Platt Perspective on Business and Technology

Information systems security and the ongoing consequences of always being reactive – 14: putting the puzzle together as a strategic and operational process 2

Posted in business and convergent technologies, social networking and business by Timothy Platt on April 22, 2013

This is my fourteenth installment to a series on the state of information systems security going into the second decade of the 21st century, and on challenges that will have to be addressed in moving forward from where we are now (see Ubiquitous Computing and Communications – everywhere all the time, postings 185-188 for Parts 1-4, and its continuation page, postings 189 and following, for Parts 5-13). It is also a direct continuation of Part 13, where I first wrote of the first, second and now rapidly approaching third waves of black hat hacker and cyber-criminal activity.

To repeat, or at least expansively paraphrase from the end of Part 13 and continue from there:

• Early, first wave hackers primarily sought to show their prowess and count coup by proving that they could gain access to computer systems. Their vulnerability identification efforts were closely held as proprietary to themselves so as to limit competition from their peers, and the exploits that they developed were highly individual and crafted as exercises in their personal technical mastery.
• Second wave black hat hackers then moved in with a strictly for-profit motive. Some, of course, have shown as high a level of computer technology savvy and expertise as any first wave hacker, but here that skill and its fruits became commoditizable products and services, and the buyers of their efforts need not be computer technology experts of any type – only business people who see value in these business supporting capabilities.
• At the same time that first wave hacking was being supplanted by a second wave as the primary source of motivation for malicious online and computer-targeting activity, the first low-level and ineffective efforts to standardize and streamline exploit development began to take form. I have already noted those first steps in Part 1, where I wrote of script kiddies, who either attempted to hand-assemble their own malware code from more expertly developed blocks of code that others had produced, or who used early development tools to do this for them.
• On a non-malware track, legitimate software developers also work with blocks of code that others develop, both in tapping into established code libraries and in coordinately developing larger programs where their own work has to fit in and work with the products of other developers’ efforts. Think of team development of large object oriented software packages as a working example. So this basic approach does not in and of itself mean a lack of skills – it can also be pursued as a route to faster and more efficient development. For malware production, though, this carries a price. Among other things, reusing lines of programming code might mean that a presumably “new” malware threat is already known to the reactive malware-detecting security software in place, because it contains specific code snippet sequences already in that software’s malware definitions libraries. So when the code developed is static, reuse of established code that has already gone out to the world, as a means of productivity and product development improvement, can be self-limiting.
• Then polymorphic code arrived on the scene and two things happened. The potential threat profile that would have to be identified and blocked by standard reactive gatekeeper software such as anti-virus programs began to grow hyper-exponentially, and reused code specifically designed to give a threat polymorphic variability as it spreads might remain as difficult to generically identify by reactive means as if it were completely novel. This, I would add, would particularly apply if the polymorphic engine component of a malware package were itself developed, in each specific instance, through a polymorphic code generator. And this brings me to the next step in this code development and its evolution.
• When malware producers went commercial and developed and sold their wares as profitable market offerings, pressures developed and increased to produce more, better, and faster. More and more sophisticated, and I would add expensive, development tools were added to the malware designer’s and producer’s toolkits. And the rate of development of new malware threats with no previously identified code signatures to identify them skyrocketed. And this brings me to here and now.
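To make the signature-versus-polymorphism point of the last three bullets concrete, here is an added illustration in Python (mine, not from the original post). It uses a constructed twelve-byte “known block”, a constructed single-byte XOR re-encoding as a stand-in for per-instance polymorphic variation, and a hypothetical signature name, and shows why exact byte signatures stop matching and one normalisation step that reactive scanners add to recover:

```python
"""Constructed demo: exact byte signatures catch reused static code, miss
per-instance re-encoded copies, and recover once the scanner normalises."""

# Constructed sample of a "reused code block" a reactive scanner already knows.
KNOWN_SNIPPET = b"\x55\x89\xe5\x83\xec\x10\xe8\x00\x00\x00\x00\x5b"
SIGNATURES = {"demo.reused-block": KNOWN_SNIPPET}  # hypothetical signature name


def scan_static(sample: bytes) -> list[str]:
    """Purely reactive check: exact byte-sequence signatures only."""
    return [name for name, sig in SIGNATURES.items() if sig in sample]


def polymorphic_variant(payload: bytes, key: int) -> bytes:
    """Constructed stand-in for polymorphic variability: the same block
    encoded with a different single-byte key each time it is generated."""
    return bytes([key]) + bytes(b ^ key for b in payload)


def scan_with_xor_normalisation(sample: bytes) -> list[str]:
    """Defender's counter: try every single-byte key before matching, so a
    trivially re-encoded copy of a known block is still recognised."""
    hits = set(scan_static(sample))
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in sample)
        hits.update(scan_static(decoded))
    return sorted(hits)


def demo() -> dict:
    """Run both scanners over a static reuse and three constructed variants."""
    padding = b"\x90" * 4
    static_reuse = padding + KNOWN_SNIPPET + padding
    variants = [padding + polymorphic_variant(KNOWN_SNIPPET, k) + padding
                for k in (0x3A, 0x7F, 0xC1)]
    return {
        "static_reuse_caught": bool(scan_static(static_reuse)),
        "variants_caught_by_static": [bool(scan_static(v)) for v in variants],
        "variants_caught_after_normalisation":
            [bool(scan_with_xor_normalisation(v)) for v in variants],
    }


if __name__ == "__main__":
    print(demo())
```

The same signature library detects the static reuse and, after normalisation, all three variants; a real polymorphic engine that also reorders or substitutes instructions defeats this particular normalisation too, which is the growth in threat profile the text describes.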

If I were to succinctly if somewhat cartoonishly summarize the first two waves and introduce the third I would probably do so as follows:

Wave 1: The script kiddie approach, giving way to more and more sophisticated automated malware development tools with visual programming and related technologies.
Wave 2: Development and spread of polymorphic code and the capacity of malware to adaptively change to stay effective when deployed, coupled with larger scale and business production level malware innovation, development, production and sale.
Wave 3: The application of web 3.0, or semantic web and artificial intelligence (AI) technologies to flexibly automate threat vectors and their production, distribution and management.

I wrote this three step progression strictly in terms of technology deployed. Technology enables, and progressively more enabling technology brings progressively wider ranges of participants into this activity. Newer and more flexible malware technologies and methods of developing and deploying it open doors to new players who bring in new motives and reasons. And the more automated and standardized malware production becomes as a marketable commodity, the less necessary it becomes that any buyer/deployer have hands-on technical skills of their own. They only need a business model and capacity to follow through on it that would call for malware as a part of their tool set, and a source of motivation and direction that would lead them to do so.

So some of the organizing understandings as to who is deploying malware and why, which would go into developing a more proactive response system, are at the very least getting more complicated. The primary sources of threat are not going to fit into a basic, simple, generic monetary profit motive model anymore. And simply adding in the variously skewed perspectives that different governments can display when preparing for their cyber-“defense” will not necessarily complete the threat source assessment set, as a simple addition to what has to be accounted for in combination with wave 2 profit motives.

If I were to summarize this operationally, I would state that the current and ongoing sweep of evolutionary change in malware production and in black hat hacker activity in general is to:

• Progressively increase the pace of change in what threat profiles have to be addressed, and
• Progressively increase the pace of change in which new types of vulnerabilities have to be identified and new exploit types addressed,
• While decreasing the visibility of the human sources of these events and their threat profiles and reducing their accountability,
• By making successful exploits more surreptitious and less overtly visible to infected and compromised systems and users.

I am going to continue this discussion in a next series installment where I will more fully discuss third wave hacking and malware. Meanwhile, you can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time and its continuation page, and at Social Networking and Business.
