in my selections for the Cybersecurity Canon. The truth is that many of these things are much more exciting and frightening when splashed across the fictional page.

This is a good read. Clarke’s story races across 10 days in March of 2012 as our heroes, Susan Connor – an agent for the Intelligence Analysis Center (IAC) – and Jim Foley – an ex-marine on loan to the IAC from the NYPD — try to out-think the US Intelligence Apparatus and Law Enforcement community and track down the real culprits behind the Internet attacks. Critics have taken Clarke to task for his wooden characters in the story, but I found that not to be true. I liked his portrayal of the misguided Internet billionaire especially and I liked the way he portrays New York and Boston cops.

The bottom line here is that this book is a fun political thriller that gets the cybersecurity stuff right. I recommend it.

Understanding a Zero Trust Approach to Network Segmentation

Lately you’ve heard us talking a lot about Zero Trust, an architectural approach to enterprise security that uses “never trust, always verify” as its guiding principle.

First proposed by Forrester Research, a Zero Trust approach means there is no default trust for any entity, regardless of what it is and its location on or relative to the corporate network. With Zero Trust boundaries, you’re compartmentalizing different segments of your network. You can protect critical intellectual property, reduce the exposure of vulnerable systems, and prevent the lateral movement of malware throughout your network in a way other segmentation solutions – including the use of VLANs – do not.

True Zero Trust segmentation requires an enterprise security platform that addresses applications, users and content – and that’s exactly what Palo Alto Networks provides through secure access, inspection of all traffic, and advanced threat protection.

We’re pleased to share a range of new resources to help you get started with critical Zero Trust concepts:

  • Our Zero Trust resource page includes detailed discussions of the Zero Trust concept and links to videos, Forrester research and how we address segmentation for PCI compliance.
  • Our Zero Trust whitepaper itemizes the essential criteria and capabilities required of a Zero Trust solution, and also how the Palo Alto Networks next-generation security platform delivers on these requirements.
  • Our upcoming Zero Trust event in New York City, this Thursday, March 27 at 12:00 p.m. EST, will provide guidance on how to implement a Zero Trust model from Forrester Research Vice President and Principal Analyst John Kindervag and Palo Alto Networks technical experts. Register now.

And if you’ll be joining us at Ignite 2014 in Las Vegas next week, we will have several sessions devoted to Zero Trust as part of our Modern Data Centers track. Register now for Ignite if you haven’t already, and we’ll see you there!

In the meantime, check out a recent video with John Kindervag and me discussing Zero Trust and what it means for customers:

[Source: Palo Alto Networks Research Center]

Palo Alto Networks and Cyvera: Delivering a Next-Generation Enterprise Security Platform

Nine years ago, we forever changed the network security industry with the introduction of the next-generation firewall. This breakthrough architecture brought unparalleled control through the safe enablement of applications, and exceptional levels of protection by blocking all known threats operating across a multitude of different vectors. Two years ago, we again changed the industry with the introduction of WildFire and a next-generation threat cloud that focused on detecting and defending against the most advanced, unknown threats. With over 16,000 customers, our strategy and leadership position are firmly set.

With today’s announcement of our intent to acquire Cyvera, we are turning the page and looking to once again disrupt the security industry. Attackers are absolutely having their way with the endpoint. Traditional signature-only or detection-only defenses are simply ineffective at blocking advanced attacks. Together with Cyvera, we have something to say about that.

The composition of today’s cyber attacks typically involves three stages: identify a new vulnerability, employ a technique to exploit that vulnerability, and use that vulnerability to then launch malware and ultimately take control of the endpoint. Each year, thousands of new vulnerabilities emerge. And with millions of new malware instances found each year that increasingly are capable of evading existing controls, traditional security approaches simply aren’t effective. A new approach is required, one that doesn’t rely on post-breach forensics alone or remediation performed by expensive consultants.

Cyvera is an absolute standout. They’ve come up with a completely different approach: one that will forever change the endpoint security industry. While there is a limitless supply of vulnerabilities and malware, attackers are relegated to the use of a small number of techniques they can employ to exploit those vulnerabilities. In fact, there are a few dozen techniques today that can be used with an average of 2-4 new techniques added each year. Cyvera’s approach is simple: understand the techniques then employ a series of roadblocks and traps to prevent an attacker from successfully exploiting that vulnerability. Cyvera’s approach has been so powerful that they’ve successfully stopped every published zero-day attack since they first began deploying their product.

The combination of Cyvera, our next-generation firewall, and our next-generation threat cloud represents the most innovative, integrated, and automated enterprise security platform in the market. As we bring this acquisition to a close we look forward to sharing many more details with you. Our two companies have had a longstanding relationship that’s only going to grow as we bring our technologies together to offer the most effective approach to protecting you from the most advanced cyber attacks.

[Source]: http://media.paloaltonetworks.com/lp/endpoint-security/index.html
