Tuesday, December 3, 2013

Offensive Security - to play or not to play?

It has been quite a while since I have written after being accustomed to writing almost weekly to twice weekly in other blogs.  Well, suffice to say that not much has been moving me to write lately.  That is not to say that there haven't been things happening in security.  There have been happenings, but it's all seemed so banal.  Maybe it is just that the noise has risen so high that the constant din makes it seem that nothing is happening.  Signal acquired.

I watched a show called Chasing Madoff and it was once again one of those moments where several major concepts coalesced in my mind to form an article.  Something worth saying.

One of the many very compelling points of the Chasing Madoff program was the fact that the SEC was given an investigation wrapped up with a bow on it and on numerous occasions flatly refused to do their job.  They refused to investigate when all they had to do was confirm the facts that were documented for them.  The idea then struck me with clarity...why should they?  They have no real incentive.  No recourse if they don't do their job.  Well, you could argue that what did happen, could happen...global markets collapse, governments go bankrupt.  Of course, if you are lucky (or unlucky, depending on your point of view) enough to be a government employee, you still get paid even though the government shuts down, so whether you do your job or you don't, you still get paid.  We've seen this very recently.

"The average person should be aware that when you get a brokerage statement it is only a piece of paper representing what that person thinks they own." -- quote from former Madoff Account holder #41-245711, from Chasing Madoff.

This has been a personal point that I have made to people in deep conversations about the macro implications of computer security for many, many years.  The vital numbers that we believe in to live our lives daily are simply bits and bytes in a computer database.  Whatever those bits and bytes say, people believe.  Today the database says you have $1000 in your checking account; tomorrow it says you are overdrawn by $500.  Even though you did nothing, you are suspect and have to prove your innocence.  Intelligent people willingly acknowledge this, but fail to really absorb what it means.

So what does it mean?  I would suggest that, at a minimum, you doubt just about everything that says the system works if you study hard and play by the rules.  There exists overwhelming evidence that rich people are rich because they cheated the system at some point in time or are actively cheating the system to gain or maintain their wealth.

By now you are certainly saying...so this is a blog about security, right...why the remedial history lesson on finance and wealth?

What's changed since then? (and what does it have to do with security?)

Having had numerous personal experiences, and other, what I call 'near-miss', experiences with regulators, I can say that this kind of willful ignorance by regulators goes on every day.  The Madoff incident was not a freak occurrence.  It is an everyday happening in nearly every industry that I have seen that has government regulatory controls.  It is obvious that no lessons have been learned from the Madoff incident because the system remains, for all intents and purposes, intact and without any noticeable change.

If the designated protectors refuse to protect you and do the job that they are supposed to do, what options do you have?

I was asked the following question in a job interview recently:  "What is your stance on active defense?  How do you feel about attacking those that attack you [in cyberspace]?"  Aside from the fact that it was definitively one of the toughest questions that I have EVER been asked in a job interview, it is also a very pressing issue that involves all security practitioners today.  Much more so than I even had thought about up until that day.

Essentially, if there are those that refuse to play by the rules, how far is reasonable to push beyond those same accepted norms in retaliation using like weapons and tactics?

Until I actually spent many hours pondering this very question, I had dismissed it with a simple answer - 'not smart, too high a risk.'  For the record, this was not the answer that I gave that day in the interview.  Prior to that day, however, there just seemed to be too much to lose if you were an organization of any size:  legal repercussions, impact to reputation, regulatory response...

Risk...what risk?

Hold it right there....  Regulators?  They are virtually useless, so there goes that risk.  So what about the other risks?

Legal?  What is an evil government going to do if you strike back at their theft of your intellectual property or data?  Surely they would mount a legal claim that you attacked them after they stole your information?  Ok, that is out.  Tell someone that they stole your data and you are attacking them and your response is illegal?  No, that won't work either.  Where could they possibly file such a claim?  No single country has proven legal jurisdiction over another in such international border matters, especially when it comes to the very fuzzy area of cyberweapons and attacks.  People don't care about a cyberattack even remotely as much as a real bomb going off.  Which is to say that if it isn't a real bomb in their back yard, they just don't care.  So there goes the legal risk.  Well, that leaves issues of risk to reputation.

If you are in a situation where you are considering striking back at someone for stealing valuable data, you are already through the looking glass when it comes to reputation.  Maybe you have an obligation to report that you lost some personal data, but that is about where it ends as far as this concern goes.  The marketing snow-job machine takes over and whitewashes away most of your worries.  A bit of credit protection here, a vague press release there and you are virtually absolved.

If traditional issues of risk are gone, what's left?

Well, once you get rid of the traditional business risk, there is nothing left but battlefield tactical and strategic risk.  What remains are troop and weapon strength assessments coupled with defensive strength due to your position and posture.  Very few security practitioners have experience with such assessments, so your traditional trusted advisers are likely to be far outside of their element here.  Aside from the tactical battle assessment, you would need a strategic assessment as well.  How long is this fight likely to last?  Will it escalate, or will the adversary go and find some low-hanging fruit elsewhere?  Is your adversary's weapon skill limited to long-period research weapons, or are they able to fashion improvised weapons and use guerrilla tactics?  This is getting into the deep weeds quick.

If you choose this course and properly recognize that the traditional business rules of risk simply do not apply, you cannot be so foolish as to think that no rules of risk apply.

And always remember the final question of traditional war as it is quite applicable here....does anyone really win?