The Center for Education and Research in Information Assurance and Security (CERIAS)


Happy Anniversary—Bang My Head Against A Wall


Over the last month or two I have received several invitations to go speak about cyber security. Perhaps the up-tick in invitations is because of the allegations by Edward Snowden and their implications for cyber security. Or maybe it is because news of my recent awards has caught their attention. It could simply be that people want to hear about something other than the (latest) puerile behavior by too many of our representatives in Congress, and I am an alternative chosen at random. Whatever the cause, I am tempted to accept many of these invitations, on the theory that if I refuse too many, people will stop asking, and then I wouldn't get to meet as many interesting people.

As I've been thinking about what topics I might speak about, I've been looking back through the archive of talks I've given over the last few decades. It is a reminder of how many things we, as a field, knew about a long time ago that have nonetheless been ignored by vendors and authorities. It is also depressing to realize how little impact I, personally, have had on the practice of information security during my career. But it has also led me to reflect on some anniversaries this year (that happens to us old folk). I'll mention three in particular here, and may use others in future blog posts.

In early November of 1988 the world awoke to news of the first major, large-scale Internet incident. Some self-propagating software had spread around the nascent Internet, causing system crashes, slow-downs, and massive uncertainty. It was really big news. Dubbed the "Internet Worm," it served as an inspiration for many malware authors and vandals, and a wake-up call for security professionals. I recall very well giving talks on the topic for the next few years to many diverse audiences about how we must begin to think about structuring systems to be resistant to such attacks.

Flash forward to today. We no longer see the flashy, widespread damage of worm programs such as Nimda and Code Red. Instead, we have stealthier botnets that infiltrate millions of machines and use them for spam, DDoS, and harassment. The problem has gotten larger and worse, although in a manner that hides some of its magnitude from the casual observer. The damage is there, however; don't try to tell the folks at Saudi Aramco or Qatar's RasGas that network malware isn't a concern any more! Worrisomely, experts working with SCADA systems around the world are increasingly warning how vulnerable they might be to similar attacks in the future.

Computer viruses and malware of all sorts first notably appeared "in the wild" in 1982. By 1988 there were about a dozen in circulation. Those of us advocating more care in the design, programming and use of computers were not heeded in the headlong rush to get computing onto every desktop (and more) at the lowest possible cost. Thus, we now have (literally) tens of millions of distinct versions of malware known to security companies, with millions more appearing every year. And unsafe practices are still commonplace -- 25 years after that Internet Worm.

For the second anniversary, consider 10 years ago. The Computing Research Association, with support from the NSF, convened a workshop of security experts to consider some Grand Challenges in information security. It took a full 3 days, but we came up with four solid Grand Challenges (it is worth reading the full report and, possibly, watching the video):

  1. Eliminate epidemic-style attacks within 10 years
    • Viruses and worms
    • Spam
    • Denial of Service attacks (DoS)
  2. Develop tools and principles that allow construction of large-scale systems for important societal applications that are highly trustworthy despite being attractive targets.
  3. Within 10 years, quantitative information-systems risk management will be at least as good as quantitative financial risk management.
  4. For the dynamic, pervasive computing environments of the future, give end users security they can understand and privacy they can control.

I would argue -- without much opposition from anyone knowledgeable, I daresay -- that we have not made any measurable progress against any of these goals, and have probably lost ground in at least two.

Why is that? Largely economics, and a poor understanding of what good security involves. The economics aspect is that no one really cares about security -- enough. If security were important, companies would really invest in it. However, they don't want to part with all the legacy software and systems they have, so instead they keep stumbling forward and hope someone comes up with magic fairy dust they can buy to make everything better.

The government doesn't really care about good security, either. We've seen that the government is allegedly spending quite a bit on intercepting communications and implanting backdoors into systems, which is certainly not making our systems safer. And the DoD has a history of huge investment in information warfare resources, including buying and building weapons based on unpatched, undisclosed vulnerabilities. That's offense, not defense. Funding for education and advanced research is probably two orders of magnitude below what it really should be if there were a national intent to develop a secure infrastructure.

As far as understanding security goes, too many people still think that the ability to patch systems quickly is somehow the approach to security nirvana, and that constructing layers and layers of add-on security measures is the path to enlightenment. I no longer cringe when I hear someone who is adept at crafting system exploits referred to as a "cyber security expert," but so long as that is accepted as what the field is all about there is little hope of real progress. As J.R.R. Tolkien once wrote, "He that breaks a thing to find out what it is has left the path of wisdom." So long as people think that system penetration is a necessary skill for cyber security, we will stay on that wrong path.

And that is a great segue into the last of my three anniversary recognitions. Consider this quote (one of my favorites) from 1973 -- 40 years ago -- from a USAF report, Preliminary Notes on the Design of Secure Military Computer Systems, by a then-young Roger Schell:

…From a practical standpoint the security problem will remain as long as manufacturers remain committed to current system architectures, produced without a firm requirement for security. As long as there is support for ad hoc fixes and security packages for these inadequate designs and as long as the illusory results of penetration teams are accepted as demonstrations of a computer system security, proper security will not be a reality.

That was something we knew 40 years ago. To read it today is to realize that the field of practice hasn't progressed in any appreciable way in four decades, except that we are now also stressing the wrong skills in developing the next generation of expertise.

Maybe I'll rethink that whole idea of going to give talks on security and simply send them each a video loop of me banging my head against a wall.


PS -- happy 10th annual National Cyber Security Awareness Month -- a freebie fourth anniversary! But consider: if cyber security were really important, wouldn't we be aware of that every month? The fact that we need to promote awareness of it is proof it isn't taken seriously. Thanks, DHS!

Now, where can I find a good wall that doesn't already have dents from my forehead...?

Comments

Posted by JBaker
on Sunday, October 6, 2013 at 03:00 PM

Spaf,

You are (as usual) correct, we cannot get industry or the Gov’t serious about the challenge. As we discussed during the SAF study several years ago, it will take a Cyber Pearl Harbor before the “leadership” in DC will take appropriate steps to stem the tide.

Best Regards,

John

Posted by Rob
on Sunday, October 6, 2013 at 03:51 PM

Spaf,

I had a colleague recently who left for a considerable amount of money. He was promoted quickly and viewed by most as a great resource before he left the office for a 300% increase in salary. I thought he knew quite a bit, and he was very technical, and he was a great resource day-to-day.

When he showed me some recent techniques for exploiting a particular system, I asked how might you stop this.  He was simply puzzled, and he had not even a hint of an answer or even possible approach.  When we dealt with broader problems that raised a host of competing factors such as economics, privacy, or corporate liabilities, he looked at only technical solutions and had little thought about satisfying all the competing equities while creating an enduring and long term solution.

How did this candidate impact the future of the office:

I can say that in one case, I had to fight to hire a candidate from Purdue that demonstrated the ability to solve new and complex problems.  The candidate was given a very low salary offer, which the candidate did not accept.  When I asked why we gave the candidate such a low offer, I received the answer that the candidate did not have X certifications on Y topic to justify the higher pay.  I tried to explain that the candidate demonstrated the mastery of the topic area, because the candidate was one of the first people to try X on Y topic.  This was directly related to a salient issue our office had struggled with, which another student at Purdue was solving for us in a graduate course.  I said there is no certification for taking this type of new approach, and that this approach may yield great results and have immediate impact.

The recruiters admitted that they only picked the candidate based on my recommendation, but in reality, they didn’t think the candidate would be successful.

The recruiters then used the colleague mentioned above as a prime example of the type of employees that “We” needed in the office:  the employee that left to develop exploits.  I tried to highlight the salient difference between candidates that can identify problems and one that can deal with uncertainty and complexity.

I don’t know the status of the candidate, but I did fight several months to get the candidate hired.  I also raised a number of these issues with our recruiting office, which I am VERY sure were ignored.

This is a small example, but it shows how the few candidates that can deal with uncertainty and complexity are often passed over…

-Rob

=======
Spaf sez:

That is definitely a problem in too many places, and why I’m pleased the recent National Academies report said the field is too dynamic and young for formal “professionalization”: with so few people who understand it, certificates take the place of skills. I have tried to ensure that we provide an environment here to teach problem solving in the context of cyber security, but it certainly isn’t appreciated (or understood) in too many places….

Posted by Jack Holleran
on Sunday, October 6, 2013 at 05:27 PM

Spaf,

Do you really mean 40 years where you say 30 years?  Or is this a 10th anniversary reprint (very possible in my mind)?

As for Rob, he should have raised his concerns to executive management after 1-2 dialogs with HR.  HR has its own requirements and unless executive management changes those requirements, Rob is not going to get the resources desired.

As to your impact, you have created a cadre of experts who in total have your capabilities. After you (and many of us) are gone, your impact will still be present and felt for many years. That is a great legacy!

My observation (over 4 decades) is people at least know how to spell s-e-c-u-r-i-t-y.  Unfortunately, in many organizations the group is considered overhead and hard to justify when executive bonuses and shareholder dividends are considered.  They understand tangible security (guards, guns, bullets, fences, locks, etc.); they still haven’t come to grips with the intangible bits and bytes which represent the total intellectual property owned by the institution and ultimately their livelihood.

When key CEOs lose their competitive advantage, they are going to start reacting like Thor with a hammer of vengeance.  They will start demanding affordable solutions that might start an upswing to the changes you and Roger have preached about.

Who are the key people?  I’m not sure but I would target money people, health, and pharmaceutical people since those industries seem to be the only ones that get negative attention when something happens in their industries.  If they force the creation of affordable solutions, then maybe the rest of the business world will follow. And the cost of security will fall.

And since you are in the academic world, do the other schools (e.g. - business, health, soft sciences, etc.) discuss the impact of security?  When students in these schools go out into the world after graduation, are they concerned about the impact of bad security? Do they have any awareness or insight when bad security is in their environment, without a note from corporate security, a CNN news report, or a visit from the IT department?

In essence, we have developed good solvers (students who come through programs like yours).

But we haven’t developed good “wanters” (every one else).

Jack

=============
Spaf sez:

Ooops—yes, 40.  Now fixed in the body of the post.  I plead insufficient coffee!

As to people in other fields—- heck, if we could just get everyone leaving with a CS degree to understand the importance of security (and privacy) we’d be a step ahead.  I don’t think we’re even close for other disciplines.

Posted by Bill Caelli
on Sunday, October 6, 2013 at 07:18 PM

Yes - lots of anniversaries this year for cybersecurity month!
And another one - 1973 - and the call from the then NBS for a new cipher to protect unclassified Govt systems - which eventually became DES and - well - consider that story against the latest re NIST!

BUT - just another note - visit China/Hong Kong and see just how many ICT students there are familiar with SELinux, for example, and its base concepts (remember Trusted XENIX, Trusted/CMW SOLARIS, and Roger’s GEMSOS!!!). (Here in Australia and over there at colleges/universities - unknown, if any really??)

Posted by Dave Dittrich
on Monday, October 7, 2013 at 01:25 PM

Hey Spaf,

I have to correct you on something. You did make a huge contribution that is playing out today. Sure, engineering has not gotten better. That is out of your (and our) hands.

But you produced a detailed analysis of the Internet Worm, to help responders understand it and deal with it. That event prompted DoD to stand up CERT/CC, which helped spread the word and coordinate responders.

Then in 1999, when the first major DDoS attacks began, your work was one of the inspirations for me, then several others, in writing the first five or so very detailed technical analyses of DDoS attack tools.

Today, private researchers and companies produce similarly (or even more technical) reports on malware they are dealing with on a regular basis.

So please, at least breathe deeply and smile for a moment before the first head strike to the wall. You *have* made a difference. I thank you for that!

Posted by Teodor Sommestad
on Tuesday, October 8, 2013 at 02:16 AM

I think that you are being too hard on yourself and the security community. I cannot help but think that managing these challenges must have been more of a vision than a goal that you thought we would reach in 10 years. Consider number 3 for example. The financial sector is huge and more or less all they do is assess and act on financial risks. Unlike the software industry they have hordes of bright, educated people specialized in tuning and improving quantitative models, working 50-60 hours a week. The challenge to catch up with them in managing/assessing risks must have been seen as a very bold thing when you presented these challenges. (On the other hand, the financial crisis leaves some room for interpretation when it comes to who has the best models.)

Posted by Daniel Isaiah Shalach
on Thursday, October 17, 2013 at 10:58 PM

After reading this I kept coming back to one part.
“As far as understanding security goes, too many people still think that the ability to patch systems quickly is somehow the approach to security nirvana, and that constructing layers and layers of add-on security measures is the path to enlightenment”

In this day and age redundancy seems to make many feel safe and yet… it seems if you show enough smoke and mirrors no one looks behind the curtain anymore.

But….happy anniversary and may all the curtains come down.

Posted by Market Research
on Friday, October 18, 2013 at 04:18 AM

You know you really have a beautiful way of writing and articulating your perspective on the world, that’s a real talent and you should continue to develop it!.

Posted by Teodor Sommestad
on Tuesday, October 22, 2013 at 02:05 PM

I think that you are being too hard on yourself and the security community. I cannot help but think that managing these challenges must have been more of a vision than a goal that you thought we would reach in 10 years. Consider number 3 for example. The financial sector is huge and more or less all the actors in that sector do is assess and act on financial risks. Unlike the software industry they have hordes of bright, educated people specialized in tuning and improving quantitative models, working 50-60 hours a week. The challenge to catch up with them in managing/assessing risks must have been seen as a very bold thing when you presented these challenges. (On the other hand, the financial crisis leaves some room for interpretation when it comes to who has the best models.)

Posted by Tom Kozlowski
on Monday, November 4, 2013 at 02:28 PM

Does the use of proxies on PCs help in the security of things like emails, or personal transactions?
Thanks

——

Spaf sez: proxies can help in only some cases. For instance, a mail proxy can make it more difficult for someone to identify your host. However, few proxies are written to provide security services.

Posted by abeaf
on Saturday, November 23, 2013 at 05:29 PM

think that you are being too hard on yourself and the security community. I cannot help to think that managing these challenges must have been more of a vision than a goal that you though we would reach in 10 y
