DETROIT – The current situation in security is a lot like what you’d face if you were out hiking and ran into a Grizzly. It’s a fact that a Grizzly runs a lot faster than a human, so you won’t be able to outrun it. But you’ll always be safe, as long as you can outrun your buddy.
There are five security trends that should keep you one step ahead of your competitors and potential enemies. Each is a national concern and each has had some work done on it. But none of these has come close to reaching the level of visibility and impact that most of us expect.
These trends are all outcomes of the connectedness that we have developed over the past ten years. But they really came onto society’s radar after the terrorist attacks of 9/11 – five years that have brought us a lifetime’s worth of change. If you think back to May 2001, the Department of Homeland Security didn’t exist. Protection of the U.S. cyber-infrastructure was something they were making movies about, not discussing every day in Congress.
In 2001, the stereotypical image was the lone hacker eating Skittles and drinking Jolt cola while playing trespass games. Now computer crime is big business. In 2001, shows like DEFCON were insider events. Now you have the Mafia running hospitality suites and more people in attendance from the NSA than from the local hacker community. In 2001, we didn’t have organized groups in places like the Ukraine who view U.S. corporations as low-hanging fruit, not to mention the various nation states that have already written the destruction of our cyber-infrastructure into their war plans.
Geopolitical realities and the Internet have turned cyberspace into the equivalent of Dodge City in the 1870s. As such, it is particularly important that our response is measured, practical and intelligent. The five security initiatives that will keep you one step ahead of trouble include:
1. The Perils of Insecure Software: Ensuring Against Exploitable Defects
2. The Revenge of the Insect World: The Insidious Problem of SCADA Security
3. How Capable is Your Staff Anyway? Certifying Professional Competence
4. Trusting the Folks in China (and Down the Street): Certification of Trust
5. They’re Robbing Us Blind: The Insider Threat
The Perils of Insecure Software: Ensuring Against Exploitable Defects
The most common cause of serious harm to information is exploitation of programming defects. Minor flaws in programming lead to all sorts of adverse consequences, which can give an attacker access to any target computer, or open the door to a host of malicious events.
Because of the serious risk that the presence of defects poses to our cyber infrastructure, improving software assurance practice has become a national priority. The national security issue is that software enables everything from defense to the financial system, and there is no way to guarantee that any of that software is free from exploitable defects.
Several federal authorities have spoken to this problem. The National Strategy to Secure Cyberspace, Action/Recommendation 2-14: “DHS will facilitate a national public-private effort to promulgate best practices and methodologies that promote integrity, security, and reliability in software code development, including processes and procedures that diminish the possibilities of erroneous code, malicious code, or trap doors that could be introduced during development.”
The President’s Information Technology Advisory Committee (PITAC): “Commercial software engineering today lacks the scientific underpinnings and rigorous controls needed to produce high quality, secure products at acceptable cost. Commonly used software engineering practices permit dangerous errors, such as improper handling of buffer overflows, which enable hundreds of attack programs to compromise millions of computers every year.”
PITAC’s Report to the President, “Cyber Security: A Crisis of Prioritization,” February 2005, lists ten areas in need of increased support, including “secure software engineering and software assurance” and “metrics, benchmarks, and best practices.” The GAO-04-678 report, May 2004, finds that outsourcing and foreign development risk the insertion of malicious code, and that domestic development is subject to similar risks.
In order to be secure, your organization must be able to identify and eliminate ALL exploitable defects in its software. Because of software’s complexity, this task is comparable to “finding a needle in a haystack.” In fact, the more accurate analogy might be “finding a particular needle in a stack of needles,” since it is almost impossible to tell the difference between secure code and insecure code in a properly running system.
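To make the “stack of needles” point concrete, here is an added example (not from the article): a constructed record-update routine in its unbounded-copy form beside its length-checked form. On every valid input the two leave byte-identical records, so nothing in normal operation distinguishes them; only the checked version refuses an oversized tag instead of overwriting the field next to it. The record layout and tag values are invented for illustration.

```c
#include <stdio.h>
#include <string.h>
#define TAG_LEN 8

/* Constructed record: a short device tag followed by a field that an
 * overrun of tag[] would silently overwrite. */
struct record {
    char tag[TAG_LEN];
    int  armed;
};
static void init(struct record *r) { memset(r, 0, sizeof *r); r->armed = 1; }
/* Insecure version: unbounded copy. Correct for every in-range input,
 * so a properly running system never reveals the defect. */
int set_tag_unsafe(struct record *r, const char *tag) {
    strcpy(r->tag, tag);        /* overruns tag[] once strlen(tag) >= TAG_LEN */
    return 0;
}

/* Hardened version: the length is checked before anything is written. */
int set_tag_safe(struct record *r, const char *tag) {
    size_t n = strlen(tag);
    if (n >= TAG_LEN)
        return -1;              /* reject rather than corrupt the record */
    memcpy(r->tag, tag, n + 1); /* n + 1 includes the terminator */
    return 0;
}

/* 1 when both versions produce byte-identical records for a valid tag:
 * from the outside they cannot be told apart until bad input arrives. */
int identical_on_valid_input(const char *tag) {
    struct record a, b;
    if (strlen(tag) >= TAG_LEN) return 0; /* never feed the unsafe copy an overrun */
    init(&a); init(&b);
    if (set_tag_unsafe(&a, tag) != 0 || set_tag_safe(&b, tag) != 0)
        return 0;
    return memcmp(&a, &b, sizeof a) == 0;
}

/* 1 when the hardened version refuses an oversized tag and leaves the
 * adjacent field untouched. The unsafe version is never fed such input. */
int rejects_oversized(const char *tag) {
    struct record r;
    init(&r);
    return set_tag_safe(&r, tag) == -1 && r.armed == 1 && r.tag[0] == '\0';
}
int main(void) {
    printf("%d %d\n", identical_on_valid_input("PUMP7"), rejects_oversized("PUMP7-STATION-B"));
    return 0;
}
```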
The problem is further complicated by the tendency for organizations to develop software through global outsourcing and over un-vetted supply chains. Developing software products this way increases the risk of unintentional or maliciously inserted defects. But that risk represents nothing compared to the ten bazillion lines of legacy code that most organizations are sitting on.
Legacy code has typically been maintained by a lot of different people, over a long period of time when security was not an issue. Its status is usually undocumented and unknown and, without an unrealistic expenditure of time and resources, it is impossible to confirm that it is secure. Even worse, most of it is now Internet facing.
Sorting this mess out is not a trivial task, but America will have to do it if we want to be able to trust any element of our cyber-infrastructure, since legacy systems are usually hooked to newer systems that are considered secure.
Guidance for doing that is contained in DHS’s Software Assurance Body of Knowledge (SWABOK). The SWABOK specifies best practices beyond those needed to simply develop and maintain software. The intent of the SWABOK is to specify all requisite assurance practices for development, post-release sustainment, acquisition and supply. The SWABOK was formally released March 16 at the DHS-DoD co-sponsored Software Assurance Forum. To read it, go to BuildSecurityIn.US-Cert.Gov.
The Revenge of the Insect World: The Insidious Problem of SCADA Security
Much like the insect world, programmable controls are everywhere and mostly unseen. Programmable controls are small, microprocessor-based logic components that typically control the complex sequencing activities that automate real-world processes.
Programmable controllers and microcontrollers are an essential part of our everyday life: from our cars – to the factory robots that make them – to the stoplights that regulate traffic – and the pipelines that provide the gas. These controls are much simpler than a classic general-purpose computer, and the programming that they embody is equally simple. Specifically, that programming lacks even the most rudimentary security functionality, and so microcontrollers are easy to defeat.
In the 1970s, we started arraying these controls into process control systems. Over time, these became distributed. Since the 1990s, they have become “intelligent.” The term for a highly specialized intelligent control system is SCADA, which stands for Supervisory Control and Data Acquisition. SCADA systems are part of the critical infrastructure. They are an intimate part of every kind of remotely controlled operational process, from energy management to nuclear plants, manufacturing systems to pipelines.
SCADA systems receive data from their embedded process control components through data links. Those links represent the actual security problem. That is because they are becoming more and more Ethernet and TCP/IP based, which means that they are easy to access from anywhere and since security has never been a consideration with SCADA Most SCADA sy