

If you ask your IT team if your network is secure, hopefully they'll say 'yes'. If you ask a hacker, I'm pretty confident they will say 'no'. Technically, it is the hacker that is right, but a more informative answer is 'somewhere in between'. It's a black and white question with a gray answer.
I minored in physics, and while that didn't turn me into a great physicist, it did teach me a different perspective on the world. If you stick with physics long enough to cover the Heisenberg uncertainty principle you learn that nothing is certain in the universe. The best you can do is a probability that can approach certainty, but you can never quite get all the way there.
Using that perspective, the best answer you can hope for about network security is "probably" or "mostly". The hacker knows that even if you've applied every patch to every system on your network, there are dozens of known exploits that don't have patches available yet. Some of those might have been publicly disclosed, so anyone could take advantage of them. The others might not be publicly disclosed, but that doesn't mean a bad guy somewhere hasn't discovered them independently. That same bad guy might have a dozen more exploits the vendor is unaware of; in that case there isn't even a patch in the works.
Even if network security was a certainty, there are other vectors for exploits. A trojan could come in via email. An employee could bring in an already infected notebook and plug it into the network. The list goes on and on.
Now you might be tempted to throw up your hands at the futility of it all, but that's black and white thinking. You can't eliminate the possibility of a breach, but you can reduce its probability. You can keep your software patched and allow for fewer exploits. You can run an IPS to detect and block exploit attempts. You can enforce policies like blocking web sites, scanning email, and forbidding high-risk protocols to reduce access to alternate vectors.
Since you can't completely eliminate the possibility of a compromised system on your network, here is a scary question: How do you know you don't have a compromised system right now? Ask yourself this - if an exploit did slip into your network, how likely are you to discover it? There was one time when I accidentally deployed an open mail relay on my home network. I discovered it was being used to relay spam because I could see the blinking light at night, indicating network traffic when I knew I wasn't using the network. You'll probably want to use a more sophisticated technique. Here are four areas to consider:
Detection is important because it adds a layer to your defense and because of the way probability works. If there's a 5 percent chance that an exploit can make it into your network and a 5 percent chance that an exploited system will go undetected, then there's only a 0.25 percent chance that someone will manage both feats at the same time. You can't get all the way to zero, but you can make the probability very small.
Detection of compromises is something that's often neglected. Aside from monitoring logs on your systems, you can use honeypots on your network to detect systems attempting to propagate worms, or users probing the network. There are tools available for monitoring for bad behavior from your own systems (I helped build one at my previous job).
Don't forget your data - if you've got a database full of sensitive data, you'll want to make sure that data isn't compromised and doesn't escape out into the wild. You might consider inserting "canaries" into the data. By that, I mean fake entries that can be monitored. For example, if your database contains email addresses, you might insert a few that are otherwise unused and monitor them in case a wayward employee starts selling addresses to spammers.
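As an added example (not code from the original post), here is one way to plant and monitor such canaries: each fake address is derived with an HMAC from a secret and an export id, so a sighting in a spam sample or inbound mail log can be traced back to the copy of the data that leaked. The secret, export ids and sample spam message below are constructed for illustration.

```python
import hmac
import hashlib
import re

# Constructed secret for the example; in practice load it from a secrets store.
CANARY_SECRET = b"rotate-me-example-secret"
CANARY_DOMAIN = "example.com"  # a domain you control, so canary mail lands in your mailbox


def canary_address(export_id: str, n: int) -> str:
    """Derive an unguessable but reproducible fake address for one data export.

    Tagging canaries per export (per vendor, per report, per employee copy)
    means a sighting tells you which copy of the database escaped.
    """
    tag = f"{export_id}:{n}".encode()
    digest = hmac.new(CANARY_SECRET, tag, hashlib.sha256).hexdigest()[:12]
    return f"{digest}@{CANARY_DOMAIN}"


def build_canary_index(export_ids, per_export=3):
    """Map every canary address back to the export it was planted in."""
    return {canary_address(e, i): e for e in export_ids for i in range(per_export)}


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_leaked_exports(observed_text: str, index: dict) -> dict:
    """Scan text (a spam sample, a mail log, a paste) for planted canaries.

    Returns {export_id: [canary addresses seen]} so an analyst learns which
    copy of the data escaped, not just that something did.
    """
    hits = {}
    for addr in set(EMAIL_RE.findall(observed_text)):
        export = index.get(addr.lower())
        if export is not None:
            hits.setdefault(export, []).append(addr)
    return hits


# Constructed sample: a spam message that arrived at the canary mailbox.
INDEX = build_canary_index(["vendor-A", "vendor-B", "internal-report"])
SAMPLE_SPAM = (
    "To: bob@example.org, " + canary_address("vendor-B", 1)
    + ", alice@example.net\nSubject: Cheap pills\n"
)

if __name__ == "__main__":
    print(find_leaked_exports(SAMPLE_SPAM, INDEX))  # -> {'vendor-B': [...]}
```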
Don't stop there; your defense scheme needs to bring things all the way home. Your ultimate goal is not so much network security itself, but to prevent business loss due to a security lapse. You can keep building layers till you cover all aspects, including recovery. What's your recovery plan in the case you detect a compromised system? If you plan to restore from backup, have you verified the backup wasn't already compromised? Does your insurance cover losses due to security lapses?
And finally, whatever your complete solution, do not just set it up and cross your fingers that it will work. You'll need to run simulations so you can see it work under realistic conditions, and make those simulations as realistic as possible, because remember, it's not about black and white. It's about improving your odds.
We talk a lot about security here on the blog, primarily around how to harden cyber infrastructures against attack. In many of those cases we are detailing ways in which you can secure networks, data centers, sensitive data and more. The concept of personal security, however, is something we all think about now, especially when you are inundated with news stories about TSA security measures. It seems like there is a subtle problem with the focus of our security. Terrorists target people. Yet all of the security measures are designed to protect edifices, not people. It's really the obsession of our enemies with doing something "big" that saves us rather than an effective security strategy.
Take for example the restriction that only people actually flying are allowed past security in the airport. What that means is that, rather than having the majority of people around the airport inside a secured area, you now have big concentrations of people who have not gone through security. Taking that further - in the recent incident at Newark Liberty International Airport, where a man walked in through the exit, the result was that everybody was forced to leave the secure area so they could be re-screened. Once the secure area was vacated, great, the airport and planes were protected from the potential terrorist, but now a giant crowd of people was milling around in an unsecured area, along with the potential terrorist.
If I was a terrorist, I'd set up a two-man operation. One guy to go through the exit and force an evacuation and get all the security busy and focused inside, and another guy to drive a truck through the front door into the resulting crowd, and blow it up. Sounds similar to using a DDoS evasion to slip past an IPS, right? Our response, however, protects the planes and the building at the expense of the people. I think it comes from thinking about strategic defense, but the terrorists are not making strategic attacks.
I never complain about something unless I have a positive alternative to offer at the same time, so here is what I think would be a more effective strategy to combat terrorists. To develop an idea, I started thinking what prevented recent terrorist attacks, when the current approach failed.
In theory, there are some secret government programs that have prevented terrorist attacks before they happened, but since they're secret I can't really build anything on those programs. But when Abdulmutallab (the "crotch bomber") tried his plan, he was brought down by passengers, regular people who stepped up and did something. It was the same thing, regular people stepping up, at the tragic expense of their own lives, that prevented Flight 93 from crashing into the White House.
If you step into an airport full of 20,000 people, the odds are very good that at least 19,999 of them are not terrorists, and in fact they are people gladly willing to punch a terrorist in the face under the right circumstances. Rather than treating all 20,000 people as liabilities, what if the airport simply put up a picture from the security camera showing the guy going in through the exit, with an announcement of "If you see this guy, alert security immediately. And watch for unusual behavior on your flights." All of a sudden, you have 19,999 allies, and they can stay in the relatively safe secure area.
There is precedent for a system like this, look at the Amber Alert system. Rather than attempting to corral a state full of people, which would be the TSA approach to a kidnapping, it gets the word out, on the assumption that the vast majority of people would gladly help if they just knew that they needed to lend a hand.
My concept is a "terrorist alertness" certification class you could take. It would involve getting a background check, and being verified against all homeland security lists. Then you would spend a week learning what is suspicious behavior and what to do if you see it occur. You'd end up with a certification card that would allow you to breeze through security when you fly. Rather than relying on a glassy-eyed security guard at the gates (which, by the way, is not a knock on the security guards, it's incredibly hard to stay alert monitoring for a tiny, remote possibility) before the flight, they'd call all the certified people up to the desk to have a quick meeting. They'd show them pictures of all the people on the flight who are on some sort of watch list, seat them nearby, and tell them to stay alert.
Would you feel safer knowing that the people who are watching out for terrorist behavior were sitting in the same plane you are, not on the ground back at the airport? Would you be willing to go through a certification like that if it saved trouble at the security gates? I bet lots of people would. More importantly - do you think potential terrorists might be deterred if they knew this was going on?
I can say with certainty that this would make me feel a lot safer than having my water bottle confiscated at the security check does. This kind of system exists in other areas, and it works. Neighborhood watches are widely known to reduce crime. CPR training means a random person nearby might be able to help when help is needed, and the experts are too far away.
Of course, being a network guy, I can't help but relate this anti-pattern back to the network security world. This same class of mistake is made there, too. People protect the integrity of their network at the expense of the functionality they built it to provide.
Just think about an IPS. Hopefully, you have a high level of confidence that the IPS that secures your network will block an attack, that is the whole point, right? But here is the question: what happens to your good traffic while the attack is underway? Does it still flow? Can you continue to run your business while the attack is prevented, or does the IPS lock things down and get in the way of the good traffic? If you turn on enough filters to secure your network, can the IPS still support the bandwidth you need?
After all, it's not really the network (planes) you're trying to protect, it's the data (people) that flows through it.