Monday, April 27, 2015

Thoughts on The Irari Rules

I’ve had the pleasure of knowing Ira Winkler and Araceli Treu Gomes for over a decade now.  Both are quality and insightful security professionals who raise the bar within our industry.  As such, I’ve enjoyed reading their joint commentaries on various security issues and challenges over the past few months.

Winkler and Gomes’ latest contribution to the fight is “The Irari Rules” (named after a combination of their first names).  The relevance of the Irari rules for determining the true technical sophistication of an attack cannot be overstated;  it is easy for business leaders and other technology professionals to talk about a new level of sophistication in attacks when in reality we are seeing increased efficiency and volume around highly predictable (and preventable) attack vectors.  That being said, Winkler and Gomes take a slight – and, in my opinion, erroneous – detour in their conclusions which may obscure some of the important messaging we all need to hear.

Think about what the Irari rules are advocating for a second:

  • Use anti-virus or anti-malware software
  • Patch your systems
  • Use multi-factor authentication
  • Change passwords frequently
  • Create detailed, realistic, holistic education programs
  • Turn on and monitor your alert mechanisms
  • Segment your networks
  • Aggressively manage user accounts and their privileges

None of this is rocket science -- nor is it anything that we as security professionals haven’t been saying for the better part of two decades, with arguably the same level of mixed (poor?) results.  Yet clearly something has changed within the ecosystem given that (a) the number of compromised records per breach has increased exponentially; and (b) concern regarding breaches has entered the mainstream consciousness.  So if it’s not the sophistication of the technical attack…what’s going on?

Winkler and Gomes posit that the “new normal” for organizations should be to “expect to be targeted by people with more than a trivial level of skills and the time and resources to search for blatant vulnerabilities.”  This would seem to support an argument for the efficacy of a more sophisticated attacker as opposed to a more sophisticated attack – which results in higher levels of risk overall to an organization.   Remembering the basic multiplicative risk formula of (T)hreat x (V)ulnerability x (A)sset-Value, a more sophisticated threat can make better use of existing vulnerabilities than a casual aggressor.  Continuing the lock analogy used in their article, the issue isn’t whether the door is locked or not, as security is rarely so binary a calculus; rather, it’s the newness and maintenance of the locks in place.  While these locks may be sufficient to stop an opportunistic intruder, a focused intruder with moderate skills could defeat these locks (single-factor authentication; static passwords; etc.) with relative ease.

There’s another factor in the risk equation that Winkler and Gomes have failed to consider:  asset value.   While consumers have not yet fully rationalized their willingness to achieve convenience and personalized service via providing personal data with their concerns over its use, the value of data to both individuals and corporations has increased dramatically.  As the value and proliferation of data within organizations increases, the security professional must reevaluate whether the locks remain sufficient and are sufficiently maintained to mitigate risks within the environment to an appropriate level. 

Winkler and Gomes conclude that “(c)laims of sophisticated attacks deflect blame, obscure the need to make improvements and attempt to shirk responsibility for implementing poor security efforts.” In this I agree…but only to a point.  Yes, claims of sophistication can contribute to obscuring the need for improvements, but the argument for improving programs rests not on eliminating that obscuration but on removing our own profession's obfuscation of risk issues.  Fundamental blocking and tackling within a security program is essential, yes...but even the best managed programs can’t bring risk to zero.  As we do the blocking and tackling to eliminate vulnerabilities, it is equally critical to acknowledge attacker (versus attack) sophistication as well as the marked increase in the asset value of data.  In this environment, yesterday’s locks and windows (read:  yesterday’s security program implementation) won’t keep the bad guys away.

My two cents…

2 comments:

  1. I don't know if my other comment posted, but here it goes again. I think you are trying to over-interpret the article. The purpose of the article is to specifically identify whether an attack is sophisticated or not.

    If there is a conscious, risk-based decision not to implement a common countermeasure, great. However, don't call an attack that results from exploiting the lack of the countermeasure "sophisticated".

    There is no deeper implication implied. Sadly as Ari and I write, something this basic is needed.

  2. Great write-up. I agree with it, but would offer a different take on it.

    The premise of "declaring" an attack sophisticated or not by creating a set of rules seems entirely irrelevant and is a useless metric of measurement. The sophistication of any attack can only be individually measured against the target and whether or not it succeeds. In theory, if an attack succeeds, wouldn't the attacker be more sophisticated as a matter of rule? The article discusses the Target and Sony breaches as examples of breaches that satisfy their set of "rules for unsophistication". It's not clear if the authors actually thought through their rules and their applicability beyond the Target and Sony examples, but the notion of a test for sophistication is laughable and shows a lack of thoughtfulness on the authors' behalf.

    The problem with such broad and open-ended rules is that every breach ever reported violates one or more of those rules, meaning no breach has ever been "sophisticated" in the eyes of the two authors. For example, the Natanz/Stuxnet breach has always been considered very technically sophisticated, but rules 1,3,4,5,6 were violated, meaning the attack was not sophisticated. The Edward Snowden/NSA breach violated rules 3,6,7 and was therefore not sophisticated. The entire portfolio of attacks and methodology of the NSA contained in the Snowden leaks seems very technically sophisticated, but since one or more of the rules would have to be violated, their use is also not sophisticated.

    If you actually put their rules to the test, the result is that any successful breach would have to violate one or more rules, meaning the authors think there has never been a single sophisticated breach. I'm sure this was not their intention. This is where context of the audience is important. The intended audience of the article will walk away thinking the Sony and Target breaches were not sophisticated at all, while any security professionals walk away with something completely different.

    The article, written for a consumer-centric journal with an audience very different from people that actually know security, lacks nuance and thoughtfulness by design. It is similar to all those CNN or Buzzfeed articles that talk about "how to secure your digital life" that tell you to pick a better password, not use WEP, and not give out your vital details to people calling you from a Skype number. It's useless babble that no industry professional takes seriously.

    I know scant little about Ira, and have never heard of or read anything from his co-author and only did a cursory search of her bio. But if you've read his book (I have) or have seen him on TV, it seems neither are really contributors to the world of security and solving security problems, but are essentially "security pundits" who weigh in and write articles based on what they read in the news. So if you are looking for a thoughtful discussion with actual solutions, I'm not sure this pair will deliver.

    With that perspective hopefully you will take from this what I did, that it's a fluff piece geared towards a totally different audience than you or I.
