Friday, June 03, 2016

Two Views Of Our Dystopian Post-Stuxnet Future

The Register - Air-gapping SCADA systems won't help you, says man who knows -

Isolating SCADA systems as a means of protection has been suggested by some as a defensive tactic after hackers briefly took out elements of the power grid in the Ukraine last December.
Faizel Lakhani, a pioneer of SCADA technology, told El Reg that air-gapping such systems would be a quixotic endeavour, at best.
“Most SCADA systems are theoretically air gapped but not really disconnected from the network” Lakhani explained. “There are ways to get around isolation either because systems are not set up properly or because that’s a test link in there or someone bridged the Wi-Fi network, to name a few examples.”


Tech Republic - Former NSA and CIA director recommends managing consequences instead of vulnerabilities -

When it comes to information security, vulnerability management (i.e., stopping the bad guys from gaining access) has been less than successful. To put a point on it, Fortune's Robert Hackett quotes Michael Hayden, former director of the NSA and CIA, and currently a principal at the Chertoff Group, as saying at a recent computer security conference, "They're going to get in. Get over it."
...
 Hayden then proceeded to explain why managing vulnerabilities is untenable, and the focus should instead be on consequence management using the above Risk Equation. (ed.  Risk = threat x vulnerability x consequence)

Read both articles, but keep in mind both parties are trying to sell you a product.  Of the two approaches I find Hayden's to be more realistic:

The Risk Equation focuses all the attention on risk. In real life, that means threats, vulnerabilities, and consequences/costs are only important in that they are components in determining risk. Those inclined towards math will notice something interesting about this equation — when any one of the factors (threats, vulnerabilities, or consequences/costs) is zero or nonexistent, there is no risk.

Tippett adds, "By drilling down into each component, you'll often conclude that there's no risk — or at least no imminent risk — because at least one component of risk is zero or near zero."
probably because it reflects a) my general view of life, and b) because it reflects the way I was instructed in Risk Management (both formally in my Enterprise Risk Management class and informally over the years in the military).  The thing is that when you use this approach you don't put all your eggs in one basket.  You look at the risks and try to mitigate each one to as close to zero as possible.  Sometimes you can't and you look at mitigating the consequences.  

An example, where I used to work our network was airgapped, but we assumed it would be breached so we looked at what would happen if an attacker was able to breach and installed controls, such as AAA, Network Monitoring Tools, Anti-malware, Regular patching, etc.  Basically we just went down the SANS 20 and everything that we could implement we did, and then we started looking again, but we never assumed we were secure because we had done one thing.  If we had formally drawn out the risk tables and done the Risk Equation we would have been trying to get as close to zero as possible.  I think one of the problems in the world of IT security today is that too many people talk about thing like defense in depth but then implement one control and call it good or they just declare a solution worthless looking at it only in isolation not as part of an overall solution.  To go back to the military again it's like setting up a defensive perimeter without establishing overlapping fields of fire and without the platoon leader going outside the wire to check the emplacements from the incoming side.

Disclaimer:  There are a lot of people out there far more qualified than me to talk about this stuff, this is just my view as one lonely guy looking at an issue from his small vantage point.  I am not trying to specifically criticize anyone or any group / profession, just spelling out how I try and approach things like this.  I may be completely full of shit if so feel free to point out where and how, I am always willing to learn.


Post a Comment

OSCP and Defcon26

First - I was thinking my OSCP course started on the 27th, nope it starts on the 19th.  I would have missed it except i decided to double ch...