Tuesday, October 28, 2008

Vulnerabilities and Exploits Are Mindless

Jofny's comment on my post Unify Against Threats asked the following:

So, Richard, I'm curious which security people - who are decision makers at a business level - are focusing on vulnerabilities and not threats?

If there are people like that, they really need to be fired.


This comment was on my mind when I read the story FBI: US Business and Government are Targets of Cyber Theft in the latest SANS NewsBites:

Assistant Director in charge of the US FBI's Cyber Division Shawn Henry said that US government and businesses face a "significant threat" of cyber attacks from a number of countries around the world. Henry did not name the countries, but suggested that there are about two dozen that have developed cyber attack capabilities with the intent of using those capabilities against the US. The countries are reportedly interested in stealing data from targets in the US. Henry said businesses and government agencies should focus on shoring up their systems' security instead of on the origins of the attacks.

The editors' comments are the following:

(Pescatore): It really doesn't matter where the attacks come from, businesses have been getting hit by sophisticated, financially motivated, targeted attacks for several years now.
(Ullrich): A very wise remark. It doesn't matter who attacks you. The methods used to attack you and the methods used to defend yourself are the same. We spend too much time worrying about geographic origins. In cyberspace, nation states are a legacy concept.


This is the mindset that worries me, even though the FBI AD agrees. It ignores this fact: Vulnerabilities and exploits are mindless. On the other hand, intelligent adversaries are not. Therefore, if you are doing more than defending yourself against opportunistic, puerile attackers, it pays to know your enemy by learning about security threats (as shown on the book cover to the right).

Once your security program has matured to the point where not any old caveman can compromise you, it pays to put yourself in the adversary's place. Who might want to exploit your organization's data? What data would be targeted? How could you defend it? How could you detect failure? When complaining to the government and/or law enforcement, to whom can you attribute the attack? Knowing the enemy helps prioritize what to defend and how to do it.

About the AD telling businesses not to worry about threat sources: he's just quoting official FBI policy. I wrote about this in More Threat Reduction, Not Just Vulnerability Reduction:

Recently I attended a briefing where a computer crimes agent from the FBI made the following point:

Your job is vulnerability reduction. Our job is threat reduction.

In other words, it is beyond the legal or practical capability of most computer crime victims to investigate, prosecute, and incarcerate threats.


Let's briefly address the "In cyberspace, nation states are a legacy concept" comment. We've been hearing this argument for fifteen years or more. Last time I checked, nation states were alive and well and shaping the way cyberspace works. Just this morning I read the following Economist article, Information technology: Clouds and judgment; Computing is about to face a trade-off between sovereignty and efficiency:

The danger is less that the cloud will be a Wild West than that it will be peopled by too many sheriffs scrapping over the rules. Some enforcers are already stirring up trouble, threatening employees of online companies in one jurisdiction to get their employers based in another to fork over incriminating data, for instance. Several governments have passed new laws forcing online firms to retain more data. At some point, cloud providers may find themselves compelled to build data centres in every country where they do business.

Finally, independent actors do not operate intelligence services that target our enterprises; nation states do. I've written about Counterintelligence and the Cyber Threat before. Part of the problem may stem from a distinction Ira Winkler made at RSA 2006, which I noted in my post RSA Conference 2006 Wrap-Up, Part 3:

I highly recommend that those of you who give me grief about "threats" and "vulnerabilities" listen to what Mr. Winkler has to say. First, he distinguishes between those who perform security functions and those who perform counter-intelligence. The two are not the same. Security focuses on vulnerabilities, while counter-intelligence focuses on threats.

Maybe I spend more time on the counterintelligence problem than others, but I can't see how vulnerability-centric security is a good idea -- except for those who sell "countermeasures."

9 comments:

Naveen J P said...

Use Cases, I thought, is a pretty standard way to approach problems these days.
It helps immensely to understand the users of the system while solving problems.
Is it done differently in the vulnerability-world?

Anonymous said...

I think it's a mix. Threats, vulns, countermeasures and asset centricity all play a role. Our job as security pros is to figure out where we get the most cost effective solutions for our customer - the business.

You are right to look at these as separate concerns; each concern yields totally different workstreams, projects and value.

In the past I have argued that Infosec is too focused on Threats and not enough on vulns. People like threats because it is exciting and vulns are boring, but now we see that to just give one example, almost every F500 publishes their entire back end over MQ Series with no access control at all.

I would also add that asset focus is important. If you think about it, assets are the one single advantage you have over most adversaries. They are likely to know far more about threats, vulns and countermeasures than a corporate info sec person does. The one thing that the enterprise is likely to know more about is assets. So I like starting with assets before I preordain the next level of centricity.

Anonymous said...

Richard, I think it might help to simplify the argument a bit.

If you're a left-handed soup sandwich, then the focus should be on vulnerabilities because the likelihood that you'll be compromised by an advanced attack is low.

If your vulnerability management, i.e. KNOWN vulnerability management, is mature, then it's better to focus on the actors capable of launching unknown attacks. At that point it becomes worth it to ask, "Who wants to hurt me? Who can benefit from stealing my data?" Etc.

But having this conversation when you lack the basics is like scooping water out of a boat that's at the bottom of the ocean.

So, yes, there is something to be said for "fix the vulnerability and stop worrying about where a potential exploit might come from", but this mentality ignores the fact that the most dangerous threats are likely attacking vulnerabilities that you aren't yet aware of. As such, it's more effective to think about what they might be after, and about defense-in-depth, than to focus on patching known issues.

Anonymous said...

You hit the nail on the head.

Read http://www.securecomputing.net.au/News/126871,hackers-attack-forensics-tools.aspx

Criminals are increasingly deploying aggressive anti-forensics technology to ensure that prosecution is impossible, according to experts.

Christopher Novak, Principal, Verizon Business, said: “We're increasingly seeing hackers not only attempt to avoid detection, but actually attack forensic investigators.
For example, there are several toolkits out there that actively defeat forensics tools by crashing the system when recognised tools are booted. Anti-forensics techniques are a clear and present danger.”

Overall, anti-forensics techniques such as wiping of data have become a factor in 88 per cent of cases handled by Verizon Business. Additionally, the techniques are becoming more successful, according to Novak, demonstrated by the fact that 63 per cent of businesses are typically taking months rather than days to discover data leaks.

“Investigations are taking longer, due to techniques ranging from simple wiping of data to corrupting, altering or obfuscating log files. We're also seeing increasing interest in and use of encryption and steganography to hide attack tools and secure stolen data from other hackers”, said Novak in his presentation 'Cyber CSI: How Criminals Manipulate Anti-Forensics to Foil the Crime Scene'.

However, Novak was keen to point out that the last year has seen a shift from externalised threats to internal issues due to increased security and awareness. “We often find now that it's a business's partners or third parties that are the source of problems”, he said.

Richard Bejtlich said...

Just a note on anti-forensics vs counter-forensics.

z said...

I read the previous post a little differently. Seems like focusing on threats rather than vulnerabilities also relates to implementing general countermeasures (rather than specific). It seems to me that technology and its implementations are in constant flux, but basic security principles don't change so much. Businesspeople have to evaluate many different risks and have many different priorities. I read your previous post as a problem relating technology details - or specific vulnerabilities - to the wider concerns of the business. So instead of relating technical concerns, you should frame issues in more general terms that decision-makers can understand. Meaning they can relate to the threat of a natural disaster rather than, say, the details of MS08-067 on their network. Hope I didn't misunderstand there, I just got a few different things out of your posts.

I think you've written before that people like to focus on specific technologies, or specific vulnerabilities. Maybe because they can be easily measured and controlled, or tailored to an "elevator speech", or maybe security is still a maturing field. Maybe it has more to do with selling a service or product, or delivering an easily-communicated result. My "takeaway" has been that such thinking takes away from a good security posture. I'm also getting the idea that security is the concern of the whole business, and touches all areas.

- Francois

Marco said...

I completely agree with this approach to managing security, but don't you think that standards like PCI-DSS just focus on the opposite? They are almost based on Vulnerability scans and procedures for continuous monitoring (based on known signatures, exploits, etc). What is your thought about this subject?

Thanks in advance!
Marco

H. Carvey said...

Richard,

A couple of things...

Once your security program has matured to the point...

IMHO, this is key. As a consultant, many of the organizations I deal with are in crisis-mode when we first meet, for the very reason that their security program hasn't matured, or as is often the case, they simply don't have one to speak of.

Djb referenced Chris Novak's comment (above), with respect to, "...demonstrated by the fact that 63 per cent of businesses are typically taking months rather than days to discover data leaks."

How does this happen? A solid infosec program, including a CSIRP and response team, does not generate revenue nor add to the bottom line in a demonstrable manner, and therefore is not a priority. That program needs to start with a solid assessment of where data rests, its state at rest as well as in transit, and a reduction of the overall attack surface.

Unknown said...

I'm wondering if a graph would be useful to illustrate this topic.
(1)
vertical scale: maturity of security stance
horizontal scale: interest in threats

As an organization's security maturity increases, they can become more interested in threats over chasing the vulnerabilities.

(2)
vertical scale: position in organization
horizontal scale: interest in threats

As one's position in an organization moves up the ladder, they likely become more interested in the strategic concerns, such as threats.

Of course, I wouldn't consider this very universal. I'm sure there are very high leaders in an organization who simply never will worry specifically about cybersecurity threats. And if it doesn't happen up top, then I bet it doesn't have much power lower in the org. Admins and middle managers may take threats into account when designing systems and processes, but other than taking a defensive approach, wouldn't be able to do much else in regards to threats; certainly nothing offensive.

(3)
I think you have great points, but I think as others mentioned above, it is a blend of thinking about vulns and threats that results in a solid security stance.

(4)
Lastly, I think reacting to and tracking vulns gives more feedback than focusing on threats. If I have a list of vulns to address, I can mark them off as done or tracked. But if I protect my organization from threat type A, will I ever know that I was successful? It seems like a much more intangible measure. Kinda like a police department comparing # of criminal arrests to # of prevented crimes. This might be why, ultimately, law enforcement is very reactive; it doesn't try to prevent [all] crime so much as deter it and catch those who do it.