Showing posts with label Defense in Depth. Show all posts

February 21, 2018

From Malware To Malevolent People

So in virus protection on the computer, there are two common ways antivirus software works:

1) Signature Detection - There are known patterns of viruses and the antivirus software looks for a match against one of these. 

2) Behavior Detection - There are known patterns of normal behavior on the computer, and the antivirus software looks for deviations from this. 

Each has certain weaknesses:

- With signature detection, a zero-day exploit (i.e. a virus that is new and therefore has no known signature) will not be caught by a blacklist of known viruses.

- With behavior detection, viruses designed to look like normal network or application behavior will not be caught by heuristic/algorithm-based detection methods.

For defense-in-depth then, we can see why employing a combination of both methods would work best to protect from malware. 
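To make the two methods and their blind spots concrete, here is an added example (not code from the original post): a toy Python engine that runs a signature blacklist and a behavioral baseline check over the same constructed process events. The hash list, baseline numbers and events are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed blacklist: the SHA-256 of one "known" sample stands in for a
# vendor signature database. A sample not in this set has no signature.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-known-virus-v1").hexdigest()}

# Constructed behavioral baseline: per-minute maxima observed for normal
# processes on this host. A baseline of 0 means any activity is abnormal.
BASELINE = {"files_written": 20, "outbound_connections": 5,
            "registry_autorun_writes": 0}
DEVIATION_FACTOR = 3  # flag only when well outside the normal range


@dataclass
class ProcessEvent:
    name: str
    content: bytes  # bytes of the executable, hashed for the signature check
    files_written: int
    outbound_connections: int
    registry_autorun_writes: int


def signature_match(ev: ProcessEvent) -> bool:
    """Blacklist check: exact hash match against known-bad signatures."""
    return hashlib.sha256(ev.content).hexdigest() in KNOWN_BAD_SHA256


def behaviour_anomalies(ev: ProcessEvent) -> list:
    """Baseline check: return the counters exceeding DEVIATION_FACTOR x normal."""
    return [key for key, normal in BASELINE.items()
            if getattr(ev, key) > normal * DEVIATION_FACTOR]


def classify(ev: ProcessEvent) -> list:
    """Defense in depth: run both layers and report which ones fired."""
    layers = []
    if signature_match(ev):
        layers.append("signature")
    if behaviour_anomalies(ev):
        layers.append("behaviour")
    return layers


# Constructed events, one per case the post describes plus the residual gap.
EVENTS = [
    # Known sample that keeps quiet: only the blacklist catches it.
    ProcessEvent("known_virus", b"constructed-known-virus-v1", 2, 1, 0),
    # Never-seen sample that writes an autorun key and beacons: no
    # signature exists, but the behavioral deviation catches it.
    ProcessEvent("zero_day", b"constructed-never-seen-before", 500, 40, 3),
    # Ordinary editor well inside the baseline: neither layer fires.
    ProcessEvent("word_processor", b"constructed-benign-editor", 10, 2, 0),
    # Unknown sample that mimics normal activity: both layers miss it,
    # which is the residual risk that further layers have to address.
    ProcessEvent("stealthy_unknown", b"constructed-unknown-quiet", 3, 1, 0),
]


def run_all() -> dict:
    """Map each event name to the layers that flagged it."""
    return {ev.name: classify(ev) for ev in EVENTS}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name:18} -> {hits or ['not detected']}")
```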

It's interesting that these same techniques for recognizing bad computer actors can be used for identifying bad or dangerous people. 

We can look for known signatures/patterns of evil, abusive, and violent behaviors and identify those people according to their bad actions.

Similarly, we generally know what "normal" looks like (within a range of standard deviations, of course) and people who behave outside those bounds could be considered as potentially dangerous to themselves or others. 

Yes, we can't jump to conclusions with people -- we don't want to misjudge anyone or be overly harsh with them, but at the same time, we are human beings and we have a survival instinct. 

So whether we're dealing with malware or malevolent individuals, looking at patterns of bad actors and significant deviations from the normal is helpful in protecting your data and your person. ;-)

(Source Photo: Andy Blumenthal)

October 28, 2017

Deterrence Alone Is Not A Strategy

So there is a military doctrine that has been in place for decades. 

- MAD - Mutually Assured Destruction 

If you attack the USA with weapons of mass destruction, you'll get an overwhelming response that will totally destroy your country. 

This was what supposedly held the USSR at bay during the cold war. 

And even recently, President Trump threatened North Korea that they would be "totally destroyed" if they try anything on us. 

The problem is that the MAD doctrine of deterrence assumes incorrectly that you are always dealing with rational actors and not with madmen.

Let's face it, there are plenty of crazies out there, some of whom may be willing to go down in a "blaze of glory" as long as they stand up to the United States and die a hero's death for their radicalized or "subjected" people. 

Whether it's Iran or North Korea or others--we may not know what we are really dealing with here until it's too late. 

Life is not everything to these people--remember, many a terrorist has died a martyr's death with the promise of 72 virgins in heaven awaiting them. 

To some, as Prime Minister Golda Meir stated:
"Peace will come when the Arabs will love their children more than they hate us!"

Hate by virtue of perceived injustice, required Jihad or "holy war," brainwashing or threats, and the desire for a "glorious death" standing up to the infidels or the "great Satan"...any or all of these can contribute to ignoring the consequences. 

Israel has tried to deter horrible homicide bombers and other mad terrorists from performing their evil misdeeds on the civilian population by, for example, demolishing the terrorists' homes as a potent consequence that they know about going in, yet many terrorists still wear the explosive vests and detonate anyway.

Similarly, North Korea despite the President's threat that they "will be met with fire and fury like the world has never seen," brushed it off and shot off more volleys of ICBMs and threatened to engulf Guam in fire. 

- The point is that deterrence alone is not a strategy!

If our enemies can hit us with a devastating attack--whether WMD, cyber, EMP, or quantum attack-- that can inflict immeasurable harm on us--they may actually choose to take their best shot, rather than wait for us to hit them or continue to feel disrespected, subjected, inferior, and hopeless.

To someone on the radical fringes or the mental edge, maybe--just maybe--they will do the unthinkable and surprise us.

What good will our fire and fury counterstrike do us, when our cities are in ruin and our people dead and dying en masse? 

Revenge isn't so sweet when your family, homeland, and virtually everything you know and held dear is gone.

The only real military strategy is to be able to defend ourselves and AVOID getting a homeland catastrophe!

We need massive investment and expertise in missile defense, bio defense, cyber defense, quantum computing, and expansive hardening of our critical infrastructure.

Unfortunately, as naysayers to the threats abound, we are nowhere near where we need to be in protecting the homeland.

If one person falls from the high wire and smashes their head, what good is it that the other person falls and suffers similarly or worse? 

The point is not to fall, not to get hurt, not to die, not to have our country and way of life destroyed.

Deterrence does not guarantee this security to the country--especially when dealing with no shortage of radicalized nuts out there. 

Only a genuine defense that can STOP and counter the threats BEFORE a devastating attack happens and hits us is a strategy worth pursuing ...and THEN you can punch the other person squarely in their devil's face!

Without an adequate defensive strategy, get ready, because every high-flying act eventually falls to the ground and hits its head hard. ;-)

(Source Photo: Andy Blumenthal)

January 27, 2015

Trouble In Protection Land

The Secret Service is one of the finest agencies in the Federal government, but unfortunately, the "recreational" drone crash landing at the White House was a protection disaster this week.

(And it comes on the heels of knife-wielding assailants running wild through the front doors of the White House, people taking pot shots at the White House, and even planes crash landing there). 

This time it was perhaps a small drone innocently passing low, without a significant radar signature, onto the White House grounds, but next time it may be a miniaturized drone the size of an insect that attacks the President or his senior staff in the White House itself. 

This could happen with a pinprick of poison or a small drone carrying explosives, biological, or chemical weapons. 

We are entering a new dimension of threats that are not easily addressed with existing technology. 

It is said that the President is proverbially protected by a bubble of defenses around him, but where we are going is that this bubble may need to become an actual physical bubble that nothing, not even an insect drone, can get through. 

It may sound ridiculous, but it may be the only way (for now) to really protect against these threats that literally fly beneath our radar!

Perhaps at some future time, we will have our swarms of defensive drones that go after any attack drone, no matter how small or how many, but in the meantime, we must protect our critical leadership and assets. 

Almost two years ago, I blogged about robots, drones, and commandos in exoskeletons attacking the White House and our not being prepared with adequate defenses and counter-measures.

This week's drone crash should be making the alarm bells go off on this issue big time now!

We must move past reactive steps and a failure to anticipate and become true forward-thinkers, strategists, planners, enterprise architects, and futurists. 

The protection of our leaders, institutions, critical infrastructure, and people depends upon true out-of-the-box thinking, not doing the same thing but on a different day. 

The time is now to think about protections from much more than traditional attack patterns to the wildest and craziest we can imagine--because our enemies are not hampered by the past and won't rest until they see what we won't. ;-)

(Source Photo: here with attribution to David Illig)

September 28, 2013

Insuring Against Cyber Attacks

More and more, our technology is at risk of a cyber attack. 

In fact, just today the Wall Street Journal reported that Iran has hacked into the Navy's unclassified network. 

While we can fix the computers that were attacked, the damage done in terms of data exfiltration and malware infiltration is another matter.

To fix the computers, we can wipe them, swap out the drives, or actually replace the whole system. 

But the security breaches still often impose lasting damage, since you can't get the lost data or privacy information back or as they say "put the genie back in the bottle."

Also, you aren't always aware of hidden malware that can lie dormant, like a trojan horse, nor can you immediately contain the damage of a spreading computer virus, such as a zero-day attack. 

According to Federal Times, on top of more traditional IT security precautions (firewalls, antivirus, network scanning tools, security settings, etc.), many organizations are taking out cybersecurity insurance policies.

With insurance coverage, you transfer the risk of cybersecurity penetrations to cover the costs of compromised data and provide for things like "breach notification to victims, legal costs and forensics, and investigative costs to remedy the breach."

Unfortunately, because there is little actuarial data for calculating risks, catastrophic events such as "cyber espionage and attacks against SCADA industrial control systems" are usually not covered. 

DHS has a section on their website that promotes cybersecurity insurance, where they state that the Department of Commerce views cybersecurity insurance as an "effective, market-driven way of increasing cybersecurity," because it promotes preventive measures and best practices in order to lower insurance premiums and limit company losses from an attack. 

Moreover, according to the DHS Cybersecurity Insurance Workshop Readout Report (November 2012) cybersecurity insurance or risk transfer is the fourth leg of a comprehensive risk management framework that starts with risk acceptance, risk mitigation, and risk avoidance. 

I really like the idea of cybersecurity insurance to help protect organizations from the impact of cybersecurity attacks and for promoting sound cybersecurity practices to begin with.  

With cyber attacks, like with other catastrophes (fire, flood, accident, illness, and so on), we will never be able to fully eliminate the risks, but we can prepare ourselves by taking out insurance to help cover the costs of reconstituting and recovery. 

Buying insurance for cybersecurity is not capitulating our security, but rather adding one more layer of constructive defense. ;-)

(Source Photo: Andy Blumenthal)

April 21, 2012

Don't Throw Out The Pre-Crime With the Bathwater

The Atlantic (17 April 2012) has an article this week called "Homeland Security's 'Pre-Crime' Screening Will Never Work." 

The Atlantic mocks the Department of Homeland Security's (DHS) Future Attribute Screening Technology (FAST) for attempting to screen terrorists based on physiological and behavioral cues to analyze and detect people demonstrating abnormal or dangerous indicators.

The article calls this "pre-crime detection," similar to that in Tom Cruise's movie Minority Report, and labels it a "super creepy invasion of privacy" of "little to no marginal security" benefit.

They base this on a 70% success rate in "first round of field tests" and the "false-positive paradox," whereby there would be a large number of innocent false positives and that distinguishing these would be a "non-trivial and invasive task." 

However, I do not agree that they are correct for a number of reasons: 

1) Accuracy Rates Will Improve--the current accuracy rate is no predictor of future accuracy rates. With additional research, development, and testing, there is no reason to believe that over time we cannot significantly improve the accuracy rates for screening such common things as "elevated heart rate, eye movement, body temperature, facial patterns, and body language" to help us tell friend from foe. 

2) False-Positives Can Be Managed--Just as in disease detection and medical diagnosis, there can be false-positives, and we manage these by validating the results through repeating the tests or performing additional corroborating tests; so too with pre-crime screening, false-positives can be managed with validation testing, such as through interviews, matching against terrorist watch lists, biometric screening tools, scans and searches, and more. In other words, pre-crime detection through observable cues is only a single layer of a comprehensive, multilayer screening strategy.

Contrary to what The Atlantic states, that pre-crime screening is "doomed from the word go by a preponderance of false-positives," terrorist screening is actually a vital and necessary part of a defense-in-depth strategy and is based on risk management principles. To secure the homeland with finite resources, we must continuously narrow in on the terrorist target by screening and refining results through validation testing, so that we can safeguard the nation as well as protect the privacy and civil liberties of those who are not a threat to others. 
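The false-positive paradox and the layered-validation answer above can be worked through with Bayes' rule; this is an added example, not from the article or from DHS. The article's 70% success rate is taken as both sensitivity and specificity of the first screen; the base rate of one real threat per million travelers and the accuracy of the later validation layers are assumed, constructed values.

```python
def screen_posterior(prior: float, sensitivity: float, specificity: float) -> float:
    """P(threat | flagged) for one screen, via Bayes' rule.

    sensitivity = P(flag | threat), specificity = P(no flag | no threat).
    """
    true_pos = prior * sensitivity
    false_pos = (1.0 - prior) * (1.0 - specificity)
    return true_pos / (true_pos + false_pos)


def expected_counts(population: int, prior: float,
                    sensitivity: float, specificity: float) -> tuple:
    """Expected (true positives, false positives) produced by one screen."""
    threats = population * prior
    return threats * sensitivity, (population - threats) * (1.0 - specificity)


def layered_posterior(prior: float, layers: list) -> float:
    """Chain validation screens, each applied only to what the previous one
    flagged. Layers are assumed conditionally independent given the true state."""
    p = prior
    for sensitivity, specificity in layers:
        p = screen_posterior(p, sensitivity, specificity)
    return p


def layered_sensitivity(layers: list) -> float:
    """Fraction of real threats that pass every layer (the cost of layering:
    each added validation step also drops some true positives)."""
    s = 1.0
    for sensitivity, _ in layers:
        s *= sensitivity
    return s


# Assumed, constructed parameters.
BASE_RATE = 1e-6               # one real threat per million travelers
FIRST_SCREEN = (0.70, 0.70)    # the article's 70% figure, as sens. and spec.
VALIDATION = [                 # later layers: interview, watch list, biometrics
    (0.90, 0.99),
    (0.95, 0.999),
]


def summary(population: int = 1_000_000) -> dict:
    """Numbers behind the paradox (first screen alone) and behind layering."""
    all_layers = [FIRST_SCREEN] + VALIDATION
    tp, fp = expected_counts(population, BASE_RATE, *FIRST_SCREEN)
    return {
        "first_screen_true_positives": tp,
        "first_screen_false_positives": fp,
        "posterior_after_first_screen": screen_posterior(BASE_RATE, *FIRST_SCREEN),
        "posterior_after_all_layers": layered_posterior(BASE_RATE, all_layers),
        "threats_passing_all_layers": layered_sensitivity(all_layers),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:30} {value:.6g}")
```

With these assumptions the first screen alone flags roughly 300,000 innocent travelers for under one real threat, while three chained layers raise the posterior to about 17% at the cost of missing about 40% of real threats, which is why the later layers must be cheap, targeted and reversible.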

Additionally, The Atlantic questions whether subjects used in experimental screening will be able to accurately mimic the cues that real terrorists would have in the field. However, with the wealth of surveillance that we have gathered of terrorists planning or conducting attacks, especially in the last decade in the wars in Iraq and Afghanistan, as well as with reams of scientific study of the mind and body, we should be able to distinguish someone about to commit mass murder from someone simply visiting their grandmother in Miami. 

The Atlantic's position is that terrorist screening's "(possible) gain is not worth the cost"; however, this is ridiculous, since the only alternative to pre-crime detection is post-crime analysis--where rather than try to prevent terrorist attacks, we let the terrorists commit their deadly deeds--and clean up the mess afterwards. 

In an age when terrorists will stop at nothing to hit their target and hit it hard, and shoe and underwear bombs are serious issues and not late-night comedy, we must invest in technology tools like pre-crime screening to help us identify those who would do us harm, and continuously work to filter them out before they attack. 

(Source Photo: here with attribution to Dan and Eric Sweeney)


November 20, 2011

The Moses Bridge, A Design Inspired By G-d

Really love the design for this "Moses Bridge" located in Holland.
The bridge is stretched out across a moat to reach a historic fortress built in the 17th century to protect against French and Spanish invasion.
It allows people to cross the parted water and reminds me of when the Jewish people left Egypt and crossed the Red Sea parted by G-d through the hands of Moshe.

The amazing design makes it hard to spot from a distance, making it part of the fort's defensive camouflage.
I am not sure how they prevent the water flooding in over the walls when the water rises and drowning the proverbial evil Egyptian armies of yesteryear.
I think the greatest designs are inspired by the hand of G-d and this is one of them.

Source Photo 1: here and Photo 2: here


October 13, 2011

Increase Security On Your Google Account

After reading the article Hacked! in The Atlantic (November 2011), I looked into Google's new security feature called 2-Step Verification (a.k.a. Two Factor Authentication).

This new extra layer of security--adding "something you have" to "something you know"--to your sign-in credentials helps to better protect you and your information in Google (i.e. in the Google cloud), including your emails, documents, and applications.

While it's a little extra work to log in to Google--you have to type in a verification code that Google sends or calls to your phone (this is the "something you have")--it provides an extra layer of defense against hackers, criminals, and identity thieves.

To protect your smartphone, Google provides "Application-specific passwords" that you generate from the 2-Step Verification screen and then enter into the specific iPhone, Droid, or Blackberry device.

You can sign up for 2-Step Verification from your Google Account Settings page and help protect yourself, your information, and your privacy.

In the future, I hope that Google (and other cloud vendors) will improve on this and use biometrics, to add "something you are," to the authentication process and make this even sleeker and more secure yet.

Stay safe out there! ;-)


September 9, 2011

Visualizing IT Security


I thought this infographic on the "8 Levels of IT Security" was worth sharing.

While I don't see each of these as completely distinct, I believe they are all important aspects of enterprise security, as follows:

1) Risk Management - With limited resources, we've got to identify and manage the high probability, high impact risks first and foremost.

2) Security Policy - The security policy sets forth the guidelines for what IT security is and what is considered acceptable and unacceptable user behavior.

3) Logging, Monitoring, and Reporting - This is the eyes, ears, and mouth of the organization in terms of watching over its security posture.

4) Virtual Perimeter - This provides for the remote authentication of users into the organization's IT domain.

5) Environment and Physical - This addresses the physical protection of IT assets.

6) Platform Security - This provides for the hardening of specific IT systems around aspects of its hardware, software, and connectivity.

7) Information Assurance - This ensures adequate countermeasures are in place to protect the confidentiality, integrity, availability, and privacy of the information.

8) Identification and Access Management - This prevents unauthorized users from getting to information they are not supposed to.

Overall, this IT security infographic is interesting to me, because it's an attempt to capture the various dimensions of the important topic of cyber security in a straightforward, visual presentation.

However, I think an even better presentation of IT security would be using the "defense-in-depth" visualization with concentric circles or something similar showing how IT security products, tools, policies, and procedures are used to secure the enterprise at every level of its vulnerability.

IT security is not just a checklist of do's and don'ts, but rather it is based on a truly well-designed and comprehensive security architecture and its meticulous implementation for protecting our information assets.

Does anyone else have any other really good visualizations on cyber security?

(Source Photo: here)


May 2, 2008

Cyber Warfare and Enterprise Architecture

Security is a cross-cutting perspective in Enterprise Architecture, but I treat it as its own EA perspective because of its importance. And this is especially true in a law enforcement and defense readiness organization.

While security in EA is generally of a defensive nature, we must remember that as a nation, we must be ready to not only defend ourselves, but also to launch offensive operations and take out the enemy.

According to Military Information Technology Magazine, 9 April 2008, in an interview with Major General William T. Lord, the Department of Defense is standing up a new Cyberspace Command in the U.S. Air Force.

Why do we need this new Cyberspace Command?

There are many threats to us that emanate from cyberspace that include:

  • Cyber-criminals—looking to steal your identity or your money
  • Cyber-terrorists—“wants to disrupt, dissuade, or deter us from doing something”
  • Nation States—“some of which are out to interrupt U.S. interests anywhere in the world.”

Cyberspace is a dangerous place, especially if you’re DoD; they “get about 3 million attempted penetrations” a day!

This is why defense in depth is so important, so that if an enemy manages to get through the perimeter of our network security, we can still stop them at the second or third tiers of our defensive capabilities.

In terms of offensive capabilities, sometimes you have to take the battle to the enemy. At times, it is necessary to “disrupt an enemy prior to the conduct of kinetic combat operations, [so] that the enemy could not figure out what its command and control system was, had false data, could not see an attacking force, and was making decisions based on information systems that been manipulated in advance of combat operations.”

To architect the defensive and offensive cyberspace capabilities necessary to combat our enemies, it is imperative to continuously build information sharing and partnership between the parties involved, such as the Departments of Defense, Homeland Security, Justice and the Director of National Intelligence. This is a core tenet of user-centric EA.

Just as we invest in the latest and greatest kinetic weapons to defeat our enemies, we must also invest in non-kinetic weapons including “our electronic warfare, space systems, and cyber-systems.” As Major General Lord stated: “it’s not always about destroying things, but about changing behavior, so that an enemy concludes that the costs of whatever they had in mind is too great and will stop. [Then again,] sometimes you have to be able to whack somebody in the nose.”

