BreakingPoint Labs

Applying Probability to CyberSecurity

If you ask your IT team if your network is secure, hopefully they'll say 'yes'. If you ask a hacker, I'm pretty confident they will say 'no'. Technically, it is the hacker that is right, but a more informative answer is 'somewhere in between'. It's a black and white question with a gray answer.

I minored in physics, and while that didn't turn me into a great physicist, it did teach me a different perspective on the world. If you stick with physics long enough to cover the Heisenberg uncertainty principle you learn that nothing is certain in the universe. The best you can do is a probability that can approach certainty, but you can never quite get all the way there.

Using that perspective, the best answer you can hope for about network security is "probably" or "mostly". The hacker knows that even if you've applied every patch to every system on your network, there are dozens of known exploits that don't have patches available yet. Some of those might have been publicly disclosed, so anyone could take advantage of them. The others might not be publicly disclosed, but that doesn't mean a bad guy somewhere hasn't discovered them independently. That same bad guy might have a dozen more exploits that the vendor is unaware of; in that case there isn't even a patch in the works.

Even if network security was a certainty, there are other vectors for exploits. A trojan could come in via email. An employee could bring in an already infected notebook and plug it into the network. The list goes on and on.

Now you might be tempted to throw up your hands at the futility of it all, but that's black and white thinking. You can't eliminate the possibility of a breach, but you can reduce its probability. You can keep your software patched and allow for fewer exploits. You can run an IPS to detect and block exploit attempts. You can enforce policies like blocking web sites, scanning email, and forbidding high-risk protocols to reduce access to alternate vectors.

Since you can't completely eliminate the possibility of a compromised system on your network, here is a scary question: How do you know you don't have a compromised system right now? Ask yourself this - if an exploit did slip into your network, how likely are you to discover it? There was one time when I accidentally deployed an open mail relay on my home network. I discovered it was being used to relay spam because I could see the blinking light at night, indicating network traffic when I knew I wasn't using the network. You'll probably want to use a more sophisticated technique. Here are four areas to consider:

Detection of Attacks

Detection is important because it builds a layered defense, and because of the way probability works. If there's a 5 percent chance that an exploit can make it into your network and a 5 percent chance that an exploited system will go undetected, then there's only a 0.25 percent chance that someone will manage both feats at the same time. You can't get all the way to zero, but you can make the probability very small.
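The compounding described above, written out as an added worked equation (this is not part of the original post, and the symbols are mine). With $p_1$ the probability that an exploit gets in and $p_2$ the probability that the compromise then goes undetected:

$$P(\text{in} \cap \text{undetected}) = P(\text{in}) \cdot P(\text{undetected} \mid \text{in}) = p_1 \, p_2 = 0.05 \times 0.05 = 0.0025$$

With $n$ layers that each fail independently with probability $p_i$, the chance that every layer fails is the product:

$$P(\text{all layers fail}) = \prod_{i=1}^{n} p_i$$

The product form only holds when the layers fail independently, that is, when $P(\text{undetected} \mid \text{in}) = P(\text{undetected})$. If one root cause defeats several layers at once (for example, the same neglected host is both unpatched and not forwarding its logs), then $P(\text{undetected} \mid \text{in}) > P(\text{undetected})$ and the product understates the real risk. The practical check is to ask, for each pair of layers, what single failure would take out both.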

Detection of compromises is something that's often neglected. Aside from monitoring logs on your systems, you can use honeypots on your network to detect systems attempting to propagate worms, or users probing the network. There are tools available for monitoring for bad behavior from your own systems (I helped build one at my previous job).

Protecting and Monitoring the Data

Don't forget your data - if you've got a database full of sensitive data, you'll want to make sure that data isn't compromised and doesn't escape out into the wild. You might consider inserting "canaries" into the data. By that, I mean fake entries that can be monitored. For example, if your database contains email addresses, you might insert a few that are otherwise unused and monitor them in case a wayward employee starts selling addresses to spammers.
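The canary idea above, as an added example that is not code from the original post: a few fake e-mail addresses are planted in a customer table, a registry of them is kept outside that table, and the mail gateway's log is scanned for any delivery addressed to one of them. The customer rows, the log format (`RCPT TO:<addr> ... from=ip`) and the domain `canary.example.net` are all constructed for the example; the real log format would be whatever your gateway writes.

```python
import re
import secrets
from collections import Counter

# Assumed: an otherwise-unused domain you control, so any mail addressed to it
# can only come from someone who obtained the address from your data.
CANARY_DOMAIN = "canary.example.net"

# Constructed sample table; the real one would be your customer database.
CUSTOMERS = [
    {"id": 1, "email": "alice@example.com"},
    {"id": 2, "email": "bob@example.com"},
    {"id": 3, "email": "carol@example.com"},
]


def plant_canaries(records, table_name, count):
    """Append `count` fake-but-plausible rows and return a registry of them.

    The registry (address -> table it was planted in) is what the monitor
    consults. Keep it outside the database it describes; anyone who dumps
    the table must not be able to tell the canaries from real rows.
    """
    registry = {}
    next_id = max((r["id"] for r in records), default=0) + 1
    for i in range(count):
        addr = f"u{secrets.token_hex(4)}@{CANARY_DOMAIN}"
        records.append({"id": next_id + i, "email": addr})
        registry[addr] = table_name
    return registry


# Assumed gateway log shape: "... RCPT TO:<address> ... from=<sender ip>"
RCPT_RE = re.compile(r"RCPT TO:<([^>]+)>.*?from=(\S+)")


def check_mail_log(log_text, registry):
    """Return (canary, table, sender) for every delivery aimed at a canary.

    Nothing legitimate ever sends to these addresses, so a single hit is
    already a strong signal that the table they came from has leaked.
    """
    hits = []
    for line in log_text.splitlines():
        m = RCPT_RE.search(line)
        if not m:
            continue
        rcpt, sender = m.group(1).lower(), m.group(2)
        if rcpt in registry:
            hits.append((rcpt, registry[rcpt], sender))
    return hits


def summarize(hits):
    """Count hits per planted table, which tells you which data set leaked."""
    return Counter(table for _, table, _ in hits)


if __name__ == "__main__":
    reg = plant_canaries(CUSTOMERS, "customers", 3)
    leaked = next(iter(reg))
    # Constructed log: one ordinary delivery, then a spam run hitting a canary.
    log = (
        "2010-01-20T02:14:07 RCPT TO:<alice@example.com> from=198.51.100.7\n"
        f"2010-01-20T02:14:09 RCPT TO:<{leaked}> from=203.0.113.44\n"
    )
    hits = check_mail_log(log, reg)
    for hit in hits:
        print("canary hit:", hit)
    print(summarize(hits))
```

Planting a different set of canaries per table (or per export, per partner, per backup copy) is what makes the summary useful: the address that turns up in spam tells you which copy of the data walked out the door.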

Recovery Plans

Don't stop there, your defense scheme needs to bring things all the way home. Your ultimate goal is not so much network security itself, but to prevent business loss due to a security lapse. You can keep building layers till you cover all aspects, including recovery. What's your recovery plan in the case you detect a compromised system? If you plan to restore from backup, have you verified the backup wasn't already compromised? Does your insurance cover losses due to security lapses?

Cyber Simulation

And finally, whatever your complete solution, do not just set it up and cross your fingers that it will work. You'll need to run simulations so you can see it work under realistic conditions. Now don't forget to run simulations that are as realistic as possible, because remember, it's not about black and white. It's about improving your odds.

0 comments
Tags: blog post // cyber warfare //

Upcoming Cyber Security Events

Tomorrow begins a mad rush of cyber security events throughout the country. BreakingPoint will have people at several shows over the next month, and in most cases we will be providing on-site cyber security simulation demonstrations. In case you are attending one of these shows or simply live in the area and want to meet up, give us a shout here or on Twitter. I've listed some of the upcoming events below:


DoD Cyber Crime Conference
January 25-27, 2010  |  St. Louis, MO

BreakingPoint will be exhibiting in booth #404 at the Cyber Crime Conference. The conference focuses on all aspects of computer crime and incident response: intrusion investigations, cyber crime law, information assurance, as well as research, development, testing, and evaluation of digital forensic tools.



Netcentric Warfare
January 25-27, 2010  |  Arlington, VA

BreakingPoint will be exhibiting at IDGA's NCW event. It is the world's largest and most respected event focused on network-enabled operations, and the premier forum for the exchange of plans and best practices on net-centric innovation.



Cyber Warfare
January 27-28, 2010  |  London, UK

BreakingPoint will be exhibiting and speaking at this conference. Stay tuned for more details on the presentation.



AFCEA West 2010
February 2-4, 2010  |  San Diego, CA

BreakingPoint will be exhibiting in booth #2006 at the AFCEA West conference. West is the largest event on the West Coast for communications, electronics, intelligence, information systems, imaging, military weapon systems, aviation, and more.



USEUCOM Intelligence Summit
February 15-17, 2010  |  Heidelberg, Germany

BreakingPoint is an exhibitor at USEUCOM. The Summit will bring together US and European mission partner capability planners, program managers, intelligence producers, end-users, and subject matter experts from government, military, law enforcement, academia, private sector, and leading edge technology organizations.



NANOG
February 21-24, 2010  |  Austin, TX

BreakingPoint is the Monday Afternoon Break Sponsor at NANOG.


0 comments
Tags: blog post // cyber warfare //

Google Leaving China After Cyber Attack?

News just came out about Google contemplating packing up and leaving China altogether due to recent cyber attacks. In a blog post on their site, "A new approach to China", Google states that back in mid-December they detected a "highly sophisticated and targeted attack on our corporate infrastructure originating from China" and that the attack resulted in "the theft of intellectual property from Google."

The blog post dives into more specifics that Google uncovered about the attacks:

"First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.

Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists..."

The blog post goes on to describe how Google also has evidence that Gmail accounts of human rights activists inside and outside of China have been accessed routinely by third parties. Notably, though, Google has already used the information they have gained from these attacks to "...make infrastructure and architectural improvements that enhance security for Google and for our users."

This last part, of course, hit home with what we talk about here on this blog. Real-world simulation of cyber attacks is one of the most important tools in finding the weak spots in your cyber infrastructure. Obviously this is only the beginning of this story and we will be keeping track of and commenting on the news as it continues.

0 comments
Tags: blog post // cyber warfare // cloud computing and virtualization //

The Difficulty of Protecting People

We talk a lot about security here on the blog, primarily around how to harden cyber infrastructures against attack. In many of those cases we are detailing ways in which you can secure networks, data centers, sensitive data and more. The concept of personal security, however, is something we all think about now, especially when you are inundated with news stories about TSA security measures. It seems like there is a subtle problem with the focus of our security. Terrorists target people. Yet all of the security measures are designed to protect edifices, not people. It's really the obsession of our enemies with doing something "big" that saves us rather than an effective security strategy.

Take for example the restriction that only people actually flying are allowed past security in the airport. What that means is that, rather than having the majority of people around the airport inside a secured area, you now have big concentrations of people who have not gone through security. Taking that further: in the recent incident at Newark Liberty International Airport, where a man walked in through the exit, the result was that everybody was forced to leave the secure area so they could be re-screened. Once the secure area was vacated, great, the airport and planes were protected from the potential terrorist, but now a giant crowd of people was milling around in an unsecured area, along with the potential terrorist.

If I was a terrorist, I'd set up a two-man operation. One guy to go through the exit and force an evacuation and get all the security busy and focused inside, and another guy to drive a truck through the front door into the resulting crowd, and blow it up. Sounds similar to using a DDoS evasion to slip past an IPS, right? Our response, however, protects the planes and the building at the expense of the people. I think it comes from thinking about strategic defense, but the terrorists are not making strategic attacks.

I never complain about something unless I have a positive alternative to offer at the same time, so here is what I think would be a more effective strategy to combat terrorists. To develop an idea, I started thinking about what prevented recent terrorist attacks when the current approach failed.

In theory, there are some secret government programs that have prevented terrorist attacks before they happened, but since they're secret I can't really build anything on those programs. But when Abdulmutallab (the "crotch bomber") tried his plan, he was brought down by passengers, regular people who stepped up and did something. It was the same thing, regular people stepping up, at the tragic expense of their own lives, that prevented Flight 93 from crashing into the White House.

If you step into an airport full of 20,000 people, the odds are very good that at least 19,999 of them are not terrorists and in fact are people gladly willing to punch a terrorist in the face under the right circumstances. Rather than treating all 20,000 people as liabilities, what if they simply put up a picture from the security camera showing the guy going in through the exit, with an announcement of "If you see this guy, alert security immediately. And watch for unusual behavior on your flights." All of a sudden, you have 19,999 allies and they can stay in the relatively safe secure area.

There is precedent for a system like this: look at the Amber Alert system. Rather than attempting to corral a state full of people, which would be the TSA approach to a kidnapping, it gets the word out, on the assumption that the vast majority of people would gladly help if they just knew that they needed to lend a hand.

My concept is a "terrorist alertness" certification class you could take. It would involve getting a background check, and being verified against all homeland security lists. Then you would spend a week learning what is suspicious behavior and what to do if you see it occur. You'd end up with a certification card that would allow you to breeze through security when you fly. Rather than relying on a glassy-eyed security guard at the gates (which, by the way, is not a knock on the security guards, it's incredibly hard to stay alert monitoring for a tiny, remote possibility) before the flight, they'd call all the certified people up to the desk to have a quick meeting. They'd show them pictures of all the people on the flight who are on some sort of watch list, seat them nearby, and tell them to stay alert.

Would you feel safer knowing that the people who are watching out for terrorist behavior were sitting in the same plane you are, not on the ground back at the airport? Would you be willing to go through a certification like that if it saved trouble at the security gates? I bet lots of people would. More importantly - do you think potential terrorists might be deterred if they knew this was going on?

I can say with certainty that this would make me feel a lot safer than having my water bottle confiscated at the security check does. This kind of system exists in other areas, and it works. Neighborhood watches are widely known to reduce crime. CPR training means a random person nearby might be able to help when help is needed, and the experts are too far away.

Of course, being a network guy, I can't help but relate this anti-pattern back to the network security world. This same class of mistake is made there, too. People protect the integrity of their network at the expense of the functionality they built it to provide.

Just think about an IPS. Hopefully, you have a high level of confidence that the IPS that secures your network will block an attack; that is the whole point, right? But here is the question: what happens to your good traffic while the attack is underway? Does it still flow? Can you continue to run your business while the attack is prevented, or does the IPS lock things down and get in the way of the good traffic? If you turn on enough filters to secure your network, can the IPS still support the bandwidth you need?
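One way to answer those questions with numbers rather than a feeling, as an added example that is not code from the original post or from any BreakingPoint product: replay a mix of known-good and known-bad traffic through the IPS, record each flow's verdict alongside the label the test harness gave it, and compute three things from that record: what fraction of attacks were blocked, what fraction of legitimate flows were wrongly blocked, and how much legitimate data got through per second while the attack was underway compared with the quiet seconds. The log format (`t=... verdict=... truth=... bytes=...`) and the nine sample flows are constructed for the example.

```python
from collections import defaultdict

# Constructed IPS decision log (not from any real device), one line per flow:
# second of the run, the IPS verdict, the harness's ground-truth label, bytes.
SAMPLE_LOG = """\
t=0 verdict=allow truth=legit bytes=12000
t=0 verdict=allow truth=legit bytes=8000
t=1 verdict=block truth=attack bytes=500
t=1 verdict=allow truth=legit bytes=9000
t=1 verdict=block truth=legit bytes=7000
t=2 verdict=block truth=attack bytes=400
t=2 verdict=allow truth=attack bytes=600
t=2 verdict=allow truth=legit bytes=3000
t=3 verdict=allow truth=legit bytes=11000
"""


def parse(log_text):
    """Turn key=value log lines into dicts with typed fields."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        rows.append({
            "t": int(fields["t"]),
            "verdict": fields["verdict"],
            "truth": fields["truth"],
            "bytes": int(fields["bytes"]),
        })
    return rows


def score(rows):
    """Fraction of attacks blocked and fraction of legitimate flows blocked.

    The second number is the false-positive rate: every legitimate flow the
    IPS drops is business the device cost you while 'protecting' you.
    """
    counts = defaultdict(int)
    for r in rows:
        counts[(r["truth"], r["verdict"])] += 1
    attacks = counts[("attack", "block")] + counts[("attack", "allow")]
    legit = counts[("legit", "allow")] + counts[("legit", "block")]
    return {
        "attacks_blocked": counts[("attack", "block")] / attacks if attacks else None,
        "legit_blocked": counts[("legit", "block")] / legit if legit else None,
    }


def goodput_by_second(rows):
    """Legitimate bytes that actually got through, per second of the run,
    plus the set of seconds in which attack traffic was present."""
    goodput = defaultdict(int)
    attack_seconds = set()
    for r in rows:
        if r["truth"] == "attack":
            attack_seconds.add(r["t"])
        elif r["verdict"] == "allow":
            goodput[r["t"]] += r["bytes"]
    return dict(goodput), attack_seconds


def goodput_under_attack(rows):
    """Mean legitimate goodput during attack seconds divided by the mean
    during quiet seconds. 1.0 means the attack did not slow good traffic;
    well below 1.0 means the IPS is getting in the way while it is busy."""
    per_sec, attack_secs = goodput_by_second(rows)
    all_secs = {r["t"] for r in rows}
    quiet = [per_sec.get(t, 0) for t in all_secs - attack_secs]
    busy = [per_sec.get(t, 0) for t in attack_secs]
    if not quiet or not busy:
        return None
    mean = lambda xs: sum(xs) / len(xs)
    return mean(busy) / mean(quiet)


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print(score(rows))
    print("goodput ratio under attack:", round(goodput_under_attack(rows), 3))
```

On the constructed sample the IPS blocks two of three attacks, blocks one of six legitimate flows, and legitimate goodput during the attack seconds is under 40 percent of the quiet-second goodput. Those three numbers together answer the post's question; the first one alone does not. Rerun the same replay with the filter set you actually intend to deploy, since adding filters is what changes the last two numbers.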

After all, it's not really the network (planes) you're trying to protect, it's the data (people) that flows through it.

2 comments
Tags: blog post // cyber warfare // ids ips //
