2013 has become the year of cyber-espionage we were warned about. This online 'Cold War' demands a faster pace and a proper analytical basis, says Tenable Network Security
"We, as far as I'm concerned, are in an arms race. It's the same old thing as the good old days of the Cold War," says Dick Bussiere, principal architect for Tenable Network Security in the Asia Pacific region. "The Russians would come up with something, the Americans would come up with a countermeasure, the Russians would come up with something else, and it never ends. I think we're kind of in a situation like that."
We've heard the Cold War analogy before, of course, and in many ways it's apt. Despite this year's constant cyberwar hype, no-one has been killed yet. So far it's all been about espionage and, in the few incidents when there has been damage — such as Stuxnet's impact on Iran's nuclear weapons program, or the hit on Saudi Aramco's computer infrastructure — it's more appropriate to categorise it as sabotage rather than something more warlike.
The Cold War analogy is appropriate in another way, too. Unlike the almost gentlemanly pace of the arms race in the more leisurely age of horse, steam and steel, in 2013 new digital threats evolve overnight — and countering those threats requires systems administrators to adopt a new operational pace.
"Networks are living and breathing things. They don't sit still. Your vulnerabilities will change on a daily basis, for sure, and you need to be on top of that," Bussiere told a recent Corrupted Nerds podcast.
Tenable is advocating what the company sees as a "revolutionary" change in network security.
"We're kind of advocating that people perform vulnerability assessment, and remediation of vulnerabilities, as a constant and continuous process, rather than something that you do on a periodic basis," Bussiere said.
Traditionally, a vulnerability scan is something done to a regular schedule, often by an external contractor. A report is given to the IT department, and they deal with it — or not, depending on their workload, focus, honesty and corporate-political priorities. Either way, nothing further is done about vulnerabilities until the next scheduled scan, apart from routine Patch Tuesday-style software updates.
"That creates significant opportunities, of periods of time, in between assessments when vulnerabilities can sneak in," Bussiere said.
A look at the numbers makes the strategy clear.
In an typical week at the US National Institute of Standards and Technology (NIST), the National Vulnerability Database collects information on 70 to 80 new vulnerabilities. In 2011, there were 5289 new vulnerabilities. But, according to Bussiere, only 14 of them were true zero-day attacks, where the vulnerability was being actively exploited before it was publicly disclosed. With the remaining 5275 vulnerabilities — that is, for 99.7 percent of them — there was at least some warning that they existed before they were exploited.
"When a new vulnerability is publicly disclosed, the attackers are going to leverage that like crazy for a period of time. If you're very early, in terms of eliminating the vulnerability from your network, you're going to reduce the window [during] which the attacker can even get in in the first place," he said.
"If you are pro-active and very agressive, or treat it as a continuous process, rather than something you do at certain periods of time, your chances of closing vulnerabilities that people can exploit is very, very, very good."
It's natural that Tenable is promoting this strategy, because they make tools for the job: the Nessus vulnerability scanner, their SecurityCenter vulnerability management platform for enterprise-scale networks, and a passive vulnerability scanner that monitors network traffic for evidence of vulnerabilities and compliance violations in real time — something Bussiere says is vital in a bring your own device (BYOD) environment, given that users' own smartphones and tablets can be completely opaque to the organisation's scanning and device management processes.
"If you ever try to scan an iPhone using an active scanner, you're not going to see anything," Bussiere told CSO Online earlier this month. "However, you can determine what apps are being used on it just by watching the traffic being generated. You can learn a lot by just watching traffic."
Tenable's passive vulnerability scanner also analyses the trust relationships between systems to determine which devices are the highest priority for vulnerability patching — a process they call attack path analysis.
"Attacks can hopscotch from something to something else. So if I find a machine, perhaps an administrator's desktop machine, and he's constantly administering [a] particular web server, well, me attacking that administrator's desktop machine is a nice vector to be able to get to the real target," Bussiere told Corrupted Nerds.
Tenable has more than self-interest in mind, however. In September 2011, continuous vulnerability measurement and reporting was mandated as compulsory for all US .gov networks, following the successful implementation of the strategy by the US State Department.
The presidential Office of Management and Budget Director used the Federal Information Security Management Act (FISMA) to require all US government agencies to report their information security readiness monthly using an automated tool called CyberScope.
As SANS Institute director of research Alan Paller told security professionals in Sydney late last year, the State Department had been measuring the risk across its networks through automated vulnerability reporting, turning that into a metric that put the many different kinds of problems onto a common scale, and communicating that data daily.
He also noted that a typical systems administrator has just 20 minutes per day to spend on security-related tasks, so the State Department would also send their sysadmins a daily single highest-priority task — one that would take them less than 20 minutes to perform.
Using this process of continuous vulnerability measurement and measured risk reduction, the State Department patched 90 percent of its machines against one Internet Explorer vulnerability in just 11 days. The traditional methods used by the US Department of Defense, on the other hand, took four months to patch just 65 percent of its machines for the same vulnerability.
The State Department demonstrated "more than 94 percent reduction in 'measured' security risk through the rigorous automation and measurement" of the SANS Institute's Twenty Critical Security Controls for Effective Cyber Defense.
Similarly, the Australian Signals Directorate (ASD), formerly the Defence Signals Directorate (DSD), has shown that 85 percent of targeted intrusions can be defeated using their "Catch, Patch, Match" strategy.