Cyber War, Cyber Peace, Stones, and Glass Houses

Slides uploaded by cigital, posted 12-Apr-2017; 38 pages. Category: Software.

TRANSCRIPT

Page 1: Cyber War, Cyber Peace, Stones, and Glass Houses

Copyright © 2015, Cigital

Cyber War, Cyber Peace, Stones, and Glass Houses

…those who live in glass houses should not throw stones

@cigitalgem

Gary McGraw, Ph.D., Chief Technology Officer

Page 2: Real Cyber Defense as Deterrence

• Defining “cyber” whatever
• The offense problem
  • “Active defense”
  • Attribution
  • Many vulnerabilities
  • Payloads are easy
  • Economics
  • The NASCAR effect
• The defense solution
  • Proactive defense vs. cardboard defense
  • Deterrence through defense
  • Build security in

Page 3: CYBER CLARITY IS ELUSIVE

Separating the Threat from the Hype: What Washington Needs to Know About Cyber Security, Nate Fick & Gary McGraw
http://www.cigital.com/papers/download/mcgraw-fick-CNAS.pdf

Page 4: Cyber Security

• How much of the cyber war talk is hype?
• What is real and what is cyber chimera?

Help policymakers find their way through the fog and set guidelines to protect the best of the Internet and cyberspace, both from those who seek to harm it and from those who seek to protect it but risk doing more harm than good.

Page 5: Disentangling War, Espionage, and Crime

• Cyber espionage
  • Much more common than war
  • Wikileaks
  • Anonymous
  • Operation Aurora
  • NY Times hack
• Bad compartmentalization makes easy targets
• Cyber crime
  • Even more common
  • 1 trillion dollars per year?! (just ask Ross Anderson)

Building systems properly from a security perspective will address the cyber crime problem just as well as it will address cyber espionage and cyber war. We can kill all three birds with one stone.

Page 6: Kinetic Impact as the Decisive Criterion for War

REALITY
• To qualify as cyber war, the means may be virtual, but the impact should be real.
• 1982 Soviet gas pipeline explosion
• 2007 Israeli attack on Syrian reactor
• 2008 Russia attacks Georgia two ways
• 2008 USB drive infection in Iraq (meh)
• 2010 Stuxnet attack on Iranian centrifuges

HYPE
• Estonia DDoS attacks
  • 2007 statue removal kerfuffle
  • What would Google do?
• Brazilian blackout
  • 2009 60 Minutes story
  • 100% hype
• China “hijacks” the Internet
  • BGP mistake
  • Bad design

Page 7: US: National Security Dominates

The real and perceived dominance of the U.S. national security establishment in setting cyber security policy is problematic.
• Cyber security is not only a military problem
• Cyber security recognizes no geographic boundaries
• Snowden revelations did not help this situation

Page 8: Offense and Defense

Defense means building secure software, designing and engineering systems to be secure in the first place, and creating incentives and rewards for systems that are built to be secure.

Offense involves exploiting systems, penetrating systems with cyber attacks, and generally leveraging broken software to compromise entire systems and systems of systems.

Page 9: THE OFFENSE PROBLEM

Page 10: “Active Defense”

Having a good offense is NOT the same as a good defense.

Panetta on cyber security, “We need to have the option to take action against those who would attack us.”

Grandma on security, “People who live in glass houses should not throw rocks.”

Page 11: Attribution Remains Unsolved (Ask Gandalf)

Page 12: Olympic Games & Stuxnet

• The PAYLOAD is what matters
  • Inject code into a running control system
  • Siemens SIMATIC PLC (Step 7)
  • Cyberwar!!
• Natanz in Iran
• Sophisticated, targeted collection of malware
• Delivery
  • 1 0day (not 4)
  • Stolen private keys
  • USB injection
  • Network C&C

How to p0wn a Control System with Stuxnet (9/23/10): http://bit.ly/RmbrNG

Page 13: Thread Hijacking in Online Games

• Used in early online game botting programs (circa 2004) but no longer
• Used successfully in Stuxnet in 2009

[Diagram: the WoW.EXE MAIN THREAD loops hundreds of times per second through RenderWorld(..); a DETOUR PATCH on RenderWorld(..) branches into an INJECTED DLL]

Page 14

[Diagram: a HARDWARE BP on RenderWorld(..) in the MAIN THREAD branches to the INJECTED CODE PAGE, which runs uncloak, then the injected work (MSG, super, CastSpellByID(..), ScriptExecute(..), ClearTarget(..)), then recloak/restore, and returns to RenderWorld(..) in the MAIN THREAD when complete]
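
The detour in the two diagrams above, as an added example that is not code from the slides, from Cigital, or from Stuxnet: a Linux C program (x86-64 or AArch64) that patches the entry of a stand-in render_world() so every call branches into hooked_render_world(), which does its injected work on the caller's thread, restores the original bytes to run the genuine function, and then re-arms the patch, the same uncloak/work/recloak-restore cycle the diagram shows. It writes an inline jump with mprotect() instead of using the hardware breakpoint in the diagram; every name here (render_world, cast_spell_by_id, run_frames, detour_self_check) and the frame arithmetic are this example's own assumptions.

```c
/* Added example (not code from the slides, Cigital or Stuxnet): a user-space detour
 * patch in the style of the RenderWorld(..) hook in the diagram. Every call to the
 * stand-in render_world() branches to hooked_render_world(), which does its injected
 * work on the caller's thread, restores the original bytes to run the genuine
 * function, then re-arms the patch. Linux on x86-64 or AArch64 only. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#if defined(__x86_64__)
#define PATCH_LEN 12                   /* mov rax, imm64 ; jmp rax */
#elif defined(__aarch64__)
#define PATCH_LEN 16                   /* ldr x16, #8 ; br x16 ; .quad dest */
#else
#error "this example covers x86-64 and AArch64 only"
#endif

/* Stand-in for the game's RenderWorld(..), called once per frame. */
static volatile unsigned long frames_rendered;
static __attribute__((noinline)) unsigned long render_world(unsigned long frame)
{
    unsigned long acc = frame;
    for (int i = 0; i < 8; i++) acc = acc * 31 + i;   /* body longer than PATCH_LEN */
    frames_rendered++;
    return acc;
}
/* The game calls through this pointer; a volatile indirect call keeps the compiler
 * from inlining or cloning render_world, so the patched entry is really executed. */
static unsigned long (*volatile render_world_fn)(unsigned long) = render_world;

/* What the injected code does once it runs on the main thread (hypothetical). */
static volatile unsigned long spells_cast;
static void cast_spell_by_id(unsigned long id) { (void)id; spells_cast++; }

static uint8_t *target;                /* patched entry point */
static uint8_t saved[PATCH_LEN];       /* original bytes, for restore */
static unsigned long hooked_render_world(unsigned long frame);

static void put_bytes(const uint8_t *src)   /* write PATCH_LEN bytes at target */
{
    memcpy(target, src, PATCH_LEN);
    __builtin___clear_cache((char *)target, (char *)target + PATCH_LEN);
    __asm__ __volatile__("" ::: "memory");   /* keep the store before the next call */
}
static void arm_detour(void)           /* overwrite the entry with a jump to the hook */
{
    uint8_t code[PATCH_LEN];
    uint64_t dest = (uint64_t)(uintptr_t)hooked_render_world;
#if defined(__x86_64__)
    code[0] = 0x48; code[1] = 0xB8; memcpy(code + 2, &dest, 8);   /* mov rax, dest */
    code[10] = 0xFF; code[11] = 0xE0;                              /* jmp rax */
#else
    uint32_t ins[2] = { 0x58000050u, 0xD61F0200u };  /* ldr x16, [pc, #8] ; br x16 */
    memcpy(code, ins, 8); memcpy(code + 8, &dest, 8);
#endif
    put_bytes(code);
}

/* Runs in place of render_world(): same signature, so the frame argument is still
 * in the register the jump left untouched. */
static unsigned long hooked_render_world(unsigned long frame)
{
    cast_spell_by_id(133);             /* injected work, on the game's thread */
    put_bytes(saved);                  /* restore the real entry ...           */
    unsigned long r = render_world_fn(frame);  /* ... run the genuine frame ... */
    arm_detour();                      /* ... and re-arm the patch             */
    return r;
}

int inject_detour(void)                /* 0 on success, -1 if mprotect refuses */
{
    target = (uint8_t *)render_world_fn;
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)target & ~(page - 1);
    size_t len = (uintptr_t)target + PATCH_LEN - start;    /* may straddle a page */
    if (mprotect((void *)start, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) return -1;
    memcpy(saved, target, PATCH_LEN);
    arm_detour();
    return 0;
}
void remove_detour(void) { put_bytes(saved); }

unsigned long run_frames(unsigned long n)   /* the "game loop": n frames */
{
    unsigned long last = 0;
    for (unsigned long f = 0; f < n; f++) last = render_world_fn(f);
    return last;
}

/* Whole sequence: 1 if the hook ran once per call while the genuine function still
 * ran every time, 0 on a mismatch, -1 if the text page could not be made writable. */
int detour_self_check(void)
{
    unsigned long genuine = render_world_fn(7);
    if (inject_detour() != 0) return -1;
    unsigned long s0 = spells_cast, f0 = frames_rendered;
    unsigned long hooked = render_world_fn(7);
    run_frames(4);
    remove_detour();
    run_frames(2);                     /* unhooked again: no more spells */
    return hooked == genuine && spells_cast == s0 + 5 && frames_rendered == f0 + 7;
}

int main(void)
{
    int ok = detour_self_check();
    if (ok < 0) { perror("mprotect"); return 1; }
    printf("detour %s: frames=%lu spells=%lu\n", ok ? "ok" : "FAILED", frames_rendered, spells_cast);
    return ok ? 0 : 1;
}
```

Two things a practitioner should notice. The restore-call-re-arm window is a race in a multithreaded target: another thread calling the function during the window runs it unhooked, which is one reason real detour libraries build a trampoline out of the displaced instructions instead of restoring the entry, and one reason the diagram does the work inside the hijacked thread rather than from a second one. And the whole thing depends on being allowed to make a text page RWX; systems that enforce W^X (SELinux execmem denial, hardened kernels, macOS) refuse the mprotect() call, which is exactly the kind of engineered-in defense the rest of the talk argues for.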

Page 15: Vulnerabilities Are Pervasive

Page 16: Attack Complexity (From Ralph Langner)

[Chart: attack complexity, with a Capability axis running deterministic, non-deterministic (hacking), atypical, against Disguise, Process Control, and Process Disruption]
http://bit.ly/TvWnuG

Page 17: Economics (From Ralph Langner)

Nuclear sub fleet                                              $90B
Stealth fighter jet fleet                                      $40B
Eurofighter fleet, Leopard II tank fleet                       $10B
Cyber weapons program / MIL targets                            $1B
Cyber weapons program / CI targets                             $100M
---- Non-state threshold ----
Singular cyber attack against national critical infrastructure $5M

http://bit.ly/TvWnuG

Page 18: Offense is Sexy: The NASCAR Effect

Bad news
• The world would rather not focus on how to build stuff that does not break
• It’s harder to build good stuff than to break junky stuff

Good news
• The world loves to talk about how stuff breaks
• This kind of work sparks lots of interest in computer security

Page 19: THE DEFENSE SOLUTION

Page 20: Cardboard Shield Defense

Today’s computer and network security mechanisms are like the walls, moats, and drawbridges of medieval times. At one point they were effective for defending against isolated attacks mounted on horseback. Unfortunately, today’s attackers have access to Predator drones and laser-guided missiles!

Page 21: Poor Security Engineering

Page 22: Proactive Defense

Secretary Panetta is mistaken: “Through the innovative efforts of our cyber-operators, we are enhancing the department's cyber-defense programs. These systems rely on sensors and software to hunt down malicious code before it harms our systems. We actively share our own experience defending our systems with those running the nation's critical private-sector networks.”

• Security Engineering
• Software Security
• Build Security In

Page 23: HOW TO BUILD SECURITY IN

Page 24: Software Security Touchpoints

Page 25: BSIMM: Software Security Measurement

• 104 firms measured (data freshness)
• BSIMM6 = data from 78 real initiatives
• 202 distinct measurements
• 26 measured over time (one firm 5 times)
• McGraw, Migues, and West

Page 26: 78 Firms in BSIMM6 Community

Page 27: A Software Security Framework

4 Domains, 12 Practices
See the informIT article on the BSIMM website: http://bsimm.com

Page 28: BSIMM6 as a Measuring Stick

Page 29

Page 30: BSIMM6 Results: Top 12 Activities

• purple = good?
• red = bad?

“Blue shift” = practices to emphasize

Page 31: BSIMM By the Numbers

Page 32: Defense as Deterrent

“the U.S. is in a good position to outspend its adversaries on proactive defense. Proactive defense can be our differentiator and a serious deterrent to war.”
Proactive Defense Prudent Alternative to Cyberwarfare: http://t.co/2901DHVh

• A first strike in a cyber war is unlikely to be decisive

• No matter how much is spent on cyber-offense, cyber-defense must be addressed anyway

• Proactive defense is a very good differentiator

Page 33: Guidance for Policy Makers

• Focus on defense by building security in

• Re-orient public private partnerships

• Focus on information users instead of plumbing

• Let civilian agencies lead

FIX THE BROKEN STUFF

Page 34: WHERE TO LEARN MORE

Page 35: SearchSecurity + Cigital’s Security Blog

• No-nonsense monthly security column by Gary McGraw: www.searchsecurity.com
• In-depth thought-leadership blog from the Cigital Principals: https://www.cigital.com/blog/
  • Gary McGraw
  • Sammy Migues
  • John Steven
  • Paco Hope
  • Jim DelGrosso
• Gary McGraw’s writings: www.cigital.com/~gem/writing

Page 36: Silver Bullet + IEEE Security & Privacy

• Monthly Silver Bullet podcast with Gary McGraw: www.cigital.com/silverbullet

• IEEE Security & Privacy magazine (Building Security In) www.computer.org/security/bsisub/

Page 37: The Book

• How to DO software security
  • Best practices
  • Tools
  • Knowledge
• Cornerstone of the Addison-Wesley Software Security Series: www.swsec.com

Page 38: Build Security In

• Join the BSIMM Community: http://bsimm.com
• Send e-mail: [email protected]
• @cigitalgem