Catastrophic issues in security can occur, but there are ways to recover.
Speaking at RSA Conference in San Francisco, Bruce Schneier, CTO of Resilient Systems, highlighted the Sony Pictures attack as being an interesting case as it brings catastrophic risk uses to the fore, and not catastrophic as in a life ending sense, but in company terms.
He highlighted seven ways in which a catastrophic incident could be dealt with. Firstly he recommended keeping it internal to “incapsulate the catastrophic risk”, secondly consider that attackers on two axes of skills and focus and with someone who is low skilled but has a high focus would use a basic APT, but in the case of Sony this was low skills and low targets. “Why this matters for security is the difference between absolute and low security; it doesnt matter how good security is, be more secure than the other guy and in a high skill high focus they want you,” he said.
“The aAttackers wanted Sony and attackers have the advantage on internet, and never fail not to get in and against a skilled adversary, our defences don’t work.”
The third point was that Sony had bad security and a CISO who left before attack, while the fourth that there is a democratisaton of tactics, as we are not fighting a cyber war but we are seeing war-like tactics used in cyber conflicts. “The blurring between nation state and non-nation state is getting worse,” he said.
The fifth point was that attack attribution is hard and there is a broad distrust in the security community towards Government FBI. “Defence is difficult and who defends Sony, if it was North Korea it is the military, if it was hackers it is the police,” he said.
The sixth point is that incident response is difficult to figure out, while the final and seventh is that resilience is hard too, and you need to figure out how to survive and what may be the most cost effective strategy.
In terms of a solution, Schneier said that the two options were more surveillance as you cannot have one person with all of the capability, but that doesn’t work, while the second was more use control on copyright wars, on 3D printers and software defined radio and computers and cars. But, two decades of education means it does not work, so both fail.
Schneier concluded by recommending securing against technological threats and looking for defence points, and the second is a more agile response. “In a lot of cases we respond fast enough and do ok, but these are not disasters but we do need to do better,” he said.
“There are a lot of problems, so how do you determine what is worth it or not, as you don’t know what good enough security looks like. It is not like a natural threat, you can do maths on meteor strike so know what to spend on remediation, but it doesn’t mean we can do it as we are bad at this sort of risk.
“How do we defend against that sort of attack which wants to do as much damage as possible? It is not a question to worry about, but think about. Think about what they did and not who did it, and decent response – you might be forced to be transparent and what would you do if it became public? Just embarrassing or career limit embarrassing. The goal is resilience in the face of attacks. Just as I was saying since the 1990s – it is about prevention, detection and response.”
