Applying Probability to CyberSecurity

If you ask your IT team if your network is secure, hopefully they'll say 'yes'. If you ask a hacker, I'm pretty confident they will say 'no'. Technically, it is the hacker who is right, but a more informative answer is 'somewhere in between'. It's a black and white question with a gray answer.

I minored in physics, and while that didn't turn me into a great physicist, it did teach me a different perspective on the world. If you stick with physics long enough to cover the Heisenberg uncertainty principle, you learn that nothing is certain in the universe. The best you can do is a probability that can approach certainty, but you can never quite get all the way there.

Using that perspective, the best answer you can hope for about network security is "probably" or "mostly". The hacker knows that even if you've applied every patch to every system on your network, there are dozens of known exploits that don't have patches available yet. Some of those might have been publicly disclosed, so anyone could take advantage. The others might not be publicly disclosed, but that doesn't mean a bad guy somewhere hasn't discovered them independently. That same bad guy might have a dozen more exploits that the vendor is unaware of; in that case there isn't even a patch in the works.

Even if network security were a certainty, there are other vectors for exploits. A trojan could come in via email. An employee could bring in an already infected notebook and plug it into the network. The list goes on and on.

Now you might be tempted to throw up your hands at the futility of it all, but that's black and white thinking. You can't eliminate the possibility of a breach, but you can reduce its probability. You can keep your software patched, leaving fewer exploits to work with. You can run an IPS to detect and block exploit attempts. You can enforce policies like blocking web sites, scanning email, and forbidding high-risk protocols to reduce access to alternate vectors.

Since you can't completely eliminate the possibility of a compromised system on your network, here is a scary question: How do you know you don't have a compromised system right now? Ask yourself this - if an exploit did slip into your network, how likely are you to discover it? There was one time when I accidentally deployed an open mail relay on my home network. I discovered it was being used to relay spam because I could see the blinking light at night, indicating network traffic when I knew I wasn't using the network. You'll probably want to use a more sophisticated technique. Here are four areas to consider:

Detection of Attacks

Detection is important because it adds a layer to your defense, and because of the way probability works. If there's a 5 percent chance that an exploit can make it into your network and a 5 percent chance that an exploited system will go undetected, then (treating the two as independent) there's only a 0.25 percent chance that someone will manage both feats at the same time. You can't get all the way to zero, but you can make the probability very small.
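The layered-defense arithmetic above, written out as an added example (this is not code from the original post). It generalizes the two-layer case to any number of layers, reports what each layer buys you, and solves for the detection miss rate you would need to hit a target residual risk. The 5 percent figures are the post's illustrative numbers, not measured data, and the independence of the layers is an assumption the code states rather than proves: if one root cause can defeat two layers at once (an intruder who disables logging, say), the true residual risk is higher than the product.

```python
from math import prod

# Added example, not from the original post. Each layer is
# (name, probability that the layer fails to stop or notice the attacker).
# The 0.05 values are the post's illustrative 5 percent figures.


def residual_risk(failure_probs):
    """Probability that every layer fails at once.

    Assumes the layers fail independently. If one root cause can defeat
    several layers, estimate the conditional miss rate instead of using
    the layer's standalone figure.
    """
    probs = list(failure_probs)
    for p in probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
    return prod(probs) if probs else 1.0


def layer_report(layers):
    """Residual risk if each layer were removed, so you can see what each buys.

    Returns a list of (layer name, residual risk without that layer).
    """
    return [
        (name, residual_risk(p for j, (_, p) in enumerate(layers) if j != i))
        for i, (name, _) in enumerate(layers)
    ]


def required_miss_rate(p_entry, target_residual):
    """Detection miss rate needed so that p_entry * miss <= target_residual.

    A result of 1.0 means the entry layer alone already meets the target.
    """
    if not 0.0 < p_entry <= 1.0:
        raise ValueError(f"entry probability out of range: {p_entry}")
    if target_residual <= 0.0:
        raise ValueError("target residual risk must be positive")
    return min(1.0, target_residual / p_entry)


if __name__ == "__main__":
    layers = [
        ("exploit gets past patching and IPS", 0.05),
        ("compromised host goes undetected", 0.05),
    ]
    print(f"two layers: {residual_risk(p for _, p in layers):.4%}")

    # Adding a honeypot that catches half of all internal probing
    # (a constructed figure) halves the residual risk again.
    layers.append(("honeypot never triggers", 0.5))
    print(f"three layers: {residual_risk(p for _, p in layers):.4%}")
    for name, without in layer_report(layers):
        print(f"  without '{name}': {without:.4%}")

    # To get from 0.25% down to 0.1% with the same 5% entry rate,
    # detection may miss at most 2% of compromises.
    print(f"miss rate needed: {required_miss_rate(0.05, 0.001):.0%}")
```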

Detection of compromises is something that's often neglected. Aside from monitoring logs on your systems, you can use honeypots on your network to detect systems attempting to propagate worms, or users probing the network. There are tools available for monitoring for bad behavior from your own systems (I helped build one at my previous job).

Protecting and Monitoring the Data

Don't forget your data - if you've got a database full of sensitive data, you'll want to make sure that data isn't compromised and doesn't escape out into the wild. You might consider inserting "canaries" into the data. By that, I mean fake entries that can be monitored. For example, if your database contains email addresses, you might insert a few that are otherwise unused and monitor them in case a wayward employee starts selling addresses to spammers.
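A small implementation of the canary idea described above, added here as an example (it is not code from the original post). It generates unguessable addresses, mixes them into a user table so a dump cannot tell them apart, and then looks for them in two places where they should never appear: the mail server log, where any delivery to a canary means the list is circulating, and an exported file that claims to be something else. The domain, the user rows and the Postfix-style log lines are all constructed for illustration; the `to=<addr>` pattern matches Postfix's delivery lines and should be adjusted for other MTAs.

```python
import re
import secrets

# Added example, not from the original post. CANARY_DOMAIN is a placeholder;
# use a domain whose mailboxes you control so deliveries reach you.
CANARY_DOMAIN = "example.com"


def make_canaries(count, domain=CANARY_DOMAIN):
    """Create unguessable, otherwise unused addresses to seed into the data."""
    return {f"{secrets.token_hex(6)}@{domain}" for _ in range(count)}


def seed_canaries(records, canaries):
    """Return a copy of the user table with canary rows mixed in.

    Canary rows look like ordinary rows so an exported copy can't tell
    them apart; the real table of canaries is kept separately.
    """
    seeded = list(records)
    for addr in sorted(canaries):
        seeded.append({"name": "Service Account", "email": addr})
    return seeded


# Postfix-style 'to=<addr>' field in delivery log lines (constructed sample
# lines below); adjust the pattern to your MTA's log format.
_TO_RE = re.compile(r"to=<([^>]+)>")


def canary_mail_hits(log_lines, canaries):
    """(line number, address) for every delivery to a canary address.

    Nobody legitimate sends to these, so any hit means the address list
    has leaked and is being used.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        for addr in _TO_RE.findall(line):
            if addr.lower() in canaries:
                hits.append((n, addr.lower()))
    return hits


def canaries_in_export(rows, canaries, field="email"):
    """Canaries found in a file that should not contain them (a 'marketing
    list' attachment, a spreadsheet on a share): evidence the protected
    table was copied. Returns the matching addresses, sorted."""
    found = set()
    for row in rows:
        addr = str(row.get(field, "")).lower()
        if addr in canaries:
            found.add(addr)
    return sorted(found)


# Constructed sample data for a stand-alone run.
CANARIES = {"3f9a1c7b0d2e@example.com", "a81b44c09e77@example.com"}
MAIL_LOG = [
    "Jan 10 03:12:44 mx postfix/smtp[2210]: 4B2F1: to=<alice@example.org>, "
    "relay=mail.example.org[192.0.2.10]:25, status=sent (250 OK)",
    "Jan 10 03:12:51 mx postfix/local[2212]: 4B2F2: to=<3f9a1c7b0d2e@example.com>, "
    "relay=local, status=sent (delivered to mailbox)",
    "Jan 10 03:13:02 mx postfix/smtp[2211]: 4B2F3: to=<bob@example.net>, "
    "relay=mail.example.net[198.51.100.7]:25, status=bounced",
]

if __name__ == "__main__":
    users = [{"name": "Alice", "email": "alice@example.org"}]
    print(seed_canaries(users, CANARIES))
    print("mail hits:", canary_mail_hits(MAIL_LOG, CANARIES))
    leaked_file = [{"email": "x@example.org"}, {"email": "A81B44C09E77@example.com"}]
    print("canaries in export:", canaries_in_export(leaked_file, CANARIES))
```

Store the canary table somewhere the people with access to the real data cannot see it, and alert on hits rather than just logging them; a canary that nobody watches is just another row.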

Recovery Plans

Don't stop there: your defense scheme needs to bring things all the way home. Your ultimate goal is not so much network security itself, but to prevent business loss due to a security lapse. You can keep building layers until you cover all aspects, including recovery. What's your recovery plan in case you detect a compromised system? If you plan to restore from backup, have you verified the backup wasn't already compromised? Does your insurance cover losses due to security lapses?

Cyber Simulation

And finally, whatever your complete solution, do not just set it up and cross your fingers that it will work. You'll need to run simulations so you can see it work under realistic conditions. Make those simulations as realistic as possible, because remember, it's not about black and white. It's about improving your odds.

Subscribe to BreakingPoint Labs blog by email:

Type in your email, hit submit and quickly verify your address.