on internal users
2012/01/09
With BYOD (Bring Your Own Disaster Device at the workplace) gaining traction, there is no point in having three sets of users / user machines (internal, external and the DMZ plus spaghetti policy exceptions). You only have external users and the DMZ.
Internal users and insider threats “do not exist”. It makes life simpler and you get rid of hybrid characterizations for consultants and outsourcers…
A vision so noble
2011/12/14
Vasilis Katos at the 1st Athens Chapter ISACA Conference argued that we do not need cyber security experts, rather we need champions on the multitude of the different and complex areas that this domain encloses. He is not alone in believing this about experts. With the domain being new, hot and with commitment from Governments for financial backing of projects, the landscape is open for expertship claim. And since we are at the infant stages, many try to establish themselves as the strategists who set the pace, no matter how disconnected from reality they may be.
Whenever a new domain is introduced, until it is sufficiently comprehended people try to use analogies to make the connection. It is a no brainer then that since anything colored “cyber” starts to get a military approach, analogies with highly successful strategists of the past and relevant studies of them will appear. Think of it: Sun Tzu seems to fit every subject, from the battle ground, to sports, to (non military) management. I’ve seen efforts for both Sun Tzu (although far from a complete treatment) and Clausewitz and I am sure that others exist too. It is no wonder then that John Boyd and his OODA Loop would receive treatment too.
Since I found the OODA Loop concept interesting I set out to learn a bit more about it. This is not an easy task for a civilian for Boyd did not really leave much written work behind with the exception of a continually refined set of slides that when finalized took about 15 hours to present. To understand the loop, I read “A vision so noble” by Dan Ford. It’s chapter 2 contains a longer explanation of the OODA Loop than Wikipedia does and even includes a hand written sketch of it:
The OODA Loop as John Boyd sketched it toward the end of his life
For a more understandable version of the loop see the Wikipedia drawing and article.
Boyd is mostly an attacker and not a defender and indeed one can find cyber similarites in his work, where in page 40 Ford uncovered from his boxes:
Infiltration
* Blitz and guerrillas infiltrate a nation or regime at all levels to soften and shatter the moral fiber of the political, economic and social structure. To carry out this program, a la Sun Tzu, Blitz and Guerrillas:* Probe and test adversary to unmask strenghts, weaknesses, maneuvers and intentions.
* Shape adversary’s perception of the world to manipulate or undermine his plans and actions.
Purpose
* To force capitulations when combined with external political, economic and military pressures.or
* To minimize the resistance of a weakened foe for the military blows to follow.
Do not all the above match Cyber Warfare aims? So there exists value in studying Boyd and his tactics, but not a one-to-one mapping as many would hope that would make the transition to a cyber domain easier. The OODA Loop is there, one has to understand that it is not completely linear (OODA means Observation, Orientation, Decision, Action but you are constantly in an observation state that provides feedback) and is valuable.
Boyd believed that People not weapons win wars. Not very far from the observation that a good friend has made that people and not machines get hacked or my belief that people are the actual cyber weapons.
A good 70 page book based on Ford’s MSc Thesis that definitely helps expand our thoughts on the matter.
Off to read “The Dynamic OODA Loop: Amalgamating Boyd’s OODA Loop and the Cybernetic Approach to Command and Control” now.
PS1: An earlier version of Ford’s book seems to be available on Lulu as PDF.
PS2: Boyd on management
“There will be blood”
2011/12/10
Jeffrey Carr concludes his 2012 cyber predictions by writing:
“The very worst part of this prediction is that its inevitable. CEOs typically refuse to act to protect their own companies if it cuts into profit. The U.S. government has refused to do what’s necessary to protect our nation’s critical infrastructure because it’s 90% privately owned, and our laws and system of government has enabled this massive malfeasance so that everyone responsible can claim absence of malice. In the words of Upton Sinclair and the movie based upon his book Oil! – “there will be blood”. It’s just a matter of time”.
What is missing is the State’s ability to run the show. Had the State the ability to run the show, it would not have been that much dependent on such a fragile operation mode for the critical infrastructure. But as it is a waste to maintain an idle workforce capable of “doing the job” while actually not doing it (the other option being running the show, which also means a totally different kind of economy), Government resorts to regulation which again is problematic, since there cannot exist a Good Regulator (the Good Regulator can run the show; how many regulatory authorities actually can?) again this is problematic. To counter the problem new rules are placed on top of older ones and thus the Regulatorium emerges.
Blood? The Critical Infrastructure interdependencies are no less complex than the global Economy (imagine the CIP of a nation being attacked because it exports energy to another which is the actual target) so it is going to be rivers of it.
In 2003, Diomidis Spinellis in “Reflections on trusting trust revisited” concluded:
“Those of us who distrust the centralized control over our data and programs that TC platforms and operating systems may enforce can rest assured that the war for total control of computing devices cannot be won.”
Well it is the end of 2011 now and I think we are losing. The computer is being substituted by the tablet and the tablets are dominated by markets (Kindle, iTunes, Android, webstore, Opera, …). Yes you can jailbreak, but really how many do? Since almost every computer related trend seems to be a periodic phenomenon (just think of how many times you’ve seen the thin client vs fat client fashion come and go), we are now reliving the walled garden times. Centralized control is all over the commodity tablets and smartphones (is it really a phone or just a computer who by the way dials too?) “for our good”. The market owners do it “for the customer’s benefit”, not for the money. The developers like it for they push their products through a single channel. And most of the consumers like it for they cannot be bothered to search for applications elsewhere than the store.
Variety kills variety and we’re at the killing stage. We like having options, but we do not like many options and therefore we willfully assigned central control to the industry. It is a periodic phenomenon. We’ll reboot when the industry’s grip gets too tight. In the mean time we who distrust the centralized control over our data and programs are vastly outnumbered by the rest of the consumers.
It has already begun
2011/11/28
Not a post, but my response to “How Would We Know if a Cyber War Started?“:
Well one way to answer the title’s question is this: One can view Cyber War as a highly computerized evolved form of the Cold War. It has begun years ago, it is being conducted right now by various players (state and non-state actors) and will continue in the future. So it has already begun.
Other than that, I’m with @JeffreyCarr on the article’s relevance.
Embracing the Kobayashi Maru
2011/11/22
It seems that I am not the only one who has thought† that the Kobayashi Maru can be used in a cyber security context. “Embracing the Kobayashi Maru: Why You Should Teach Your Students to Cheat” describes the tricks employed by the students when they were given a very short notice to memorize the first 100 digits of π and then write them down. The students were allowed to cheat, but if they were caught they would fail the exercise. This as part of a class that aims to help students build adversarial thinking.
While the discussed solutions were indeed innovative, I strongly believe that the average Greek University student would come up easily with a few working plans :) Next time, if the authors want to make the exercise harder, they should use the previous students as proctors and grade them too. That would develop adversarial thinking even further and could become the Prison Experiment for cyber security.
Hat tip to GK for showing me the article!
on cyber attack attribution
2011/11/20
Whenever an attack is traced back to Russia (like this one) or China, the attribution decay is very fast. One cannot be very sure of whether this is an attack that was initiated from “within” these countries, or whether they were used as hops conveniently pointing to the usual suspect. Another interesting observation is that although
“states that deny involvement in a cyberattack, but refuse to open their investigative records to the victim-state, end up casting doubt on their willingness to stop cyberattacks and cannot expect to be treated as a state living up to its international duties. In effect, host-states that refuse to cooperate with victim-states are unwilling to prevent cyberattacks and have declared themselves a sanctuary state“†
this does not seem to (openly) apply to super-powers.
Update: It seems that this specific incident of critical infrastructure failure was not a cyber attack:
The failure was due to a faulty command inputted by a contractor several months ago who accessed the system remotely while travelling through Russia on personal business. Over time, his mistake caused greater and greater errors until, several months later, the pump failed.”
We should never attribute to malice what can be attributed to a mistake.
[†] – Solving the Dilemma of State Responses to Cyberattacks
Observations from a house broken into
2011/11/12
- Schneier’s Law holds for households. No matter where you’ve hidden it, the burglars will find it. They’ve seen it before.
- If you want a post assessment on what inside your house has some street value, just make a list of what is missing.
- A friend observed that people probably do not upgrade their locks as frequently as their software.
- Why did this happen to me? Why not, indeed.
- Every day you discover another thing missing. Confusion: Was it stolen or is it just misplaced?
On separate networks and air-gaps
2011/11/02
If anything, Stuxnet and Duqu have proved that separate (via air-gap) “more secure” networks do not exist. There exists only one network, the Internet, with some parts labeled as classified and with various degrees of slow connectivity to the rest of the World. And yes sometimes the networking device is just a human with a (USB) stick.
This and exceptions that I have to deal with daily drive me closer to a firewall-less world. I am not there yet though.
The one true way to avoid Data Loss
2011/10/08
The one true way to avoid (critical) Data Loss is to not generate critical data at all.
The above statement is not to be taken as not to invest in DLP. You have to. It simply means that you have to understand (unforeseen) limitations in such solutions. To paraphrase the Internet robustness principle:
Be conservative in the data that you generate (collect); be liberal in how you process them.
For if you generate it, eventually it will fly.
