Cyber War, Cyber Peace, Stones, and Glass Houses

Gary McGraw, Ph.D. Chief Technology Officer, Cigital

…those who live in glass houses should not throw stones…
© 2012 Cigital

Cigital

- Founded in 1992 to provide software security and software quality professional services
- Recognized experts in software security and software quality
- Widely published in books, white papers, and articles
- Industry thought leaders


Cyber clarity is elusive

Separating the Threat from the Hype: What Washington Needs to Know About Cyber Security, Nate Fick & Gary McGraw, http://www.cigital.com/papers/download/mcgraw-fick-CNAS.pdf


Cyber security

How much of the cyber war talk is hype? What is real and what is cyber chimera? Help policymakers find their way through the fog and set guidelines to protect the best of the Internet and cyberspace, both from those who seek to harm it and from those who seek to protect it but risk doing more harm than good.

The kinetic impact criteria

HYPE
- Estonia DDoS attacks
  - 2007 statue removal kerfuffle
  - What would Google do?
- Brazilian blackout
  - 2009 60 Minutes story
  - 100% hype
- China "hijacks" the Internet
  - BGP mistake
  - Bad design

REALITY
- To qualify as cyber war, the means may be virtual, but the impact should be real.
- 1982 Soviet gas pipeline explosion
- 2007 Israeli attack on Syrian reactor
- 2008 Russia attacks Georgia two ways
- 2008 USB drive infection in Iraq (meh)
- 2010 Stuxnet attack on Iranian centrifuges

The truth about Stuxnet

Sophisticated, targeted collection of malware
- Delivery
  - 0day (not 4)
  - Stolen private keys
  - USB injection
  - Network C&C
- The PAYLOAD is what matters
  - Inject code into a running control system
  - Siemens SIMATIC PLC (Step 7)
  - Natanz in Iran
- Cyberwar?

How to p0wn a Control System with Stuxnet (9/23/10), http://www.informit.com/articles/article.aspx?p=1636983

Online games are a bellwether

- Online games (like World of Warcraft) have up to 900,000 simultaneous users on six continents
- 10,000,000 people subscribe to WoW
- 16,000,000+ play MMORPGs
- Clients and servers are massively distributed
- Time and state errors are rampant

MMORPGs push the limits of software technology. Modern distributed systems in other domains are evolving toward similar models:
- Cloud
- SaaS

Time and state errors are the XSS of tomorrow.

DLL interpositioning no longer works?!

- Used in early WoW botting programs (circa 2004) but no longer
- Used successfully in Stuxnet in 2009

[Diagram: WoW.EXE MAIN THREAD calls RenderWorld(), which loops hundreds of times per second; a DETOUR PATCH on RenderWorld() redirects control into the INJECTED DLL]

[Diagram: a HARDWARE BP on RenderWorld() branches the MAIN THREAD into an INJECTED CODE PAGE that runs uncloak, CastSpellByID(...), ScriptExecute(...), ClearTarget(...), recloak and restore, then signals MSG / complete back to the main thread]
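The defender-side counterpart to the detour drawn above is a prologue integrity check: compare a function's in-memory bytes against the clean copy and, if the first instruction has been replaced by a relative JMP, decode where the detour goes. This is an added example, not code from the talk or from Cigital; the function address, prologue bytes, detour target and the use of RenderWorld() as the monitored function are all constructed for illustration.

```python
import struct

# Constructed sample data for this example: the opening bytes of a function as
# they appear on disk (clean) and as they would look in a live process after an
# inline detour overwrote the first five bytes with a JMP rel32 to injected code.
FUNC_ADDR = 0x00401000                              # hypothetical RenderWorld() address
CLEAN_PROLOGUE = bytes.fromhex("558bec83ec20")      # push ebp; mov ebp,esp; sub esp,0x20
DETOURED_PROLOGUE = bytes.fromhex("e9fb3fc00f20")   # jmp 0x10005000 ; leftover byte 0x20
NATIVE_BITS = 32                                    # 32-bit process, as in the WoW.EXE diagram


def decode_detour(prologue: bytes, func_addr: int):
    """Return the jump target if the prologue begins with a relative JMP, else None.

    A detour patch replaces the first instruction(s) of a function with a jump
    into foreign code; the target is relative to the address of the
    instruction that follows the jump (func_addr + length of the jump).
    """
    mask = (1 << NATIVE_BITS) - 1
    if len(prologue) >= 5 and prologue[0] == 0xE9:      # JMP rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (func_addr + 5 + rel) & mask
    if len(prologue) >= 2 and prologue[0] == 0xEB:      # JMP rel8 (short trampoline)
        rel = struct.unpack_from("<b", prologue, 1)[0]
        return (func_addr + 2 + rel) & mask
    return None


def check_prologue(disk: bytes, memory: bytes, func_addr: int) -> dict:
    """Compare the in-memory prologue with the on-disk copy and classify the result.

    Returns 'patched' (bool), 'first_diff' (index of the first differing byte or
    None) and 'detour_target' (decoded JMP destination or None) for a monitor to log.
    """
    first_diff = next((i for i, (a, b) in enumerate(zip(disk, memory)) if a != b), None)
    return {
        "patched": first_diff is not None,
        "first_diff": first_diff,
        "detour_target": decode_detour(memory, func_addr) if first_diff is not None else None,
    }


if __name__ == "__main__":
    for label, mem in (("clean", CLEAN_PROLOGUE), ("live", DETOURED_PROLOGUE)):
        result = check_prologue(CLEAN_PROLOGUE, mem, FUNC_ADDR)
        target = result["detour_target"]
        print(f"{label}: patched={result['patched']}"
              + (f", detour -> 0x{target:08x}" if target is not None else ""))
```

A real monitor would read the live bytes from the target process and the clean bytes from the mapped image on disk; the comparison and decoding logic is the same.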

Offense and defense

- Offense involves exploiting systems, penetrating systems with cyber attacks and generally leveraging broken software to compromise entire systems and systems of systems
- Defense means building secure software, designing and engineering systems to be secure in the first place and creating incentives and rewards for systems that are built to be secure

War, espionage, and crime

- Cyber espionage
  - Much more common than war
  - Wikileaks
  - Anonymous
  - Operation Aurora
  - Bad compartmentalization makes easy targets
- Cyber crime
  - Even more common
  - 1 trillion dollars per year

Building systems properly from a security perspective will address the cyber crime problem just as well as it will address cyber espionage and cyber war. We can kill all three birds with one stone.

Washington’s focus is distorted

Fake defense: castles are passé

Today’s computer and network security mechanisms are like the walls, moats, and drawbridges of medieval times. At one point, effective for defending against isolated attacks, mounted on horseback. Unfortunately, today’s attackers have access to airplanes and laser-guided bombs!

The NASCAR effect

Good news
- The world loves to talk about how stuff breaks
- This kind of work sparks lots of interest in computer security

Bad news
- The world would rather not focus on how to build stuff that does not break
- It’s harder to build good stuff than to break junky stuff

National security dominates the conversation

- The real and perceived dominance of the U.S. national security establishment in setting cyber security policy is problematic
- Cyber security is not only a military problem
- Cyber security recognizes no geographic boundaries

Balancing cyber security policy

Guidance for policy makers

- Focus on defense by building security in
- Re-orient public private partnerships
- Focus on information users instead of plumbing
- Let civilian agencies lead

FIX THE BROKEN STUFF

Building security in

Develop incentives for companies to engineer security into software rather than rely on endless patches after vulnerabilities become apparent.

How do we do software security?

The software security challenge

The Trinity of Trouble
- Connectivity: The Internet is everywhere and most software is on it
- Complexity: Networked, distributed, mobile code is hard
- Extensibility: Systems evolve in unexpected ways and are changed on the fly

The network is the computer.

[Diagram: .NET; "This simple interface… …is this complex program"]

More code, more bugs

[Charts: "Software Vulnerabilities" (count per year, 2000–2007) and "Windows Complexity" (Millions of Lines, for Win 3.1, Win 95, NT 4.0, Win 98, NT 5.0, Win 2K and Win XP, 1990–2002)]

From philosophy to HOW TO circa 2006

- Integrating best practices into large organizations
- Microsoft’s SDL
- Cigital’s touchpoints
- OWASP adopts CLASP

Touchpoints adoption

- Code review
  - Widespread
  - Customized tools
  - Training
- ARA
  - Components help
  - Apprenticeship
  - Training
- Pen testing
  - No longer solo
- Security testing
  - Training
- Abuse cases and security requirements
  - Training

BSIMM: Software Security Measurement

- Real data from (42) real initiatives
- 81 measurements
- McGraw, Chess, & Migues
- PlexLogic

[Slide of participating-firm logos] Intel + 14 anonymous firms

BSIMM3 as a measuring stick

Compare a firm with peers using the high water mark view
- Descriptive (not prescriptive)
- Incredible insight for planning

- Top 12 activities
- green = good?
- red = bad?
- “Blue shift” practices to emphasize
- activities you should maybe think about in blue

What about the government?

The government is way behind.

Where to Learn More

SearchSecurity & Justice League

- www.searchsecurity.com: No-nonsense monthly security column by Gary McGraw debuts in April
- www.cigital.com/~gem/writing
- www.cigital.com/justiceleague: In-depth thought leadership blog from the Cigital Principals
  - Scott Matsumoto
  - Gary McGraw
  - Sammy Migues
  - Craig Miller
  - John Steven

IEEE Security & Privacy + Silver Bullet

- Building Security In: Software Security Best Practices column edited by John Steven, www.computer.org/security/bsisub/
- www.cigital.com/silverbullet

Software Security: the book

- How to DO software security
- Best practices
- Tools
- Knowledge

Cornerstone of the Addison-Wesley Software Security Series, www.swsec.com

Build Security In

- http://bsimm.com
- WE NEED GREAT PEOPLE
- See the Addison-Wesley Software Security series
- Send e-mail: gem@cigital.com

“So now, when we face a choice between adding features and resolving security issues, we need to choose security.” -Bill Gates
