Sunday, May 30, 2010

Digital Security Is Not Just an Engineering Problem

Recently I participated in a small meeting involving a cross-section of people interested in digital security and public policy. During the meeting one of the participants voiced the often-repeated but, in my opinion, misguided notion that the primary problem with digital security is "design." In other words, "the Internet was not designed to be secure." The argument goes that if the Internet was not designed to be secure, all applications are "built on a foundation of sand" and therefore can never be "secure."

This is a typical "engineering" mentality applied to digital security. I do not agree with it. You might think it's because I'm not a "professional engineer." Strangely enough, at USAFA I took classes in chemistry, physics (two courses), math (calc III and diff eq), thermodynamics, and five pure engineering courses (electrical, mechanical, civil, aeronautical, astronautical) plus the dreaded Academy "capstone" course -- all of which would qualify me for a minor in engineering at a "normal" college. Still, I do not think digital security is an engineering problem.

My opinion does not mean that engineering has no role. On the contrary, good engineering helps reduce vulnerabilities and exposures. Unfortunately, that focus only affects part of the risk equation. Focusing only on engineering completely ignores the threat, which in my judgement is the biggest problem with digital security today.

You know what prompted me to write this post? It was Security Engineering Is Not The Solution to Targeted Attacks by Charles Smutz, a professional software developer who creates custom security tools for a large defense contractor. Charles wrote:

[B]laming security engineering for the impact of targeted attacks is [a] herring as red as they come. A world where security engineering actually tried to solve highly targeted and determined attackers would not be a fun place in which to live. In absence of other solutions, an intelligence driven incident response model is your best bet.

You know I agree with that.

Charles wrote his post to refute Security engineering: broken promises by Michal Zalewski. Michal is a really smart security researcher but I agree with Charles that Michal has also fallen for the "security as design problem" mentality.

If you want to know what I think works, please consult my 2007 post Threat Deterrence, Mitigation, and Elimination.

7 comments:

H. Carvey said...

Richard,

Great post. It's things like this that bear repeating.

Unfortunately, what it doesn't result in is that intelligence driven incident response model.

HypedUpCat said...

Rich,
I concur with your idea that all security is not (and cannot feasibly be) built into a version 1 or original engineering foundation. The idea that we only had one chance to make the Internet secure is ludicrous.
Security can be added afterwards or in the next version, as we learn and innovate. How did another engineer come up with a car security add-on called the seat belt or IPv6 (which though not perfect has additional security capabilities)?
We learn, we adapt (both for good and bad) and eventually we improve.

Kris said...

doesn't it always just come down to a conjunction of time, opportunity & motivation?
good old: http://en.wikipedia.org/wiki/Routine_activity_theory

Anonymous said...

"Focusing only on engineering completely ignores the threat, which in my judgement is the biggest problem with digital security today."

If infosec practitioners like me are focused on vulnerabilities (whether in products, people, or processes), it's because we can do very little about the threat. I have zero diplomatic, military, legal, or financial influence over potential attackers. Unlike the real world, where I'm allowed to use lethal force to defend myself, I can't even hack back. So I ask in all sincerity, what can I do other than reduce my vulnerability to security threats through the careful engineering, operation, and monitoring of my information systems?

emily said...

One of the issues is that most organizations, those that employ your typical infosec department model, have your policy side and your engineering side. There's not one section in there for intelligence and threat coordination. The policy folks will look to the engineers and say, "why can't your tools detect/prevent/remediate the problem" - and the engineering folks will retort, "why are your policies so weak and not enforced". So long as that back and forth goes on without some matrixing and adapting to the environment, nothing will advance.

I can easily say that, if we had the time and the manpower, I'd have started an intelligence analysis group... outside the console watching IR/IH and forensics and the standard engineering. I would have fed that info back into those groups, but also used it to inform the policy makers and make sure that those adapted policies were addressed and enforced. However, corporate, and now I can say it, civilian USG security hasn't advanced to that stage... it's going to require an evolution beyond regulations (FISMA, SOX, GLBA), and beyond the current tools (SIEM, AV, DLP, etc.). It just needs the right primeval goop to get started.

Richard Bejtlich said...

Anonymous,

I agree with your statement, at least for now. It's important to recognize our limitations but not accept them. I discuss options for "active defense" whenever I can these days. I even talked to a group of engineers in my company last month, and they wanted to know why we weren't fighting back!

Dave Funk said...

To Anonymous,

I'm more of a glass is half-full guy. If you are monitoring, you are regularly catching bad guys trying to mess with your network. If you are in the government, US CERT (or CIRT or whatever) is providing you data on bad guys. Whether you are in the government or not, Symantec and other service providers are getting that data and are including it in their managed monitoring services. All of this is intelligence driven data that can or should be part of your network protection. It is not insignificant data. We catch more malware from our own and Symantec black lists than from our anti-malware programs. We'd all like to fight back, and a couple of people have/are.
As for the National Security Strategy, the glass ain't half-full. If it is an 8 oz. glass it is missing about 3.9 oz. to get to the half way mark. More and more in the government are figuring this out. Unfortunately they are getting no help from the administration (this or last), OMB, Congress, or NIST. Just remember, there is too frequently an inverse relationship between FISMA score and computer security readiness.