by RSS Derek Manky  |  Jul 02, 2009  |  Filed in: Security Research

Remember that magical, silver bullet I spoke of when discussing the U.S. cyber security plan and the future of cyber security? Well, there still is no such item in existence yet; and there likely never will be one key solution. Securing cyberspace is a global problem that can not be addressed by one plan such as this. However, if this plan is properly implemented, enforced and refactored it should be able to lead by example. It is always said that the Internet has no borders, which is an inherit problem to tackling cyber crime. Remember, this is a serious problem that spans our globe. If other governments followed suit to such an example, borders may indeed start to rise - but it will likely from a noticeably different public Internet than the one we know today.

The recently formed European Electronic Crime Task Force is an example of some of these ingredients beginning to mesh. This task force is currently composed of both the U.S. Secret Service and Italy's policing and postal services. These components were chosen as a core with experience/resources in monitoring and defense, and the initiative goes further to openly accept contributions from other private IT operators and academic institutions. This is yet another example of the required collaboration with the private sector which I mentioned in my previous post, and indeed welcome news. While this is just another small step forward, it does help lay the groundwork required to begin effectively tackling such a large, international problem. To further refine this, more components are needed (on an international scale) - and an active effort should be placed forward from all private sectors and all other accepted sources. Then, this initial groundwork can be expanded, detailed and re-factored in an effort to generate a global, authoratative task force. I think it is very important what unfolds in the coming months, years in terms of this development; too much complication and confusion can place this framework and the state of cyber security in general in a very fragile state. Going back to the U.S. cyber security plan, I have taken the broadly laid out five points outlined by President Obama and prioritized them respectively from 1 to 5 below with comments:

1) **A response plan in collaboration with local and state governments, private sector **This chimes in precisely on what I believe is the No. 1 driver towards effective cyber security. You can not have one individual person, regardless of their knowledge and experience, in charge of security - whether it is a government entity, or an enterprise IT administrator. The key is collaborating with existing resources to put all of the wheels in motion. Not only will this help with the response plan, it will directly help with proactive defense. I firmly believe part of this response plan should also be monitoring and reducing attack windows. Attacks blossom off their success because they are allowed to continue undetected months after a breach - President Obama even admitted so when his own sensitive data was compromised between a three month period (August to October).

2) An open and transparent strategy that includes metrics (milestones, progress measurements through performance) This is a very general statement that really applies to any projects through their lifecycle. However, I believe it is very important to act on this, perform reviews regularly through existing channels (see point #1 - collaboration) to address current issues and those that are on the horizon.

3) National cyber security awareness campaign from boardroom to classes Education is a vital piece to understanding the problems of the future, and I think educating all levels on these matters is always a good and effective proactive measure. Many succesful attacks that have been launched to date have been done through social engineering, preying on victims who simply are unaware of existing threats.

4) Private-public partnership strengthening without dictating private sector One of the major areas which is to be addressed is protecting critical infrastructure. Yet, this section of the plan seems to place that responsibility on the private sector itself. If there is no enforcement on what is seen to be one of the most important areas to safeguard, then I think a true opportunity is being missed to develop security around this area. The private sector has been perfectly happy using legacy protocols that serve their function, and I do not think that security will be brought to the forefront without any enforcement. As I mentioned previously, one of the main problems today with SCADA networks vulnerable attack are the fact that they are not closed circuit. They are not closed circuit because they have been bridged to the public internet, and therefor the threat landscape, since it is less overhead and easier to manage. With no enforcement of policy, these networks will continue to be vulnerable to attack.

5) Research and development Research and development is what got us into this mess in the first place: security was not placed in mind, and growth was important. Thus, software quickly became complex and integrated, allowing cyber criminals to attack. Even though it was not mentioned, I believe the key to R&D is in the secure development lifecycle - think of all the prevalent problems that could be easily addressed through design (XSS, buffer overflows, etc).

by RSS Derek Manky  |  Jul 02, 2009  |  Filed in: Security Research