Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

2/19/2019
02:30 PM
Adam Shostack
Adam Shostack
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Making the Case for a Cybersecurity Moon Shot

There are severe and unsolved problems in our industry that justify a sustained effort and substantial investment. It's worth picking one.

There's been a lot of talk lately of a cybersecurity moon shot. Unfortunately, the model seems to be the war on cancer, not the Apollo program. Both are worthwhile, but they are meaningfully different.

Allow me to start with a line from a speech by President Kennedy on May 25, 1961. Odds are you've heard these words:

… This nation should commit itself to achieving the goal, before this decade is out, of landing a man on the moon and returning him safely to the Earth. No single space project in this period will be more impressive to mankind, or more important for the long-range exploration of space; and none will be so difficult or expensive to accomplish.

That's what a moon shot is: a clear, measurable milestone with reasons for doing it and challenges to overcome. And so the image to recall is not the iconic first footstep, but this:

Apollo 11 splashdown. Courtesy NASA.
Apollo 11 splashdown. Courtesy NASA.

Unlike JFK's moonshot, explained Grant Schneider, federal CISO, at the recent 9th Annual Billington Cybersecurity Summit, "there isn’t going to be an instant where we say we've achieved success in cybersecurity. We're not blasting anyone into cyberspace." Instead, Jeannette Manfra, assistant secretary for cybersecurity and communications at the Department of Homeland Security, put forth a different vision:

Within 10 years, I'd like to see a true fundamental shift in how the Internet is operated in. I'd like to be in a place where we have move passed the "whack-a-mole" approach to cybersecurity incidents.

This is not the way to put a woman on the moon and return her safely to earth. But getting away from whack-a-mole is certainly a worthwhile goal for cybersecurity.

Defining a Moon-Shot Goal for Cybersecurity
The Apollo missions did not do everything that space exploration enthusiasts wanted. We did not establish a permanent presence outside the atmosphere, even if you count the International Space Station. (It makes no claim to being self-sustaining.) It's been 46 years since a person went to the moon. No one has been to Mars. Of the many goals expressed by the engineers and visionaries, we executed on one. 

On the other hand, we can and should define moon-shot goals for cybersecurity. My goal is to define game-changers, with objectives that are imaginable and with the criteria:

  • No single project will be more impressive or impactful.
  • No single project will be more important for our long-term ability to operate a resilient cyberspace.
  • The result thus justifies the effort and expense.

Some possibilities:

  • Payloads attached to email will not result in an attacker's code running on a computer, or the compromise of credentials needed to log in to it. (That is, phishing, either with a URL, an executable attachment, or an exploit-bearing attachment, will fail. We have many of the parts, such as execution whitelists, anti-execution mitigations, password managers, and MFA, but we rarely deploy them all in an integrated, usable package.)
  • Red teams given execution access to a standard desktop cannot move laterally without setting off alarms that are not lost because the SOC is a sea of tranquility.
  • Investigators digging into a compromise six months after it's started can enumerate 90% of the actions taken by a red team.

These goals do not solve every problem in security any more than the moon shot solved every problem on earth, or even within the exploration of space.

My success criteria could be usefully refined, but such refinement distracts from the importance of setting and reaching for a moon-shot-style goal. The goal need not be that every computer has these properties, but it would be useful to achieve them with the most-deployed desktop configuration in the federal government. We need criteria about usability. We need to stop complaining about people, and give people technologies that allow them to safely do their jobs. We need to ensure that if a red team is part of the criteria, the goal is not made meaningless by rules placed on their work.

Focusing our attention on a moon shot can be a powerful technique. There are severe and unsolved problems in our field that may be solvable with the right attention. It is worth picking one.

What other goals are worthy of the name "moon shot"?  Share your thoughts in the comments.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Adam is a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps organizations improve their security via Shostack & Associates, and advises startups ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
drmikelloyd
50%
50%
drmikelloyd,
User Rank: Author
2/26/2019 | 7:36:41 PM
Re: A network that understands hardness
Sure - how about:

Abandon the "permitted by default" network model.  Endpoints must prove to networks that they are ready to be exposed to anything beyond their immediate neighborhood.  Moderate access requires only basic proof of hygeine, while a new Internet-facing web server (or container) must demonstrate being hardened and ready before the flood gates are opened.
adamshostack
50%
50%
adamshostack,
User Rank: Apprentice
2/26/2019 | 6:58:42 PM
Re: A network that understands hardness
I think I see where you're going -- can you rewrite it as a moonshot goal?
drmikelloyd
50%
50%
drmikelloyd,
User Rank: Author
2/25/2019 | 8:43:26 PM
Re: A network that understands hardness
Right - there is a big distinction between general purpose endpoints and special purpose "things".  Laptops get patched regularly, and have decent internal firewalls.  That said, the market for network firewalls has not gone away - it's interesting to look at reasons why. 

Laptops are great and all, but they aren't where most of the value resides.  Data centers are fragile in one way - huge uptime pressure, and an unwillingness to patch.  IoT devices are fragile in a completely different way - they lack a decent patching infrastructure, and are generally designed to a pricepoint, not about flexible response to a changing security landscape.

My response to your moonshot question comes from a point of view that "between" still matters.  Security tech is either placed on endpoints, or between them.  The endpoint security products face challenges (too many agents, not to mention endpoints that aren't built to accomodate agents - does your fridge?).  That's why there is still a large challenge space around "between" controls.  It's the old debate - shiould the network just be dumb pipes, or should it provide intelligent services and controls?

I'm suggesting a moonshot for a network that can enforce intelligent controls *between* endpoints as the way forward.  This is a moonshot because today, endpoints do not have to play along, or follow any hygeine standards, or register what kind of object they are.  We've stacked up some ways to lock down laptops, and messed around with MDM, but what about all the things that are neither?
adamshostack
50%
50%
adamshostack,
User Rank: Apprentice
2/25/2019 | 6:09:50 PM
Re: A network that understands hardness
Hi thanks Mike!

 

Is this still a problem? I was under the impression that most mainstream systems were fairly firewalled these days, but perhaps I'm thinking more of desktops and less of IoT?

 

Adam
drmikelloyd
50%
50%
drmikelloyd,
User Rank: Author
2/20/2019 | 2:39:43 PM
A network that understands hardness
Nice question, Adam.  How about a project to ensure a machine directly exposed to the Internet does not immediately succumb to all the known "background radiation" out there? 

There are a range of possible implementations (proactive vs reactive hardening).  But similar to your goal of "email payloads should never be detonated", I'm thinking "maintain a living battery of tests that must pass as basic hygeine before a machine can be exposed widely".  It's not NAC - it's more like the inverse.  NAC says you can't even access a local network unless you're "clean" to a specified level.  This project flips that, to say the level of hardening required depends on breadth of exposure to others.

The moonshot aspect of this is to teach the network (where access policy is enforced) about the quality or hardness of each endpoint.  In an IoT future, this may be essential - consumer IoT is too weak to be treated like other endpoints.
schopj
50%
50%
schopj,
User Rank: Strategist
2/19/2019 | 4:31:31 PM
Moonshot
Getting Microsoft to log at least as much as Sysmon and to start better protecting those logs so they cant be easily deleted, or if they can, can also be easily recovered.  I shouldnt have to install a third party app, or any app, just to get detailed logs monitoring process hashes and who started what from what program, or any of the other things that advanced logging applications log.  It is an MS operating system and it should log everything that is done on it, period.  
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
6 Top Nontechnical Degrees for Cybersecurity
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/21/2019
Anatomy of a BEC Scam
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18610
PUBLISHED: 2019-11-22
An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk 13.21 through 13.21-cert4. A remote authenticated Asterisk Manager Interface (AMI) user without system authorization could use a specially crafted Originate AMI request to execute arbitrary syste...
CVE-2019-9536
PUBLISHED: 2019-11-22
Apple iPhone 3GS bootrom malloc implementation returns a non-NULL pointer when unable to allocate memory, aka 'alloc8'. An attacker with physical access to the device can install arbitrary firmware.
CVE-2013-6811
PUBLISHED: 2019-11-22
Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DSL-6740U gateway (Rev. H1) allow remote attackers to hijack the authentication of administrators for requests that change administrator credentials or enable remote management services to (1) Custom Services in Port Forwarding...
CVE-2013-6880
PUBLISHED: 2019-11-22
Open redirect in proxy.php in FlashCanvas before 1.6 allows remote attackers to redirect users to arbitrary web sites and conduct cross-site scripting (XSS) attacks via the HTTP Referer header.
CVE-2019-15652
PUBLISHED: 2019-11-22
The web interface for NSSLGlobal SatLink VSAT Modem Unit (VMU) devices before 18.1.0 doesn't properly sanitize input for error messages, leading to the ability to inject client-side code.