Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

2/19/2019
02:30 PM
Adam Shostack
Adam Shostack
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Making the Case for a Cybersecurity Moon Shot

There are severe and unsolved problems in our industry that justify a sustained effort and substantial investment. It's worth picking one.

There's been a lot of talk lately of a cybersecurity moon shot. Unfortunately, the model seems to be the war on cancer, not the Apollo program. Both are worthwhile, but they are meaningfully different.

Allow me to start with a line from a speech by President Kennedy on May 25, 1961. Odds are you've heard these words:

… This nation should commit itself to achieving the goal, before this decade is out, of landing a man on the moon and returning him safely to the Earth. No single space project in this period will be more impressive to mankind, or more important for the long-range exploration of space; and none will be so difficult or expensive to accomplish.

That's what a moon shot is: a clear, measurable milestone with reasons for doing it and challenges to overcome. And so the image to recall is not the iconic first footstep, but this:

Apollo 11 splashdown. Courtesy NASA.
Apollo 11 splashdown. Courtesy NASA.

Unlike JFK's moonshot, explained Grant Schneider, federal CISO, at the recent 9th Annual Billington Cybersecurity Summit, "there isn’t going to be an instant where we say we've achieved success in cybersecurity. We're not blasting anyone into cyberspace." Instead, Jeannette Manfra, assistant secretary for cybersecurity and communications at the Department of Homeland Security, put forth a different vision:

Within 10 years, I'd like to see a true fundamental shift in how the Internet is operated in. I'd like to be in a place where we have move passed the "whack-a-mole" approach to cybersecurity incidents.

This is not the way to put a woman on the moon and return her safely to earth. But getting away from whack-a-mole is certainly a worthwhile goal for cybersecurity.

Defining a Moon-Shot Goal for Cybersecurity
The Apollo missions did not do everything that space exploration enthusiasts wanted. We did not establish a permanent presence outside the atmosphere, even if you count the International Space Station. (It makes no claim to being self-sustaining.) It's been 46 years since a person went to the moon. No one has been to Mars. Of the many goals expressed by the engineers and visionaries, we executed on one. 

On the other hand, we can and should define moon-shot goals for cybersecurity. My goal is to define game-changers, with objectives that are imaginable and with the criteria:

  • No single project will be more impressive or impactful.
  • No single project will be more important for our long-term ability to operate a resilient cyberspace.
  • The result thus justifies the effort and expense.

Some possibilities:

  • Payloads attached to email will not result in an attacker's code running on a computer, or the compromise of credentials needed to log in to it. (That is, phishing, either with a URL, an executable attachment, or an exploit-bearing attachment, will fail. We have many of the parts, such as execution whitelists, anti-execution mitigations, password managers, and MFA, but we rarely deploy them all in an integrated, usable package.)
  • Red teams given execution access to a standard desktop cannot move laterally without setting off alarms that are not lost because the SOC is a sea of tranquility.
  • Investigators digging into a compromise six months after it's started can enumerate 90% of the actions taken by a red team.

These goals do not solve every problem in security any more than the moon shot solved every problem on earth, or even within the exploration of space.

My success criteria could be usefully refined, but such refinement distracts from the importance of setting and reaching for a moon-shot-style goal. The goal need not be that every computer has these properties, but it would be useful to achieve them with the most-deployed desktop configuration in the federal government. We need criteria about usability. We need to stop complaining about people, and give people technologies that allow them to safely do their jobs. We need to ensure that if a red team is part of the criteria, the goal is not made meaningless by rules placed on their work.

Focusing our attention on a moon shot can be a powerful technique. There are severe and unsolved problems in our field that may be solvable with the right attention. It is worth picking one.

What other goals are worthy of the name "moon shot"?  Share your thoughts in the comments.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Adam is a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps organizations improve their security via Shostack & Associates, and advises startups ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
drmikelloyd
50%
50%
drmikelloyd,
User Rank: Author
2/26/2019 | 7:36:41 PM
Re: A network that understands hardness
Sure - how about:

Abandon the "permitted by default" network model.  Endpoints must prove to networks that they are ready to be exposed to anything beyond their immediate neighborhood.  Moderate access requires only basic proof of hygeine, while a new Internet-facing web server (or container) must demonstrate being hardened and ready before the flood gates are opened.
adamshostack
50%
50%
adamshostack,
User Rank: Apprentice
2/26/2019 | 6:58:42 PM
Re: A network that understands hardness
I think I see where you're going -- can you rewrite it as a moonshot goal?
drmikelloyd
50%
50%
drmikelloyd,
User Rank: Author
2/25/2019 | 8:43:26 PM
Re: A network that understands hardness
Right - there is a big distinction between general purpose endpoints and special purpose "things".  Laptops get patched regularly, and have decent internal firewalls.  That said, the market for network firewalls has not gone away - it's interesting to look at reasons why. 

Laptops are great and all, but they aren't where most of the value resides.  Data centers are fragile in one way - huge uptime pressure, and an unwillingness to patch.  IoT devices are fragile in a completely different way - they lack a decent patching infrastructure, and are generally designed to a pricepoint, not about flexible response to a changing security landscape.

My response to your moonshot question comes from a point of view that "between" still matters.  Security tech is either placed on endpoints, or between them.  The endpoint security products face challenges (too many agents, not to mention endpoints that aren't built to accomodate agents - does your fridge?).  That's why there is still a large challenge space around "between" controls.  It's the old debate - shiould the network just be dumb pipes, or should it provide intelligent services and controls?

I'm suggesting a moonshot for a network that can enforce intelligent controls *between* endpoints as the way forward.  This is a moonshot because today, endpoints do not have to play along, or follow any hygeine standards, or register what kind of object they are.  We've stacked up some ways to lock down laptops, and messed around with MDM, but what about all the things that are neither?
adamshostack
50%
50%
adamshostack,
User Rank: Apprentice
2/25/2019 | 6:09:50 PM
Re: A network that understands hardness
Hi thanks Mike!

 

Is this still a problem? I was under the impression that most mainstream systems were fairly firewalled these days, but perhaps I'm thinking more of desktops and less of IoT?

 

Adam
drmikelloyd
50%
50%
drmikelloyd,
User Rank: Author
2/20/2019 | 2:39:43 PM
A network that understands hardness
Nice question, Adam.  How about a project to ensure a machine directly exposed to the Internet does not immediately succumb to all the known "background radiation" out there? 

There are a range of possible implementations (proactive vs reactive hardening).  But similar to your goal of "email payloads should never be detonated", I'm thinking "maintain a living battery of tests that must pass as basic hygeine before a machine can be exposed widely".  It's not NAC - it's more like the inverse.  NAC says you can't even access a local network unless you're "clean" to a specified level.  This project flips that, to say the level of hardening required depends on breadth of exposure to others.

The moonshot aspect of this is to teach the network (where access policy is enforced) about the quality or hardness of each endpoint.  In an IoT future, this may be essential - consumer IoT is too weak to be treated like other endpoints.
schopj
50%
50%
schopj,
User Rank: Strategist
2/19/2019 | 4:31:31 PM
Moonshot
Getting Microsoft to log at least as much as Sysmon and to start better protecting those logs so they cant be easily deleted, or if they can, can also be easily recovered.  I shouldnt have to install a third party app, or any app, just to get detailed logs monitoring process hashes and who started what from what program, or any of the other things that advanced logging applications log.  It is an MS operating system and it should log everything that is done on it, period.  
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: He still insists that security by obscurity is the way to go.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9681
PUBLISHED: 2019-09-17
Online upgrade information in some firmware packages of Dahua products is not encrypted. Attackers can obtain this information by analyzing firmware packages by specific means. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X...
CVE-2019-9009
PUBLISHED: 2019-09-17
An issue was discovered in 3S-Smart CODESYS before 3.5.15.0 . Crafted network packets cause the Control Runtime to crash.
CVE-2018-20336
PUBLISHED: 2019-09-17
An issue was discovered in Asuswrt-Merlin 384.6. There is a stack-based buffer overflow issue in parse_req_queries function in wanduck.c via a long string over UDP, which may lead to an information leak.
CVE-2019-12755
PUBLISHED: 2019-09-17
Norton Password Manager, prior to 6.5.0.2104, may be susceptible to an information disclosure issue, which is a type of vulnerability whereby there is an unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
CVE-2019-14826
PUBLISHED: 2019-09-17
A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session.