Read an Excerpt
System Assurance
Beyond Detecting Vulnerabilities
By Nikolai Mansourov Djenana Campara
MORGAN KAUFMANN PUBLISHERS
Copyright © 2011 Elsevier Inc.
All right reserved. ISBN: 978-0-12-381415-9
Chapter One
Why hackers know more about our systems
We live in a world comprised of systems and risk. —Clifton A. Ericson II, Hazard Analysis Techniques for System Safety Throughout history, each technological advance has inevitably become the target of those who seek to subvert it. —David Icove, Computer Crime
1.1 OPERATING IN CYBERSPACE INVOLVES RISKS
To be effective during an operation, organizations need to be agile, mobile, and robust with a flexible service-oriented user experience. Delivering this need means relying heavily on Web and Internet services technology that enables organizations and their clients to synergistically work together by automating end-to-end information exchange processes for seamless collaboration and operation of fully automated information systems that work 24/7 without human intervention. However, along with these enhanced information exchange capabilities come significant security, privacy, and regulatory concerns and challenges.
Cyber criminals have also undergone a remarkable transformation as they exploit the global scale and connectivity of cyberspace and convergence of services onto the Internet, where a significant amount of financial and business transactions are taking place [Icove 1995]. Cyber criminals evolved from lone hackers driven by curiosity and the desire to make a point about the freedom of information into sophisticated, transnational networks of organized criminals who commit large-scale online crimes for significant profit. Over the past three decades, hackers managed to accumulate an arsenal of cyber attack methods. According to the Inquiry into Cyber Crime, performed by the Australian Parliament [Australia 2010], cyber crime "operates on an industrial scale and has become an increasingly important issue for the global community."
Furthermore, cyber-warfare became a reality that cannot be ignored since the 21st century battlefield includes not only the corn fields, deserts, mountain passes, and pine woods, but also the virtual communities in cyberspace along the information highways and back-roads supported by computers and mobile phones, and the miles of fiber optic cables, copper wires, the numerous network equipment boxes, and the very airwaves of the electromagnetic spectrum [Carr 2010]. This includes the nations' critical infrastructure and enterprise information systems, all the way down to the desktops and laptops in businesses and homes. The critical infrastructure is composed of many sectors that are in every nation's core industries—chemical, telecommunications, banking and finance, energy, agriculture and food, and defense—and bring us the services on which we all depend—water, postal and shipping, electrical power, public health and emergency services, and transportation. Each sector is extremely complex and to varying degrees is dependent on all the others.
Cyberspace and physical space are increasingly intertwined and software controlled. Each of the systems can affect our safety and security, and they have a unique design and a unique set of components; additionally, they contain inherent hazards that present unique mishap risks. We are constantly making a trade-off between accepting the benefits of a system versus the mishap risk it presents. As we develop and build systems, we should be concerned about eliminating and reducing mishap risk. Security services need to be seamlessly integrated into this new environment in order to assist civilian management and military commanders in recognizing the new information security threats posed by Web and Internet services-enabled activity, calculating the residual risk, and implementing appropriate security countermeasures to maintain order and control. Some risks are small and can be easily accepted, while other risks are so large that they must be dealt with immediately. While the trust side of the security equation has received a great deal of attention in the world of security, this growing reliance on Web and Internet services raises security issues that cannot be mitigated by traditional authentication processes. Although it remains important to know whether to trust information, it is becoming imperative to verify that there is no threat-related activity associated with this information.
Developing effective approaches to verify that systems operate as intended, that information can be trusted with confidence, and that no threat-related activity would follow is a key component in achieving systems security posture needed to defend against current and future attacks.
In particular, as mentioned in the 2008 OCED/APEC report, malware threat "is increasingly a shared concern for governments, businesses, and individuals in OECD countries and APEC economies. As governments rely evermore on the Internet to provide services for citizens, they face complex challenges in securing information systems and networks from attack or penetration by malicious actors. Governments are also being called on by the public to intervene and protect consumers from online threats such as ID theft. The past five years have indeed brought a surge in the use of malware to attack information systems for the purpose of gathering information, stealing money and identities, or even denying users access to essential electronic resources. Significantly, the capability also exists to use malware to disrupt the functioning of large information systems, surreptitiously modify the integrity of data, and to attack the information systems that monitor and/or operate major systems of the critical infrastructure" [OECD 2008].
1.2 WHY HACKERS ARE REPEATEDLY SUCCESSFUL
Hackers seem to know more about our systems than we do. Does this sound strange to you? Shouldn't we—the designers, developers, implementers, administrators, and defenders—have the "home advantage"? Yet hackers keep finding means of taking over our systems. New security incidents are reported weekly, while software vendors are reacting to the incidents by issuing patches to their products. The industry seems to be trying to catch up with the hackers, hoping that the "good guys" will discover vulnerabilities quicker than the "bad guys" so that the software builders can patch systems before incidents happen.
For now let's assume that a "vulnerability" is a certain unit of knowledge about a fault in a system that allows exploiting this system in unauthorized and possibly even malicious ways. These faults are primarily caused by human error, poor requirements specifications, poor development processes, rapidly changing technology, and poor understanding of threats. Some faults are introduced deliberately through the supply chain and slip through into delivered systems due to poor development and acquisition processes. The industry came to the realization that with traditional system security engineering, error-free, failure-free, and risk-free operation is not usually achievable within acceptable cost and time constraints over the system life cycle [ISO 15443].
So why do attackers know more about our systems than developers and defenders? They are more efficient in discovering knowledge about our systems and are better at distributing this knowledge throughout their communities. How do hackers discover knowledge? Hackers relentlessly study our systems and invent new ways to attack them. Some hackers have the advantage of having access to the details of the entire development process of a system they attack and knowledge of the systems that have already been put into operation. Hackers study the source code whether they can obtain it by legal or illegal means, especially for the critical proprietary and network-based systems. But hackers also study machine code and study systems by interacting with them, where no code is required. Hackers take advantage of:
The fact that systems are often built from commercial off-the-shelf components, including a small number of the base hardware and software platforms;
Time flexibility – they are usually not constrained in their analysis of our systems, even though such analysis may be quite time-consuming, and;
Vulnerable legacy systems – a vast majority of systems are still legacy systems developed with lax security requirements.
However, what makes attackers extremely efficient is extensive knowledge sharing. Since this is an important aspect for consideration in a defenders community, let's examine how knowledge sharing is done.
Attackers vary in their knowledge and capability. It is an exaggeration to say that every attacker knows more about every system than any defender or developer of that system. In the attacker community, individuals have different skills and play different roles: there are few highly skilled security researchers (known as the "elite hackers"), and a larger number of less skilled attackers (known as the "script kiddies"). However, the attacker community—a nebulous assembly of groups of like-minded individuals—is very efficient in using computer communications, and social networks to share knowledge. In fact, the hackers of the early days started as the enthusiasts of the emerging computer technology, communications, and networking. Attackers have been able to accumulate significant amounts of knowledge on how to attack systems. In addition, there are individuals who transform the theoretical knowledge of the attacks into the attack scripts and tools—attack knowledge is rather practical, and tools do play a critical role in attacking cyber systems. So, theoretical knowledge is transformed into automated attack weapons that require little technical skills. Attackers are willing to share, not just their knowledge, but also their tools and "weapons," which become available to the individuals who are willing to launch attacks. As a result, an efficient ecosystem emerges, which amplifies the results of a few highly skilled hackers, and feeds a larger number of less skilled but highly motivated criminalized attackers. Hackers may not be systematic in what they do, but they succeed in industrializing their knowledge.
A large part of modern attack weapons is known as malware. According to an earlier cited OECD report [OECD 2008], malware is a general term for a piece of software inserted into an information system to cause harm to that system or other systems, or to subvert them for use other than that intended by their owners. Malware can gain remote access to an information system, record and send data from that system to a third party without the user's permission or knowledge, conceal that the information system has been compromised, disable security measures, damage the information system, or otherwise affect the data and system integrity. Different types of malware are commonly described as viruses, worms, trojan horses, backdoors, keystroke loggers, rootkits, or spyware. Malware shrinks the time between the discovery of vulnerabilities in software products and their exploitation and makes cyber attacks repeatable, which undermines the effectiveness of current security technologies and other defenses.
The skills within the defender community also vary greatly from the elite security researchers (who are sometimes hard to distinguish from the elite hackers) all the way to the administrators of home computer systems. However, the defender community lacks efficiency in their knowledge sharing due to too many barriers designed to retain competitive edge, expand market space, enhance offerings, etc.
1.3 WHAT ARE THE CHALLENGES IN DEFENDING CYBERSYSTEMS?
Defense of cybersecurity systems involves understanding the risks, managing the vulnerabilities, adding safeguards, and responding to the incidents. The foundation of this understanding is knowledge related to (1) what are you defending, (2) what are you defending against, (3) what are vulnerabilities you need to mitigate and (4) what safeguards are included. Defense is conducted throughout the entire life cycle of the system. While long-term strategy involves better security engineering to develop more secure systems, the cyberdefense community needs to defend existing systems by adding safeguards in the form of patches to existing system elements, adding new security components, improving security procedures, improving configurations, and providing training.
(Continues...)
Excerpted from System Assurance by Nikolai Mansourov Djenana Campara Copyright © 2011 by Elsevier Inc. . Excerpted by permission of MORGAN KAUFMANN PUBLISHERS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.