The Adversaries Live in the Cracks

Why Systems Security Engineering Matters

Before I begin, I have one request. Please don’t shoot the messenger.

The Prelude

Once we get a chance to catch our breath after the recent cyber-attacks and complete our damage assessments, we will come to the conclusion that, once again, despite all of our best efforts, the “cyber adversaries” (the bad guys) continue to have the advantage over the “cyber defenders” (the good guys). There will likely be the usual “cyber sprints” to hurriedly fix things followed by calls for a cybersecurity commission or task force to figure a way out of this continuing onslaught. But if you really want to know why the cyber-attackers always seem to have the advantage in the current environment of highly complex systems and unbridled connectivity, the answer is staring us right in the face and it is very simple—the bad guys are using systems security engineering to “attack” our systems more than we are using systems security engineering to “protect” our systems. You may conclude this seems like an odd statement, but let me explain.

Complex Systems, Valuable Targets

A former Director at the National Security Agency once said “the adversary lives in the cracks” of our systems. What he meant by that statement is today’s complex systems are made up of hundreds of thousands of system components operating in a highly-connected, world-wide network. Those components can include software, firmware, and hardware as part of the “system stack”—all coupled together forming the world’s biggest and most attractive “attack surface.” The individual components each provide some type of functionality that, when combined with the other components, give the system its overall capability. That capability is used to conduct mission essential operations in public and private sector organizations across the country—including organizations that are part of the United States critical infrastructure. And, although complexity is often the price we pay for developing the needed capabilities, it is also “ground zero” for our vulnerability.

The Attacker’s View

While sophisticated, nation-state supported cyber-attackers have additional tools and means, the first job of most cyber-attackers is to obtain as much information about the system as is humanly possible—the objective being to understand the system architecture including what each component does, the interactions among components, component dependencies, and how information flows through the different components. This is the “roadmap” inside the system that dictates the path the attackers will take to be successful. Many times, attackers will exploit weaknesses or deficiencies in the individual system components (almost always commercial products) or in how those components are put together—thus, establishing a foothold in the system and then capitalizing on that initial success to execute the next steps in the attack. To accomplish this, the attackers have to be competent “systems security engineers.” By understanding what’s in the system and how the system works, the attackers can figure out clever ways to do the unexpected—including installing malicious code in otherwise trusted applications, corrupting system processes, and subverting the supply chain. They do this from a comfortable beachhead while “living in the cracks” of the system and suppliers up and down the supply chain—often going undetected for days, months, or years.

The Defender’s View

In a previous article, I made the point that compliance-based security and cyber hygiene activities alone were insufficient to protect our systems against sophisticated, nation-state adversaries. System developers employ a “strategic” and “proactive” approach to security—viewing security as a “system property” and achieving system security through the application of security design principles, development models, security architectures, and disciplined and structured systems engineering processes. Engineering involves making informed trades and decisions—which demand the application of rigorous systems analysis methods based on the cyber-physical characteristics of systems, the sophistication of the adversary, and the seriousness of the potential effect of the attack.

In the development process, systems security engineers spend a significant amount of time and effort understanding each system component and how that component operates as part of an overarching “system architecture.” The engineers look for expected and unexpected behaviors. They do “what if” analyses as the system component interactions and information flows are studied and various risks are assessed. Achieving security is an intentional by-product of the systems engineering process and not something that can be treated as an afterthought and therefore, either “added in” or “bolted on.”

Why Systems Security Engineering Matters

So, is it possible that we are continuing to be victimized by devastating cyber-attacks because we are not spending enough time “living in the cracks” of the systems we are building and engineering solutions that fundamentally reduce our susceptibility to such attacks? I don’t know the answer to that question but I think it is fair to ask. If our adversaries are spending more time in the engineering shop than we are, we cannot expect any better outcomes in the future. We are paying people to find holes in our systems and applications instead of investing in stronger, more penetration-resistant, and resilient systems and a trusted supply chain. The end result is a full employment plan for the hackers as the bloated attack surface generates a never-ending supply of “zero-day” (or unknown) vulnerabilities.

The Bottom Line

In summary, systems security engineers attempt to make systems “securable” and “secure” from day zero. This attitude impacts the initial system requirements, how concepts of operation (CONOPS) are formulated, and the potential classes of solutions considered for the system. Failing to use an “engineering-driven” approach to build our systems will lead us to being more vulnerable to “zero-day” attacks. Systems security engineering gives us the tactical and strategic advantage we need. It takes time. It takes commitment. It is not easy. But if the events of this past week do not give us a serious cyber wakeup call, then we will see these types of attacks continue to escalate with consequences that are unthinkable.

And don’t forget, please don’t shoot the messenger.

A special note of thanks to Mark Winstead, Keyaan Williams, Victoria Pillitteri, and Tony Cole, long-time cybersecurity and SSE colleagues, who graciously reviewed and provided sage advice for this article.

Tim Weil

Enterprise Security and Privacy Management - SecurityFeeds LLC

4 years ago

Ron - Is there another forum other than LinkedIn for this conversation? My view of the IT/ICT cybersecurity space is an industry that is oversized in products and services talking to CxO level management about acquiring more budget. The catastrophic APT hack of SolarWinds/Orion NMS/SAML makes the NIST 800-53 model look silly (after nearly 20 years of engineering and deployment). I have plenty to say about Secure System Engineering (with 100 RMF accreditations under my belt). LinkedIn is not the forum I would choose. Best Regards.

Dr. Ross, So true. If defenders are not intimately aware of and maintaining the same persistent presence in “the cracks” as well, then by definition, aka ‘the usual “cyber sprints” to hurriedly fix things’, the playing field is asymmetric. Much thanks to NIST for leading the way. The new SI-7 (17) Control for Software, Firmware, and Information Integrity is an important step forward.

Sam Reddy

Vice President | CISO | Cyber & AI Risk Strategist | Zero Trust & Enterprise Security Architect | AI-Driven Cyber Resilience | Risk & Compliance Leader (CISA, CISM, CRISC, CGEIT, PMP)

4 years ago

Ron, you hit the nail with the hammer stating that - Compliance-based security and cyber hygiene activities alone were insufficient to protect our systems against sophisticated, nation-state adversaries. I have not seen any ‘cyber hygiene’ in many of the government systems; it’s just simply compliance and check the box. Unless we change the way we all think deep into the roots of acquisitions to drive “information security” in the forefront of business capabilities - it’s hard to win game...
