Over the last few years there has been a popular meme talking about information centric security as a new paradigm over vulnerability centric security. I've long struggled with the idea of information-centricity being successful, and in replying to a post by Rob Bainbridge, quickly jotted some of those problems down.
In pre-summary, I'm still sceptical of information-classification approaches (or information-led control implementations) as I feel they target a theoretically sensible idea, but not a practically sensible one.
Information gets stored in information containers (to borrow a phrase from Octave) such as the databases or file servers. This will need to inherit a classification based on the information it stores. That's easy if it's a single purpose DB, but what about a SQL cluster (used to reduce processor licenses) or even end-user machines? These should be moved up the classification chain because they may store some sensitive info, even if they spend the majority of the time pushing not-very-sensitive info around. In the end, the hoped-for cost-saving-and-focus-inducing prioritisation doesn't occur and you end up having to deploy a significantly higher level of security to most systems. Potentially, you could radically re-engineer your business to segregate data into separate networks such as some PCI de-scoping approaches suggest, but, apart from being a difficult job, this tends to counter many of the business benefits of data and system integrations that lead to the cross-pollination in the first place.
Next up, I feel this fails to take cognisance of what we call "pivoting"; the escalation of privileges by moving from one system or part of a system to another. I've seen situations when the low criticality network monitoring box is what ends up handing out the domain administrator password. It had never been part of internal/external audits scope, none of the vulns showed up on your average scanner, it had no sensitive info etc. Rather, I think we need to look at physical, network and trust segregation between systems, and then data. It would be nice to go data-first, but DRM isn't mature (read simple & widespread) enough to provide us with those controls.
Lastly, I feel information-led approaches often end up missing the value of raw functionality. For example, a critical trade execution system at an investment bank could have very little sensitive data stored on it, but the functionality it provides (i.e. being able to execute trades using that bank's secret sauce) is hugely sensitive and needs to be considered in any prioritisation.
I'm not saying I have the answers, but we've spent a lot of time thinking about how to model how our analysts attack systems and whether we could "guess" the results of multiple pentests across the organisation systematically, based on the inherent design of your network, systems and authentication. The idea is to use that model to drive prioritisation, or at least a testing plan. This is probably closer aligned to the idea of a threat-centric approach to security, and suffers from a lack of data in this area (I've started some preliminary work on incorporating VERIS metrics).
In summary, I think information-centric security fails in three ways; by providing limited prioritiation due to the high number of shared information containers in IT environments, by not incorporating how attackers move through a networks and by ignoring business critical functionality.
The text that follows is a short statement I prepared for the press ahead of my presentation at the 'The International Conference on Cyber Conflict' (http://www.ccdcoe.org/ICCC/) in Tallinn, Estonia. It felt like I had very mixed response, so I'd be interested to hear what others think…
In the piece that follows I will make 5 basic hypothesis, namely:
This fact is graphically illustrated by the apparent success of the Stuxnet attack against the the Iranian nuclear enrichment program at Natanz. By all accounts Stuxnet was a devastatingly successful attack launched by one nation or group of nations against key national infrastructure of another nation. It bypassed all reasonable security controls and could easily have been more destructive, potentially even causing loss of life. All that at the measly price of between $ 500,000 and $ 2 million - apparently less than what the US airforce currently spends in a day.
When it comes to securing an entire country against a well-funded and well-equipped adversary this is even more true, because governments have a dependency on systems and infrastructure for banking, administration, utilities, industry and communications that they do not control. Security in many of these industries is still very poor and, even if governments did apply themselves to improving security as a matter of national policy, I would argue that it may already be too late and that many systems are already compromised by malicious software, some of which will be too sophisticated to detect and remove on the scale required.
A simple analogy for what I'm saying here can be seen in the recent Wikileaks saga. We tend to think of the Wikileaks saga in terms of Julian Assange and the 'leak', but really what we should be considering is the fact that over 500 thousand people apparently had access to the so-called 'secret' documents that Assange ultimately released to the world. Its a problem of scope: How can a government hope to protect something that is being accessed by half a million people, and how can we begin to believe that, with that level of exposure, the security of SIPRNET hadn't already been breached multiple times before?
Now you can see why information warfare is asymmetrical and why it is almost impossible for an entire country to defend itself. This is the core element of my hypothesis this week.
If my government were to approach me and ask: "How can we defend ourselves in this new realm of cyber warfare?" I would have to answer: "We can't". So what option is left to South Africa? Either we can ignore the problem and hope it goes away, or possibly we can develop our own offensive capability to act as a deterrent to would-be attackers. I'm not sure whether this strategy would work, but I do believe that it would at least be feasible to implement, which a defensive strategy is ultimately not. If you accept our previous assertion that a capability like Stuxnet could be developed for just a few million dollars, then even South Africa could afford to get in on the cyber warfare game and potentially strike a few retaliatory blows against its enemies or would-be enemies and thereby maintain a kind of uncomfortable peace. Rather than developing such a capability, we could acquire one commercially, or possibly join a treaty to obtain one, but it strikes me as basically the same thing.
I've argued that this new reality poses a real national-security challenge to small and emerging countries like South Africa who are 'connected' but can never really be sufficiently 'protected' to defend themselves against a well funded adversary. I surmised that this is true (to a greater or lesser extent) for all countries, no matter how large or powerful.
If this analysis is accurate then it is my opinion that countries have two options going forward. Now, I am no military or political scientist so my domain of expertise is being severely stretched here, but the two options I see are:
I love this view of the future as it resonates deeply with the original hacker ethos in which I was 'raised', but I have to confess that I struggle to imagine it being real.
In the second model countries will endeavor to defend themselves by building deterrents - tools of mass cyber destruction aimed at their enemies with the threat of destructive digital force. As history has shown us during the Cold War it seems to me that this approach will ultimately reach a kind of digital stand-off where no single country can afford to unleash its weapons for fear of also destroying itself and the conflict will be reduced to an endless series of spy-vs-spy intrigues and counter-intrigues that will play off in the computers of every government, business, school and even home in the world.
There may be a third option, but if there is I fail to see it. One thing is clear: Unless governments, NGOs, thinkers like Tom Wingfield and other leaders act quickly to highlight and address these challenges then history will take its inevitable course and my colleagues and me will soon all be wearing uniforms and working for the military.