Month: January 2015

Posted on

What Government Can (And Can’t) Do About Cybersecurity

In his 2015 State of the Union address, President Obama introduced a number of interesting, if not terribly novel, proposals. Here are six that will have minimal impact.

People are calling 2014 the “Year of the Breach.” President Obama even focused on “cybersecurity” during his 2015 State of the Union address. I’m thrilled that security seems to have finally broken into the public consciousness. It’s a complex problem that requires an international effort, cooperation between public and private sectors, and careful consideration of the best path forward.

The mess we’re in
I’ve written before about the staggering complexity of application security in the modern enterprise. So it’s not too surprising that the level of insecurity has grown over the past 20 years due to automation’s breakneck speed. The infographic below gives a sense of just how large and complex our codebases are. But like other extremely complex issues, such as healthcare, climate change and education, government intervention is a delicate matter that may do more harm than good.

Click on this link for an interactive view of the Word Cloud by David McCandless.

The commercial sector produces the vast majority of the world’s software. But this market is failing to encourage the development of secure code. Why? Because for the most part, software is a black box. When you buy a car, you can have a mechanic check it out. But software is so complex that it can take months or years to determine whether it’s secure or not. Software is a “market for lemons” where nobody can get paid a fair market price for secure code. So our software ends up stunningly insecure.

I’m not trying to blame the victim here. Malicious attackers are the cause of breaches and we should do what we can to catch them. But given the inherent anonymity of the Internet, the “attribution problem” means that hackers are going to be part of our world for a very long time. This means we’re going to have to do more to protect ourselves.

Proposed government interventions
In his 2015 State of the Union address, President Obama introduced a number of interesting, if not terribly novel, proposals. Let’s quickly review a few of these ideas.

  1. Establish Federal breach notification legislation to unify the complex patchwork of state laws. This is a great idea in principle, although there will certainly be arguments about the details. For example, the 30-day limit is too long for consumers whose credit card number was stolen, yet too short for companies to ensure their systems are clean. I’d like to see this legislation expanded to cover all breaches, not just those that involve a privacy leak. If you’ve been hacked, even if no privacy breach occurred, your customers have a right to know the details.
  2. Expand information sharing with DHS through the ISACs. President Obama said, “we are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism.” I’m not convinced that the techniques used to combat terrorists will work on hackers. While information sharing is important, it must be done carefully to protect victims of data breaches from further violation.
  3. Allow prosecutors to pursue anyone related to a hacking incident under Federal RICO statute. Given the difficulty of accurately identifying suspects, gathering evidence, and proving relationships in cyberspace, this approach seems ripe for abuse. There’s nothing wrong with aggressively pursuing cyber criminals, but we can’t forget about due process. How easy would it be to frame someone as a hacker if all that is required is a loose association? What if I friend the wrong person on Facebook or LinkedIn?
  4. Radical expansion of the CFAA. The Computer Fraud and Abuse Act is the federal anti-hacking law. Obama’s proposal expands the definition of unauthorized to include any time a user accesses information “for a purpose that the accesser knows is not authorized by the computer owner.” Basically if you know you’re hacking, then you’re guilty of a felony. This subjective standard does nothing to clarify what behavior is allowed under the statute and will lead to messy court cases and bad law.
  5. Even more CFAA expansion. Further, the proposal criminalizes your security tools if you know they could be used for illegal purposes. Another subjective standard, but even if we got past that, it would still be wrongheaded. To use the language of the Betamax decision, these tools have “substantial non-infringing use.” Disarming our limited supply of security researchers is nothing short of insanity.
  6. Allow government backdoor access to secure messaging applications like WhatsApp and Snapchat. British Prime Minister David Cameron and President Obama have called for mandatory backdoors so that intelligence agencies can scan for possible terrorist activity. The desire for this type of backdoor goes back to the Clipper chip, a notoriously flawed idea to escrow encryption keys with the government. Remember that attackers can still use “super-encryption” to defeat any backdoor scheme. That means that we all have to suffer Big Brother with very little benefit in terms of reducing terror.

How to really fix the software market
What strikes me about all these proposals is that they are not very likely to have a substantial effect on the software market. They are all reactive, attempting to target the bad guys rather than focusing on enhancing our own defenses. I think we are capable of producing radically more secure software than we do today. But we’re going to have to raise the bar for developers everywhere. The good news is that we don’t have to resort to making developers liable for vulnerabilities or other tricks.

We need to ensure that software buyers and sellers have the same information about what they are buying. We should start with minimally disruptive interventions such as requiring organizations to disclose information about how their software was designed, built, and tested and information about the people, process, and tools used. Imagine the “Security Facts” equivalent of “Nutrition Facts” label or “Material Safety Data Sheet” for software. Studies of labeling regimes have shown that even if consumers don’t use these labels at all, they still have a significant effect on the companies producing the products.

One thing’s for sure. Cybersecurity is on the government’s agenda for 2015.

A pioneer in application security, Jeff Williams has more than 20 years of experience in software development and security. Jeff co-founded and is the CTO of Aspect Security, an application security consulting firm that provides verification, programmatic and training services. He is also founder and CTO of Contrast Security, which offers a revolutionary application security technology that accurately identifies vulnerabilities at portfolio scale without requiring experts. From 2004 to 2012, Jeff served as the Global Chairman of the OWASP Foundation and created many open-source standards, tools, libraries, and guidelines – including the OWASP Top Ten.

[DarkReading]

Posted on

How Well Do You Know Your Zero Days and APTs?

It’s time to take the Zero Day & APT Challenge, where knowledge of the worst threats out there could win you great prizes.

Get on in here and show us what you got! (And remember… Palo Alto Networks Traps would have prevented all of these, even without prior knowledge.)

[Palo Alto Networks Blog]

Posted on

World Leaders Focus on Cybersecurity, But Survey Shows 86% See A Global Skills Shortage

In Washington tonight, US President Barack Obama will propose legislative action to focus on cybersecurity during his State of the Union address. In Davos, 2,500 world leaders from government, industry and civic society are gathering today for the World Economic Forum (WEF) to discuss what WEF Chairman Klaus Schwab describes as “The New Context.” Front and center on the agenda are cybersecurity, risk and the Internet of Things.

Large-scale data breaches have brought this issue to the forefront and showcase that even well-protected, mature organizations face difficulties keeping data secure. And with cyberattacks rising exponentially, it’s no surprise that organizations are aggressively trying to hire those with the skills to prevent them.

There is one problem, however: the severe shortage of skilled cybersecurity professionals. According to the ISACA 2015 Global Cybersecurity Status Report, 86% of respondents believe there is a shortage of skilled cybersecurity professionals and 92% of those whose organizations plan to hire cybersecurity professionals in 2015 say it will be difficult to find skilled candidates. The ISACA 2015 Global Cybersecurity Status Report, conducted 13-15 January 2015, polled more than 3,400 ISACA members in 129 countries. It found that close to half (46 percent) expect their organization to face a cyberattack in 2015, and 83 percent believe cyberattacks are one of the top three threats facing organizations today.

ISACA, which assisted the National Institute of Standards and Technology (NIST) in the development of the US Cybersecurity Framework, has launched its Cybersecurity Nexus (CSX) program. CSX is a global resource for enterprises and professionals that helps identify, develop and train the cybersecurity workforce, while also raising the awareness of cybersecurity throughout the organization. CSX has extensive resources to address the cybersecurity skills gap through training, mentoring, performance-based credentials and applied research. CSX also now offers a Cybersecurity Legislation Watch center, which features the new CSX Special Report.

Cybersecurity is everyone’s business. It is absolutely essential that we accelerate the pace of creating a cyber-aware and cyber-trained society. And we need to do it together. As philosopher and inventor Ben Franklin once said, “We can hang together, or we can hang separately.” At ISACA, we are doing our part by providing knowledge and the tools to assure trust in a digital world.

Matt Loeb, CAE
Chief Executive Officer, ISACA

[ISACA]

Posted on

The Cybersecurity Canon: Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners

The Cybersecurity Canon is official, and you can now see our website here. We modeled it after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have 20 books on the initial candidate list but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review: Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners (2011) by Jason Andress and Steve Winterfeld

Executive Summary

Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners is a consolidation of the current thinking around the topic of cyber warfare — not the way you hear about in the media where everything is a war of some kind (War on drugs, War on Terrorism, etc) but a discussion about what it means to conduct warfare via cyberspace.

This is a tough topic because there are so many opinions about what cyber warfare is that you could literally spend an entire book just covering the definitions. The authors deftly avoid that trap and manage to provide a coherent line of thinking around Computer Network Operations even when these kinds of activities bump up against other cyber space dangers like cyber crime, cyber hacktivism, cyber espionage and cyber terrorism. This book is a primer; a one stop shop to get you up to speed on the topic if you are new to it or a refresher even if you have been enmeshed in it for years. It is Cybersecurity Canon-worthy and you should have read it by now.

Introduction

Full disclosure: One of the authors, Steve Winterfeld, used to work for me when he and I were both in the US Army wrestling with all of these ideas right after 9/11. I ran the Army Computer Emergency Response Team (ACERT) and Steve ran the Army’s Southern Regional CERT (RCERT South). He and I have been friends ever since and he even quoted me in one of the back chapters.

Winterfeld and Andress cover everything you will want to consider when thinking about how to use cyberspace to conduct warfare operations. Although the content has been around for a while, it is striking how little the main concepts have changed in the past decade. In a world where new innovations completely alter the popular culture every 18 months, the idea that cyber warfare’s operational principals remain static year after year is counterintuitive. But after reading through the various issues within though, you begin to understand why things change at such a glacial pace. These difficult concepts spawn intractable problems and the authors do a good job of explaining them.

The Story

The first three chapters are my favorites. Winterfield and Andress do a good job of wrapping their heads around entangled concepts like the definition of cyber warfare, the look of a cyber battle space and the current doctrine’s ideas about cyber warfare from the perspective of various nations. It is fascinating. They frustratingly never define what cyber warfare is. Unlike Clarke and Knake in Cyber Warfare: The Next Threat to National Security and What to Do about It, where the authors give a straight forward definition, Winterfeld and Andress describe the plethora of definitions around the community and decide that one more would just confuse the matter.

In the middle of the book, the authors take on the task of describing the Computer Network Operations (CNO) Spectrum, which ranges from the very passive form of Computer Network Defense (CND) through the more active forms of Computer Network Exploitation (CNE) and Computer Network Attack (CNA). It is indeed a spectrum too because the delineation between where CND, CNE and CNA start and stop is not always clean and precise. There is overlap. And somewhere along that same spectrum is where law enforcement organizations and counter-intelligence groups operate. You can get lost fairly quickly without a guide and the authors provide that function admirably. The only thing missing from these chapters is a nice diagram that encapsulates the concept.

I do have a slight issue with the book’s subtitle, which is “Techniques, Tactics and Tools for Security Practitioners.” The way I read this book, the general purpose Security Practitioner will not find this book very useful except as background information. Aside from the chapters on Logical Weapons, Social Networking and Computer Network Defense, most of the material has to do with how a nation state, mostly the US, prepares to fight in cyberspace. There is overlap for the general-purpose security practitioner, but this material is covered in more detail in other books.

The Tech

The book is illustrated. Some of the graphics are right out of military manuals and have thatPowerPoint Ranger look about them. Some are screenshots of the various tools presented. Others are pictures of different equipment. One graphic stood out for me in the Cyberspace Challenges chapter (14). The graphic in question is a neat Venn Diagram that encapsulates all of the cyber warfare issues mentioned in the book, categorizes the complexity of each issue and shows where they overlap in terms of policy, processes, organization, tech, people and skills. My only ding on the diagram is that in the same chapter, the authors discuss how much each issue might cost to overcome. It would have been easy to represent that information on the Venn diagram and make it more complete.

One last observation about the graphics that I really liked is the author’s use of “Tip” and “Note” boxes throughout the book. Scattered throughout the chapters are grayed-out text boxes that talk about some technology or procedure that is related to the chapter information but not directly. For example, in the Social Engineering chapter (7), the authors placed a “Note” describing the various Phishing forms. You do not need the information to understand the chapter but having it nearby provides the reader with a nice example to solidify the main arguments. The book is full of these examples.

Conclusion

Winterfeld and Andress get high marks for encapsulating this complex material into an easy-to-understand manual — a foundational document that most military cyber warriors should have at their fingertips and a book that should reside on the shelf of anybody interested in the topic. Along the way the reader gets a nice primer on the legal issues surrounding cyber warfare, the ethics that apply, what it takes to be a cyber warrior and a small glimpse over the horizon about what the future of Cyber Warfare might bring. This is Cybersecurity Canon-worthy and you should have read it by now.

[Palo Alto Networks Blog]

Posted on

Moving Beyond Proxies: A Better Approach to Web Security

Once upon a time, proxies fulfilled a need traditional firewalls could not meet: visibility into web traffic starting with the categorization of HTTP, and later HTTPS, traffic. However, little to no emphasis was put on the vast number of applications utilizing other avenues of accessing corporate networks.

Proxy deployments today have outlived their usefulness and practicality. They have joined a long list of legacy security products that provide limited security capability against today’s advanced threats.

Download this whitepaper to find out more on the shortcomings of proxies, and how a next-generation security platform can provide faster, simpler and more comprehensive security.

[Palo Alto Networks Blog]

English
English
Exit mobile version