Copyright © 2015, Cigital
Cyber War, Cyber Peace, Stones, and Glass Houses
…those who live in glass houses should not throw stones
Gary McGraw, Ph.D., Chief Technology Officer (@cigitalgem)
Cigital
• Providing software security professional services since 1992
• World’s premier software security consulting firm
  o 500 professional consultants
  o Washington DC, New York, Santa Clara, Bloomington, Boston, Chicago, Atlanta, Austin, Amsterdam, and London
• Recognized experts in software security
  o Widely published in books, white papers, and articles
  o Industry thought leaders
Real Cyber Defense as Deterrence
• Defining “cyber” (whatever)
• The offense problem
• “Active defense”
• Attribution
• Many vulnerabilities
• Payloads are easy
• Economics
• The NASCAR effect
• The defense solution
• Proactive defense vs. cardboard defense
• Deterrence through defense
• Build security in
CYBER CLARITY IS ELUSIVE
Separating the Threat from the Hype: What Washington Needs to Know About Cyber Security, Nate Fick & Gary McGraw
http://www.cigital.com/papers/download/mcgraw-fick-CNAS.pdf
Cyber Security
• How much of the cyber war talk is hype?
• What is real and what is cyber chimera?
Help policymakers find their way through the fog and set guidelines to protect the best of the Internet and cyberspace, both from those who seek to harm it, and from those who seek to protect it but risk doing more harm than good.
Disentangling War, Espionage, and Crime
• Cyber espionage
  o Much more common than war
  o Wikileaks
  o Anonymous
  o Operation Aurora
  o NY Times hack
  o Bad compartmentalization makes easy targets
• Cyber crime
  o Even more common
  o 1 trillion dollars per year?! (just ask Ross Anderson)
Building systems properly from a security perspective will address the cyber crime problem just as well as it will address cyber espionage and cyber war. We can kill all three birds with one stone.
Kinetic Impact as the Decisive Criterion for War
REALITY
• To qualify as cyber war, the means may be virtual, but the impact should be real.
• 1982 Soviet gas pipeline explosion
• 2007 Israeli attack on Syrian reactor
• 2008 Russia attacks Georgia two ways
• 2008 USB drive infection in Iraq (meh)
• 2010 Stuxnet attack on Iranian centrifuges
HYPE
• Estonia DDoS attacks
  o 2007 statue removal kerfuffle
  o What would Google do?
• Brazilian blackout
  o 2009 60 Minutes story
  o 100% hype
• China “hijacks” the Internet
  o BGP mistake
  o Bad design
US: National Security Dominates
The real and perceived dominance of the U.S. national security establishment in setting cyber security policy is problematic.
• Cyber security is not only a military problem
• Cyber security recognizes no geographic boundaries
• Snowden revelations did not help this situation
Offense and Defense
Defense means building secure software, designing and engineering systems to be secure in the first place, and creating incentives and rewards for systems that are built to be secure.
Offense involves exploiting systems, penetrating systems with cyber attacks, and generally leveraging broken software to compromise entire systems and systems of systems.
THE OFFENSE PROBLEM
“Active Defense”
Having a good offense is NOT the same as a good defense.
Panetta on cyber security: “We need to have the option to take action against those who would attack us.”
Grandma on security: “People who live in glass houses should not throw rocks.”
Attribution Remains Unsolved (Ask Gandalf)
Olympic Games & Stuxnet
• The PAYLOAD is what matters
  o Inject code into a running control system
  o Siemens SIMATIC PLC (Step 7)
  o Cyberwar!!
  o Natanz in Iran
• Sophisticated, targeted collection of malware
• Delivery
  o 1 0day (not 4)
  o Stolen private keys
  o USB injection
  o Network C&C
How to p0wn a Control System with Stuxnet (9/23/10)
http://bit.ly/RmbrNG
Thread Hijacking in Online Games
• Used in early online game botting programs (circa 2004) but no longer
• Used successfully in Stuxnet in 2009
[Diagram: the WoW.EXE main thread loops hundreds of times per second through RenderWorld(..); an injected DLL places a detour patch at RenderWorld(..)]
[Diagram, continued: the main thread reaches a hardware breakpoint at RenderWorld(..) and control passes to the injected code page; labelled steps are uncloak, MSG, super branch (calls to CastSpellByID(..), ScriptExecute(..), ClearTarget(..)), recloak, restore, after which the main thread resumes at RenderWorld(..) until complete]
Vulnerabilities Are Pervasive
Attack Complexity (From Ralph Langner)
http://bit.ly/TvWnuG
[Chart: Capability axis (atypical at the top) against attack categories Disguise, Process Control, and Process Disruption; deterministic vs. non-deterministic (hacking)]
Economics (From Ralph Langner)
http://bit.ly/TvWnuG
[Chart of program costs, as read from the slide:]
• Nuclear sub fleet: $90B
• Stealth fighter jet fleet: $40B
• Eurofighter fleet, Leopard II tank fleet: $10B
• Cyber weapons program / MIL targets: $1B
• Cyber weapons program / CI targets: $100M
• Non-state threshold
• Singular cyber attack against national critical infrastructure: $5M
Offense is Sexy: The NASCAR Effect
Bad news
• The world would rather not focus on how to build stuff that does not break
• It’s harder to build good stuff than to break junky stuff
Good news
• The world loves to talk about how stuff breaks
• This kind of work sparks lots of interest in computer security
THE DEFENSE SOLUTION
Cardboard Shield Defense
Today’s computer and network security mechanisms are like the walls, moats, and drawbridges of medieval times. At one point these were effective for defending against isolated attacks mounted on horseback. Unfortunately, today’s attackers have access to Predator drones and laser-guided missiles!
Poor Security Engineering
Proactive Defense
Secretary Panetta is mistaken: “Through the innovative efforts of our cyber-operators, we are enhancing the department's cyber-defense programs. These systems rely on sensors and software to hunt down malicious code before it harms our systems. We actively share our own experience defending our systems with those running the nation's critical private-sector networks.”
• Security Engineering
• Software Security
• Build Security In
HOW TO BUILD SECURITY IN
Software Security Touchpoints
BSIMM: Software Security Measurement
• 104 firms measured (data freshness)
• BSIMM6 = data from 78 real initiatives
• 202 distinct measurements
• 26 over time (one firm 5 times)
• McGraw, Migues, and West
78 Firms in BSIMM6 Community
A Software Security Framework
See informIT article on BSIMM website: http://bsimm.com
4 Domains, 12 Practices
BSIMM6 as a Measuring Stick
BSIMM6 Results: Top 12 activities
• purple = good?
• red = bad?
“Blue shift” = practices to emphasize
BSIMM By the Numbers
Defense as Deterrent
“the U.S. is in a good position to outspend its adversaries on proactive defense. Proactive defense can be our differentiator and a serious deterrent to war.”
Proactive Defense: Prudent Alternative to Cyberwarfare
http://t.co/2901DHVh
• A first strike in a cyber war is unlikely to be decisive
• No matter how much is spent on cyber-offense, cyber-defense must be addressed anyway
• Proactive defense is a very good differentiator
Guidance for Policy Makers
• Focus on defense by building security in
• Re-orient public-private partnerships
• Focus on information users instead of plumbing
• Let civilian agencies lead
FIX THE BROKEN STUFF
WHERE TO LEARN MORE
SearchSecurity + Cigital’s Security Blog
• No-nonsense monthly security column by Gary McGraw: www.searchsecurity.com
• In-depth thought-leadership blog from the Cigital Principals: https://www.cigital.com/blog/
  o Gary McGraw
  o Sammy Migues
  o John Steven
  o Paco Hope
  o Jim DelGrosso
• Gary McGraw’s writings: www.cigital.com/~gem/writing
Silver Bullet + IEEE Security & Privacy
• Monthly Silver Bullet podcast with Gary McGraw: www.cigital.com/silverbullet
• IEEE Security & Privacy magazine (Building Security In): www.computer.org/security/bsisub/
The Book
• How to DO software security
  o Best practices
  o Tools
  o Knowledge
• Cornerstone of the Addison-Wesley Software Security Series: www.swsec.com
Build Security In
• Join the BSIMM Community: http://bsimm.com
• Send e-mail: gem@cigital.com
• @cigitalgem