SAND2011-6020C

Cybersecurity Challenges and

Opportunities

Edward B. Talbot

Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed
Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.
SAND Number : XXX-XXXX X
 Outline
• A Thought Experiment
– Evidence
• The Exemplar Threat: The Insider
• Full-scope Cybersecurity
• Effective Cybersecurity
A Thought Experiment

Analyst, Administrator or Adversary?

• “To do my job, I need the following for all web
traffic entering or leaving your site:
– I need access to every packet.
– I need the time-history of the traffic.
– I need tools so I can analyze the data.”

• Analysts, administrators, and adversaries require

the same resources.

• Analysts, administrators, and adversaries pose

similar threats to cybersecurity.
 Are we doing cybersecurity wrong?

… and
so on

Probability of compromise increases with each “monitor” (program,

administrator, analyst,…) that is added to the communication path.
Detection and protection are mutually exclusive.

• Increased detection:
– may increase the probability that a bad guy will be discovered and
caught.
– will increase the probability that data will be compromised.

• Improved user protection:

– will decrease the probability that data will be compromised.
– may enable compromise without detection.

Any system that is capable of detecting all that is going on inside

of it is capable of revealing all that is going on inside of it.
 Outline
• A Thought Experiment
– Evidence
• The Exemplar Threat: The Insider
• Full-scope Cybersecurity
• Effective Cybersecurity
The Exemplar Threat: The Insider

“Generic” Insider Threat Model

A disgruntled former employee takes
revenge on the victim organization
after they failed to fix a vulnerability Subject destroyed
he reported in their software while organization’s reputation
he was employed. • Used his still-active
previous company email
Insider resigns after account to notify the
employer failed to company’s customers of
take action the security flaw
Insider found a • Never patched • Directed customers to
serious security flaw the vulnerability insider’s website, which
in current • Left the victim contained instructions
employer’s code organization a for
• Immediately month later • fixing the security hole
notified employer • Accidentally crashed
Insider had a history about the
of insider sabotage previous employer’s
vulnerability email servers
• Convicted three
years earlier at a • Victim organization went
previous employer out of business
The content of this slide was collected
strictly from publicly available information
The Exemplar Threat: The Insider

Insider Threat Observations

• Intent is the only certain way to distinguish between benign
and malicious insiders.
– Intent is devilishly hard to determine.
– A manipulated insider is equivalent to a malicious insider.
• In cyberspace, smart and/or well-resourced people will always
be able to redirect attribution to the not-so-smart or well-
resourced.
– Any conclusion reached based solely on cyber data is subject to
deception.
“Beyond a Reasonable Doubt:
The standard that must be met by the prosecution's evidence in a criminal
prosecution: that no other logical explanation can be derived from the facts
except that the defendant committed the crime, thereby overcoming the
presumption that a person is innocent until proven guilty.”
Source: http://legal-dictionary.thefreedictionary.com/Beyond+a+Reasonable+Doubt
The Exemplar Threat: The Insider

The insider threat is out-of-scope for

current cybersecurity thinking.
• Example: Mao (card game)
– The game forbids its players from explaining the
rules, and new players are often told only "the only
rule you may be told is this one.”
– The ultimate goal of the game is to be the first
player to get rid of all the cards in their hand.
7.) Application
– Specifics are discovered through trial and error.
6.) Presentation – A player who breaks a rule is penalized by being
5.) Session given an additional card from the deck.
4.) Transport – The person giving the penalty must state what the
3.) Network incorrect action was, without explaining the rule
that was broken.
2.) Data Link
1.) Physical
• User frustration and confusion are unintended
consequences of using limited scope rules to
address an out-of-scope problem.
“…unintended consequences are outcomes that are not the outcomes intended by a
particular action. The unintended outcomes may be positive or negative.”
Source: http://en.wikipedia.org/wiki/Unintended_consequences
 Outline
• A Thought Experiment
– Evidence
• The Exemplar Threat: The Insider
• Full-scope Cybersecurity
• Effective Cybersecurity
Full-scope Cybersecurity
Full-scope cybersecurity addresses all systemic
vulnerabilities and the insider threat.
HMI 15 Human Less predictable Example Layer 12-15
Perception 14 Cultural Norms Larger Error Bars Vulnerabilities:
Cognition 13 Social Norms Less Deterministic • Spear-phishing
Experience 12 Organizational Roles • Social engineering
7.) Application
11 7.) Application
Authorities 6.) Presentation
10 6.) Presentation
Expectations 9 5.) Session
Session
Traditional, limited-scope
Incentives 8 4.) Transport
Transport
cybersecurity
7 Network
3.) Network
6 DataLink
2.) Data Link
5 1.) Physical
Physical
4 System Hardware
(Motherboard, etc.) Example Layer 1-4
3 Component (ICs…) Vulnerabilities:
More Certain • Supply Chain
2 Semiconductor Physics Smaller Error Bars
1 Atomic More Deterministic
Full-scope Cybersecurity

Full-scope cybersecurity acknowledges that

insiders can be hired, ordered or created.
Hired

Deliberate
Poor Treatment and
Paycheck

Malicious Insider
Hiring and Incentives
(Intentional)
Recruiting
Benign Created
Poor Business Processes,
Manipulated
Support, and Training
Malicious Insider
(Unknowing)
Ordered
Purchase

Requisitions and
Order

Service, Supplies, and Equipment

Contracts

Solutions to the insider threat problem may lie predominantly

OUTSIDE the purview of traditional cybersecurity practice.
Full-scope Cybersecurity

Limited scope strategies transform a loyal and committed

workforce to a confused and/or bitter set of vulnerabilities.

Deliberate
Poor Treatment and
Malicious Insider
Incentives
Paycheck

(Intentional)
Hiring and
Recruiting
Benign Created
Poor Business Processes,
Manipulated
Support, and Training
Malicious Insider
(Unknowing)

Loyal, Committed, Confused, Bitter,

“Sensor” Network Disconnected Individuals

“The self-fulfilling prophecy is, in the beginning, a false definition of the situation
evoking a new behavior which makes the original false conception come 'true'.”
- Social Theory and Social Structure, Robert K. Merton
 Outline
• A Thought Experiment
– Evidence
• The Exemplar Threat: The Insider
• Full-scope Cybersecurity
• Effective Cybersecurity
Effective Cybersecurity

Absolute Certainty is Unobtainable

Loyal, Committed, Confused, Bitter,

“Sensor” Network Disconnected Individuals

No Certainty

Know Little Know “Everything”

Know Trust No Trust

"We can have all the records in the world and if somebody wants to trade outside them
or something, you know, they're not going to tell us they're trading in their cousin's
name," [Warren Buffett’s partner Charlie] Munger said. "I think your best compliance
cultures are the ones which have this attitude of trust and some of the ones with the
biggest compliance departments, like Wall Street, have the most scandals.”
- http://articles.economictimes.indiatimes.com/2011-05-03/news/29499643_1_charlie-munger-warren-buffett-berkshire-hathaway
Effective Cybersecurity

Effective Cybersecurity
Are the processes
…inadvertently
we are putting in
resulting in the
place to detect
creation of this?
this…

• What doesn’t work (by itself):

– Enforcement/compliance/oversight/governance…
– Physical controls (guards, gates, guns,…)
– Cyber controls (access controls, IDS,…)
• What works – every employee is a sensor:
– Develop and cultivate trust, loyalty and accountability.
What if we are doing cybersecurity wrong?

… and
so on

Opportunity: Refocus cybersecurity on user protection.

Effective Cybersecurity

A Notional User Protection System

• Anonymous – predictably unlikely to extract
useful data.
• Non-attribution – forensics pushed to the
endpoints.
• Non-persistence – no trace remains of data
transferred.
• Strong authentication – at all endpoints, as
certain as the real world (endpoint and real
world equivalence).
 Summary: Cybersecurity Challenges
and Opportunities
• The assumptions underlying cybersecurity as it is
practiced today are delusions.
– Evidenced by experience with incidents.
• We need cybersecurity approaches architectures based
on what people (and systems) actually do.
– Not what we wish they did.
– A focus on cybersecurity protection supports users.
• People respond favorably to positive incentives and
being treated well.
– Effective cybersecurity develops a culture of trust, loyalty
and accountability through positive incentives and fairness.
“We cannot solve our problems with the same thinking we used
when we created them.”
- Albert Einstein
Back-ups
Effective Cybersecurity

A Thought Experiment:
What if we’re doing cybersecurity wrong?
Probability of Compromise

1.0

You and me
talking in my
office with the
door closed.

No Lots of monitoring, applications,

Monitoring personnel, storage…

…to Amount of Monitoring …from

User Intrusion
Strong Protection Strong Detection Detection
Protection $$$
Protecting Good Guys Catching Bad Guys Systems (IDS)
Systems (UPS)
Limited-scope solutions confuse users.
PUSH HERE TO
PUSH HERE LAUNCH NUCLEAR
FOR COFFEE ATTACK
A Thought Experiment

Assumptions vs. Incident Realities

• Correctness • Correctness
– Components reasonably – Exploits often rely on well-
work as designed understood coding errors
• Policy • Policy
– Effective operating – Effective policies not
policies are practiced followed
• Monitoring • Monitoring
– Timely situational – Faulty or non-existent
awareness of reasonable situational awareness
fidelity available • Response
• Response – Inability to respond to
– Effective coordinated previously unexperienced
mitigation of breaches incidents.
A Thought Experiment
“Basic cybersecurity practices” are
increasingly inadequate.
Subject: Mailbox Quota Exceeded
“Everyone should make From: “xxxxxxxxxxxxxxxx.“
xxxxxxxxxx@xxxxxxxxx.xxxxx
basic cybersecurity Date: Tue, March 29, 2011 2:34 pm
practices as reflexive as To: Undisclosed recipients:;
putting on a seatbelt – Priority: Normal

using antivirus software, You have exceeded the storage limit on your mailbox.
being careful which You will not be able to send or receive new mail until
websites you visit, not you click the below link to fill the email upgrade form.

opening emails or xxxxxxxx.com/phpform/use/.php/form1.html

attachments that look
suspicious.” Technical Support Team
- Janet Napolitano, UC Berkeley, April 2011
A Thought Experiment

What if we’re doing cybersecurity wrong?

Probability of Compromise

1.0

You and me
talking in my
office with the
door closed.

No Lots of monitoring, applications,

Monitoring personnel, storage…
Amount of Monitoring

Strong Protection Strong Detection

Protecting Good Guys Catching Bad Guys
(CNN) -- A few years ago a disgruntled employee for a large multinational automotive
firm left the company -- but when he walked out the door, he also walked out with
plans for a new car model under development on a cheap USB drive.

When the plans were leaked, the cost to the company was an estimated $1 billion in
lost sales and increased research and development costs, according to a security
expert who worked on the case.

http://edition.cnn.com/2011/BUSINESS/06/06/cybercrime.cost/index.html?hpt=hp