Michael Duff, Assistant Vice President and Chief Information Security Officer at Stanford University, outlined strategies to close the gap between our collective security posture and the rapidly accumulating security challenges.
“How can we win this [cybersecurity] war?” asked Duff at the outset of his keynote presentation at the 2017 Chief Information Security Officer Leadership Forum held on June 20 in San Francisco. “What I’d like us to do in this session is go through a thought exercise together to come up with the answer to this question. The gap between our collective security posture and the accumulating security challenges we face represents risk, and that gap continues to widen,” Duff pointed out.
“Why are we losing the battle?” Here are a few of the reasons Duff has identified:
• Strong financial motivation: monetization of cyber attacks
• Organized crime ecosystem: botnets for rent, vulnerability markets, PII markets, labor resources
• Widely available advanced hacking toolkits. “Anyone in this room can contact Shadow Brokers to obtain these tools and in some respects become as sophisticated as any of the world’s leading intelligence agencies,” he noted.
• Proliferation of network devices and sensors (including IoT)
• Limitless supply of software vulnerabilities
• Effectiveness of social engineering
The net effect of these challenges is:
• a vast and rapidly growing attack surface
• a dramatically expanding pool of adversaries
• increasingly powerful tools available to adversaries
• more attacks and greater efficacy
• successful attacks have a larger impact
“In order to maintain a constant risk level over time, our security posture needs to be closer to perfect every day. The margin for error is monotonically shrinking to zero,” stated Duff.
The three areas of focus necessary to win the war are prevention, detection, and resilience. “Prevention is where the bulk of our investment needs to remain,” he said. “I invite you to think about information security and protecting against threats from an economics perspective, charting the effectiveness of the attack methodologies versus the corresponding costs to the adversary. Phishing and ransomware are highly effective strategies that cost the adversary almost nothing. On the opposite end of the spectrum, breaking crypto-keys and engineering new vulnerabilities into software are generally less effective and much more costly strategies. We need to focus our resources on the former.”
Duff went on to explain that the most common causes of cyber incidents include social engineering, credential compromise, malware installed by a trusted user, software vulnerability exploitation, and misconfiguration.
Recognizing software vulnerabilities as a large component of the aggregate attack surface, Duff discussed how to reduce this threat:
• A revolution in software development is needed. “We spend a staggering amount of time on patching and vulnerability management,” Duff observed.
• Better developer training and vulnerability detection (static analysis, fuzzing)
• New programming languages and IDEs that prevent vulnerabilities. “We need new languages and development environments that prevent a vulnerability from being introduced into the code. This is an unsolved problem in computer science,” he said.
• Provable security. “This is the holy grail in security.”
“My mantra is ‘opt-in security doesn’t work.’ When two-factor authentication was optional at Stanford, our adoption rate was 3%. In late 2013 we made it mandatory for all user accounts with no exceptions, so our adoption rate has been 100% ever since. Default security is fundamental to winning the war,” Duff said.
Duff emphasized that we must have strong authentication, which means:
• Static passwords are no longer sufficient.
• There needs to be protection against credential harvesting and offline password cracking.
• “Client certificate-based authentication combined with two-factor is the only answer,” he stated. “This approach provides that rare combination of improved user experience and greater protection. You get a device, you install a certificate on it, and that’s it for the life of that device. You’ll never need to enter your static password.”
Insulation from threats, a necessary component of a winning strategy, is improved by:
• Positioning protection as close as possible to the asset (e.g., host-based firewall, application whitelisting, encryption)
• Sandboxing (micro VMs)
• Ephemeral systems (single-use servers, freshly minted from golden image every time)
• PAWS (heavily fortified, dedicated administrator workstations; no web browsing, no email; credential hygiene)
Another requirement for winning the cybersecurity war is immediate intrusion detection and instant recovery. Detection involves application whitelisting, sandboxing, detecting behavioral anomalies, out-of-band sensors, and real-time sensor data analysis with automated responses. Recovery involves backups, virtualization, and ephemeral systems.
Duff concluded by summarizing what’s not working in cybersecurity today:
• Opt-in security
• Blaming the adversary. “It’s our vulnerability that was exploited, so the fault is ours.”
• Hacking deterrence (via law enforcement). “There are just too many hackers out there for this to have any real impact.”
• Assuming internal networks are secure
• Password length and complexity
• Using identifiers (Social Security Numbers, birthdates, etc.) as authenticators
• User experience complexity
• User awareness. “Awareness training isn’t working in the long term, and it won’t win the war. Our user community shouldn’t have to be information security experts,” stated Duff.
ABOUT MICHAEL DUFF:
Michael completed his undergraduate and graduate degrees in computer science and physics at MIT. While there, he founded an electronic medical records company and later served as CTO of the acquiring organization. Michael then devoted a year to teaching undergraduate and graduate computer science courses as a Visiting Instructor at Miami University in Ohio before relocating to the Bay Area, where he led the information security program at SRI International in Menlo Park for the next 11 years. Michael joined Stanford University in May of 2012 and ascended to the Chief Information Security Officer role in November 2013.