Internet Security Isn't a Battle: It's a Health Crisis

Andra Zaharia invited me to share my thoughts in her recent Heimdal Security blog, Is Internet Security A Losing Battle? Please read the other 30+ experts' thoughts at Andra's blog. Here, I've complemented what I shared with Andra with some additional thoughts.

To answer Andra's question directly, any battle that you engage on your enemy’s terms, with indefensible assets or limited offensive capabilities, and where your enemy’s risk and cost of attack is small is arguably a losing battle. However, I’m not certain that warfare remains the right analog for Internet security today.

I'm convinced that it's wrong.

I say this because many of the military analogs that we have used - firewalls, bastion hosts, secure perimeters, trip wires, challenge-response authentication, countermeasures - haven't been as successful when applied to securing computing or networking as medical analogs have. Virology, for example, remains one of the most easily understood analogs: most people are familiar with terms like virus, infection, inoculation, and quarantine and appreciate how they apply to Internet-connected devices. Gradually, terms like resiliency, patching, and triage are becoming useful analogs. Healing and maintaining human beings and the ecosystem in which they reside are more familiar and comforting than military concepts. They are often more proactive analogs than the "bubble boy" approach that military analogs suggest.

With this suggestion in mind, let's look at the Internet ecosystem health today:

  • The devices and software that comprise the Internet are organisms that are not perfectly healthy from the moment they’re installed. Not only are the devices or software individual organisms, but they are easily or adversely affected by other organisms they interact with in a larger organism, the Internet itself.
  • Device or software immune systems are weak (e.g., poorly designed, lacking secure code review or not present at all), or non-existent (shipped with no holistic security consideration whatsoever). These immune systems are further weakened by poor hygiene (e.g., lax administration, default configuration, lax or ignored patch management).
  • The devices or software are often prematurely delivered, i.e., shipped before "maturity" testing or secure code review. We acknowledge this year after year yet we persist in imagining that persistent incubation or health monitoring and triage (secure perimeters, firewalls, IDS/IPS) would suffice. Moreover, these systems are themselves fragile: the same hardware, software, or administrative fragility exists among these systems. An uncomfortable truth follows from this observation:
  • The incentives to provide healthy systems compete or conflict with the current Internet market economy. Device manufacturers and software developers are largely business entities in pursuit of financial rewards. They are not regulated. They are not obliged to consider health or safety in the manufacture of their devices or software. They generally do not warranty or assume liability for their product. Perhaps equally importantly, they weigh the costs to provide safe or resilient products against the benefits such investments might offer and conclude that these investments would not increase market share or that they would lose market share to competitors with cheaper albeit less safe or resilient products. 
  • The people who use devices and software are not care providers nor did they expect to be when they acquired devices. They are in large part ignorant or in denial of this fragility and the very real threat these pose to their own health (financial harm, loss of privacy, etc.). They are also addicted to the extent that they would not sacrifice the advantages the Internet offers, perhaps irrespective of the degree of risk.
  • The people who use devices and software are as neglectful of their Internet health as they are neglectful of their personal health. I trust this is obvious.

The biggest challenge with Internet health is that the organisms change at a faster rate than the human body. New Internet organisms appear hourly (apps, networks, IoT devices). There is common DNA, or common genomes, among these, but that is in fact part of the problem! We re-use or adapt what is problematically unhealthy in each generation of new organisms. We are effectively nurturing an unhealthy ecosystem and, in tandem, nurturing an Internet that is very negatively affected by infectious disease.

We need to build systems that collect and analyze Internet health data. We are in the process of defining health indicators for Internet Identifiers (domain names and addresses) at ICANN. Our goal is to first identify diseases, then define metrics, and only afterward to collect, measure and analyze the data that are needed to derive health metrics. In a second stage, we can examine the metrics to see what we can learn from this study. We believe that other Internet subsystems (operating systems, clouds, provider networks) could implement similar projects. The cumulative findings might help us identify "diseases", flaws in system hygiene, or ways to improve health.

If you are interested, you can join the ITHI (Identifier Technology Health Indicators) initiative at ICANN (http://www.icann.org/ithi). There is also an open public comment period on the definition of identifier diseases that will end on January 9th, 2017. You can submit your comments at https://www.icann.org/public-comments/ithi-definition-2016-11-29-en.

We need to pause and thoughtfully design “healthy” devices or software. We need to identify diseases or other illnesses that adversely affect these if we expect to develop the means to immunize and establish appropriate hygiene. This is hard work. Expensive work. It flies in the face of conventional Internet drivers. It’s more likely that we’ll continue along the conventional path until some apocalyptic event forces change.

Comments

These are very good insights and certainly worth considering as we attempt to develop a deeper understanding or framework. Thank you!

There is a lot of value in approaching security from a (public) health perspective. But it's also important to acknowledge some of the limitations of the metaphor:

1. Human diseases/pathogens are not sentient. They adapt through random mutation within a limited set of predictable parameters. In contrast, security threats have the full benefit of human ingenuity behind them; the attackers also have specific knowledge of the defenses in use.

2. The human body has evolved an autonomous immune system over a long period of time. Hardware and software vendors often don't have the luxury of refining their products' defenses over countless generations.

3. Health is intensely personal. The effects are often obvious and in many cases painful and scary. Even exposure to diseases (e.g., being in the presence of someone with an infection) can cause a visceral and immediate reaction (e.g., retreating). Technology is much less personal, and the effects frequently less obvious.

4. The basics of personal health and hygiene are pretty easy to teach/learn: wash your hands, avoid exposure to sick people, get enough sleep, eat plenty of vegetables, etc. The basics of information security hygiene are far more complex and difficult to teach/learn.

I still think we can learn from the healthcare metaphor. We have a healthcare system that is excellent at tracking and slowing the spread of disease, developing new treatments, etc. And there are indeed many parallels to infosec. But we always have to be cognizant of where the model differs from our reality, so we can make the most of it.