Copyright © 2015, Cigital
Cyber War, Cyber Peace, Stones, and Glass Houses
…those who live in glass houses should not throw stones
@cigitalgem
Gary McGraw, Ph.D., Chief Technology Officer
Real Cyber Defense as Deterrence
• Defining “cyber” whatever
• The offense problem
  • “Active defense”
  • Attribution
  • Many vulnerabilities
  • Payloads are easy
  • Economics
  • The NASCAR effect
• The defense solution
  • Proactive defense vs. cardboard defense
  • Deterrence through defense
  • Build security in
CYBER CLARITY IS ELUSIVE
Separating the Threat from the Hype: What Washington Needs to Know About Cyber Security, Nate Fick & Gary McGraw
http://www.cigital.com/papers/download/mcgraw-fick-CNAS.pdf
Cyber Security
• How much of the cyber war talk is hype?
• What is real and what is cyber chimera?
Help policymakers find their way through the fog and set guidelines to protect the best of the Internet and cyberspace, both from those who seek to harm it, and from those who seek to protect it but risk doing more harm than good.
Disentangling War, Espionage, and Crime
• Cyber espionage
  • Much more common than war
  • Wikileaks
  • Anonymous
  • Operation Aurora
  • NY Times hack
• Bad compartmentalization makes easy targets
• Cyber crime
  • Even more common
  • 1 trillion dollars per year?! (just ask Ross Anderson)
Building systems properly from a security perspective will address the cyber crime problem just as well as it will address cyber espionage and cyber war. We can kill all three birds with one stone.
Kinetic Impact as Decisive Criteria to be War
REALITY
• To qualify as cyber war, the means may be virtual, but the impact should be real.
  • 1982 Soviet gas pipeline explosion
  • 2007 Israeli attack on Syrian reactor
  • 2008 Russia attacks Georgia two ways
  • 2008 USB drive infection in Iraq (meh)
  • 2010 Stuxnet attack on Iranian centrifuges
HYPE
• Estonia DDoS attacks
  • 2007 statue removal kerfuffle
  • What would Google do?
• Brazilian blackout
  • 2009 60 Minutes story
  • 100% hype
• China “hijacks” the Internet
  • BGP mistake
  • Bad design
US: National Security Dominates
The real and perceived dominance of the U.S. national security establishment in setting cyber security policy is problematic.
• Cyber security is not only a military problem
• Cyber security recognizes no geographic boundaries
• Snowden revelations did not help this situation
Offense and Defense
Defense means building secure software, designing and engineering systems to be secure in the first place, and creating incentives and rewards for systems that are built to be secure.
Offense involves exploiting systems, penetrating systems with cyber attacks, and generally leveraging broken software to compromise entire systems and systems of systems.
THE OFFENSE PROBLEM
“Active Defense”
Having a good offense is NOT the same as a good defense.
Panetta on cyber security, “We need to have the option to take action against those who would attack us.”
Grandma on security, “People who live in glass houses should not throw rocks.”
Attribution Remains Unsolved (Ask Gandalf)
Olympic Games & Stuxnet
• The PAYLOAD is what matters
  • Inject code into a running control system
  • Siemens SIMATIC PLC (Step 7)
  • Cyberwar!!
• Natanz in Iran
• Sophisticated, targeted collection of malware
• Delivery
  • 1 0day (not 4)
  • Stolen private keys
  • USB injection
  • Network C&C
How to p0wn a Control System with Stuxnet (9/23/10)
http://bit.ly/RmbrNG
Thread Hijacking in Online Games
• Used in early online game botting programs (circa 2004) but no longer
• Used successfully in Stuxnet in 2009
[Diagram: the WoW.EXE main thread loops hundreds of times per second through RenderWorld(..); an injected DLL hooks that call with a detour patch]
[Diagram, continued: the main thread hits a hardware breakpoint at RenderWorld(..); the injected code page uncloaks, takes a message, branches to CastSpellByID(..), ScriptExecute(..) or ClearTarget(..), then recloaks and restores so the main thread completes RenderWorld(..) as normal. Figure labels: INJECTED CODE PAGE, MAIN THREAD, HARDWARE BP, MSG, super branch, uncloak, recloak, restore, complete]
Vulnerabilities Are Pervasive
Attack Complexity (From Ralph Langner)
[Chart: axes labelled Capability (ranging from deterministic to non-deterministic (hacking) and atypical) and Disguise; regions labelled Process Control and Process Disruption]
http://bit.ly/TvWnuG
Economics (From Ralph Langner)
[Chart, read top to bottom, cost per program]
• Nuclear sub fleet: $90B
• Stealth fighter jet fleet: $40B
• Eurofighter fleet, Leopard II tank fleet: $10B
• Cyber weapons program / MIL targets: $1B
• Cyber weapons program / CI targets: $100M
• Non-state threshold
• Singular cyber attack against national critical infrastructure: $5M
http://bit.ly/TvWnuG
Offense is Sexy: The NASCAR Effect
Bad news
• The world would rather not focus on how to build stuff that does not break
• It’s harder to build good stuff than to break junky stuff
Good news
• The world loves to talk about how stuff breaks
• This kind of work sparks lots of interest in computer security
THE DEFENSE SOLUTION
Cardboard Shield Defense
Today’s computer and network security mechanisms are like the walls, moats, and drawbridges of medieval times. At one point they were effective for defending against isolated attacks mounted on horseback. Unfortunately, today’s attackers have access to predator drones and laser-guided missiles!
Poor Security Engineering
Proactive Defense
Secretary Panetta is mistaken: “Through the innovative efforts of our cyber-operators, we are enhancing the department's cyber-defense programs. These systems rely on sensors and software to hunt down malicious code before it harms our systems. We actively share our own experience defending our systems with those running the nation's critical private-sector networks.”
• Security Engineering
• Software Security
• Build Security In
HOW TO BUILD SECURITY IN
Software Security Touchpoints
BSIMM: Software Security Measurement
• 104 firms measured (data freshness)
• BSIMM6 = data from 78 real initiatives
• 202 distinct measurements
• 26 over time (one firm 5 times)
• McGraw, Migues, and West
78 Firms in BSIMM6 Community
A Software Security Framework
See informIT article on BSIMM website http://bsimm.com
4 Domains 12 Practices
BSIMM6 as a Measuring Stick
BSIMM6 Results: Top 12 activities
• purple = good?
• red = bad?
“Blue shift” = practices to emphasize
BSIMM By the Numbers
Defense as Deterrent
“the U.S. is in a good position to outspend its adversaries on proactive defense. Proactive defense can be our differentiator and a serious deterrent to war.”
Proactive Defense Prudent Alternative to Cyberwarfare
http://t.co/2901DHVh
• A first strike in a cyber war is unlikely to be decisive
• No matter how much is spent on cyber-offense, cyber-defense must be addressed anyway
• Proactive defense is a very good differentiator
Guidance for Policy Makers
• Focus on defense by building security in
• Re-orient public private partnerships
• Focus on information users instead of plumbing
• Let civilian agencies lead
FIX THE BROKEN STUFF
WHERE TO LEARN MORE
SearchSecurity + Cigital’s Security Blog
• No-nonsense monthly security column by Gary McGraw: www.searchsecurity.com
• In-depth thought-leadership blog from the Cigital Principals: https://www.cigital.com/blog/
  • Gary McGraw
  • Sammy Migues
  • John Steven
  • Paco Hope
  • Jim DelGrosso
• Gary McGraw’s writings: www.cigital.com/~gem/writing
Silver Bullet + IEEE Security & Privacy
• Monthly Silver Bullet podcast with Gary McGraw: www.cigital.com/silverbullet
• IEEE Security & Privacy magazine (Building Security In) www.computer.org/security/bsisub/
The Book
• How to DO software security
  • Best practices
  • Tools
  • Knowledge
• Cornerstone of the Addison-Wesley Software Security Series: www.swsec.com
Build Security In
• Join the BSIMM Community: http://bsimm.com
• Send e-mail: [email protected]
• @cigitalgem