December 2016

Internet Security Isn't a Battle: It's a Health Crisis

Andra Zaharia invited me to share my thoughts in her recent Heimdal Security blog post, Is Internet Security A Losing Battle? Please read the thoughts of the other 30+ experts at Andra's blog. Here, I've complemented what I shared with Andra with some additional thoughts.

To answer Andra's question directly: any battle you fight on your enemy's terms, with indefensible assets or limited offensive capabilities, and where your enemy's risk and cost of attack are small, is arguably a losing battle. However, I'm not certain that warfare remains the right analog for Internet security today.

I'm convinced that it's wrong.

I say this because many of the military analogs we have used - firewalls, bastion hosts, secure perimeters, trip wires, challenge-response authentication, countermeasures - haven't been as successful when applied to computing or network security as medical analogs have. Virology, for example, remains one of the most easily understood analogs: most people are familiar with terms like virus, infection, inoculation, and quarantine and appreciate how they apply to Internet-connected devices. Gradually, terms like resiliency, patching, and triage are becoming useful analogs as well. Healing and maintaining human beings and the ecosystem in which they live are more familiar and comforting than military concepts. They are also more proactive analogs than the "bubble boy" approach that military analogs suggest, where the patient is isolated rather than made healthy.

With this suggestion in mind, let's look at the Internet ecosystem health today:

  • The devices and software that comprise the Internet are organisms that are not perfectly healthy from the moment they're installed. Not only are the devices and software individual organisms, but they are easily and adversely affected by the other organisms they interact with in a larger organism, the Internet itself.
  • Device or software immune systems are weak (e.g., poorly designed or lacking secure code review) or non-existent (shipped with no holistic security consideration whatsoever). These immune systems are further weakened by poor hygiene (e.g., lax administration, default configurations, lax or ignored patch management).
  • The devices or software are often delivered prematurely, i.e., shipped before "maturity" testing or secure code review. We acknowledge this year after year, yet we persist in imagining that perpetual incubation or health monitoring and triage (secure perimeters, firewalls, IDS/IPS) will suffice. Moreover, these systems are themselves fragile: the same hardware, software, or administrative fragility exists among the monitoring and protection systems as among the systems they protect. An uncomfortable truth follows from this observation:
  • The incentives to provide healthy systems compete or conflict with the current Internet market economy. Device manufacturers and software developers are largely business entities in pursuit of financial rewards. They are largely unregulated. They are not obliged to consider health or safety in the manufacture of their devices or software. They generally do not warrant or assume liability for their products. Perhaps equally importantly, they weigh the costs of providing safe or resilient products against the benefits such investments might offer and conclude that these investments would not increase market share, or that they would lose market share to competitors with cheaper albeit less safe or resilient products.
  • The people who use devices and software are not care providers, nor did they expect to be when they acquired those devices. They are in large part ignorant of, or in denial about, this fragility and the very real threat it poses to their own health (financial harm, loss of privacy, etc.). They are also addicted to the extent that they would not sacrifice the advantages the Internet offers, perhaps irrespective of the degree of risk.
  • The people who use devices and software are as neglectful of their Internet health as they are of their personal health. I trust this is obvious.

The biggest challenge with Internet health is that the organisms change at a far faster rate than the human body. New Internet organisms appear hourly (apps, networks, IoT devices). There is common DNA, or a common genome, among these, but that is in fact part of the problem! We re-use or adapt what is problematically unhealthy (the same flawed libraries, protocols and default configurations) in each generation of new organisms. We are effectively nurturing an unhealthy ecosystem and, in tandem, nurturing an Internet that is very susceptible to infectious disease.

We need to build systems that collect and analyze Internet health data. We are in the process of defining health indicators for Internet identifiers (domain names and addresses) at ICANN. Our goal is first to identify diseases, then to define metrics, and only after that to collect, measure and analyze the data needed to derive those metrics. In a second stage, we can examine the metrics to see what we can learn from this study. We believe that other Internet subsystems (operating systems, clouds, provider networks) could implement similar projects. The cumulative findings might help us identify "diseases", flaws in system hygiene, or ways to improve health.

If you are interested, you can join the ITHI (Identifier Technology Health Indicators) initiative at ICANN (http://www.icann.org/ithi). There is also an open public comment period on the definition of identifier diseases that will end on January 9th 2017. You can submit your comments at https://www.icann.org/public-comments/ithi-definition-2016-11-29-en.

We need to pause and thoughtfully design "healthy" devices and software. We need to identify the diseases and other illnesses that adversely affect them if we expect to develop the means to immunize against them and establish appropriate hygiene. This is hard work. Expensive work. It flies in the face of conventional Internet drivers. It's more likely that we'll continue along the conventional path until some apocalyptic event forces change.


Is this a hack... or an attack?

This post originally appeared at ICANN blog on 15 Sep 2015.

Nearly every day, news stories or tweets reveal another "cyber attack" against a well-known brand, bank or government agency; such reports are commonplace today. These attacks are almost always characterized as sophisticated hacking schemes. Some are described as acts of hacktivism. In an effort to characterize certain attacks as the most sophisticated ever, one enthusiastic Wikipedia contributor uses the phrase "advanced targeted computer hacking attack". However, the reality is that a cyber attack doesn't necessarily involve hacking, and a great many hacks have nothing to do with attacks.

What is a Hack?

The term "hack" was originally used to describe a cleverly written or "coded" piece of software. Often, software of this kind solved an immediate and thorny problem quickly and efficiently. For example, in the early days of computing, memory was a precious resource, so the developer of a piece of software that made remarkably efficient use of memory might have been complimented on having hacked a great bit of software, and he may have been acknowledged as a terrific hacker. The "hacker" label was a sign of respect. Unfortunately, hacking is now more often associated with cyber attacks, cyber espionage or online criminal activity.

What is hacktivism?

Hacktivism is the use of a cyber attack as a form of protest. The cyber attacks most commonly used by hacktivists are denial of service attacks and web site defacements. The term is used very broadly to include attacks against government web sites, law enforcement agencies, online game sites and even terrorist sites. Multinational companies like Google, Apple and Microsoft are often targets of defacement attacks; notably, some of these attacks never touch the company's own web servers but instead exploit the Domain Name System (DNS) or domain registration services, so that visitors to the company's domain are redirected to content the attacker controls. The term hacktivism derives from activism, but many criticize this analog because, unlike activists, hacktivists can often attack from the relative safety of the Internet's anonymity.

Are all cyber attacks conducted by hackers?

No. News and social media channels almost invariably characterize or glamorize attackers as talented individuals who write very sophisticated software. These characterizations are generally wrong in several respects. While there are some talented individuals who write crime or attack software, much of what is used as attack software is not very sophisticated, merely clever enough to exploit a vulnerability. Very often, components of the attack software "package" are not even the attacker's original work. In fact, it's increasingly common for individuals who launch attacks simply to buy attack packages in underground marketplaces or download them from public repositories.

Do all cyber attacks involve hacking?

No. Let's use password attacks to illustrate. An attacker who uses social engineering to convince a helpdesk operator to disclose the user name and password for an account does not use a software hack. Such attacks, including some high-profile Twitter account and DNS hijacking attacks, don't rely on hacking at all. Compare this to an attack where an attacker scans a network, installs exploit software on a vulnerable computer and uses that computer to gain access to a sensitive database. Here, hacking - the use of specially crafted software - is a critical component of the attack.

Does the distinction really matter?

Yes. Accurately characterizing a cyber attack may be helpful to your organization's incident response team or to law enforcement, because the characterization determines where the evidence is. For example, if the attack was the result of an attacker applying social engineering to a helpdesk staffer, inspecting call or chat logs is more important than inspecting computers for unauthorized (exploit) software; the reverse holds when exploit software was the entry point.

It never hurts to get the language right.