Upping the pace to face the infosec 'Cold War'

2013 has become the year of cyber-espionage we were warned about. This online 'Cold War' demands a faster pace and a proper analytical basis, says Tenable Network Security

"We, as far as I'm concerned, are in an arms race. It's the same old thing as the good old days of the Cold War," says Dick Bussiere, principal architect for Tenable Network Security in the Asia Pacific region. "The Russians would come up with something, the Americans would come up with a countermeasure, the Russians would come up with something else, and it never ends. I think we're kind of in a situation like that."

We've heard the Cold War analogy before, of course, and in many ways it's apt. Despite this year's constant cyberwar hype, no-one has been killed yet. So far it's all been about espionage and, in the few incidents when there has been damage — such as Stuxnet's impact on the centrifuges of Iran's uranium enrichment program, or the Shamoon wiper attack on Saudi Aramco's computer infrastructure — it's more appropriate to categorise it as sabotage rather than something more warlike.

The Cold War analogy is appropriate in another way, too. Unlike the almost gentlemanly pace of the arms race in the more leisurely age of horse, steam and steel, in 2013 new digital threats evolve overnight — and countering those threats requires systems administrators to adopt a new operational pace.

"Networks are living and breathing things. They don't sit still. Your vulnerabilities will change on a daily basis, for sure, and you need to be on top of that," Bussiere told a recent Corrupted Nerds podcast.

Tenable is advocating what the company sees as a "revolutionary" change in network security.

"We're kind of advocating that people perform vulnerability assessment, and remediation of vulnerabilities, as a constant and continuous process, rather than something that you do on a periodic basis," Bussiere said.

Traditionally, a vulnerability scan is something done to a regular schedule, often by an external contractor. A report is given to the IT department, and they deal with it — or not, depending on their workload, focus, honesty and corporate-political priorities. Either way, nothing further is done about vulnerabilities until the next scheduled scan, apart from routine Patch Tuesday-style software updates.

"That creates significant opportunities, of periods of time, in between assessments when vulnerabilities can sneak in," Bussiere said.

A look at the numbers makes the strategy clear.

In a typical week, the US National Institute of Standards and Technology (NIST) National Vulnerability Database collects information on 70 to 80 new vulnerabilities. In 2011, there were 5289 new vulnerabilities. But, according to Bussiere, only 14 of them were true zero-days, vulnerabilities that were being actively exploited before they were publicly disclosed. For the remaining 5275 vulnerabilities — that is, for 99.7 percent of them — there was at least some warning that they existed before they were exploited, and that warning period is exactly the window a continuous process is meant to close.

"When a new vulnerability is publicly disclosed, the attackers are going to leverage that like crazy for a period of time. If you're very early, in terms of eliminating the vulnerability from your network, you're going to reduce the window [during] which the attacker can even get in in the first place," he said.

"If you are pro-active and very aggressive, or treat it as a continuous process, rather than something you do at certain periods of time, your chances of closing vulnerabilities that people can exploit are very, very, very good."

It's natural that Tenable is promoting this strategy, because it makes tools for the job: the Nessus vulnerability scanner, the SecurityCenter vulnerability management platform for enterprise-scale networks, and a passive vulnerability scanner that monitors network traffic for evidence of vulnerabilities and compliance violations in real time. Bussiere says the passive approach is vital in a bring your own device (BYOD) environment, because users' own smartphones and tablets can be completely opaque to the organisation's scanning and device management processes: an active scanner can only learn from a device that answers its probes, whereas a passive sensor sees whatever those devices send across the network segments it watches.

"If you ever try to scan an iPhone using an active scanner, you're not going to see anything," Bussiere told CSO Online earlier this month. "However, you can determine what apps are being used on it just by watching the traffic being generated. You can learn a lot by just watching traffic."
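As an added illustration of what "just watching traffic" yields (example code written for this page, not Tenable's passive scanner or any Tenable code), the script below builds a device and app inventory purely from User-Agent headers observed in cleartext HTTP requests, then flags anything running below a minimum version. The sample traffic lines, the IP addresses and the minimum-version table are all constructed for the example; a real deployment would feed the minimum versions from an advisory source.

```python
import re
from collections import defaultdict

# Constructed sample traffic: one observed HTTP request per line, "src_ip<TAB>User-Agent".
# These lines are made up for the example, not captured from a real network.
SAMPLE_TRAFFIC = (
    "10.0.5.21\tMozilla/5.0 (iPhone; CPU iPhone OS 6_1_3 like Mac OS X) "
    "AppleWebKit/536.26 (KHTML, like Gecko) Mobile/10B329\n"
    "10.0.5.21\tDropbox/2.1.3 CFNetwork/609.1.4 Darwin/13.0.0\n"
    "10.0.5.37\tMozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) "
    "AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/11B554a\n"
    "10.0.5.37\tFacebook/6.7 CFNetwork/672.0.8 Darwin/14.0.0\n"
    "10.0.5.42\tDalvik/1.6.0 (Linux; U; Android 4.1.2; GT-I9300 Build/JZO54K)\n"
)

# Assumed minimum acceptable versions (a placeholder table for the example, not an
# advisory feed). Products not listed here are inventoried but never flagged.
MIN_VERSIONS = {"iOS": (7, 0, 4), "Android": (4, 3, 0), "Dropbox": (2, 2, 0)}

IOS_RE = re.compile(r"CPU (?:iPhone )?OS (\d+)_(\d+)_(\d+)")     # Safari on iPhone/iPad
ANDROID_RE = re.compile(r"Android (\d+)\.(\d+)\.(\d+)")          # Android browser / Dalvik
APP_RE = re.compile(r"^([A-Za-z]+)/(\d+(?:\.\d+)*) CFNetwork/")  # iOS apps built on CFNetwork


def parse_user_agent(ua):
    """Return [(product, version_tuple), ...] inferred from one User-Agent string."""
    found = []
    m = IOS_RE.search(ua)
    if m:
        found.append(("iOS", tuple(int(x) for x in m.groups())))
    m = ANDROID_RE.search(ua)
    if m:
        found.append(("Android", tuple(int(x) for x in m.groups())))
    m = APP_RE.match(ua)
    if m:
        found.append((m.group(1), tuple(int(x) for x in m.group(2).split("."))))
    return found


def passive_inventory(traffic):
    """Map src_ip -> {product: highest version seen}, built only from observed requests."""
    inventory = defaultdict(dict)
    for line in traffic.splitlines():
        if not line.strip():
            continue
        ip, ua = line.split("\t", 1)
        for product, version in parse_user_agent(ua):
            # Keep the highest version seen per product, so a stale cached UA
            # does not hide an upgrade observed later in the capture.
            if version > inventory[ip].get(product, ()):
                inventory[ip][product] = version
    return dict(inventory)


def find_outdated(inventory, min_versions):
    """(ip, product, version) for every inventoried product below its minimum version."""
    outdated = []
    for ip, products in sorted(inventory.items()):
        for product, version in sorted(products.items()):
            floor = min_versions.get(product)
            if floor is not None and version < floor:
                outdated.append((ip, product, version))
    return outdated


if __name__ == "__main__":
    inv = passive_inventory(SAMPLE_TRAFFIC)
    for ip, products in sorted(inv.items()):
        print(ip, {p: ".".join(map(str, v)) for p, v in products.items()})
    for ip, product, version in find_outdated(inv, MIN_VERSIONS):
        print(f"OUTDATED {ip}: {product} {'.'.join(map(str, version))}")
```

Two caveats a practitioner should keep in mind: this only works on traffic the sensor can read (for HTTPS you are limited to TLS metadata such as the server name, not the User-Agent), and User-Agent strings are client-controlled, so treat the result as evidence to verify rather than proof of what is installed.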

Tenable's passive vulnerability scanner also analyses the trust relationships between systems to determine which devices are the highest priority for vulnerability patching — a process they call attack path analysis.

"Attacks can hopscotch from something to something else. So if I find a machine, perhaps an administrator's desktop machine, and he's constantly administering [a] particular web server, well, me attacking that administrator's desktop machine is a nice vector to be able to get to the real target," Bussiere told Corrupted Nerds.
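The hopscotch idea, as an added worked example (this is illustration code written for this page, not Tenable's attack path algorithm): a directed trust graph records which hosts give an attacker a usable path onto which others, every finding is weighted by the total value of what its host can reach, and two findings with identical CVSS scores end up at opposite ends of the ranking. The host names, trust edges, finding ids, CVSS values and asset values are all constructed.

```python
from collections import deque

# Constructed trust relationships (an assumption for the example, not real network data).
# A directed edge A -> B means "compromising A gives a usable path onto B": A holds
# credentials or sessions for B, or B accepts administrative connections from A.
TRUST_EDGES = [
    ("admin-desktop", "web-server"),
    ("admin-desktop", "db-server"),
    ("jump-host", "db-server"),
    ("web-server", "db-server"),
    ("hr-laptop", "file-share"),
]

# Constructed findings: host -> [(finding id, CVSS base score)]. The ids are
# placeholders, not real CVE numbers.
FINDINGS = {
    "admin-desktop": [("VULN-A", 8.5)],
    "web-server": [("VULN-B", 9.3)],
    "jump-host": [("VULN-C", 5.0)],
    "hr-laptop": [("VULN-D", 9.3)],
    "db-server": [],
    "file-share": [],
}

# Assumed business value of each asset on a common 1..10 scale.
ASSET_VALUE = {"db-server": 10, "web-server": 7, "file-share": 4,
               "admin-desktop": 3, "jump-host": 3, "hr-laptop": 2}


def build_graph(edges):
    """Adjacency map of the directed trust graph; every host gets an entry."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def reachable(graph, start):
    """Every host an attacker can hop to from `start` by following trust edges (BFS, cycle-safe)."""
    seen, queue = set(), deque([start])
    while queue:
        host = queue.popleft()
        for nxt in graph.get(host, ()):
            if nxt not in seen and nxt != start:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposure(graph, host, asset_value):
    """Value of the host itself plus the value of everything it gives a path to."""
    return asset_value.get(host, 0) + sum(asset_value.get(h, 0) for h in reachable(graph, host))


def prioritise(findings, graph, asset_value):
    """Rank findings by CVSS weighted with the exposure of the host carrying them.

    Returns [(score, host, finding id, cvss, sorted reachable hosts)], highest score first.
    """
    ranked = []
    for host, vulns in findings.items():
        exp = exposure(graph, host, asset_value)
        for vuln_id, cvss in vulns:
            ranked.append((round(cvss * exp, 1), host, vuln_id, cvss, sorted(reachable(graph, host))))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


if __name__ == "__main__":
    graph = build_graph(TRUST_EDGES)
    for score, host, vuln_id, cvss, reach in prioritise(FINDINGS, graph, ASSET_VALUE):
        print(f"{score:7.1f}  {host:14s} {vuln_id}  CVSS {cvss}  reaches {', '.join(reach) or '-'}")
```

With these inputs the administrator's desktop (CVSS 8.5) outranks the web server (CVSS 9.3) because it reaches both the web server and the database, while the HR laptop's finding, identical in CVSS to the web server's, drops to the bottom because nothing valuable trusts it. The trust edges are the hard part in practice: they come from observed administrative sessions, stored credentials and service accounts, which is what a passive sensor is well placed to collect.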

There is more than Tenable's self-interest behind the strategy, however. In September 2011, continuous vulnerability measurement and reporting was mandated for all US .gov networks, following the US State Department's successful implementation of the approach.

The director of the White House Office of Management and Budget (OMB) used the Federal Information Security Management Act (FISMA) to require every US federal agency to report its information security posture monthly through CyberScope, an automated reporting tool.

As SANS Institute director of research Alan Paller told security professionals in Sydney late last year, the State Department had been measuring the risk across its networks through automated vulnerability reporting, turning that into a metric that put the many different kinds of problems onto a common scale, and communicating that data daily.

He also noted that a typical systems administrator has just 20 minutes per day to spend on security-related tasks, so the State Department would also send their sysadmins a daily single highest-priority task — one that would take them less than 20 minutes to perform.

Using this process of continuous vulnerability measurement and measured risk reduction, the State Department patched 90 percent of its machines against one Internet Explorer vulnerability in just 11 days. The traditional methods used by the US Department of Defense, on the other hand, took four months to patch just 65 percent of its machines for the same vulnerability.
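An added illustration of the two mechanics described above, the common risk scale and the single daily task (example code written for this page, not the State Department's own scoring system): findings of different kinds, each measured in its own native unit, are converted to one point scale, the day's task is the highest-scoring item an administrator can finish inside a 20-minute budget, and the result is reported as a percentage reduction in measured risk. The findings, host names, conversion weights and fix-time estimates are assumptions made for the example.

```python
# Constructed findings for one administrator's hosts. Each kind is measured in its own
# native unit, which is why a common scale is needed before they can be ranked together.
# Rows are (kind, host, native measurements, estimated minutes to fix); none are real scan data.
FINDINGS = [
    ("missing_patch", "ws-014", {"cvss": 9.3, "days_overdue": 12}, 15),
    ("missing_patch", "ws-022", {"cvss": 4.3, "days_overdue": 40}, 15),
    ("weak_config",   "srv-03", {"deviations": 3}, 45),
    ("expired_cert",  "srv-07", {"days_expired": 5}, 10),
    ("av_signature",  "ws-031", {"days_stale": 9}, 5),
]

# Assumed conversion of each native measure onto one risk-point scale. The weights are
# illustrative; the article does not give the State Department's actual formulas.
SCORERS = {
    "missing_patch": lambda m: m["cvss"] * 10 + m["days_overdue"],  # severity, ageing daily
    "weak_config":   lambda m: m["deviations"] * 40,
    "expired_cert":  lambda m: 50 + m["days_expired"] * 5,
    "av_signature":  lambda m: m["days_stale"] * 8,
}


def score(finding):
    """Risk points for one finding on the common scale."""
    kind, _host, measure, _minutes = finding
    return float(SCORERS[kind](measure))


def total_risk(findings):
    """Aggregate measured risk, the number that gets communicated daily."""
    return sum(score(f) for f in findings)


def ranked(findings):
    """All findings, highest risk first, regardless of how long they take to fix."""
    return sorted(findings, key=score, reverse=True)


def daily_task(findings, budget_minutes=20):
    """The single highest-scoring finding that fits in the time budget, or None."""
    candidates = [f for f in findings if f[3] <= budget_minutes]
    return max(candidates, key=score) if candidates else None


def risk_reduction(findings, completed):
    """Percentage of measured risk removed by completing the given findings."""
    before = total_risk(findings)
    after = total_risk([f for f in findings if f not in completed])
    return 100.0 * (before - after) / before if before else 0.0


if __name__ == "__main__":
    print(f"measured risk: {total_risk(FINDINGS):.0f} points")
    task = daily_task(FINDINGS)
    print(f"today's task: {task[0]} on {task[1]} ({task[3]} min, {score(task):.0f} points)")
    print(f"after completion: {risk_reduction(FINDINGS, [task]):.1f}% reduction")
```

Note what the budget does: the configuration finding on srv-03 carries the most risk points but needs 45 minutes, so it is not the daily task; it stays at the top of the ranked list for scheduled work while the administrator clears the best item that fits in 20 minutes. Over many days the aggregate figure is what lets a "94 percent reduction in measured risk" be stated as a number rather than an impression.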

The State Department demonstrated "more than 94 percent reduction in 'measured' security risk through the rigorous automation and measurement" of the SANS Institute's Twenty Critical Security Controls for Effective Cyber Defense.

Similarly, the Australian Signals Directorate (ASD), formerly the Defence Signals Directorate (DSD), has found that at least 85 percent of the targeted intrusions it responds to could be defeated by its "Top 4" mitigation strategies, summarised as "Catch, Patch, Match": application whitelisting, patching applications, patching operating systems, and restricting administrative privileges.

Contact Stilgherrian at Stil@stilgherrian.com or follow him on Twitter at @stilgherrian

Follow @CSO_Australia and sign up to the CSO Australia newsletter.
