Software Supply Chain

Microsoft has published a paper on Best Practices for a Secure Software Supply Chain.  https://docs.microsoft.com/en-us/nuget/concepts/security-best-practices

You should not be surprised that it says Caveat Emptor.  It is all about how the buyer of software must manage the risk of any corruption in the supply chain.  It is silent on the supplier's, e.g., Microsoft, responsibility.  It simply assumes that some supplier in your supply change will ship you corrupt code, essentially with no accountability.

The issue first gained notice when a supplier, SolarWinds, having failed to manage the content of its product, shipped malicious code to all of its customers.  It's response, like that of Microsoft, was "Y'all be ca'ful, heah."  

Suppliers must be held accountable for all the code that they ship.  We have become so accustomed to poor quality code, and the huge cost of "patching" that comes with it, that this idea seems somehow foreign.  However, this issue is about code content, not quality.  

I do not propose to so reform the market that suppliers would be held accountable for implementation induced vulnerabilities in their code, for its suitability for its intended use, for its merchantabiity.  I only want them to be held accountable for malicious code, whatever its source, that they ship.  Managing the content of one's product, where it came from, may be related to, but simpler than that of ensuring that it is free of dangerous errors.  

I recently asked a colleague, a famous attorney, partner in a prestigious Washington law firm, why he thought that SolarWinds had not been sued for its gross negligence?  His answer was that the injured parties were enterprises, that they did not see themselves in the role of plaintiff.  

So called "software engineers" must be held accountable to the same standards that we hold all other "engineers."  Suppliers in the software supply chain must the held to the same standards as we hold other suppliers.  Software should not be synonymous with dangerous.  

Cost of Attack

For about a year now I have been arguing that we need to raise the cost of attack against our systems.  This is best justified by observing the rate of successful extortion attacks against our systems.  Few seem to be adequately resistant to such attacks.   

However, I am also mindful of the admonition of William Thomson, the First Baron Kelvin, who told us that if one cannot measure it, one cannot recognize its presence or its absence.  So, if one is to advocate for increasing it, one should be able to talk about how to measure it.   I use the mnemonic W.A.I.S.T.   These stand for work, access, indifference to detection, special knowledge, and time to detection and mitigation.  

The first letter stands for WORK.  The cost of attack will almost always include some effort on the part of the attacker, though, of course, some of this may be automated.  Take for example, a brute force attack against a password or a cryptographic key.  The cost is that of a trial multiplied by the number of necessary trials.  The number of trials required is a function of the number of bits, digits, or characters in the password or key.  One can increase the cost to the attacker by increasing the number of bits in the password.  (One can also reduce the value of success by changing the password or key after one use.)

For example, the cost of attack agains the Data Encryption Standard was defined as the cost of an exhaustive attack against the key.  While prohibitively high at the time of the publication of the standard, it was falling in proportion to Moore's Law, as was the cost of encryption.  Thus the DES implementers proposed Triple DES which raised the cost of attack by 2^56, is standardized for use until 2030 and will still be useful for some applications far beyond that.  

Note that the work of one person may be encapsulated in tools and procedures.  The cost of attack has decreased, been made more efficient, by attacker specialization and commerce.  One rogue may specialize in capturing credit card numbers while another may buy the numbers to monetize them in fraud. 

ACCESS is the second element of cost.  The attacker must have some kind of access to the target system.  Today that may be a network connection but in the early days, it meant physical access.  At a minimum an attacker must at least be able to send a message to the target system and observe its effect.  One can raise his cost by the use of physical isolation, "air gaps," gateways, firewalls, strong authentication, or encryption.  Note that strong authentication greatly increases the cost to the attacker while the ubiquitous mobile has been reducing its cost to the defender.  

INDIFFERENCE to detection is a little more subtle but so called "ransomware" illustrates it well.  Today's attacker believes that there is a low probability that he will be reported, investigated, identified, or punished for his attack.  We can increase his cost by increased monitoring, surveillance, and law enforcement.

SPECIAL KNOWLEDGE is often key.  It includes things such as user credentials, how applications work, such skills as programming, knowledge of the victims network architecture and others.  Interestingly enough, while it is often the most important thing that the perpetrator brings to the attack, it may be the one she herself least appreciates.  One will often hear hackers talk about the low cost of an attack, completely discounting the special knowledge and skill, often acquired over years, that they bring.  The attack looks cheap to them but would require much more of the other elements in the hands of another.

The defender may increase the cost of the special knowledge of the attacker by better operational security, so called OPSEC, choosing, identifying, changing, and protecting mission critical information.  We resist the acquisition of special knowledge about our systems, applications, and data by operating in a manner designed to resist the leakage of information about them that might be useful to an adversary.  These may include using code words, and changing key information.  Think TORCH, ULTRA, and MAGIC from WWII.  Think camouflage and disinformation.  Think product, application, and server names; better to call them "apple" and "orange," than "next generation product," "payroll" and "payables."  Think "trade craft."  

Finally there is TIME to detection and mitigation.  While some breaches can succeed in hours to days, others may require weeks to months.  Again ransomware attacks are of special interest.  The time from attack initiation to successful compromise of the victims entire network has been shrinking from weeks to days, in part from the tools, skills, knowledge, improved efficiency of the attackers.  The defender can reduce the time available to the attacker by improved surveillance, detection, and threat intelligence.  

Perhaps the most efficient way to reduce the time to detection and mitigation is out-of-band confirmation of all sensitive activity.  Kenneth Chennault, the President of American Express, told the President of the United States, that by confirming credit card charges using instant messaging, AmEx was often able to detect fraudulent transactions within sixty seconds.  

Note that these elements are fungible; an excess of any one, especially special knowledge, may decrease the need for the others.  If the attacker already has knowledge of a vulnerability, credentials, or applications, then the amount of work or time to detection required may be considerably less.  Increasing the cost of any one, increases the total cost.  Increasing them all proportionally mayincrease that cost exponentially.  

Three cautions:

• "An ounce of prevention is worth a pound of cure."
• "Never spend more mitigating a risk than tolerating it will cost you."  --Robert H. Courtney, Jr.
• At least collectively and over time, even criminals are rational; they will not pay more in the cost of attack than they can expect in the value of success.

Raising the cost of attack is efficient; the cost of attack goes up faster than the cost of the measures to achieve it.  While there is an upper limit, we are nowhere close to it.  The value of success has been going up very fast and the cost of attack has not risen proportionately.  The situation is now urgent and we have some catching up to do.  

2021 The Cybersecurity Disaster Year

 2021 has proved to be a disaster year for Cybersecurity.  Events have demonstrated just how porous our cyber infrastructure is.  Perhaps for the first year in history, compromises have grown faster than the increase in use, uses, and users might have suggested.  

CISA, the FBI and the NSA have warned in a joint advisory that Russian threat actors are actively exploiting and seeking to cause disruption to IT and OT networks, especially around critical infrastructure. The advisory outlines technical details of at least 18 vulnerabilities and malware attacks.

It may well have been worse than we know.  We know that many, not to say most, of our systems were vulnerable, to the corrupt supply chain (e.g. SolarWinds) or to vulnerable open source software (e.g. log4j), at least for the time it took us to appreciate and mitigate the exposures.  Few of us know that that window of opportunity was not used to covertly install backdoors into our networks for later exploitation.  It is at least possible, not to say likely, that hostile forces took the opportunity to stockpile compromises that they did not immediately have the motive or resources to exploit.  

it seems unlikely that our adversaries, particularly nation states, missed the opportunity presented to them by these exposures.  SolarWinds was an attack, planned and resourceful.  While we can identify and remove the SolarWinds code, it is near impossible to know about,  identify, or remove covert back doors installed using it.  

How can we mitigate the risk that such covert backdoors represent?

First, we must implement process-to-process isolation.  We can no longer operate a flat enterprise network.  We must structure the network so as isolate high risk applications, such as user owned devices, browsers, and e-mail, from sensitive data and services.  We can do this in part physically structure in the network, and in part by end-to-end application-layer cryptography.

We must implement strong process-to-process authentication ("zero trust") not just horizontally, that is system to system, but also vertically, up and down the stack. For example, the application must authenticate the database manager and the database manager must authenticate the application processes that use it.  It is urgent that we isolate covert compromises, backdoors, and vulnerabilities, before they are exploited and so that they do not put the entire enterprise at risk. 

Second, we must implement a policy of "least privilege."  While such a policy involves somewhat more administrative burden than the all too common laissez faire policy, security does not need to be free to be efficient.  It must only be cheaper than tolerating the risk.  If the covert backdoor has no privileges, it can do no harm.  

Third, we must demand that software come with a digital bill of materials.  When a vulnerability is found in widely used software, we must be able to quickly determine whether or not and where, we may have instances of that vulnerable software installed.  We should not have to beat the bad guys at scanning for the vulnerability.

Fourth, we must hold developers and suppliers of products that include software responsible for the content of that software, if not for its quality, at least for any malicious code which they ship.  While we may tolerate poor quality software and the now expensive patching regime forced on by that poor quality, that is not the same as tolerating malicious code which the supplier did not even write.    

I am tempted to go on but I want you to focus on the first and second.  These are policies that are specifically implicated by the risk that our networks are already compromised but they are not limited to that risk.  They are efficient because they address the entire range of cyber risks.  

Customs and Border Protection Facial Recognition Program

 Customs and Border Protection (CBP) compare a traveler's face to the photo on their passport to authenticate their identity and associate the traveler with the information in the passport.  Historically, this comparison has been done by the CBP agent.  The traveler presented his passport to the agent who opened it to the traveler's photo and compared the traveler's face to the photo. This has been a time consuming, somewhat cumbersome, and error prone process.  

Now this process has been automated.  The traveler faces a digital camera and a computer compares the traveler's face to faces in its database, the database of photos that were submitted along with applications for passports (or visas).  If a match is found, the traveler has been identified.  This process is more complete, faster, more convenient, uniform, and less error prone than relying upon the capability or skill of a human agent.  

For travelers who have just been on a cruise, this identity check is all that is required.  Having been so identified the traveler can go straight to baggage claim. International air travelers may still be interviewed by an agent who will ask all the questions that agents have always asked, such as where the traveler has been, where they are going, and the purpose of their trip. The computer will show the agent all the information that is associated with the traveler in the database.  

Tests of this technology conducted over months suggest that the technology correctly identifies about 98% of travelers entering our shores.  Any exceptions are resolved by an agent using the same methods and procedures CBP has always used.  

While CBP has taken steps to incorporate some privacy principles into its program, the Government Accounting Office (GAO) has criticized its notices to travelers about the technology and particularly their failure to adequately notify travelers that they may opt out of the program and enter through the archaic procedures.

The American Civil Liberties Union (ACLU) is "alarmed" about the program.  They fear that "DHS has already laid out - and begun implementing - a clear plan to expand face surveillance."  Of course, this program is not surveillance but merely automation of an established application.  The ACLU is concerned that facial recognition technology in general is "riddled with bias and inaccuracies," and "the program will likely result in harms ranging from missed flights to lengthy interrogations or worse."  Here the proof is in the pudding.  So far, travelers endorse the program for its speed and convenience. 

The ACLU also fears that facial recognition technology "threatens to supercharge DHS's abusive practices."  Certainly there have been abuses at the border.  I caution clients to be prepared for them.  However, most have been abuses of their authority by individuals.  While I have faulted DHS and CBP for their failure to caution against these abuses, I have found no evidence that they were the result of policy or programs.  In my sixty years in information technolgy, I can recall no useful technolgy that was not been abused or misused.  

As a security practitioner, I have preferred facial recognition, and speaker recognition, to such mechanisms as fingerprint (recently shown to be less reliable than we have believed for a century https://tinyurl.com/fingerprintreliability) or even the precision of DNA.  Facial and speech, are the only two "biometrics" that can be recognized by ordinary people, even infants, better than computers.  We are wired for it.  Indeed, it is only recently that computers have achieved parity with people in recognizing. All the other biometrics have relied upon experts to  interpret them for us.   

 Bank Info Security carried a report today that said:

Speaking at security firm Mandiant's Cyber Defense Summit, Anne Neuberger, who serves as the deputy national security adviser for cyber and emerging technology in the Biden administration, and Gen. Paul M. Nakasone, the commander of U.S. Cyber Command and director of the National Security Agency, outlined today's threat landscape, highlighting the ability of malicious actors to penetrate federal and corporate networks.

Both federal officials underscored the threat of ransomware on everyday commerce and its ability to alter and shape foreign policy. Asked to predict whether network defenders will be forced to combat ransomware five years down the road, Nakasone answered frankly, "Every day."

The two crimes that established the reputation of the FBI were "white slavery" and "protection."  The latter of course was extortion.  We do not hear much about either any more.  We should hope for the same result from law enforcement for ransomware.  I will continue to hope and work for political pressure.  I do not accept that government can simply wash its hands of the problem.     

That said, even if I am right, it is not likely to happen anytime soon.  It is clear that today's cybersecurity is not sufficient in the light of the rate of successful ransomware attacks.  I have argued that we need to raise the cost of attack against our systems roughly ten fold.  Start with strong authentication and work toward the so called "zero trust" model in which every process restricts access to itself, protects itself from any process that can see it, and authenticates every process with which it interacts.  

In addition one must implement new backup and recovery strategies.  Current strategies were based upon the assumptions that we would have to recover a small number of files from errors, device failures, or once in forty year catastrophes.  We now need strategies that enable us to recover entire enterprises in hours to days.  At a minimum plan to recover each essential application, not merely files, and to do it in the time appropriate for that application.  For some mission critical applications that time may be measured in minutes to hours.

Plan for a successful attack on third parties on which you are dependent.  Consider single points of failure and plan on how to use alternate sources.  

It is a target rich environment and not every enterprise will be breached but one should plan for an attack as often as every year or two.  This is a "bet your business" risk and hope is not a strategy.   

 

End of the Magnetic Stripe

In 1956 my senior colleagues in "Advanced Product Planning" at IBM Research wrote a "blue sky" paper in which they visualized our modern token based retail payment system.  They could not foresee the personal computer, the mobile computer, or the Internet but they did get cards right.  Frankly, I do not think they gave enough thought to the fraud that might come with it.  It was to be another generation before we began to worry about "Data Security and Privacy" as we called what we now call "cyber security."

While it is long over due, there is finally a plan with a date certain for removing the magnetic stripe from credit and debit cards.  https://www.mastercard.com/news/perspectives/2021/magnetic-stripe/    I have argued for a plan with a schedule https://tinyurl.com/paymentindustrysecurity and I should not whine about how far out it is. This is a major change and those few merchants who cannot yet process EMV, much less contactless, deserve some time to catch up.  However, 13 years seems a little much.  

As with other innovations in this space, the plan is for the US to trail the rest of the world.  We were the last to get EMV and we will be last to get rid of the mag-stripe.  There will continue to be a lot of fraud exploiting this fundamental vulnerability in the window in this plan, but better late than never.

Perhaps there is some difficulty in getting rid of this obsolete mechanism that I do not understand.  Mastercard is clearly not bringing to this effort the pressure that it brought on the industry to adopt EMV or the Payment Card Industry Data Security Standards (PCI DSS). 

Comment:   Now I feel better.  A colleague reminded me that we do not have to rely upon the brands to eliminate the magnetic stripe; the consumer may do it for use  Cards may well have disappeared long before Mastercard's unrealistic timeline for removing the mag-stripe.  

I am close to cardless already.  I carry one card; however, I rarely have to use it; I usually pay with my watch.  I use my card at my dentist and, of course, in restaurants.  (In Europe they do not even need cards in restaurants.  On a recent ferry trip, I asked if I could use Apple Pay.  The bartender simply put his wireless point of sale device on the bar, just like in European restaurants.) 

Because of the way I carry the one card, on two recent excursions into NYC, I simply forgot it.  When the waiter presented the check, instead of putting down my card, I simply put down my iPhone with an  image of my card.  The waiter took it away without comment and returned it without comment.  I signed the credit card receipt and we were done.  

Most of my retail transactions are done with my watch.  For e-commerce, I prefer merchants who offer PayPal, Apple Pay, or Google Pay.  Many already do.  More will do so as they learn that it protects them from fraud, perhaps at a higher, but efficient, transaction rate.  

As I think about, it is almost too late to worry about the mag-stripe.  The brands can do more to resist fraud by promoting check-out proxies, than by eliminating the mag-stripe.

Should Paying Ransom be Illegal?

 Today Bank Info Security raised this question at:  https://tinyurl.com/on-paying-ransom

It seems clear that, at least collectively, we are highly vulnerable to breaches and extortion.  In order to take part of the profit out of such extortion we need to raise the cost of attack against our systems ten fold.  Not only will that take time but it may also require additional motivation; too many enterprises are electing to accept, rather than mitigate, the risk.  We know how to increase security; we lack sufficient motivation.  

It seems equally clear that paying ransom may be good for the enterprise and the perpetrators while putting the infrastructure, society, and national security at ever higher risk.  We need to discourage such payments.  This includes not being able to assign the risk to underwriters, as AXA has already said.  Such insurance creates a "moral hazard."  

Historically, I have opposed "punishing the victim" as a means of encouraging better security.  We managed to discourage the old "protection" rackets without resorting to that.   However, something must be done; society cannot leave the acceptance of existential risk to any of thousands of enterprises.  

Consider sanctions for paying extortion that escalate over time on a steep, but announced, schedule.  This could increase the motive to improve security while allowing the time necessary to do it.  

Finally, as with the protection rackets, there must be a law enforcement component to our response.  We cannot put all of the responsibility for protecting society from this risk on the potential victims.  Part of this response might include funding law enforcement out of fines imposed.  Another part might include so regulating digital currency as to make it easier to "follow the money."  We may decide that we cannot tolerate anonymous receipt of funds.