Cyber Defense is Hard and NOT Glamorous

Hacking, by contrast, is also hard but carries a certain cool factor in the wider world (whether criminal or ethical).

A new report came out yesterday from RAND (rand.org):

http://www.rand.org/pubs/research_reports/RR1024.html

[Image: "The Defender's Dilemma" report graphic, rand.org]

The report is a free PDF download and is only 162 pages long:

http://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf    (if you have not noticed, on my site I place the whole link unless it is around 100 or more characters long, so that you can be certain what you are clicking on)

The report is well researched and validates most of the known cyber defense issues, including some that I have written about here.

Chief Information Security Officers (CISOs) feel that attackers have the upper hand and will continue to have it. Here is a particularly pessimistic quote:

“It will get worse before it gets better, and I do not know if things will get better,” one observed.

My post from October 2014 on a Black Hat discussion of this subject:

http://oversitesentry.com/my-it-is-outsourced-i-dont-worry-about-security/

The fundamental problem for defense (the blue team) is that we have to defend all of the computers, networks, and now mobile devices, while the attacker only needs one of them to fail.

Sun Tzu, "The Art of War", Chapter 6: http://suntzusaid.com/book/6

[ You can ensure the safety of your defense if you only hold positions that cannot be attacked. ]

Since there are no positions on the Internet that cannot be attacked, we end up in "risk management", where we consciously accept that some weak points remain for the attacker to go after.

As I mentioned in my post from March 20: http://oversitesentry.com/why-risk-management-model-failed-us/

Here are the challenges as laid out in a concise measure-versus-countermeasure diagram from the RAND paper:

[Image: measure/countermeasure diagram, "The Defender's Dilemma", rand.org]

It is a good diagram to study until it is fully understood; a partial understanding here means further learning is required.

Attackers (the red team) can always find a way into the organization through user failures such as password mismanagement or spear phishing.

If a social engineer calls one of your employees, asks for their password, and is given it, how do you defend against that?

The only real defense is user-awareness training, but whenever people are involved, mistakes can occur.

The cycle from vulnerability discovery to patch deployment is also covered:

[Image: vulnerability and attack timeline, from the RAND report]


Unfortunately, some organizations do not patch on a regular basis, so even old, long-known vulnerabilities remain dangerous.

The real problem for defense is that patching computers and other electronic devices takes an enormous, continuous effort just to stay ahead of the game. Some systems (Windows XP, for example) can no longer be patched at all, because the vendor no longer releases fixes for them.

The life of a vulnerability, from discovery until it is patched on all systems, can be considerable (p. 79 in the report).

Vulnerabilities are patched within 120 days on average, and a vulnerability found by one person has roughly a 10% chance of being found independently by someone else within a year. So how can we ensure that we find all the vulnerabilities every time new code is introduced? The report's answer is fuzzing, and it cites a Firefox zero-day that took some 60 million fuzzing test cases to uncover, which gives an idea of the effort involved.
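To make the exposure window from the timeline above concrete, here is an added example of my own (not code from the RAND report or from the post's other material). It takes a constructed host inventory, a disclosure date and a vendor patch date, computes how long each host was, or still is, exposed, flags end-of-life systems that will never receive a fix, and compares each host against the 120-day average quoted above. The host names, operating systems and dates are made up for illustration; the rediscovery calculation assumes the 10%-per-year figure applies independently each year, which is my simplification, not the report's model.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Host:
    name: str
    os: str
    patched_on: Optional[date] = None  # None: fix not yet applied
    end_of_life: bool = False          # vendor ships no more patches (e.g. Windows XP)


# Constructed sample data: not a real advisory and not real hosts.
DISCLOSED = date(2015, 3, 1)        # vulnerability becomes public
PATCH_RELEASED = date(2015, 3, 10)  # vendor fix becomes available
TODAY = date(2015, 7, 15)           # date the report is run

FLEET: List[Host] = [
    Host("web-01", "Windows Server 2012", patched_on=date(2015, 3, 12)),
    Host("web-02", "Windows Server 2012", patched_on=date(2015, 4, 30)),
    Host("fileshare", "Windows Server 2008"),                 # patch available, not applied
    Host("kiosk-7", "Windows XP", end_of_life=True),          # no patch will ever arrive
]


def exposure_days(host: Host, disclosed: date, today: date) -> int:
    """Days the host has been attackable: disclosure until patched (or until today)."""
    end = host.patched_on or today
    return max(0, (end - disclosed).days)


def patch_lag_days(host: Host, patch_released: date, today: date) -> int:
    """Days a fix existed but was not applied on this host (still counting if unpatched)."""
    end = host.patched_on or today
    return max(0, (end - patch_released).days)


def classify(host: Host) -> str:
    """Unpatchable hosts need a different control (isolate, replace, accept risk)."""
    if host.patched_on is not None:
        return "PATCHED"
    if host.end_of_life:
        return "UNPATCHABLE"
    return "EXPOSED"


def fleet_report(hosts: List[Host], disclosed: date,
                 patch_released: date, today: date) -> List[Dict]:
    """One row per host with status, exposure window and patch lag."""
    return [
        {
            "host": h.name,
            "os": h.os,
            "status": classify(h),
            "exposure_days": exposure_days(h, disclosed, today),
            "patch_lag_days": patch_lag_days(h, patch_released, today),
        }
        for h in hosts
    ]


def summarize(rows: List[Dict], report_average_days: int = 120) -> Dict:
    """Fleet-level view: what is still open, and who is worse than the 120-day average."""
    return {
        "hosts": len(rows),
        "still_exposed": sum(1 for r in rows if r["status"] != "PATCHED"),
        "unpatchable": sum(1 for r in rows if r["status"] == "UNPATCHABLE"),
        "max_exposure_days": max(r["exposure_days"] for r in rows),
        "over_report_average": [r["host"] for r in rows
                                if r["exposure_days"] > report_average_days],
    }


def rediscovery_probability(per_year: float = 0.10, years: int = 1) -> float:
    """P(at least one other party finds the same bug) assuming an independent
    per-year chance; with the report's 10% figure this is 0.10 at one year."""
    return 1 - (1 - per_year) ** years


if __name__ == "__main__":
    rows = fleet_report(FLEET, DISCLOSED, PATCH_RELEASED, TODAY)
    for r in rows:
        print(r)
    print(summarize(rows))
    print("rediscovery within 3 years:", round(rediscovery_probability(0.10, 3), 3))
```

The point of separating `exposure_days` from `patch_lag_days` is that the first measures what the attacker sees (the vulnerability is public whether or not a fix exists) while the second measures what the defender controls. A host like the Windows XP kiosk shows up with a large, still-growing exposure and a status that no amount of patch scheduling will clear, which is exactly the case the post describes.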

Then there is Return Oriented Programming (ROP), which bypasses Data Execution Prevention (DEP), a mitigation Microsoft built into Windows, by chaining together small pieces of code that are already present and executable in the process rather than injecting new code.

This leads to a scramble in which both offense and defense try to find the flaws first:

[Image: offense vs. defense scramble, from the RAND report]

As more devices get connected (Cisco projects about 7 devices per person by 2020), all of those devices need to be patched properly as well.

The difficulty of cybersecurity also depends on the type of organization being defended, starting with its size.

The report models 4 organization sizes, 5 levels of diligence, and 5 levels of value, which gives 100 organization types (4 × 5 × 5).

Loss is modeled as: value at risk × external hardness × internal hardness.

You have to look at the full set of graphs, but one result is that training spending rises as a function of organization size, both in year 0 (2015) and in year 10 (2025).

Let's grant that a small amount of forecasting is possible, although 10-year forecasting is folly... Beyond that, it is very interesting that this large effort to quantify cybersecurity comes to the conclusion:

Small businesses are in trouble, because they likely will not spend the money on tools or training to defend themselves properly.

Therefore there will be losses from cyberattacks to the tune of 7.8% in 2015 (I won't mention 2025, which will be higher).

Although the loss percentages for larger organizations are higher, they also have more to lose.

The final lessons: self-knowledge is important, since knowing what is on your machines and the risk associated with each will at least give you an understanding of the challenge.

Reputation was considered very important by the people surveyed.

Deciding what to defend (perimeter defense versus internal, systemic defenses) is another key choice.

Investment in cybersecurity will go up, or cyberattacks will cost you money; either way you will have to spend more. I suppose the real purpose of this report may be to make RAND's customers more comfortable with spending more money.
