Where The Dragons Are

For a discipline operating at the forefront of today’s technology, security, for better and for worse, has its roots in an almost universal, cross-cultural experience of safety. Even as our society becomes expressed more and more in essentially imaginary electrical oscillations on a network, that experience continues to work invisibly behind the security decisions of nation states and individuals alike.

In part because of this latent intuition, it is easy to make security decisions, even good ones, without an overarching thesis on how the decision operates within a wider ‘Security Landscape’ — the ‘Security Landscape’ that those adjacent to government or the military will simply call ‘Cyber’. People live with risk every day, but our strategies for ameliorating it tend to be short-sighted when applied to large information systems.

The security landscape, I put to you, has a shape: an asymptotic curve of potential impact (or danger, if you wish) over complexity (as a proxy for ease of use and ease of finding).

The oft-cited adage goes ‘anything can be hacked’, but this tells a story too thin on details to operate on effectively. Yes, pretty much anything can be hacked; but the saying really just encapsulates a fundamental axiom of risk: ‘anything can happen’.

But what happens tends to follow patterns that we would be prudent to use to the benefit of those we are securing.

The graph above describing this shape contains that infinity of “anything can be hacked”, but also contains information on this pattern — and as a result, contains every threat and every threat actor we would encounter.

To that point, at the low end, we have an infinity of low severity vulnerabilities. Here is the home of mischief makers and the needy. Things here are as simple as asking for money, or pretending to be a friend. These issues are rarely mission ending, but of course comprise the majority of attacks.

The other end, the other infinity, is where the dragons are. These vulnerabilities are of great complexity and potentially catastrophic impact, tempered only by the difficulty of finding them. This is the home of the modern nation-state threat actor, comprising every vulnerability from attacks on nuclear centrifuges to hard-disk firmware rootkits, to payloads that silently turn phones into recording devices.

Then, at last, there is the oft-vaunted middle. Vulnerabilities here are relatively easy to find in the right technical hands, and can be pretty bad. This is the darling of the bug bounty industry, where there is an inevitable incentive to find many and to find much.

All the attackers are on this graph, but the defenders are too, each in their own particular home. It’s useful, then, to focus on what a given defence strategy provides in this landscape.

Figure: a graph of incidence vs complexity for a bug bounty program superimposed on a graph of potential impact vs complexity. Bug bounty programs can find a lot of medium severity issues, but low severity issues are often out of scope, or not worth the time; and more critical issues tend to have higher-paying grey market buyers.

Bug bounties, for example, follow a bell curve on this graph with respect to incidence. If a bug bounty were your only strategy, I’d wager that, as with many single strategies, you’d be blissfully — even if reasonably — unprotected from dragons, but, sadly, also unprotected from petty fraud.

In this way, the security we practise can give a skewed idea of what our risks are. Professional security consulting can be all over the chart, but submitting to a cryptographic audit, for example, is likely to leave you woefully unprepared for attacks of middle and low complexity, committing the classic mistake I like to call ‘porting to SELinux and getting XSSed by a HackForums user with an online cheatsheet’. These attack categories exist in different complexity spaces, and improving one does not imply improvement in the other.

When you think about security strategy, I ask that you think of this graph. Who are we protecting against? How does our spending reflect the distribution of threats, and which threats do we care about? Does your focus on complex call-graph and source-to-sink security analysis tooling leave you open in some other respect that could be improved by simple lint-based conformance checks?

As defenders, we get to decide where our fights happen and over what. Our product decisions shape this landscape, even on a system-by-system basis. As you define your threats and balance them against your needs, a good rule of thumb is to spend time, energy and money in proportion to where those threats sit on this graph.

In short, we all know where the dragons are, fair knight, but few of us will ever need to fight one; and, as any good local smith will tell you, heat-resistant plate armour is going to cost you, and is not going to help as such against the poorly compensated locals and their conspicuously recently sharpened farm tools.



i’m trying http://twitter.com/zemnmez
