Wednesday, June 3, 2009

National Cyber Security Review II

So, as the word count below shows, I read through the 100 documents submitted for the National 60-day Cyber Security Review:

cat pdf.all.txt | wc
11596  327837 2232007

It took me two days - with copious breaks and diversions. The number of federal agencies that responded, that have something to do with cyber security, that have developed cyber security standards, or that assure compliance with those standards is mind-numbing. I hardly know where to start to discuss all the players and their efforts. And actually, I don't think the federal government does either. It was not unusual to read a line like this:

"There are currently several cyber collaboration centers that interact across the Federal Government space to help disseminate information on security threats, including the U.S. Computer Emergency Readiness Team (US-CERT), National Cybersecurity Center, Joint Task Force- Global Network Operations, the National Cyber Investigative Joint Task Force, the Intelligence Community Incident Response Center, the National Security Agency Threat Operations Center, and the Defense Cyber Crime Center. The exact interactions and roles of each, however, remain unclear."

I sensed confusion (even desperation), an overlap of responsibility, a lack of cohesion in the development of cyber strategies, and turf wars. In short, with exceptions, the only items not missing are $$$ and ideas. A lot of roadmaps were proposed and a limited amount of security architecture was described, with some interesting exceptions. I suspect that the outcome of this review will serve President Barack Obama's purposes exactly. We have the talent and the resources to become a cyber secure nation. Turf wars, in-fighting, lack of cohesive strategies and lack of prioritization of threat vectors have fragmented the national approach to cyber security. The 60-day review puts all levels of bureaucrats on watch. What could shake out of this is the predominance of the most brilliant and most resilient of the national cyber warrior agencies for a cohesive national cyber security strategy. How this will happen, I do not know. But based on what I read, I would put a bet on NIST, NSA, DOD and CERT re-organization and leadership in this area. There may need to be increased standards and federal scrutiny of private critical infrastructures.

Occasionally, the documents contained something technically pragmatic and brilliant, such as this comment:

Jeff Brown, CISO, Raytheon Company:

"In today's cyber security environment there is one inescapable truth. There is no way to prevent a determined intruder from getting into a network so long as one allows email and web surfing, and no business today can long survive without these two bedrocks of the information age.

The reasons for this are simple. The vast majority of our Information Assurance architectures rely on patching and configuration control for protection, the consistent application of which has thus far proven elusive over large enterprises. It also relies on signatures for both protection and detection which, by definition, will not stop the first wave of the increasing volume of zero day attacks we are seeing today. Therefore, when you must let the attack vector (an email or a web address) past your perimeter to the desktop, you are virtually guaranteed to have successful penetrations.

Raytheon believes the best way to address this new reality is to recognize that attackers will get into your network and expand our defensive actions to detect, disrupt, and deny attackers' command and control (C2) communications back out to the network. It is an acknowledgement of the fact that there are fewer, or perhaps relatively noisier, ways to get out of a network than to get into it. Such a strategy focuses on identifying the web sites and IP addresses that attackers use to communicate with malicious code already infiltrated onto our computers. While some of these sites are legitimate sites which have been compromised, the majority are usually new domains registered by attackers solely for the purposes of command and control. There is little danger of unintended consequences from blocking these web sites and their associated IP addresses for outbound traffic. Where they are legitimate sites, the benefit of protecting the enterprise far outweighs any inconvenience there might be if an employee needs to legitimately go to that site.

Raytheon has had success with this strategy, but it requires a significant investment, unaffordable to most small and medium size entities and many larger ones.

One of the corollaries of recognizing that networks can always be penetrated is a shift in how we measure ourselves. Measuring ourselves against how many intrusions occur becomes far less interesting. What counts, instead, is the intruder's dwell time in our network, or how long an intruder has had access. It's more important to recognize how successful the penetrations were versus how many penetrations occurred."

So Raytheon is practically solving security with a novel approach - one that doesn't sacrifice utility for security. Based on a recent and comprehensive report from Verizon's business unit, Raytheon may be singular in its success. When we switched phone services to Verizon, I had no idea I would be joining a phone network that boasts an incredibly talented cyber research division. Verizon's 2009 Data Breach Investigations Report (http://www.verizonbusiness.com/products/security/risk/databreach/) is a must read. The report fits with Misha Glenny's (2008, 2009) "McMafia: A Journey Through the Global Criminal Underworld". Verizon found that "91% of all compromised records were attributed to organized criminal groups".

Below are some significant quotes from this report (http://www.verizonbusiness.com/products/security/risk/databreach/):
[/STARTQUOTING]
"2008 will likely be remembered as a tumultuous year for corporations and consumers alike. Fear, uncertainty, and doubt seized global financial markets; corporate giants toppled with alarming regularity; and many who previously lived in abundance found providing for just the essentials to be difficult. Among the headlines of economic woes came reports of some of the largest data breaches in history. These events served as a reminder that, in addition to our markets, the safety and security of our information could not be assumed either.

The 2009 Data Breach Investigations Report (DBIR) covers this chaotic period in history from the viewpoint of our forensic investigators. The 90 confirmed breaches within our 2008 caseload encompass an astounding 285 million compromised records. These records have a compelling story to tell, and the pages of this report are dedicated to relaying it. As with last year, our goal is that the data and analysis presented in this report prove helpful to the planning and security efforts of our readers. Below are a few highlights from the report:
....
Some attackers simply repacked existing malware so as to make its signature undetectable by antivirus software (AV) scanners. Others leveraged existing malicious code, but modified it for additional functionality or tailored it to the victim’s environment. Most common in 2008, however, was malware that had (apparently) been created for the attack(s) entirely from scratch. In a rather sobering statistic, 85 percent of the 285 million records breached in the year were harvested by custom-created malware. It is possible that the code preexisted yet went unrecognized by the experts and tools at ICSA Labs, but this matters little to the overall point. More to the point is that, besides being more capable and better adapted, most malware used for the purpose of compromising data is not detectable by modern AV. Unfortunately, many organizations rely on AV as the primary means of malware prevention and detection. AV is certainly a foundational control, but the continuing evolution of malware leaves security programs built solely upon AV for combating malware unstable at best.
....
On the whole, organizations discovered breaches slightly quicker in 2008. However, lest we confuse "quicker" with "quickly," this statement needs some additional context. Breaches still go undiscovered and uncontained for weeks or months in 75 percent of cases. It is doubtful that any chief security officer anywhere would call this "quick"."
[/ENDQUOTING]
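The Raytheon strategy quoted above (detect and block outbound C2 traffic to attacker-registered domains, and measure intruder dwell time rather than intrusion counts) and the DBIR finding that breaches go uncontained for weeks or months can both be illustrated with a small egress-log analysis. The script below is an added example, not code from Raytheon, Verizon or this post. The blocklist entries, host names and proxy log lines are constructed placeholders: the `.invalid` domains and the 203.0.113.77 documentation address are not real indicators, and the log format (timestamp, source host, destination, proxy action) is assumed.

```python
"""Egress C2 detection and intruder dwell-time measurement over constructed proxy logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed blocklist of attacker-controlled destinations (placeholders, not real IoCs).
C2_BLOCKLIST = {
    "update-check.example-c2.invalid",
    "cdn-stats.example-c2.invalid",
    "203.0.113.77",  # RFC 5737 documentation address, used here as a placeholder C2 IP
}

# Constructed egress proxy log: "<ISO timestamp> <src_host> <destination> <ALLOW|BLOCK>".
# ws-0142 beacons every 30 minutes until its C2 domain is blocked two days later;
# ws-0377 makes one contact and is blocked a day later; ws-0501 is never contained.
PROXY_LOG = """\
2009-05-01T08:02:11 ws-0142 www.example.com ALLOW
2009-05-01T08:02:45 ws-0142 update-check.example-c2.invalid ALLOW
2009-05-01T08:32:47 ws-0142 update-check.example-c2.invalid ALLOW
2009-05-01T09:02:49 ws-0142 update-check.example-c2.invalid ALLOW
2009-05-02T10:15:03 ws-0377 203.0.113.77 ALLOW
2009-05-03T11:00:00 ws-0142 update-check.example-c2.invalid BLOCK
2009-05-03T11:05:00 ws-0377 203.0.113.77 BLOCK
2009-05-03T12:00:00 ws-0501 cdn-stats.example-c2.invalid ALLOW
"""


def parse_log(text):
    """Parse log lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "dest": dest, "action": action})
    return events


def c2_contacts(events, blocklist):
    """Outbound events whose destination is on the C2 blocklist, grouped by source host."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["dest"] in blocklist:
            by_host[ev["host"]].append(ev)
    return by_host


def beaconing_hosts(events, blocklist, min_contacts=3, max_cv=0.2):
    """Hosts whose ALLOWed C2 contacts recur at near-constant intervals.

    Malware calling home on a timer is one of the 'noisier' ways out of a network:
    the coefficient of variation of the inter-contact gaps stays small.
    """
    flagged = []
    for host, evs in c2_contacts(events, blocklist).items():
        times = sorted(e["ts"] for e in evs if e["action"] == "ALLOW")
        if len(times) < min_contacts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            flagged.append(host)
    return sorted(flagged)


def dwell_times(events, blocklist):
    """Per host: seconds from first observed C2 contact to the first BLOCK of that
    host's C2 traffic (containment). None means the host is still uncontained."""
    result = {}
    for host, evs in c2_contacts(events, blocklist).items():
        first = min(e["ts"] for e in evs)
        blocks = [e["ts"] for e in evs if e["action"] == "BLOCK"]
        result[host] = (min(blocks) - first).total_seconds() if blocks else None
    return result


if __name__ == "__main__":
    events = parse_log(PROXY_LOG)
    print("beaconing hosts:", beaconing_hosts(events, C2_BLOCKLIST))
    for host, secs in sorted(dwell_times(events, C2_BLOCKLIST).items()):
        status = "UNCONTAINED" if secs is None else f"{secs / 3600:.1f} h dwell"
        print(f"{host}: {status}")
```

The dwell-time figure is the metric Brown argues for: ws-0142 was contained after roughly 51 hours, ws-0377 after about 25, and ws-0501 has no containment event at all, which is the situation the DBIR describes for three quarters of its cases. Counting "three intrusions" says none of this.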

The report makes clear the general picture of what "cyberwarfare" is today: organized crime systematically plundering financial records for profit without being noticed. A number of current articles confirm this:

http://www.wired.com/threatlevel/2009/04/pins/
http://www.washingtonpost.com/wp-dyn/content/article/2009/04/15/AR2009041501196.html?sid=ST2009041501334

Interesting commentary on Verizon's findings can be found at their blog: http://securityblog.verizonbusiness.com/.

I think I will spend tomorrow and the next day writing code... my capacity for integrating the amount of disparate federal offices concerned with cyber security has reached its limit.
