Buildings don't fall down, why should network security?

Network security pros should look at how security fails and what the consequences were

Over the centuries the building trades have learned from their mistakes and set up complex systems of checks and balances that not only work but could serve as a model for network security, attendees at the Security BSides Boston 2014 conference were told.

Use of failure-mode effects analysis by the construction industry instills safety in the building process, something that could work to thwart network attackers by building in network protections in areas attackers have been known to exploit, said Michael Davis, CTO of CounterTack, during a BSides keynote.

Network security pros should look at how security fails and what the consequences were, then build protections into future network designs, Davis said.

Failure Mode Effects Analysis was first used in the 1960s by NASA, he said, and has been employed in auto design. Cars have crumple zones, less essential parts of the car that are designed to collapse during collisions in order to absorb the impact and protect passengers and more essential parts of the car.

That's a lesson network designers should emulate but don't, he said. "Nobody designs a network segment that can be turned over to the attacker entirely in order to save the rest of the network," he said.

Architects should study breaches, find the conditions that lead to failures and correct for them. This can be accomplished through analysis during design and implementing measures for mitigating the risks. Designers should ask, for example, what would it take to hit a particular server and what defenses would have to fail in order for an attacker to get through?

This methodology saved the Mars rover Spirit, whose flash became corrupted during its mission. Engineers had foreseen the possibility and installed a secondary system in it that enabled controllers on the ground to re-flash and reboot the system, bringing the rover back to life, Davis said. The lesson? "Be prepared for the low-probability event with huge consequences," he said.

In network security the problems are extremely complex, he said. For instance, the Verizon Data Breach Investigations Report says fixing nine security weaknesses can stop 95% of SQL injection attacks. But each of those nine problems connects to another nine that can ultimately lead to a successful breach. "You need to look at the chain of events, not just weaknesses in isolation," he said.

The complexity makes it extremely difficult to block all the problems, he said, so businesses need to calculate the business risk for each potential failure and address each in order of priority.

He proposes a formula for determining risk: Severity x Frequency x Detection = Risk Priority Number. Severity means the importance of the negative effect the attack can have on the environment (1 = Not Severe, 10 = Very Severe). Frequency, or occurrence, refers to how often a given cause occurs and results in failures, and is based on historical data if possible (1 = Not Likely, 10 = Very Likely). Detection means the ability of the control scheme to detect and prevent a cause (1 = Easy to Detect, 10 = Hard to Detect).
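The formula applied to a small worksheet, as an added example that is not from Davis's talk or the original article. It ranks failure modes by Risk Priority Number and also lists the rare but catastrophic ones that a pure product ranking pushes to the bottom, the "low-probability event with huge consequences" case. The failure modes, their ratings, and the `budget` and `severity_floor` parameters are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    name: str
    severity: int   # 1 = not severe, 10 = very severe
    frequency: int  # 1 = not likely, 10 = very likely
    detection: int  # 1 = easy to detect, 10 = hard to detect

    def __post_init__(self):
        # Reject ratings outside the 1-10 scales the formula assumes.
        for field in ("severity", "frequency", "detection"):
            value = getattr(self, field)
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{self.name}: {field}={value!r} is not in 1..10")

    @property
    def rpn(self) -> int:
        # Severity x Frequency x Detection = Risk Priority Number
        return self.severity * self.frequency * self.detection


def prioritise(modes, budget=3, severity_floor=9):
    """Return (ranked, buried).

    ranked: every mode by descending RPN, ties broken by severity.
    buried: modes rated >= severity_floor that fall outside the top `budget`
            slots, i.e. rare but catastrophic failures the product hides.
    budget and severity_floor are assumptions of this example.
    """
    ranked = sorted(modes, key=lambda m: (m.rpn, m.severity), reverse=True)
    buried = [m for m in ranked[budget:] if m.severity >= severity_floor]
    return ranked, buried


# Constructed worksheet; the ratings are illustrative, not measured data.
WORKSHEET = [
    FailureMode("SQL injection on public web app", 8, 7, 4),
    FailureMode("Phished workstation credentials", 6, 9, 5),
    FailureMode("Domain controller compromise", 10, 2, 6),
    FailureMode("Unpatched internal file server", 5, 6, 3),
    FailureMode("Backup system wiped by attacker", 10, 1, 8),
]

if __name__ == "__main__":
    ranked, buried = prioritise(WORKSHEET)
    for m in ranked:
        print(f"{m.rpn:4d}  S={m.severity:2d} F={m.frequency:2d} D={m.detection:2d}  {m.name}")
    for m in buried:
        print(f"review regardless of rank: {m.name} (severity {m.severity}, RPN {m.rpn})")
```

In this worksheet the backup-wipe scenario has the maximum severity rating yet the lowest RPN, so a team working strictly down the ranked list would reach it last.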

This type of analysis can improve the decisions businesses make about security, Davis said, and that's important because attackers hammering away at a network need to find only one way in and don't quit after the first try.

"We need to make better decisions," he said. "Attackers can make stupid decisions and fail and try again on another machine."

Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at and follow him on Twitter @Tim_Greene.
