Cybersecurity is Relative at Best

*Note: This article was originally published by the author on August 25, 2019.*

Credit: Go Physics

Einstein’s General Theory of Relativity has many applications to the space-time continuum, with far-reaching consequences that we have only just begun to understand as a species and to incorporate into our way of thinking and pedagogy. What you may not have considered, though, is that there are many parallels between science and cybersecurity, and indeed between Einstein’s general theory of relativity and cybersecurity. Information assurance (IA), information security (INFOSEC), or cybersecurity, whatever you prefer to call it (it’s all the same thing), is a derivative of computer science in the same way that digital forensics is a derivative of criminal forensics. With IT and the Internet in particular, we’re talking about newer 20th-century technologies being overlaid onto much older 18th- and 19th-century scientific principles which explain how the universe functions.

Contributions to science were made by many more scientists than Einstein alone. There are scientific concepts and processes at play within all computer systems, operating systems, and software applications which, even among many cybersecurity professionals, are not widely understood or studied. Cybersecurity is still a very new field in the greater context of scientific study; it is developing at an exponential pace in a desperate attempt to quantify and mitigate the cyber-attack risks that continue to plague the world economy.

For as long as man has been in existence, the duality of good versus evil has been at play. It is no different with computers and the ever-expanding capabilities of the Internet. Crimes that were once perpetrated in person can now often be perpetrated thousands of miles away from the victim thanks to technology. So the question becomes: how can science be used by a fledgling cybersecurity industry to minimize the vast majority of cyber threats, given that we’ll never completely eradicate risk? The world economy and the national security of every country are counting on the cybersecurity community to come together and figure out solutions to this complex problem.

Traditionally, cybersecurity researchers have been very quick to point out a particular vulnerability or 0-day (i.e., a previously unknown major software/hardware/firmware vulnerability). They have claimed credit for the discovery of said vulnerability by publishing white papers, sending out Tweets, publishing blog articles, and presenting slideshows at security conferences, catapulting the presenters of these discoveries to near-instant “rockstar” status. Rightly so: these discoveries involve highly sophisticated discovery techniques and an expert-level understanding of the processes underlying information technology, for which researchers deserve credit. Some cybersecurity researchers may contend that finding solutions to cybersecurity vulnerabilities is not their job, and there is something to be said for that line of logic.

However, there needs to be an improved, streamlined process for how software vulnerabilities are reported and responded to that is adopted internationally. The industry already has more security conferences, consortiums, and professional organizations than it knows what to do with. But forming and adopting a universal process for how cybersecurity vulnerabilities are reported and responded to is a complicated endeavor requiring international political support and cooperation which explains why it has until now been a “bridge too far to cross.”

However, as some have begun to realize, only presenting problems is not entirely helpful, and they have asked whether we are missing something in all of this excitement. More specifically, where are the solutions to these vulnerabilities, and what is gained by coveting this temporary knowledge of a particular vulnerability? It all comes down to human psychology and individual motivations, an extremely subjective topic. For instance, is the decision to present a particular vulnerability mostly about bug bounty money, perhaps the fame, is it for revenge, or is it about improving the overall security of the Internet?

I suspect in many cases it involves a little of each. However, as we steadily creep along toward the year 2020, I don’t believe it is enough to merely present vulnerabilities and not also present solutions. The cybersecurity industry as a collective needs to develop an internationally accepted and selectively composed committee to which vulnerabilities are submitted and which is able to study the problem and publish practical guidance for industries to respond to. Some industries are quicker than others to update IT infrastructure, patch systems, and employ cybersecurity professionals to help reduce cyber threats. Others continue to do the bare minimum and continue to suffer disproportionate losses. It has become laughable, in fact, with each new day seemingly revealing new data breaches.

The Internet and everything connected to it is vulnerable; this is a fact that the world is reminded of constantly.

Some cybersecurity researchers do present solutions for the vulnerabilities they discover, and for that they should be duly rewarded. However, what the cybersecurity industry often witnesses is merely vulnerabilities heaped upon more vulnerabilities, published to the masses in the form of news articles after countless other breach and vulnerability news articles. People long ago started to tune out these types of news releases. “Oh, look here, we got another breach!”

In some cases as with the Internet of Things (IoT) product vendors, there appears to be a general lack of incentives to manufacture IoT products using a secure design approach, and instead, the approach chosen by IoT manufacturers seems to be to flood the markets with insecure products (i.e., crappy products) to make as much money as possible before government regulations are passed requiring vendors to improve security protocols. The consistent law of human nature at play here is and always will be:

Law of Nature: Humans are inherently lazy and they demand convenience over security

The Relativity of Security

Credit: NPR

Taking a scientific approach or applying a lens filter such as Einstein’s General Theory of Relativity helps cybersecurity defenders and digital forensics investigators view the current reality objectively, enabling them to best arrive at a logical conclusion of what we believe are the facts surrounding a particular event or anomaly. However, with cybersecurity, we are not so much concerned with gravitational and astronomical forces of the universe that keep planetary orbits in alignment but focus more so on attempting to mitigate known and even unknown risks to computer systems and networks that are constantly being scanned for, probed for, and exploited by cyber threat actors.

E=mc²

Dissected, Einstein’s theoretical formula consists of E (energy), m (mass), and c² (i.e., the speed of light multiplied by itself). Moreover, as Einstein’s theory relates to cybersecurity, if we choose to view cybersecurity through the lens of scientific research, we may be so inclined to apply certain filters to common problems encountered within the cybersecurity realm that can help us as cybersecurity defenders to organize our thoughts, research methods, and streamline our defensive strategies against the unpredictable and chaotic nature of attackers.

That is to say, not unpredictable in the sense that if we know there is a vulnerability it will eventually be exploited, but unpredictable and chaotic in that we don’t know exactly how or when a system, application, or Internet protocol will be abused and exploited. Is there a “sweet spot” length of time or a specific defensive approach that will help our systems remain secure more so than others? Adopting a complicated risk management framework with a “check-the-box” compliance mindset does not equal total security, as we have seen time and again. “But they passed their last audit!!” No one cares; compliance does not equal security. Remember that. Continuous monitoring and threat hunting are a requirement if your system is to have any chance at all of remaining “secure.”

Chaos Theory, Game Theory, and Nash equilibrium have been applied to help manage risk and guide incident response which I believe is a useful step in the right direction towards understanding the adversarial mindset and what type of incident response should be used. However, they do not address reducing the cyber threat. Remember, we can never fully eliminate risk, only mitigate and reduce it.

Compare Western medicine with ancient Eastern medicine: one attempts to treat the symptoms and the other the root cause of illness. You will always be behind in cybersecurity if you are only treating the symptoms of the illness (vulnerability). Accepting risk, outsourcing, or transferring risk to another party does not protect your data or systems. We must treat the root cause, how systems are engineered and how Internet protocols function together, and attempt to securely design them from scratch to reverse current exploit trends.

Quantitative Risk Analysis

Credit: The Conversation

For instance, if we take the increasing phenomenon of data breaches, one might think that cybersecurity practitioners and organizations are lost when it comes to defending computer systems, because breaches are occurring at an alarming rate. This would be a false assumption, however. No matter how much effort you put into protecting an information system, the fundamental manner in which computer systems are built, software code is written, and Internet protocols function together is full of holes (i.e., vulnerabilities) that are in some measure exploitable under the wrong circumstances. We know why these data breaches keep happening. Cybercrime, like many other types of crime, can be traced back to money.

In risk analysis, we have previously established measures such as:

  • Asset Value (AV)
  • Exposure Factor (EF)
  • Single Loss Expectancy (SLE)
  • Annualized Rate of Occurrence (ARO)
  • Annualized Loss Expectancy (ALE)
  • Cost/Benefit Analysis of Countermeasures

To compute Annualized Loss Expectancy, use the formula ALE = SLE * ARO. Nearly everything boils down to money in the end, so this formula is useful for risk managers deciding whether or not to spend money on a particular security control to prevent “loss.” It might not make sense to spend $40,000 on a particular security control (e.g., a next-generation firewall) for a system comprised of administrative-level information, as opposed to an operational system that has an uptime requirement of 99.999%. However, if that administrative-level information system contains Personally Identifiable Information (PII), then damages resulting from a data breach could far exceed $40,000. These are the types of factors that should be considered in risk analysis.
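The arithmetic above is easy to get backwards in a spreadsheet, so here is the calculation carried through end to end as an added example (not code from the original article): SLE is derived from Asset Value and Exposure Factor, ALE from SLE and ARO, and the countermeasure is judged by how much ALE it removes against what it costs per year. The scenarios mirror the article’s $40,000 firewall decision for an administrative system with and without PII; every dollar figure, exposure factor and rate below is a constructed assumption, not a measurement.

```python
"""Quantitative risk analysis: SLE, ALE and the cost/benefit of a countermeasure.

Added example, not from the original article. The formulas are the standard
ones the article lists (SLE = AV * EF, ALE = SLE * ARO). All figures are
constructed to mirror the article's $40,000 firewall scenario.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: what the asset is worth, in dollars
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0.0 - 1.0)
    annual_rate: float      # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: dollars lost in one occurrence (AV * EF)."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.annual_rate


def countermeasure_value(before: RiskScenario, after: RiskScenario,
                         annual_cost: float) -> float:
    """Net annual value of a control: ALE reduction minus the control's yearly cost.

    Positive means the control pays for itself; negative means carrying (or
    transferring) the risk is cheaper than mitigating it this way.
    """
    return before.ale() - after.ale() - annual_cost


def worth_buying(before: RiskScenario, after: RiskScenario, annual_cost: float) -> bool:
    """Cost/benefit decision: buy the control only if its net value is positive."""
    return countermeasure_value(before, after, annual_cost) > 0


# Constructed scenarios (assumptions, not real data). The control is assumed to
# cut the annual rate of a damaging breach from once every two years to once
# every ten years; holding PII raises both the asset value and the exposure.
ADMIN_SYSTEM = RiskScenario("admin records", 50_000, 0.30, 0.5)
ADMIN_SYSTEM_WITH_CONTROL = RiskScenario("admin records + NGFW", 50_000, 0.30, 0.1)

PII_SYSTEM = RiskScenario("admin records holding PII", 2_000_000, 0.25, 0.5)
PII_SYSTEM_WITH_CONTROL = RiskScenario("admin records holding PII + NGFW", 2_000_000, 0.25, 0.1)

FIREWALL_ANNUAL_COST = 40_000  # the article's figure, treated here as a per-year cost


def decision_table() -> dict:
    """Summarise both decisions so the numbers can be compared side by side."""
    table = {}
    for before, after in ((ADMIN_SYSTEM, ADMIN_SYSTEM_WITH_CONTROL),
                          (PII_SYSTEM, PII_SYSTEM_WITH_CONTROL)):
        table[before.name] = {
            "SLE": before.sle(),
            "ALE_before": before.ale(),
            "ALE_after": after.ale(),
            "net_value": countermeasure_value(before, after, FIREWALL_ANNUAL_COST),
            "buy": worth_buying(before, after, FIREWALL_ANNUAL_COST),
        }
    return table


if __name__ == "__main__":
    for name, row in decision_table().items():
        print(f"{name}: SLE ${row['SLE']:,.0f}, ALE ${row['ALE_before']:,.0f} -> "
              f"${row['ALE_after']:,.0f}, net value of control ${row['net_value']:,.0f}, "
              f"buy={row['buy']}")
```

With these assumptions the same $40,000 control is a loss on the plain administrative system (it removes $6,000 of expected annual loss) and a clear win once PII is in scope (it removes $200,000), which is exactly the distinction the paragraph above draws.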

If we apply a scientific lens or frame of reference such as Einstein’s General Theory of Relativity and adapt it to cybersecurity it might look something like this:

Energy = Mass (adversary capabilities: skills, resources, knowledge) × Speed (not the speed of light in this case, but the speed at which software upgrades and security patches published by software vendors are implemented). Further refined and adapted to our use case of data breaches, we could also hypothesize that:

Breach (Exploit) = Asset Value × Single Loss Expectancy / Adversary Cost Factor × (Speed of Execution)²

Here the Adversary Cost Factor (effort and cost, represented on a scale of 1 to 10 of desirability to an unknown threat actor) is calculated from how much effort and how many resources are required to successfully penetrate a system’s defenses, and Speed of Execution (C, the time it takes a threat actor to exploit a vulnerability) is calculated from how quickly that particular vulnerability can be exploited on a particular system under variable circumstances. This weighted equation can be used to derive a risk percentage ranking such that:

But, I Checked All the Compliance List Boxes?!? WTF!

Nope. Wrong Answer! Try again.

The fact is that given enough time and resources, any computer system can be hacked. It essentially boils down to work factors which we’ll call effort, and cost. If by your efforts to protect a system, you expend X amount of cost and Y amount of effort through a layered defense comprised of best practices, then there tends to be an unrealistic expectation that your system is adequately protected. However, if a system owner starts neglecting software upgrades and security patches, then it’s only a matter of time before the “Pwn-Zilla” monster strikes.

Employing competent cybersecurity professionals is, in fact, the ONLY way your computer systems will stand a chance against cyber intrusions and attacks. I think by now we’ve figured out that computers and network IT infrastructure components do not come securely configured out of the box. Using a robust, tried and tested risk management framework (e.g., NIST Risk Management Framework, NIST Cyber Security Framework, CIS Top 20, COBIT, ISO 27001, PCI DSS) that allows for the implementation of a layered defense is critical to the success of any cybersecurity strategy.

What should be understood, though, by every corporate executive is that sometimes even the implementation of a robust risk management framework won’t be enough to stop cybercriminals or cyber threat actors if your systems are being targeted by highly skilled, nation-state adversaries who have the time, skills, and resources (equipment and funding) to launch Advanced Persistent Threat (APT) attacks. THEY WILL SUCCEED eventually. It is a fact.

Your cybersecurity defenses cannot withstand such an onslaught. In the murky world of cyber espionage, these APT risks often are coupled with insider threats and foreign spy agents on the ground that assist in the attacks. Trust me, if the government, military, and corporate systems which employ state-of-the-art technology and highly skilled cybersecurity professionals can be hacked, then you best believe your “rinky-dink” Local or Wide Area Network (LAN/WAN) can be hacked and it will be trivial to skilled threat actors. As stated previously, it all comes down to motivation and factors of work and cost.

Setting the Conditions for Success

Which house are criminals more likely to break into? The house that looks like a fortress, with guard dogs, an alarm system, video cameras, and a frickin’ moat around the house with a drawbridge and signs stating “Beware: Gun Owner Lives Here,” or the house with all of the windows and doors unlocked and no visible security whatsoever? There’s no question which house will be robbed first. It doesn’t mean that Mr. Fort Knox’s house won’t eventually get robbed, but the cost factor to pull off such an attack will be substantially higher. It’s the same for computer systems, folks.

Harden your systems to the point where the cost factor is too high for adversaries to want to break into your system(s). You do this by following cybersecurity best practices (i.e., anti-virus, firewalls, auditing logs, etc.) and implementing a robust and well-established risk management framework such as those previously mentioned. But this alone won’t be enough to prevent a data breach.

Those cybersecurity professionals you hired also need to be given the authority and budget to upgrade software and install security patches in a timely fashion across your organization’s networks. You need to reduce the attack surface by uninstalling applications and removing services from your systems and servers that you don’t absolutely need in order to operate. Otherwise, these things present unnecessary risk to your business or organization, and why would that ever be acceptable?
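Reducing the attack surface starts with knowing what a host actually exposes. The script below is an added example (not from the original article) of the check a defender would run on a Linux server: it parses listening-socket lines in the shape produced by `ss -Hlntp`, compares each (process, port) pair against an allow-list of services the host is supposed to run, and reports the rest, flagging separately those bound to a non-loopback address. The sample output and the allow-list are constructed for the example; on a real host you would feed it the live command output.

```python
"""Attack-surface check: report listening services that are not on an allow-list.

Added example, not from the original article. Parses lines in the format of
`ss -Hlntp` (listening TCP sockets, header suppressed, with owning process) and
flags anything not on the expected-services list. Sample data is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of `ss -Hlntp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1044,fd=6),("nginx",pid=1045,fd=6))
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=901,fd=5))
LISTEN 0      50           0.0.0.0:21        0.0.0.0:*    users:(("vsftpd",pid=1230,fd=4))
LISTEN 0      128             [::]:5900         [::]:*    users:(("Xvnc",pid=1410,fd=9))
LISTEN 0      128          0.0.0.0:6379      0.0.0.0:*    users:(("redis-server",pid=1502,fd=6))
"""

# Allow-list of (process, port) pairs this host is meant to expose. Constructed.
EXPECTED_SERVICES = {("sshd", 22), ("nginx", 443), ("postgres", 5432)}

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1"}

# The first process name inside users:(("name",pid=...,fd=...)).
_PROCESS_RE = re.compile(r'\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    process: str
    address: str
    port: int

    @property
    def is_public(self) -> bool:
        """True when the socket is reachable from off-host (not bound to loopback)."""
        return self.address not in LOOPBACK_ADDRESSES


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -Hlntp` lines into Listener records; non-LISTEN lines are skipped."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is "addr:port"; rpartition copes with IPv6 like "[::]:5900".
        addr, _, port = fields[3].rpartition(":")
        match = _PROCESS_RE.search(line)
        process = match.group(1) if match else "?"
        listeners.append(Listener(process, addr.strip("[]"), int(port)))
    return listeners


def unexpected_listeners(output: str, expected=EXPECTED_SERVICES) -> list[Listener]:
    """Listeners whose (process, port) is not on the allow-list, public ones first."""
    extras = [l for l in parse_ss(output) if (l.process, l.port) not in expected]
    return sorted(extras, key=lambda l: (not l.is_public, l.port))


def report(output: str, expected=EXPECTED_SERVICES) -> list[str]:
    """Human-readable findings, one line per unexpected listener."""
    lines = []
    for l in unexpected_listeners(output, expected):
        scope = "PUBLIC" if l.is_public else "local-only"
        lines.append(f"{scope}: {l.process} listening on {l.address}:{l.port} "
                     f"is not on the allow-list; remove or disable it")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SS_OUTPUT):
        print(line)
```

Run against the constructed sample, the check turns up an FTP daemon, a VNC server and a Redis instance that nobody put on the allow-list, all bound to every interface. Whether each one is a forgotten service to uninstall or a legitimate one to add to the list is a decision for the owner, but the script makes the question unavoidable, which is the point.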

In conclusion, I think the cybersecurity industry and commerce, in general, can benefit from viewing cybersecurity threats through the scientific lens of relativity. Your system cybersecurity is relative to a number of factors, some of which you have control over (e.g., the type of security controls you decide to implement on a system) and others that you don’t control (e.g., such as adversarial motivations).

Thank you for reading! If you enjoy these articles and want to support me as a writer, you can become a Medium member. For $5 per month or $50 per year (a better deal), you receive unlimited access to Medium stories. If you use my referral link, I receive a small commission. Cheers!

Ian Barwise

experienced privacy & security engineer **stepping away from blogging for an undetermined amount of time to focus elsewhere**