On the Cybersecurity Act of 2009

Making predictions is hard, especially about the future. In descending order, when predictions come true, it is likely because of: 1) some undisclosed foreknowledge of the event; 2) discernible writings on walls, patterns, trajectories, trends, or nigh inevitabilities; 3) pure random luck; 4) voices, visions, and other sorts of esoteric transmissions. The recent introduction of S773, better known as the Cybersecurity Act of 2009 would suggest that last December’s article Quackery was the result of one or more of the above causes. I won’t say which, but I will admit that my neighbors have a black Labrador retriever.

The body of the Cybersecurity Act opens with 14 findings about how important and vulnerable our government and critical infrastructure (i.e. SCADA) information systems are, and how we lack “a coherent national strategy” for dealing with threats and incidents. That this is largely the same material we’ve been hearing and saying for as long as we’ve been in infosec should not dilute the message. What follows is not entirely the same toothless posturing that we’ve seen in the past… much of what is proposed is more than simply a new cause at which civil-liberties advocates (largely idle since the end of the Bush administration) will be able to disgorge their vitriolic righteous-indignation, and will likely cause concern among productive people, as well.

Section 3 begins the proposals, starting with the President appointing a Cybersecurity Advisory Panel comprising members from industry, academia, government, and interest groups whose overarching duty will be to advise the President on “matters relating to the national cybersecurity program and strategy” and to write reports at least every two years. It also offers up taxpayer dollars to cover non-Federal members’ travel expenses, ensuring that participants will always get to fly first-class.

Section 4 has the Secretary of Commerce working with the Office of Management and Budget to create a security dashboard (something like a cross between this and one of these or this) for all Federal Government and Department of Commerce information systems. As long as it’s not done by the same visualization virtuosos who brought us this, then mandating the mythical single pane-of-glass will likely provide some benefit, so long as those who gaze upon it don’t tragically believe it to have the power to confer omniscience.

Section 5 proposes the Secretary of Commerce create Regional Cybersecurity Centers to “enhance the cybersecurity of small and medium sized businesses in United States” by disseminating “cybersecurity strategies, best practices, standards, and technologies” developed by the National Institute of Standards and Technology (NIST). Great idea, but as written, this section is trouble. First, it uses the term “best practices” which is immediately at least partially invalidating because “best practices,” in practice, are usually little more than tokenistic fantasies of the ill-informed or lazy. We should be encouraging understanding and critical thinking, not oblivious rote mimicry or distorted reinterpretations.

Next, since it doesn’t indicate that the training would be mandatory, it must be optional, and with “firefighting” being the normative mode of operation for most infosec people, it is likely that attendance will be low for non-mandatory training. Further, since there is no mention of a measurement of the effectiveness of the training (i.e. testing), it would be fair to assume that many of the people who do attend will merely be doing so either because their boss made them, or because they prefer a day in a classroom (or a vendor seminar, or a trade show, etc.) to a day at the office; not ideal conditions for learning.

In addition to training companies and enterprises, another of the activities of these funded, non-profit Centers is to “make loans, on a selective, short-term basis, of items of advanced cybersecurity countermeasures to small businesses with less than 100 employees.” Huh? Like a public library full of firewalls instead of books? What objective criteria will they use to select the gear that they will stock? Will they decline to stock the gear of those foolishly paranoid vendors who fecklessly try to avoid selling product to their competition? Will they offer both hardware and software? Will they offer technical support, or will the repeated burden (but only the one time revenue) fall to the vendor? Will they charge late fees?

While not entirely analogous, this section does bring to mind the recent controversy stirring over the Obama administration’s recent move to reintroduce the “comparative effectiveness” method of evaluating medical treatments (as part of the American Recovery and Reinvestment Act of 2009). Looking at the debate between proponents (who say “such studies are essential to curbing the widespread use of ineffective treatments and to helping control health care costs”) and opponents (who invoke the tritely lame slippery slope warning that the “movement could lead to inadequate treatment for some patients and even the rationing of health care”), it’s reasonable to expect that this section will similarly elicit accusations of “socialist cybersecurity”. Despite the fact that this section forces nothing upon anyone, we should be prepared for some such melodramatic rhetoric.

Section 6 charges NIST with creating a research program to develop metrics and “automated tools” for measuring the economics of cybersecurity, including the measurement of risk and the cost of defense. I imagine the good people at NIST will look at this and say “You want what? Why don’t you just ask us to calculate how much Thursday weighs while you’re at it.” Not to say that measuring risk is not possible (e.g. risk = threat * (vulnerabilities – countermeasures) * impact), but making the transition from this abstract to the concrete (i.e. a representation that people expect… dollars) is painstakingly particular, and nearly impossible to make simultaneously accurate and automated.

It’s easy to ask questions such as “how many servers do you have?”, “what is the estimated daily value of your Internet connection?”, and “do your workstations run up-to-date anti-virus software?” and for many, it will provide a better measurement of their assets and risks than they have ever before had. But what about the less-easy, ponderously imponderable considerations like “do you run any software written by a company who had one or more lazy, incompetent, disgruntled, or sleep-deprived-because-they-were-driven-by-their-capitalist-boss-to-meet-a-deadline employees on the development team, and/or that employed inadequate code-review procedures?“ or something like “do you employ any servers whose CPUs have undocumented or otherwise unprotected interfaces to microcode or System Management Mode code updates that might be catastrophically re-written by an attacker sending a maliciously crafted packet over the network exploiting the interaction of simultaneous vulnerabilities in your network card driver and your operating system’s System Management Interrupt handler?” Really, can you blame China for developing Kylin or Loongson?

NIST is also asked to “establish standards for continuously measuring the effectiveness of a prioritized set of security controls that are known to block or mitigate known attacks.” It’s laudable that they had the sense to say “known attacks”, and while there is certainly value to preventing known attacks (e.g. even though it’s about 7 months old, given the number of unpatched systems it is still reasonable to block Conficker), it ignores a natural, thoroughly neutering sequence:

  1. A vulnerability is discovered, and an attack is created. At this stage, there is no way to ensure detection or defensibility. Encouragingly, even some preventative security vendors get this, and are working to expose the problem.
  2. Once the attack becomes known, the specific attack becomes preventable, and the underlying vulnerability becomes remediable.
  3. Countermeasures will be created. As they are circulated over time, exploitation begins to drop.
  4. When sufficiently ineffective as to no longer provide adequate utility to its employers, the attack will be superseded (by variants and/or entirely new attacks).
  5. Variant species of the attack will be manufactured. Systems on which the underlying vulnerability has been remedied will not be exploitable, but systems merely protected by some form of prevention will likely again become exploitable. These systems will be condemned to a loop between step 2 and step 5 until the vulnerability is remedied, or until the attackers stop creating variants.
  6. The reentrant cycle starts over at step 1.

Further, it asks that the Institute establish standards for “measuring the software security using a prioritized list of software weaknesses known to lead to exploited and exploitable vulnerabilities” (such as CWE (Common Weakness Enumeration) and maybe CVE (Common Vulnerabilities and Exposures)), “…computer-readable language for completely specifying the configuration of software…” and “…security settings for operating system software and software utilities…” (like NIST’s FDCC (Federal Desktop Core Configuration), SCAP (Security Content Automation Protocol), or MITRE’s CCE (Common Configuration Enumeration), which attempts to map overlapping guidelines from NIST, NSA, and DISA), and “…computer-readable language for specifying vulnerabilities in software…” (OVAL (Open Vulnerability Assessment Language), or something akin to CVSS (Common Vulnerability Scoring System), CWSS (Common Weakness Scoring System), or Microsoft’s Exploitability Index).

Surprisingly absent from section 6a is an area that is at least as practically essential as the rest. Allow me to correctively propose 6a (8):

INCIDENT RESPONSE METHODS AND PROCEDURES – The Institute shall establish standards for technological and procedural preparedness in response to the inevitable security events that will occur even on the best defended networks, ensuring the ability to effectively determine the scope and detail of the breach.

Cynics might say this seems a bit self-serving, a forensics company suggesting that forensics provisions be incorporated into law. Some might even invoke the poetically censorious words of U.S. Supreme Court Justice Oliver Wendell Holmes (from Abrams v. United States):

“If you have no doubt of your premises or your power and want a certain result with all your heart you naturally express your wishes in law and sweep away all opposition.”

Holmes then exposes the folly of mandating ideas into law by explaining that:

“…the ultimate good desired is better reached by free trade in ideas — that the best test of truth is the power of the thought to get itself accepted in the competition of the market…”

I do not agree that the free market for ideas is always the most effective or beneficial; for proof, simply ask the typical 5-year-old if he’d rather have cotton candy or broccoli for dinner, or even the typical 35-year-old if he’d rather have potato chips or broccoli as a snack. Left to our own devices, we don’t always make the best decisions. Sometimes we need guidance, and there is no shame, freedom-robbing conspiracy, or overtly oppressive statism in such an admission. Yes, the suggestion might boost the sales of forensic technology vendors, but it (along with my recommendation to choose the broccoli) is entirely altruistic.

Section 6 next offers a prescription to achieve “representation in all international standards development related to cybersecurity“ and compliance with “standards based on risk profiles.” These read as conspicuous endorsements for a broader adoption of Common Criteria, while the focus on risk profiles seems a foreshadowing of the imminent transition from Evaluation Assurance Levels (EAL ratings) to Robustness assessments. This should, at the very least, be encouraging to the folks at Corsec and Infogard.

The final item in section 6 refers to section 6001(k) of the American Recovery and Reinvestment Act, which calls for a national broadband plan. It asks that the FCC “report on the most effective and efficient means to ensure the cybersecurity of commercial broadband networks, including consideration of consumer education and outreach programs.” Of course, the immediate concern here will be that this stretches the scope of the act from Federal and critical infrastructure into the private sector, but before anything starts yelling about “nationalization” or “privacy invasion” or “economic or innovative suffocation”, consider that this is simply calling for a report and recommendations, not regulations. There is nothing wrong with the government helping to make private sector information systems more secure, so long as they don’t mandate security measures. Steering is good, rowing is bad, and this seems like some much needed steering.

Section 7 is one of the more controversial bits. It asks that the Secretary of Commerce institute “national licensing, certification, and periodic recertification program for cybersecurity professionals”. It goes on to mandate that within three years “it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.”

This is not as oppressive or Machiavellian as some might make it out to be. Suffice it to say, we expect licensure in most professions that require any skill, or wherein malicious or supremely incompetent practitioners have the ability to kill their patronage.

Section 8 calls for a review of the NTIA (National Telecommunications and Information Administration) IANA (Internet Assigned Numbers Authority) contracts. Not too surprising, considering recent issues with ICANN and unrestricted generic top-level domains, as well as Senators Snowe (R-Ma) and Nelson’s (D-Fla) concerns that “much of the progress ICANN has made could be jeopardized if its historic link to the United States is diminished” (yes, the same Snowe and Nelson who co-authored S.773).

Section 9 charges the Assistant Secretary of Commerce for Communications and Information to secure the foundationally critical DNS infrastructure against attacks, clearly a reference to DNSSEC. This is a much needed move, and at first glance the 3 year timeline might seem a little lax (especially considering that Verisign and ccTLDs such as Puerto Rico, Mexico, and the Czech Republic are already in pilots); but considering that DNSSEC is at the intersection of PKI, crypto, national interests, and commercial interests, all at a global level, then 3 years might not be enough time for resolution.

Section 10 calls for the Secretary of Commerce to develop cybersecurity public awareness campaigns. No firm direction or dates. I’m imagining 1970’s-style public service announcements. Maybe they can get Bob Dorough to do the music.

Section 11 (particularly 11a) attempts to boil the ocean. Followed by freezing it into ice cubes, sublimating them, condensing the vapor, electrolyzing it with palladium, and then powering Navy vessels with the output. In other words, this one is biting off a bit much. In essence: Section 11a proposes the NSF (National Science Foundation) research ways to build near-perfect software and protocols, guarantee privacy of data-at-rest and data-in-motion, provide attribution for internet communications, and thwart insider threats. Wow.

Section 11b and 11c more realistically call for secure coding research and education. 11d asks that grants be awarded for academic innovations in the area of modeling cyber attacks and defenses, and 11e-11l make some modifications to the CyberSecurity Research and Development Act.

Section 12 allocates some tens of millions of dollars to scholarships programs “to recruit and train the next generation of Federal information technology workers and security managers” with preferential treatment to those who’ve participated in the challenge described in section 13.

Section 13 asks the Director of NIST to establish cybersecurity competitions to “attract, identify, evaluate, and recruit talented individuals for the Federal information technology workforce” and to stimulate innovation of technologies “that have the potential for application to the Federal information technology activities of the Federal Government.” Although not stated explicitly, one would expect that such competitions would include both offensive and defensive components, with offense (i.e. “hack this”) being somewhat easier to measure and judge, but with defense being of greater value to the initiative. However, it’s worthwhile to recognize recent reports indicating the emerging value of offensive operations, and to consider the effect such positions might have on the nature of such competitions (and on cybersecurity technologies, in general):

“We are not comfortable discussing the question of offensive cyberoperations, but we consider cyberspace a war-fighting domain,” said Bryan Whitman, a Pentagon spokesman as reported by the New York Times. “We need to be able to operate within that domain just like on any battlefield, which includes protecting our freedom of movement and preserving our capability to perform in that environment.”

Section 14 designates the Department of Commerce to “serve as the clearinghouse of cybersecurity threat and vulnerability information.” Section 14c seems the most functionally interesting piece of 14, stating that “within 90 days after the date of enactment of this Act, the Secretary shall publish in the Federal Register a draft description of rules and procedures on how the Federal Government will share cybersecurity threat and vulnerability information.” Assigning this role to Commerce (rather than NIST or DHS (via NCSD or US-CERT)) seems designed to reinforce the idea that cybersecurity will not come at some economic expense that might threaten our non-negotiable American way of life.

But it is section 14b (1) that is the most concerning component of this section. It states that the Secretary of Commerce “shall have access to all relevant data concerning such networks [Federal Government and private sector owned critical infrastructure information systems and networks] without regard to any provision of law, regulation, rule, or policy restricting such access.” That “without regard” bit might be more than merely irresistibly delicious fodder for conspiracy theorist nutcases; in this case they might have a point. This should probably be toned down.

Section 15 calls for a risk management report, including a feasibility study on “(1) creating a market for cybersecurity risk management, including the creation of a system of civil liability and insurance (including government reinsurance); and (2) requiring cybersecurity to be a factor in all bond ratings.” I’ve talked about the potential role of insurance in infosec before, so it’s good to see (1), but the foreseeable difficulty of assessing and enforcing (2) is likely to limit its adoption and effectiveness.

Section 16 calls for a review and report on “the Federal statutory and legal framework applicable to cyber-related activities in the United States.” In other words, an exhaustive review of any acts or orders directly or indirectly cyber-related. Just one year?

Section 17 asks for a report “on the feasibility of an identity management and authentication program.” Yes, it’s the mark-of-the-beast law… the “with the appropriate civil liberties and privacy protections” verbiage fools no one.

Section 18 is, by far, the most troublesome section of the act. This is the one that has patriots issuing warnings that “Rockefeller is shutting down the Internet”. Section 18 gives the President certain powers and obligations, including that he “(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network” and that he “(6) may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security.” First, even though it is inclusive of public-sector “critical infrastructure information system[s],” it is clear that this is not “the whole Internet”. Second, and more importantly, since this is not really currently feasible on anything but the smallest of scales, it seems that this is more a provisional tool in the event of a worst-case cyber-scenario than it is a potentially practicable commandeering of the Internet. Section 18 also says some other stuff, but no one notices.

Section 19 calls for a cyber-review every four years, starting in the year 2013, involving the Advisory Panel designated in section 3. This is not an agricultural report, this is a cybersecurity report… Quite a lot can happen in 4 years.

Section 20 calls for the Director of National Intelligence and the Secretary of Commerce to submit an annual cybersecurity report to Congress. Much better than quadrennial.

Section 21 encourages the President to work with foreign governments to create more cyber-bureaucracy, and to report on the initiatives to Congress.

Section 22 calls for the establishment of a Secure Products and Services Acquisition Board to work in conjunction with NIST and the OMB on devising standards for the “review and approval of high value products and services”. Of importance to software vendors (and static and dynamic code analysis tool vendors) is the piece that says “[the] Board may consider independent secure software validation and verification as key factor for approval [of software].” It further says that “any proposal submitted in response to a request for proposals issued by a Federal agency shall demonstrate compliance” with the published standards.

Section 23 provides a definition of terms, including some disturbingly circular reasoning that basically says “critical infrastructure information systems are whatever the President says critical infrastructure information systems are.”

Will it pass? I won’t make a prediction on that one, but I will advise preparing for it.


“Experts Warn of Epidemic of Swine Flu Warnings”

Experts have issued a warning of an impending epidemic of swine flu warnings. The number of victims of these thinly disguised, commercially-motivated warnings is expected to exceed the number of victims of the actual swine flu by many orders of magnitude. “Be leery of anyone using the phrase ‘orders of magnitude’ in casual conversation,” cautioned Larry McWhortle, spokesperson for the Consortium of Industry Experts Consortium (CIEC), “it’s the third most overused credibility-enhancement term in the industry today, just after ‘heuristic’ and ‘statistically significant’.” People are being urged to be on the lookout for vendors shamelessly hawking their wares under the guise of helpful advice.

The CIEC’s undercover watchdog division spoke with representatives from several security and telepresence companies, collecting such candid comments as: “It sure was tough building a convincing ROI model for a quarter of a million dollar video conferencing system,” explained Louis Zephyr, General Manager of NimbusGear, “so being able to add ‘and it will help you not die’ has been quite a boon.” Larry Pawarpointe, Director of Product Management at security vendor MiasmaShield said “we predict a deluge of email spam campaigns, news and social media-linked phishing sites, and questionable pharmaceutical suppliers attempting to foment and capitalize on the swine flu scare.” He then added “And we just don’t think that’s fair. I mean, shouldn’t we get to capitalize on it, too?” Pawarpointe went on to explain that their AngeleDei N95 and N99 appliances can block all spam, phishing URLs, intrusions and malware “better than your box can”. Mark Atingei, a spokesperson from content-management vendor ProtectoBox said “to be honest, their box sucks… our technology has been proven to be at least 58% more effective at twice the speed and half the price.” Baited with questions about their technology’s effectiveness against polymorphic H1N1 variants, he offered, “oh yeah, our next firmware release will protect against all variants, H1N1, H-1B, all of them.”

McWhortle said that in addition to ignoring unabashedly self-interested pseudo-advice, the CIEC also recommends avoiding the grip of panic-mongering mob broadcasts. “As much as you want to avoid unnecessary exposure to Mexico, confined places, and eschatologists, you should also avoid the seductive allure of misinformative chatter. Stick to reputable and trustworthy sources for your information, and don’t feed on or into the frenzy.” He added that the CIEC will be releasing more complete information on the phenomenon next month in the opaquely titled report “On the social and intellectual decay and morbid delectation of budgerigarish narcissism”.

Clear and Present Danger
It’s intriguing to watch this first significant intersection of an imminent pandemic and broadcast social networks. For all the heat that Twitter is taking for its role in inciting uninformed hysteria, there is a balancing number of accusations that the torrent of tweets is merely filling the void created by outdated and irrelevant methods of traditional government and media communications. While both sides can be argued cogently, a bigger concern is the potential for this new medium to be used not just as a channel for terrorism, but also as its actual weapon. For example, it’s not difficult to imagine concerted psy-ops efforts of terror-inclined human and botnet cohorts tweeting and retweeting messages about water supplies being poisoned, governments waging chemical warfare on their own citizens, or just asking supporters to bring all traffic to a debilitating crawl.

But it would be wrong to blame Twitter for the problem. To borrow a familiar rhetorical structure: “Twitter doesn’t cause stupidity, stupidity causes stupidity.” Twitter is just the latest form of mob broadcast, an easy way to quickly disseminate information, for good or bad. So given the potential for damage that any form of misused mob communications might have, it might not be unreasonable to look to a real-world precedent for handling this sort of propagation of fear: 1919’s Schenck v. United States. Presided over by Supreme Court Justice Oliver Wendell Holmes, Jr., this case is perhaps best known for giving us the phrase “(falsely) shouting fire in a crowded theater”. In effect, it and its descendants criminalize the act of inciting “imminent lawless action” (e.g. a riot) through speech designed to cause a panic, which is not protected under the (unfortunately frequently abused) First Amendment of the US Constitution. In other words, there’s hope that it could squelch some of the mindless nitwittery by making the worst offenses a misdemeanor. As a means of defense against the sizable potential for this most-recent method of mob communication to incite widespread panics, I expect such rulings to be inevitable. The lesson: Freedom remains more defensible when not abused.

Macrolife Imitates Microlife
One of the more interesting aspects of this hybridized, triple-reassortant H1N1 flu cocktail is the possibility that it can induce a cytokine storm. In oversimplified terms, this is a broadcast-storm-like feedback loop in a healthy immune system that causes exaggerated lung and systemic inflammatory reactions that can prove to be more harmful than the causal virus itself.

The potential for launching an indirect attack against a target by inciting its own immune system to do the bulk of the damage has long fascinated me… The human innate immune system developed over a long period of time in response to non-specific threats to which we’ve been chronically and protractedly exposed. It’s evolved to non-adaptively defend against certain pathogen-associated molecular patterns (think signatures), as well as against injury or trauma. This comes in handy when you are gored by a wild boar – the site of the injury becomes inflamed, blood flow is slowed, and you hopefully do not bleed to death. In fact, inflammation is one of the innate immune system’s favorite tactics. Unfortunately, modern life does not present many wild boar encounters, but our immune systems haven’t figured that out yet, so they still like to be inflammatory. Add to that the fact that our average modern diets consist of anywhere from 2-5 times more inflammation-inducing sodium than we really need, and it’s little wonder that we have a spate of auto-immune and inflammatory conditions and “syndromes.”

Just another natural fractal phenomenon, where the parts resemble the whole: a virus incapacitates its target by overexciting the target’s immune system, and news of the virus incapacitates informative communication by overexciting the communication channels.

Advice: Afford important matters more than 140 characters. Eat less sodium. Buy stock in Roche.


Determine the scope? How?

Not a month after the Heartland breach, we now have reports of another malware-driven payment system breach of as-yet unknown proportions. Despite the proliferation of anti-threat devices and well-intentioned compliance programs such as PCI, we continue to see an increase in the number and cost of reported data breaches. The ITRC reported 656 breaches in 2008, an increase of 47% over 2007’s total of 446. As of today, Feb. 25, 2009, Privacyrights.org reports 57 data breaches, and DataLossDB reports 92 breaches, just 56 days into 2009. And Ponemon’s recent study shows that the average cost per compromised record is now $202, with the greatest cost coming from lost business.

These statistics should come as a surprise to no one, given the increasing organization, motivation, and sophistication of criminals. What should come as a surprise is the common public response to reports of such events: “How were they breached? They just passed a PCI audit!” – this is as sane and erudite as asking “How did she get spyware? She has a firewall!” or “How did he get cancer? He takes vitamins!”

But instead of an understanding that “compliance does not equal security”, we should instead expect an inevitable backlash against PCI and other such efforts, questioning their potency, bemoaning their expense, and demanding their reform. The same sort of pathological reasoning that has some people lament “ever since Obama’s been in office the economy has gotten much worse”. Despite the popular perception that all problems are easy to solve as long as they are someone else’s, complex systemic problems cannot be solved overnight, unless wholesale system replacement is an option. Of course, it generally isn’t, either for reasons of cost, or experiential immunity to Pollyannaism.

Some will argue that trying to regulate security is ineffectual at best and injuriously protectionist at worst. Yes, over-regulation and over-protection can be harmful, but employing such a one-size-fits-all perspective is simplistic and parochial. In reality, some things need protection. Saying that, I must also say that any good Darwinist should be opposed to the phenomenon of nanny statism. The intentional creation of dependency (whether well-intentioned, demagogic, or despotic) debilitates, whereas reasonable adversity, independence, and self-accountability fortifies. But even compassionless, godless Darwinists know that some things need protection. Putting our more-moral-than-thou, feel-good pretense aside for a moment: protecting some thing makes sense when it is temporarily infirm or in its infancy, but on the course to recovery or maturity. Examples of this would be protecting an emerging government or economy, or protecting an infant child. However, protecting the terminally weak does not make sense because there is no benefit (accepting that virtue is not a benefit, but rather is its own reward), only cost. Examples of this would be protecting irrecoverably diseased banks or businesses, or kind-heartedly administering chicken soup to someone with Marburg fever. Clearly, the effect of such misguided behavior is not only unproductive, but is actually destructive, as it prolongs suffering and imperils the healthy.

The point is not mercilessness, but rather that we are in the infancy of the information age, and to achieve information security at this vulnerable stage requires well-designed protection. Imperfect as the situation seems, the collection of regulatory and compliance programs designed to protect us as we move toward maturity were not divinely engineered, so they, themselves, must also evolve. And for all its incompatibility with our livelocked postmodern attention spans, we need to have patience as they go through their necessary iterations.

So what is the current state of regulation to defend against data breaches? The National Conference of State Legislatures provides a set of breach notification laws that have been enacted by 44 U.S. States, DC, Puerto Rico, and the Virgin Islands (caveat emptor et creditor if doing business with companies in AL, KY, MS, MO, NM, or SD). Looking a little more closely at some of the states’ laws (a sample selected below for their incorporation popularity and proximity), it seems that government editions of Microsoft Word might include a “Data Breach Law” template:

Delaware:

12B-102. Disclosure of breach of security of computerized personal information by an individual or a commercial entity.
… Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

Nevada:

NRS 603A.220 Disclosure of breach of security of system data; methods of disclosure.
… The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection 3, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system data.

Utah:

(2) A person required to provide notification under Subsection (1) shall provide the notification in the most expedient time possible without unreasonable delay:
(a) considering legitimate investigative needs of law enforcement, as provided in Subsection (4)(a);
(b) after determining the scope of the breach of system security; and
(c) after restoring the reasonable integrity of the system.

California:

… The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

But how? How does the victim of a data breach determine the scope of the breach? By going back through logs – logs that likely contain information no more specific or telling than the IP addresses that accessed the affected web-server? IP addresses that were most likely, based on the malicious intent of the activity, obscured by Tor or proxies? Audit trails whose recording facilities rely on proper methods and paths of user access, but whose invocation is never triggered when the method of access is premeditated circumvention or vulnerability exploitation? Logs that were generated by the IPS, SIEM, or DLP platforms that have demonstrated blindness to the threat, having failed to detect or prevent it in the first place? This is reality. It will not be possible to rely on your firewall’s olfactory sense to help you determine how many records were affected in a breach that occurred last month when it detected nothing out of the ordinary.

Despite the well-intentioned constant reminders that traditional security tools will inevitably fail, I am not suggesting a decrease in risk mitigation efforts. Instead, the reminders should reinforce that we can’t expect technology to save us both from our adversaries and from our own doltishness; we need more effort to get the “people” and “process” components of mitigation caught up and working with the technology, not against it. Further, we should remember that risk can be managed in other ways, too, including avoidance (“I’m afraid of having my credit card stolen, so I won’t use credit cards”), acceptance (“I will drive in the HOV lane because the fine is only $35, and it saves me six hours of commute time”) and transference (“I will pay an insurance premium so that when a bad thing happens, my insurer will cover my expense”). Typically, as an industry we eschew (often justifiably) avoidance and acceptance, spend far too much time and money on technology-as-savior mitigation, and lack awareness of transference – frequently even erroneously classifying a mitigator like a firewall as “insurance”. But as we mature, there are real forms of transference that we need to more seriously consider.

Some insurance companies, such as InsureTrust, are providing “cyber risk management” products. While the concept might seem strange for those with an appliance-centric view on security, insurance is one of the most effective and common ways of managing risk in our adult lives. If it’s not obvious why I say “adult lives”, consider that the question “how will you deal with costly medical expenses?” is generally answered differently by a 10-year-old (“I just won’t get sick”) than by a 40-year-old (“I will select my employer based on the health insurance package they offer”).

The Professional Liability Underwriting Society quotes Stephen Haase, CEO of InsureTrust who cautions that when responding to a data breach: “’One of the biggest struggles for companies is to determine the scope of the breach. So often the leadership of a company will rush to try to get out the notification on a breach,’ … However, Haase explained that making an announcement before the magnitude of the breach is clear can be a mistake. ‘You should not rush to notify. Going out too early without more of the concrete factors in place can do more harm than good.’”

This message is reiterated by the Executive Director of the Identity Theft Resource Center (“Preventing the Unpreventable: Best Practices to Minimize Exposure to Information Losses”) who says “the companies that are sued are not those that quickly disclose a breach but, rather, those that do so poorly.”

Observing trends in information security and antecedent paradigms, it’s reasonable to extrapolate that information security insurance is due to soon become more popular, first voluntarily, and later mandatorily. Initially, we should see increased adoption among a small set of business-savvy IT practitioners and analysts. This will be followed by the evolution of mandates by financially interested consortia (think PCIv3), and finally at various government levels. At that point, much as we get discounts on our home and auto insurance for having smoke-alarms, fire-extinguishers, anti-lock brakes, and clean driving records, we can expect similar discounts (or conversely, increases) for every statistically material step we take to reduce (or magnify) our insurance company’s exposure.

Not to put too fine a point on it, but economics dictates that if “one of the biggest struggles for companies is to determine the scope of the breach” then most-favored insuree status should be granted not only to those with the most effective preventative measures, but also to those with the most effective forensic measures.


Quackery

The 1980’s marked the beginning of what many consider to be the Information Age. A quarter of a century into it, my waning hope that science might someday have a fighting chance against superstition is somewhat renewed by the fact that President-elect Obama is planning to appoint the first Chief Technology Officer for the United States. Beyond the immediate heartening we should feel from this gesture, I am further encouraged by a certain historical “coming of age” analogue: the regulation of the practice of medicine in the Industrial Age. Although past performance is no indication of future returns, history tends to repeat itself, mostly because human nature doesn’t change, at least not all that quickly.

In particular, I am reminded of the history of “nostrum remedium” (Latin for “our remedies”), better known as “patent medicines” that were prominent from the 17th to 19th centuries. Patent medicines were the pile of liniments, tonics, tinctures, and salves that collectively came to be characterized as “snake oil”. More broadly, patent medicines fell into the general realm of “Quackery” (a pejorative labeling of unscientific claims to certain knowledge, skills, capabilities, or attributes), short for “quacksalver”, one who “quacks” or boasts about his salves.

The long and infamous history of quackery is morbidly fascinating. Perusing the chronicles of some of the more egregious, and shameful, and grievous offenses, a common response is to wonder how people can be so gullible as to fall for such chicanery. But consider the combined effect of such elements as:

  • The unavailability or expense of honest medical practitioners, practices, and goods relative to the availability and affordability of quackery (which doesn’t require such expenses as years of schooling, research and development, or testing)
  • The desperation of those suffering from some disorder to identify a treatment or remedy, particularly when conventional and scientific methods continue to produce ostensibly trivial, profit-obsessed commercial advances, but have yet to provide cures for real maladies
  • The tendency for people to try to find shortcuts – it is much easier to take a pill or even undergo a surgical procedure than it is to exercise a degree of self-discipline. This is intensified by phenomena such as mass cultural “syndromization” (which dissolves that vestigial psychological nuisance, personal accountability), and insurance co-pays for semi-cosmetic procedures and fad drugs (which have the economic effect of making vital medical practice, treatment, and insurance even more expensive)
  • The extent, irrespective of intent, to which pseudoscience goes to simulate adherence to the scientific method (i.e. observable, testable, measurable, repeatable, modifiable, verifiable)
  • The “exceptionality of correctness” delusion – Typified by the culturally rampant concept of “I’m on a diet,” which is essentially as silly as saying “my network is on security”. You either have a nutritionally well-balanced diet or you don’t. Your information systems are either securely designed or they’re not. You can’t bolt on some piece of technology in pursuit of legitimate security any more than you can engage in some symbolic temporary deviation from an unhealthful diet in pursuit of fitness. Fitness is an ongoing process, a lifestyle. Security is also an ongoing process. But, alas, these systems are complex
  • The fact that complex systems are, well… complex – You couldn’t describe this to a goldfish, but you could tweet “Bacon good, bread bad” with 119 characters to spare.

So what could protect a quarry that well-nigh demands to be preyed upon against unscrupulous predators endowed with unlimited supplies of elixirs and avarice? Only the bane of every system of supply and demand: government regulation. The first signs of efforts to regulate the quack industry began in the early 19th century with the formation of the U.S. Pharmacopeia in 1820, followed by the Drug Import Act of 1848 to stop the flow of adulterated medicines which were coming in from Europe. But it wasn’t until Abraham Lincoln established the US Department of Agriculture that there was a foundation for real improvement.

Irresistible Digression
Those who are “so scientifically illiterate” as to be inclined to indulge the supernatural might see auspiciously presaging similarities between President-elect Obama and Abraham Lincoln. But even though (much like divination) “Lincoln is a Rorschach test… Everybody finds themselves in Lincoln… Everybody finds what they want to find in Lincoln” it’s still worth noting that just as Obama is planning to appoint our Nation’s first CTO, Lincoln in 1862 appointed the first national chemist to what became the Bureau of Chemistry, the precursor to the FDA. Coincidence? Hardly. Using some tannaic period numerology, a simple gematria calculator, and far more time than I should have wasted, it’s simple to prove that this is no mere coincidence:

  • בראק הוסינ אובמה – Transliteration of “Barack Hussein Obama”. Gematria value 488
  • אברהמ לנכולנ – Transliteration of “Abraham Lincoln”. Gematria value 434
  • טכנולוגיה – The modern Hebrew word for “Technology”. Gematria value 139
  • כימיה – The modern Hebrew word for “Chemistry”. Gematria value 85
  • 488 – 434 = 54
  • 139 – 85 = 54
  • חמאה – The biblical Hebrew word for “butter”. Gematria value 54
  • Proof!

Okay, so I took some liberties with the calculations… Partly because “chemistry” and “technology” weren’t big topics in the bible, although they were probably there in the way that microbes were. And if that seemed a strange illustrative detour, try this for perspective.

I’m from the government and I’m here to help
Anyhow, with Lincoln having set the ball in motion, a sequence of other milestones followed, frequently in response to what tends to be our greatest incitement to legislation: some sort of scare, outrage, or tragedy. For example:

  • In response to contaminated vaccines that caused the deaths of 22 children, the Biologics Control Act was passed in 1902, which went on to establish the Center for Biologics Evaluation and Research (CBER), overseeing biological, as contrasted to chemical, drugs.
  • In 1910, “Dr. Johnson’s Mild Combination Treatment for Cancer” made false curative claims, and even shamelessly attacked the effectiveness of legitimate treatments (a common ploy of pseudoscience). When brought to court, the “treatment” was found to not be in violation of the Pure Food Act since it was not misbranded. In response to this loophole, Congress in 1912 enacted the Sherley Amendment to the Pure Food and Drug Act making a drug illegal “…if its package or label shall bear or contain any statement, design, or device regarding the curative or therapeutic effect of such article or any of the ingredients or substances contained therein, which is false and fraudulent.”
  • Following the death of more than 100 patients caused by a treatment for infection distributed in a solvent that turned out to be toxic, the Federal Food, Drug, and Cosmetic Act was passed by Congress in 1938, giving authority to the Food and Drug Administration (FDA). It required that companies perform safety testing on their proposed drugs and submit the data to the FDA for review and approval before the drug could be brought to market. It also served as the foundation upon which a significant number of additional protective amendments stand.
  • In response to the 1950s Thalidomide tragedy that caused more than 10,000 birth defects worldwide, Congress passed the Kefauver-Harris Amendment in 1962, requiring drug manufacturers to prove the effectiveness of their products before marketing them.

Conspicuously absent from the partial chronicling above is an event that deserves special attention: 1906’s Pure Food Act, which mandated that all food and drugs clearly and accurately list their contents. The Pure Food Act was the culmination of years of work by legislative, journalistic, and medical professionals who crusaded to expose the fraud and danger of patent medicines. Of particular interest was a scathing piece of muckraking journalism by Samuel Hopkins Adams titled “The Great American Fraud”, which exposed hundreds of dangerous patent medicines, products and their hucksters, documented the deaths of hundreds of their victims, and revealed that they contained mostly valueless inert ingredients, alcohol, and various toxic and addictive compounds. This multipart series from 1905 opened with the line “Gullible America will spend this year some seventy-five millions of dollars in the purchase of patent medicines.” (For reference, by today’s standards, $75 million would just barely pay for 90 minutes of interest on our national debt, but according to this Consumer Price Index calculator, $75 million in the year 1905 has the same “purchase power” as $1.8 billion in the year 2007. Still, this number is a fraction of analysts’ estimates on worldwide network security spending.)

Leaving no stone within the ecosystem unturned, the Great American Fraud also described the “selectivity” of advertising, and the corrupt nature of the relationship between the advertisers and publications:

“We see recorded only the favorable results: the unfavorable lie silent. How could it be otherwise when the only avenues of publicity are controlled by the heavy advertisers? So while many of the printed testimonials are genuine enough, they represent not the average evidence, but the most glowing opinions which the nostrum vender can obtain, and generally they are the expression of a low order of intelligence.”

“If there is no limit to the gullibility of the public on the one hand, there is apparently none to the cupidity of the newspapers on the other… Pin a newspaper owner down to the issue of fraud in the matter, and he will take refuge in the plea that his advertisers and not himself are responsible for what appears in the advertising columns. Caveat emptor is the implied superscription above this department. The more shame to those publications which prostitute their news and editorial departments to their greed.”

Suffice it to say, the practical implications of such ethical considerations are not only timeless, but are even more relevant in today’s overabundance of and overdependence on the media for edification.

Regulate? Why?
While most legitimate practitioners and scientists in the medical industry presumably appreciate that regulation serves to separate the qualified from the unfit, sparing them the need to directly have to compete against the (often more attractive, and still, unfortunately, partly on the loose) riff-raff, the grass remains greener on the other side for some. In response to the general “regulation is bad” argument, I offer that this is not about regulation for the sake of bigger government, it’s about injecting some much-needed science into an increasingly critical system. There are instances where bad things happen (Enron) because of calculated villainy, and our knee-jerk response is to suffocatingly over-regulate, and there are unintended tragedies that occur, such as the 1937 Elixir Sulfanilamide incident (diethylene glycol poisoning, still a troublesome problem today), the catalyst for 1938’s Federal Food, Drug, and Cosmetic Act, which make regulation seem indispensable. The difference? Regulation designed to protect against premeditated bad guys will fail to thwart the devious and lawless, affecting only the good and law-abiding, whereas regulation designed to protect against accidental harm caused by ignorance, incompetence, negligence, or superstition can prevent misfortune.

Some might be inclined to say that it’s not fair to compare medicine to information security – one is a matter of life and death while the other is simply a matter of bits and bytes. But as we move further into the information age, and become more, and more, and more, and more dependent on our information systems, we’ve “optimized” ourselves into a position where our military, our public transportation, our communication systems, our hospitals, our power plants, and our emergency services are all susceptible to attacks against our overstretched, outstripped information systems; information systems that are inherently crippled with outdated protocols and a capitalist-driven mandate for backward compatibility; designed at a time when systems weren’t critical and everyone was friendly; held hostage by rapacious commercial interests who chant “openness”, “transparent connectivity”, and “ease-of-use” just so as to not clog the pipes through which the money flows, and abetted by mountebanks and supernaturalists with a disdain for any scientific motions toward security. And unlike conventional warfare, these attacks can be launched remotely, anonymously, and with zero expense incurred by the attacker – in other words, an enemy that is both invisible and inexhaustible. When faced with actual threats from a foe with mythical potency, how do we respond? By employing whatever parlor tricks and panaceas we can that will create the illusion of security, just as long as it doesn’t hamper profitability. Regrettably, given current economic conditions and outlooks, we can probably expect the effect to worsen. <ahem>

Some say that regulation is not well-defined, thorough, or effective enough, and that too much continues to fall through the cracks, so that it’s not only an expense and hindrance, but inadequate, to boot. However, considering this as a condemnation of regulation would be akin to asserting that “there are still crimes being committed on the streets, so since the police can’t stop them all, we’d better get rid of the police.” On the contrary, this is a call for better standards, and as history shows, ongoing relevance requires adaptability and evolution. But it does raise the important question: “how much testing is enough?” There are still plenty of instances of drugs being approved and later recalled because of insufficient testing. Why? Simply, because not all conditions can be known in advance, and testing cannot be perfectly exhaustive or it will never be completed, meaning the product will never be brought to market, thus denying potential beneficial treatment to those who need it. Like the FDA, Quality Assurance (QA) departments in every information technology developer deal daily with this conundrum. To further complicate the task are such paradoxes as “customers demand more features, which increases complexity, which increases test-cases, test-time, and the overall potential for product failure” and “increasing economic pressures demand that we bring products to market sooner and more cost-effectively than the competition, which tempts cutting development corners, QA resources and test-time.” For the software development lifecycle itself, there are an overwhelming number of standards and frameworks available, and for the finished products there are better recognized industry certifications like FIPS and Common Criteria to help to ensure cryptographic integrity, to protect against attacks targeting development environments and supply-chains, and to weed-out fraudulent vendor claims. But the effectiveness of these methodologies and certifications is crippled by the fact that they are not universally understood or applied.

For the QA testing process itself, there is no answer to the question “how much testing is enough” because there will always be unknown unknowns. Even if we defined some set of sane minimally acceptable QA practices (e.g. peer code-reviews, static code-analysis, validation/sanitization testing, input-output comparison testing, stress/load testing, mutation testing) how could we ensure that vendors adhere to them unless regulated? Sure, economics suggests that those vendors who went to the expense of voluntarily producing and distributing such reports would earn a competitive advantage through the enhancement to consumer confidence that the practice would offer, but this naively presupposes that consumers know and care about such disclosures. Not to mention that as a strictly voluntary, unregulated practice there would be no assurance of the legitimacy of the claims. Imagine the value of Common Criteria evaluation assurances if self-certification was permitted rather than going through a licensed testing lab?

Economics of regulation
Of course, there will be costs to properly fund such a regulatory effort, both direct and indirect. There is also the Economics 101 “law of unintended consequences” argument against any form of regulation which basically states: more regulation = greater development/operating costs = decreased company profits = less incentive to innovate = fewer breakthroughs/advances brought to market = anti-capitalists kill babies. True as it is that “sometimes interference with a system committed to protect a victim only makes that victim weaker” (e.g. the illusion of security), this argument is typically only invoked when convenient to the rhetorician, and only to the extent that it serves his agenda, for example, against affirmative action, rent controls, minimum wage, and equal opportunity employment. Certain economists have even gone so far as to argue against child-labor laws, asking “If child labor were legalized tomorrow, would you send your eight-year-old to the factories to bring home an extra $200 or so a month?” Absurdly, this asks the question only of an audience who, predictably, does not need the extra $200 a month – what about people for whom the $200 would mean the difference between paying the rent and eviction, feeding the family or going hungry? This sort of demagogic, one-dimensional logic would also suggest that “practicing moderate caloric intake could result in hunger, which could lead to binge eating and weight gain, therefore no one should eat in moderation lest they risk obesity.” And if that’s not ridiculously myopic enough, why not invite this law’s pretend disciples to apply it to the administration of antibiotics when they or their loved ones contract strep or some other life-threatening infection. After all, a well-known unintended consequence of antibiotics is that they create stronger, antibiotic-resistant pathogens. In other words, complex, multivariate systems are not black and white – sometimes applying this principle makes sense, sometimes it doesn’t.

It would be rationally and morally satisfying to see the discontinuation of the willy-nilly application of the “law of unintended consequences” to vital consumables. Consider what the state of medicine would be today without regulation… True, innovative new drugs might make it to market much more quickly and inexpensively, but then the average citizen would have to be a chemist to know what drugs, services, and procedures are safe and effective to use. Anti-regulationists will argue that no rational free-market enterprise would go to the extents necessary to develop, manufacture, and distribute a product for financial gain only to then lose their market to the ill-effects of an inferior product, such as reputational defamation, customer migration, or manslaughter. But this line of reasoning, relying on economics in a vacuum, presupposes that it would be relatively prohibitively expensive to enter into the purveyance of said product. This is why these economists’ examples often use industries or products where there are obvious, practical barriers to entry, such as automobiles or airplanes. What they ignore is that today, but for the aegis of regulation, there are no such barriers to medicine or information technology. Anyone with little more than an exam-cram style education can mix herbs, vitamins or legal chemicals, can administer electrical stimulation or therapeutic massage (to be fair, cracking your bones does require 4,500+ classroom hours), can configure your mission-critical ESX server or router, and can use a melange of iptables, iproute2, spamassassin, and clamav to create a “UTM appliance.” But are these sufficiently safe and effective?

Buying anything on which critical systems depend (e.g. drugs, medical services, information technology goods and services) is not the same as buying a pair of jeans. While we can certainly expect free-market forces to eventually filter-out a particularly poorly made or ugly pair of jeans, the difference is that at worst, the fashion-illiterate might be ridiculed, but they will surely not suffer real harm, such as having their identity stolen, their database breached, or their health or lives compromised or taken as a result of their illiteracy. Anti-regulationists will then further argue that there is plenty of information available today to allow consumers to educate themselves, and that anything short of this sort of freedom is tantamount to a nanny state. Seriously, even with the Internet, do most people have the resources, namely, time and expertise, to diagnose themselves? To decide on the correct treatment? To select the most appropriate and effective network protection? Intentionally or unintentionally, through advertising or testimonials, deception or ignorance, unmoderated forums will invariably at times contain bad, biased, or incomplete information. And for perspective on the cost for the protection offered by regulation, the FDA has an FY09 budget of $2.4 billion, the same figure as the cost of waging one week of the war in Iraq (the benchmark for downplaying the cost of anything we’d rather not pay for… The “B” word is reserved for monetary comparisons of 11 digits or more).

Finally, every process has its byproducts, so we could expect variations of the inevitable lobby backlash, scandals (real and alleged), pursuit by ambulance-chasers, and every other idiosyncratically human form of corruption and parasitism. But we’re used to this, mostly because human nature doesn’t change, at least not all that quickly.

Science cures
“There are none so credulous as sufferers from disease. The need is urgent for legislation which will prevent the raising of false hopes of speedy cures of serious ailments by misstatement of facts as to worthless mixtures on which the sick will rely while their disease progresses unchecked.” (William Taft, 1911, on the need for greater protection against patent medicines)

Is it really a stretch to liken the current state of information technology to a disease sufferer, desperate for a cure? Our quest for remedies and palliatives has spawned a new generation of quacksalvers making exaggerated, jargon-laden claims, and hawking goods and services of questionable worth. They are supported by symbiotic relationships of dubious ethicality with analysts and trade rags, overhyping by the media, and flagrant touting in commissioned reviews that present themselves as objective analyses. In some respects, many information security products are “real” just like snake oil is “real”; there might be some underlying validity at the component or principle level, but only thinly, and with limited practical value. And unlike medicine, information systems seem to derive little benefit from the placebo effect.

There are many legitimate and potentially beneficial instances of information security technologies, just as there are many legitimate and potentially beneficial drugs, but the safety and effectiveness of either of these technologies cannot be measured in isolation because they act on complex, dynamic, multivariate systems. The actual effects of many of the compounds taken as drugs are not known until they are metabolized by the various systems in the human body. Even then it is an iterative process as the “output” from one system (e.g. the liver) is circulated back to all other systems, where the process repeats until metabolism completes. And that does not even account for the subtle bioactive variances from one person to the next. To better understand this, technological advances are being developed to enhance our abilities to realistically model these systems, much the same way that HPC/supercomputing clusters are being employed to create “network situational awareness” models and visualizations in pursuit of network security. To some extent, the same recursive variability that exists in biological systems also exists in information technology systems, so without operative insertion into a live environment, it is no more possible to claim that “this firewall (or NAC, or DLP, etc.) will make me secure” than it is to say that “this drug will make me well”. At best, we can attempt to reduce the risks of harm or ineffectiveness, first by scientifically proving the remedy to be safe and effective according to some generally agreed upon standard, and second, by ensuring that it is “used only as directed.”

Indeed, information technology is a profit-seeking, commercial enterprise, but as the lifeblood of the information age, isn’t it time we start taking information technology a little more seriously? Scientific rigor and discipline are not the nemeses of the free-market, and while not many relish the costs or ministrations of bureaucracy, the rational and objective monitoring, inspection, and supervision of critical systems can help to ensure the service and safety of those who depend upon them.


Negative Day Threat Detection

Announcements of exploitable OS and application vulnerabilities are so commonplace that we’re perhaps even more inured to them than we are to a perpetually ‘Elevated’ Homeland Security threat level. While the severity of the first threat is far outweighed by that of the second, the former is far more likely to be attempted or exercised, so much so that incidents of its occurrence should be considered inevitabilities. Despite this, there continue to be examples of failures to patch systems against newly announced vulnerabilities even when updates are made available very near the zero hour. Even days later, failures to patch leave systems vulnerable, and allow attackers to devise even more methods of concomitant exploitation.

But as the article states: “Microsoft patched the vulnerability with an out-of-sequence patch on 23 October. Trojans exploiting the flaw were spotted the day afterwards. Analysis of these strains suggested they may have been in circulation before Microsoft issued its patch.” What protection is there against exploits that are launched against a vulnerability before the vulnerability is remedied by the vendor? Fortunately, there are some extremely agile, automated defensive services, such as SonicWALL’s dynamically updated Unified Threat Management technology. For MS08-067, SonicWALL published a Gateway AV update concurrent with the Microsoft announcement, meaning that subscribers to the SonicWALL service were protected against this exploit even before applying the Microsoft patch. Other security vendors, the open-source community included, provided similar updates with varying degrees of timeliness and automation.

It’s that one point from the quote above, “[that strains of the malware] may have been in circulation before Microsoft issued its patch”, that is cause for concern. While zero day protection is effective against considerate attackers who wait until after the zero day patch or pattern-update has been released, what about exploitations or events that occur prior to that? At that point it becomes an issue of incident response, step 1 of which is generally “contain the damage” – but other than hoping there are detectable traces of infection, how is it possible to identify something that occurred in the past?

In homage to this prescient NSFW Onion piece, it’s time for someone in the information security space to say “Zero Day Threat Detection? A whole lot of good that does when something happened yesterday… Good luck detecting bits and bytes after they’ve faded into the ether. Well, we’ve just turned the Ethernet into the Perma-net: Let’s see someone try to evade Negative Day Threat Detection.”

In seriousness, efficient prevention is still usually far more useful than detection, but since failure is inevitable, why shouldn’t we employ tools to aid in incident response? With the elements of storage getting bigger and cheaper all the time, why not put the ever increasing capacity and decreasing cost to just that use? Then, when it’s discovered that something of interest (any “unknown unknown” such as data leakage, a database breach, a network outage, or a malware event) has occurred in the past, it becomes possible to retrospectively detect it and determine its severity and scope.

For the MS08-067 example, it would be possible to determine if any systems were affected prior to October 23rd by using the Emerging Threats pattern to search for instances of the offensive executable that might have traversed the network over the past two weeks, by issuing a simple DeepSee query like “within:2w filetype:exe hex:C84F324B7016D30112785A47BF6EE188”.

Yes... it’s real.
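As an added illustration of the retrospective query above (example code, not the author’s or SonicWALL’s): a small interpreter for the same `within:… filetype:… hex:…` query shape, run over a constructed index of files reassembled from stored traffic. The semantics assumed here (within = look-back from a reference time, hex = MD5 of the carried file) are assumptions, not DeepSee’s documented behaviour; the hosts and timestamps are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

_UNITS = {"h": timedelta(hours=1), "d": timedelta(days=1), "w": timedelta(weeks=1)}

@dataclass(frozen=True)
class FileRecord:
    seen: datetime   # when the transfer was observed on the wire
    src: str         # sending host
    dst: str         # receiving host
    filetype: str    # type inferred from the carried bytes, not the file name
    md5: str         # MD5 of the reassembled file, lowercase hex

def parse_query(q: str) -> dict:
    """Split 'key:value' terms; reject unknown keys and malformed values."""
    terms = {}
    for tok in q.split():
        key, _, val = tok.partition(":")
        if key not in ("within", "filetype", "hex") or not val:
            raise ValueError(f"bad term: {tok!r}")
        if key == "within":  # look-back window, e.g. 2w / 10d / 36h (assumed)
            amount, unit = val[:-1], val[-1]
            if not amount.isdigit() or unit not in _UNITS:
                raise ValueError(f"bad duration: {val!r}")
            val = int(amount) * _UNITS[unit]
        elif key == "hex":   # assumed to be the MD5 of the carried file
            val = val.lower()
            if len(val) != 32 or set(val) - set("0123456789abcdef"):
                raise ValueError("hex: must be a 32-digit MD5")
        terms[key] = val
    return terms

def search(index, q: str, now: datetime) -> list:
    """Return the records matching every term of q, oldest first."""
    t = parse_query(q)
    hits = [r for r in index
            if ("within" not in t or now - t["within"] <= r.seen <= now)
            and ("filetype" not in t or r.filetype == t["filetype"])
            and ("hex" not in t or r.md5 == t["hex"])]
    return sorted(hits, key=lambda r: r.seen)

# Constructed index: hosts, times and the all-zero hash are made up; the MD5 is the post's.
TARGET = "c84f324b7016d30112785a47bf6ee188"
INDEX = [
    FileRecord(datetime(2008, 10, 14, 9, 2), "10.1.1.20", "10.1.1.45", "exe", TARGET),
    FileRecord(datetime(2008, 10, 21, 18, 40), "10.1.1.45", "10.1.2.7", "exe", TARGET),
    FileRecord(datetime(2008, 10, 22, 8, 15), "10.1.2.7", "10.1.2.9", "pdf", TARGET),
    FileRecord(datetime(2008, 10, 24, 11, 0), "10.1.1.9", "10.1.1.10", "exe", "0" * 32),
]
QUERY = "within:2w filetype:exe hex:C84F324B7016D30112785A47BF6EE188"
```

Running `search(INDEX, QUERY, INDEX[-1].seen)` returns the two pre-patch transfers of the matching executable and skips the PDF carrying the same bytes and the later, unrelated executable.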
Negative Day Event Detection – Take information security up to 11