Putting Your Chips on the Table
Making big security bets each time you buy technology
Hey, where did you buy that router? Do you know who made the components, wrote the drivers, or the embedded code that makes it tick? Or how about the chipset in that new server or smart meter? C'mon, be honest, you know squat. Well, no biggie, right? It's just a chip, some basic instructions to process a few bits through a pile of transistors. Sorry to burst your bubble, but the bad guys know better.
Cyber Theater of War (Part 2)
How cyberwar will change military strategy
In part 1 I provided a short recap on the topic of cyberwar and gave some basic perspectives of how military tactics have changed to accommodate different enemies and environments in history. Most important are the integration of the enemy, which makes it difficult to distinguish friend from foe, and the fact that status can change without warning, which is what we currently see with insurgents and is reflective of the cyber theater of war. Another point I wanted to hit home with you is that the arsenal of military weapons we have at our disposal has been, in some cases, rendered moot.
CyLab Report
Boards Losing Focus on Security
Carnegie Mellon University's CyLab, the largest university-based research and education center for computer security, in collaboration with author Jody Westby, a CyLab distinguished fellow and CEO of Global Cyber Risk, a security risk advisory company, produced a survey report titled "Governance of Enterprise Security: CyLab 2010 Report," demonstrating that enterprise boards are losing focus on security. I've read this report and wanted to provide additional perspective.
Cyber Theater of War (Part 1)
How cyberwar will change military strategy
Cyberwar will be fought in the ether, and as discussed, a more appropriate expression of this is a "cyber theater of war". As with many new things, we attempt to take what works today and apply it to what is emerging. This is a very natural human reaction; "use what you have" and "don't reinvent the wheel" are common. However, in the domain of cyberwar the application of traditional military strategy will not entirely work and will usher in new theories of war that will ultimately influence 21st century – and beyond – warfare tactics in both the physical and cyber worlds.
Cyberwarfare
It’s a new Theater of War, not just a new form of War
At this point in this series of posts about cyberwar (see previous postings Cyberwar and Weaponization of Cyberspace) I want to touch on cyberwar theory and talk about the physical manifestations of cyberwar.
Weaponization of Cyberspace
It’s not science fiction, it’s war
There are a number of folks in the security industry that have downplayed the realities of cyberwar. In some circles the conversation of cyberwar will elicit some interesting reactions and many tend to deny its potency relative to traditional warfare and traditional weapons. Moreover, many begin to blur the lines between cyberwar, cyberterrorism, and other cyberattack scenarios, confusing the topic. In virtually every conversation of this nature I’m the one that stands out as the lone voice saying they’re not only wrong, but woefully underestimating the situation.
Cyberwar
A reality, but what exactly is it?
You can’t pick up a paper, read a news article, or scan a blog without something about Cyberwar in there somewhere. Moreover, there are a number of books surfacing and, conservatively speaking, a great deal of activity in the government sector concerning cyberwar. This will be the first of several posts I’m planning on this topic. I want to talk about war, the cyber element, what’s happening today and things we can expect, what governments are up to, the physical realities of cyber war, and most importantly, the weaponization of cyberspace.
Adaptive Security Management Architecture
An Interview with Jim Tiller
While attending the InfoSec Security Conference in Orlando last week I had the opportunity to sit down with Rich O’Hanley, editor in chief for CRC Press, and Stephen Fried, author of “Mobile Device Security”, to talk about my book.
China Syndrome
Chinese government digging a hole
I vividly recall the movie in 1979 about a nuclear power plant on the verge of self-annihilation that upon catastrophic failure would melt a hole to China. Of course, adding to the movie’s popularity was its ominous reflection of life as the Three Mile Island Nuclear Generating Station in Pennsylvania suffered a cooling system failure twelve days after the movie was released. Interestingly, the device that ultimately failed was called the “12 valves” that controlled coolant flow to the core. For reasons I cannot fully explain, every time I read another story about China hacking other countries, especially the US, I think about that movie and the fear that resonated with the public so deeply for decades. If China doesn’t change their policy on how they approach other nations concerning these attacks, it will dramatically change their future and undermine their potential.
Misled by APT
It’s not them, it’s you
There is much hoopla concerning advanced persistent threats (APT) that has found a home in an industry abuzz with increasingly sophisticated hackers. APT is a new acronym and concept that is receiving enormous attention as if it was something completely fresh and enlightening, and it isn’t. I have come to the conclusion that it isn’t the threat that is necessarily changing, but rather our acceptance and acknowledgement of the change.
Side Channel
Old problem, New environment
Today we have the reemergence of discussion concerning side channel attacks. Although the discussion is surfacing once again (with almost Cicada-like predictability), the topic has been the bane of security since communications left paper for the ether. The core issue is the ability for attackers/eavesdroppers to discern informative details of a communication channel that is presumably secure. It’s interesting to me that this problem still exists and I think few in the industry speak of it regularly – me included. It’s a huge security problem and the advent of the cloud will only make it much worse.
Death of the OS
Long-term implications of Cloud Computing
I was having a conversation recently with someone who just finished a project implementing a very large scale virtual environment. Once complete, their first customer said, “OK… we need 2000 servers provisioned, today.” The discussion was interesting, as was the customer’s request, and has rolled around in my head for weeks. Ultimately, I concluded that I was fascinated by the focus on “servers”, something I feel will vaporize in the near future and will have interesting implications for security – good and bad.
US Government Fails Cyberattack Simulation
Well… sorta. I guess it depends on your perspective of a meaningful simulation
Before you unplug your computer, hop off the grid, and go buy that S&W M&P 15 you’ve been eyeing at the local gun store because you’re convinced the government couldn’t stop a thirteen year old with an iPhone, let’s look at this result a little deeper.
Why Cloud Computing Isn’t More of the Same
It may look and sound like a duck, but it isn’t
Depending on whom you are speaking with when the topic of cloud computing surfaces you will certainly get a number of different perspectives. As I’ve shared in past writings, cloud computing is generally quantified into one of three buckets: revolutionary, evolutionary, and more of the same. While the first two have merit, it is the last one I feel is a bit short sighted… and here is why.
DIACAP for the Enterprise (Part 3 of 3)
Using Military Grade Security in Traditional Business
It is one thing to talk about securing a system, but quite another when determining how much and to what depth security should be applied. All too often we talk about securing something, but do not necessarily do so in a proactive manner based on a consistent model. Moreover, one that takes into consideration the entire system, not just the server, but the network, interactions with other systems, applications, and data stores. DIACAP is an evolutionary approach to certification and accreditation that sets common criteria of security that take into account the broad, interconnected nature of today’s technology infrastructures.
