The one true way to avoid Data Loss

The one true way to avoid (critical) Data Loss is to not generate critical data at all.

The above statement is not to be taken as advice not to invest in DLP. You have to. It simply means that you have to understand the (unforeseen) limitations of such solutions. To paraphrase the Internet robustness principle:

Be conservative in the data that you generate (collect); be liberal in how you process them.

For if you generate it, eventually it will fly.

False Positive

When a company gathers the data it knows about me from my transactions, it does so because it aims at its own financial benefit, at improving the services it offers me, and so on.

When the State (which is not a businessman) does the same, it then holds in its hands false positives of possible future crimes:

“As governments widen their definitions of just who is a potential threat it makes increasing sense for citizens engaged in previous innocuous activities (especially political and financial privacy) to protect their data from being useful if seized.”

(Now think what it means to have shopping habits similar to those of someone alleged to be a member of a terrorist organization.)

The integrity of character of today's data custodians tells me nothing. Neither does their competence. They will not be in their posts in 5 or 10 years anyway. It would be good if, once in a while, the people who make decisions also thought beyond the time horizon of their term.

I do not want to be a false positive. And of course, if I do not get the tax card (the "forokarta"), at some point I will be one. I will play along. I may not like the measure but I will comply with it. And I will simply wait, years later, for the false positive to blow up in the face of whoever conceived it. I may never find out, but it does not matter; I will not rejoice in his torment anyway. I would, however, like to be able to tell him "eat your own dogfood".

The State does everything it can to prove the cranks right. Who is the crank now?

Attribution Decay

Earlier this morning I watched William Gibson tweeting about attribution decay:

Attribution Decay occurs when successive RTing strips out the original twitter. Sometimes I watch it happen.

To which I replied that:

attribution can be seen as a signal and therefore behave accordingly

The cyber warfare literature is full of writings on the demand for proper attribution and the problems it poses when action (kinetic or not) is needed. However, I have not yet seen a proper term describing the (instinctive) strategy employed by attackers who want to leave no proper attribution trace behind (usually by hopping from system to system). "Attribution decay" seems to fit perfectly.

Strategic Cyber Security

"Strategic Cyber Security" (which is available for download) is a book that states from the very beginning that computer security has evolved from a technical discipline to a strategic concept. To this end the author examines four strategic choices: IPv6, Sun Tzu's "Art of War", Cyber Attack Deterrence and Cyber Arms Control. The book is written for those people who read executive summaries. As such it can be seen as a long (very long) executive summary that often repeats itself. I cannot count the times Eligible Receiver is mentioned in the book, but it is now imprinted in my brain.

There is no technical coverage of IPv6 in the book. As such, the discussion of IPv6 is limited to the vast address space it offers, which would give the opportunity to eliminate NAT and thus provide better attribution of unauthorized connections. It also places great faith in IPsec deployment as a means of stopping cyber attacks. The concerns about privacy invasion with the deployment of IPv6 are also mentioned, but not in any detail. In fact most such concerns can easily be debunked by now. As a purely technical solution, I feel that IPv6 does not mix well with the three other choices examined in the book, given the fact (which the author also notes) that IPv4 will be with us for a long (very long) period of time.

I had thought of drawing parallels between the "Art of War" and cyber security a number of times, the last being when von Clausewitz was mentioned on Daily Dave. Ten specific points are discussed which do not fit the cyber domain.

Thanks to the book I got to learn a few things about Deterrence Theory. Deterrence is based on two axes: Denial and Punishment. Denial means that those who control the strategic technology will deny you access to it, while Punishment means that should you develop said strategic advantage, countermeasures will be enforced by the other strategic players.

The final choice discussed in the book is the examination of whether a Cyber Arms Treaty can have some positive results (it so happens that there is a WikiLeaks cable relevant to the matter; if others exist, a more systematic treatment of them should take place). To examine the possible success or failure of such an agreement, the highly successful Chemical Weapons Convention is used as the benchmark. From the comparison there seems to be little room for success in limiting the development and use of "cyber arms".

I found chapter 10 of the book the most interesting. It makes use of the Decision Making Trial and Evaluation Laboratory (DEMATEL) method in order to compare and rank the four strategic choices. Unfortunately it is not very easy to locate online material about the original DEMATEL method; however, there is plenty of available literature (much of it by Chinese authors) on DEMATEL variations used in health, agriculture and other areas.

To me, learning about DEMATEL was the one thing I got from the book. The rest of it, while interesting, was not equally appealing.
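Since the book's DEMATEL material is hard to find online, here is an added worked example (not the book's code or data) of the core DEMATEL computation over the four strategic choices it ranks. The pairwise influence scores are constructed for illustration and are not the author's values; the normalization by the larger of the maximum row sum and maximum column sum is the common variant assumed here.

```python
"""DEMATEL (Decision Making Trial and Evaluation Laboratory) in pure Python.

Steps: direct-relation matrix A -> normalized D = A / s -> total-relation
matrix T = D (I - D)^-1 -> row sums R (influence given) and column sums C
(influence received). R + C is "prominence", R - C is "relation" (net cause
if positive, net effect if negative).
"""

def _matmul(a, b):
    n, m, p = len(a), len(b), len(b[0])
    return [[sum(a[i][k] * b[k][j] for k in range(m)) for j in range(p)] for i in range(n)]

def _inverse(m):
    """Gauss-Jordan inverse with partial pivoting; raises on a singular matrix."""
    n = len(m)
    aug = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("singular matrix")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [x / p for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0.0:
                f = aug[r][col]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def dematel(direct, labels):
    """Return {label: {"prominence": R+C, "relation": R-C}} for a direct-relation matrix."""
    n = len(direct)
    s = max(max(sum(row) for row in direct),
            max(sum(direct[i][j] for i in range(n)) for j in range(n)))
    d = [[x / s for x in row] for row in direct]            # normalized matrix D
    i_minus_d = [[(1.0 if i == j else 0.0) - d[i][j] for j in range(n)] for i in range(n)]
    t = _matmul(d, _inverse(i_minus_d))                     # total-relation matrix T
    r = [sum(row) for row in t]
    c = [sum(t[i][j] for i in range(n)) for j in range(n)]
    return {lab: {"prominence": r[i] + c[i], "relation": r[i] - c[i]}
            for i, lab in enumerate(labels)}

CHOICES = ["IPv6", "Art of War", "Deterrence", "Arms Control"]
# Constructed direct-influence scores (0 = none .. 4 = very high), row i -> column j.
# Illustrative only; NOT the values used in the book.
DIRECT = [[0, 1, 3, 2],
          [1, 0, 2, 1],
          [2, 3, 0, 3],
          [1, 1, 2, 0]]

def rank_choices(direct=DIRECT, labels=CHOICES):
    """Rank the choices by prominence (most central first)."""
    scores = dematel(direct, labels)
    return sorted(labels, key=lambda lab: scores[lab]["prominence"], reverse=True)
```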

Breaches and the five stages of grief

While recently discussing a harmless incident involving someone I know, I observed that the way breaches are dealt with can be viewed through the five stages of grief model.

I was planning on writing more on my thoughts on this, but it seems that Jeremiah Grossman beat me to it back in 2007. My version would be slightly different:

The five stages of grief for incident handling:
Denial: "We never got hacked."
Anger: "How the heck did this get so bad?!?!?"
Bargaining: "Is it possible that it is not a hack?"
Depression: "We do not have time to rebuild; keep it running as it is."
Acceptance: "We got hacked.", spoken in public.

in-house

I copy from “Cyberwar: a Whole New Quagmire” written by Markus J. Ranum (emphasis mine):

“The best defense against something like Stuxnet could not possibly be a strong offense – how can you pre-empt something unknown that was released without attribution? Stuxnet was exactly adequate for its job. How do you prevent such a thing from working on you? You do exactly the opposite of what we’re doing everyplace: you in-house security, in-house IT, and begin to build your infrastructure so that there are unpredictable and unknown barriers within it, including critical sections that are air-gapped and closely monitored. Yes, that is expensive and inconvenient. The question is whether the alternative is even more expensive and inconvenient.”

And that is why outsourced government clouds will not work. We only have to wait until the first major event to see this. The lean approach is to build up your own people so that they control the infrastructure. Short-term cost-cutting practices are for bonus hunters who will be long gone (disclaiming any responsibility) when disaster strikes.

Won’t “free market” advocates love this, I wonder.

How I came to read “Inside Cyber Warfare”

From time to time I am privileged enough to attend presentations on cyber warfare that are not so open to the public. In one such presentation the speaker spoke of Schmitt's criteria, a set of criteria that can help a state, when dealing with a cyber attack, decide whether it is an act of war or not.

I set off to learn more about Schmitt's criteria and eventually found out that they are codified in "Computer network attacks and the use of force in International Law". I contacted Professor Schmitt asking for a copy of the paper and he directed me to HeinOnline. It seemed that I should pay $30 for 24 hours of access to HeinOnline in order to download the paper. Serious books cost less than that!

So I decided to contact the person who gave the presentation from which I learned about the criteria. He recommended that I read "Inside Cyber Warfare". The ebook cost $30. It also happened that on the very same day O'Reilly was running a special offer campaign to help the Japanese Red Cross and their Fukushima efforts, so I even bought it for less.

Whose is the loss now HeinOnline?

I cannot stress enough how much I loved "Inside Cyber Warfare". The author analyzes recent cyber war incidents and talks a lot about Project Grey Goose and the insight it offered to analysts. It details the three major cyber doctrines and strategies (Russia, China and the US) with lots and lots of references. It contains an analysis of the Law of Armed Conflict and how it maps to cyberspace and, in my humble opinion, it predicts both Stuxnet and the RSA hack.

Jeffrey Carr (@jeffreycarr) tweeted to me that a second edition is in the works. I am eagerly waiting for it, since the first one covers cyber conflicts up to 2009. And for the third. And for the rest of the editions to come. For this is a continuous book; a lifetime's work. The landscape is changing rapidly and Jeffrey Carr has positioned himself as one of those few who can accurately and objectively depict it at any time.

PS: For those who want to read about Schmitt’s criteria, Denning’s “The Ethics of Cyber Conflict” is a good place to start:

When Does a Cyber Attack Constitute the Use of Force?

Not all cyber attacks are equal. The impact of a cyber attack that denies access to a news website for one hour would be relatively minor compared to one that interferes with air traffic control and causes planes to crash. Indeed, the effects of the latter would be comparable to the application of force to shoot down planes. Thus, what is needed is not a single answer to the question of whether cyber attacks involve the use of force, but a framework for evaluating a particular attack or class of attacks.

For this, we turn to the work of Michael Schmitt, Professor of International Law and Director of the Program in Advanced Security Studies at the George G. Marshall European Center for Security Studies in Germany. In a 1999 paper, Schmitt, formerly a law professor at both the US Naval War College and the US Air Force Academy, offered seven criteria for distinguishing operations that use force from economic, diplomatic, and other soft measures. (Schmitt, 1999) For each criterion, there is a spectrum of consequences, the high end resembling the use of force and the low end resembling soft measures. The following description is based on both Schmitt’s paper and the work of Thomas Wingfield, author of The Law of Information Conflict. (Wingfield, 2000, 120-127)

1. Severity. This refers to people killed or wounded and property damage. The premise is that armed attacks that use force often produce extensive casualties or property damage, whereas soft measures do not.

2. Immediacy. This is the time it takes for the consequences of an operation to take effect. As a general rule, armed attacks that use force have immediate effects, on the order of seconds to minutes, while softer measures, such as trade restrictions, may not be felt for weeks or months.

3. Directness. This is the relationship between an operation and its effects. For an armed attack, effects are generally caused by and attributable to the application of force, whereas for softer measures there could be multiple explanations.

4. Invasiveness. This refers to whether an operation involved crossing borders into the target country. In general, an armed attack crosses borders physically, whereas softer measures are implemented from within the borders of a sponsoring country.

5. Measurability. This is the ability to measure the effects of an operation. The premise is that the effects of armed attacks are more readily quantified (number of casualties, dollar value of property damage) than softer measures, for example severing diplomatic relations.

6. Presumptive Legitimacy. This refers to whether an operation is considered legitimate within the international community. Whereas the use of armed force is generally unlawful absent some justifiable reason such as self-defense, the use of soft measures is generally lawful absent some prohibition.

7. Responsibility. This refers to the degree to which the consequence of an action can be attributed to a state as opposed to other actors. The premise is that armed coercion is within the exclusive province of states and is more susceptible to being charged to states, whereas non-state actors are capable of engaging in such soft activity as propaganda and boycotts.

cybernetics and cyber war

My favorite cyber crime story is still from 1994: "The Technology Secrets of Cocaine Inc.". Mostly because of this:

The traffickers have the advantages of unlimited funds and no scruples, and they’ve invested billions of dollars to create a technological infrastructure that would be the envy of any Fortune 500 company — and of the law enforcement officials charged with going after the drug barons. “I spent this morning working on the budget,” the head of DEA intelligence, Steve Casteel, said recently. “Do you think they have to worry about that? If they want it, they buy it.”

I'm going through a lot of the current literature on cyber war, cyber crime and how cyberspace is the new dimension. Strategies and tactics are being published and there are even people who write about the regulation of cyber weapons (go figure).

With all this noise generated on the subject by all kinds of people, maybe it is time to make the leap and start thinking about moving from cyber space to cybernetic space. War (and organized crime) is a lot about management (and many aspiring management suits recite the "Art of War" seeking enlightenment and higher ground), so it seems natural to me that cybernetic management deserves a chance as a strategic tool.

Hmm…