Platt Perspective on Business and Technology

Stuxnet and beyond – moving towards a new paradigm for information security due diligence and risk remediation

Posted in business and convergent technologies by Timothy Platt on December 5, 2010

This is my ninth posting to date in a series on cyber-conflict where that includes the grey area of uncertainty of cyber-warfare. The first eight postings in this series are all available at Ubiquitous Computing and Communications – everywhere all the time, starting there with posting 58. Collectively they have at least touched on a number of basic issues involved in understanding cyber-conflict and preparing for its possibilities with a more effective due diligence and risk remediation program.

In the course of writing these preceding installments I have discussed three specific cyber attack events in a measure of detail, and the software and systems behind them. I chose them as working examples that I could use as a basis for more general discussion; there are others I could have chosen for this instead but these three seem to me appropriate for this purpose as collectively they touch on a sufficiently wide range of the core issues involved in cyber-conflict per se to offer a more general illumination of the overall topic.

At this point I want to step back from the specific incidents I have been writing of and from that level of discourse, to look at this subject with a wider perspective. I have already made a number of general observations up to now that any wider perspective view should at the least be consistent with. I want to add some more points to that list here and to present at least some preliminary thoughts in the direction of developing a new strategic doctrine for cyber-conflict defense.

1. It is important that cyber defense be formulated and conducted according to a clearly understood and articulated, operationally defining strategic doctrine. One-off and ad hoc are by their very nature reactive, and reactive alone will always leave you preparing for the last conflict and the last type of assault – and vulnerable to being blindsided by the next.
2. Consistent with that, any strategic vision and doctrine should be flexible and scalable, so that it is not simply a response to some set of specific forms of attack (e.g. denial of service, or now that plus router signaling based attacks for carpet bombing assaults).
3. It should be scalable as to the level and range of systems and networks that may be vulnerable. It should be flexible in addressing in as open ended a manner as possible a range of technology approaches that could be deployed to exploit vulnerabilities.

Current information technologies are always changing, and new ones are emerging on an ongoing basis and with great rapidity. And even where patches and other information security due diligence responses are being actively developed and distributed to address vulnerabilities in the individual components of information management systems, new and emergent vulnerabilities arise with increased systems complexity. These vulnerabilities generally go unconsidered and unnoticed – until they are exploited in an attack.

4. Defense should be developed agnostic to any particular code format deployed in an attack and without the assuming limitations of any specific technological approach.
5. Defense should be developed with an eye to identifying and responding to new and even unexpected methods for deploying malware and other deleterious code. Consider Stuxnet here and the role that flash drives and possibly other portable storage devices appear to have played in breaching air gap barriers in infecting SCADA systems cut off from direct Internet access.
6. But the real focus has to start in understanding what has to be defended, and where its identifiable vulnerabilities may be. Defense should start from that understanding of what has to be defended.
7. This means understanding the component parts of systems and it means understanding the way combining them into progressively more complex systems can and will lead to creation of new and emergent vulnerabilities.
8. Operationally and in execution of strategy this has to include an awareness of the potential for behavioral engineering and the compromising of information systems through users and user practices.
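Item 5 above points to removable media as the route by which Stuxnet appears to have crossed air gaps. As an added example that is not part of the original post, the following Python snippet shows the defender's side of that point: it scans kernel syslog lines for USB mass-storage attach events and raises an alert only for hosts the operator has designated as air-gapped. The host names, the air-gapped host list and the log lines are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Hosts the operator has designated as air-gapped (hypothetical names, constructed here).
AIR_GAPPED_HOSTS: Set[str] = {"scada-hmi-01", "plc-eng-02"}

# Standard syslog layout for kernel messages: "Mon DD HH:MM:SS host kernel: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<msg>.*)$"
)

# Linux kernel messages that indicate removable storage was attached.
STORAGE_PATTERNS = (
    re.compile(r"usb-storage \S+: USB Mass Storage device detected"),
    re.compile(r"sd \S+: \[sd[a-z]+\] Attached SCSI removable disk"),
)

# Constructed sample log: one removable disk plugged into an air-gapped HMI,
# one plugged into an ordinary office workstation, then a disconnect.
SAMPLE_LOG = [
    "Nov 23 08:14:02 scada-hmi-01 kernel: usb 1-1: new high-speed USB device number 4 using ehci-pci",
    "Nov 23 08:14:02 scada-hmi-01 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected",
    "Nov 23 08:14:03 scada-hmi-01 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk",
    "Nov 23 08:20:11 office-ws-07 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected",
    "Nov 23 08:25:40 scada-hmi-01 kernel: usb 1-1: USB disconnect, device number 4",
    "Nov 23 08:26:00 scada-hmi-01 sshd[1201]: Accepted publickey for operator from 10.0.0.5",
]


@dataclass
class Alert:
    timestamp: str
    host: str
    message: str


def find_removable_media_events(
    lines: Iterable[str], air_gapped_hosts: Set[str] = AIR_GAPPED_HOSTS
) -> List[Alert]:
    """Return one Alert per removable-storage kernel message seen on an air-gapped host."""
    alerts: List[Alert] = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a kernel syslog line (e.g. sshd); out of scope here
        host, msg = m.group("host"), m.group("msg")
        if host not in air_gapped_hosts:
            continue  # removable media on a connected workstation is a policy matter, not an air-gap breach
        if any(p.search(msg) for p in STORAGE_PATTERNS):
            alerts.append(Alert(m.group("ts"), host, msg))
    return alerts


def hosts_with_media_events(alerts: List[Alert]) -> Set[str]:
    """Collapse the per-message alerts to the set of air-gapped hosts that saw any removable media."""
    return {a.host for a in alerts}


if __name__ == "__main__":
    found = find_removable_media_events(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.host}: removable storage attached: {a.message}")
    print("air-gapped hosts needing review:", sorted(hosts_with_media_events(found)))
```

In practice the same check would run against forwarded logs from every designated host, and a single plug-in event produces two kernel messages (the usb-storage probe and the SCSI disk attach), which is why the second function reduces alerts to hosts for triage.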

It is easier to focus on and prepare for a specific threat hazard and the more specific this is, the easier it is to prepare for it – and the more likely that the next challenge you face in practice will be a “none of the above.” In a real sense it is impossible to prepare for absolutely anything, and when new vulnerabilities are emerging all the time and both at the component and emergent systems levels, “absolutely anything” can almost come to seem a realistic label. An effective cyber-conflict defense doctrine can and will help you limit that “anything” operationally to a more manageable set of somethings.

Operationally I would offer a set of recommendations for implementing any cyber-security doctrine and pretty much regardless of its specific details.

• Cyber-security can be no stronger than its weakest link and if you only focus on the software and hardware, that greatest vulnerability will be in the people who use these systems. Your greatest vulnerability will be in what you do not adequately consider.
• Training in safe and secure access and use of information systems has to be held as a high priority, in exactly the same way that software patches and other technology-protective measures are.
• Deploy and utilize penetration testing – in-house hackers to help you identify and test out both potential vulnerabilities and potential remediations for them. This should be an ongoing process, and here I cite the US National Security Agency (NSA) Red Team and Blue Team approach where they simultaneously seek to test-exploit vulnerabilities and block and stymie these test attacks.
• Here, however, it is important that penetration testing be devised and carried out with a goal of testing for systems complexity and its emerging vulnerabilities as well as testing for component level vulnerabilities – testing for systems level gaps and weaknesses in how the parts connect, or fail to connect effectively and securely. And the ongoing findings of this should inform both direct operational practice and also strategic planning and prioritization.
• And never rest on your laurels, thinking that because you have identified and blocked one test assault you could automatically identify the next one, let alone the next real assault – before it has caused disruption, compromise of confidential information and harm.
• Penetration testing per se is of course simply one approach that can and should be used and the most obvious of them. Due diligence and risk remediation efforts should all be done coordinately, whichever approaches and tools are used, and results should never simply end up in dusty folders or their electronic equivalents.

As a final thought here I go back to a general point I have repeatedly made in the earlier installments to this series. You do not automatically know who has launched an attack because sources can be hidden and spoofed. If you see evidence of a potential and even likely source of an attack you may have correctly identified the attacker, but you may have simply identified a step in the process through which the attack was launched. You may even have identified the intended target, where a cyber-attack was launched primarily with a long-term goal of damaging the credibility of a third party. In this, the systems attacked and compromised could be seen as potentially being more collateral damage than actual intended target. I come back to the April 2007 cyber-attacks on Estonia with that, where it can be argued they were the intended target but a solid case can be made that Russia was, and its credibility with a wide swath of its neighboring countries.

• Security doctrine may connect to response, but if you do not know where your response should legitimately be directed you may simply be helping to carry out that initial attack as originally planned.
• Cyber-security and due diligence, risk remediation and defense from cyber-attack cannot be carried out locally or by any one group or nation as if in a vacuum. This is preeminently a context where collaboration is needed – even when that means cooperation and collaboration with others with whom you do not generally agree. And I cite the growing, global interconnectivity and interdependence that I simply scratch the surface on in this blog and in sections of it like Ubiquitous Computing and Communications – everywhere all the time.

I will be posting further updates on this general topic, though not necessarily one per week as I have recently.
