IT@Intel Blog

IT@Intel Blog : November 2007


To defeat cyber attacks, we must first understand their characteristics and how they come about. Deconstructing threats is a way of comprehending the factors which drive information security strategy. Without understanding the nature of attacks, an organization is destined to thrash about trying to effect change, only addressing symptoms and oblivious to the root causes of the problems.


In the Beginning
The most important aspect to comprehend is that all malicious security threats and attacks begin with a person who has an objective. This person is the attacker, sometimes referred to as the 'Threat Agent'. Make no mistake, a virus is not the attacker. The author and implementer of the virus is the attacker. Eliminating a virus is a short-term solution to the symptom of the problem, leaving the threat agent to find another method to achieve their objectives.

Threat agents are people and therefore driven by human nature. People compelled to expend energy manifesting in an attack on your organization have some desired outcome, a goal in mind. Their objective may be vague or precise, motivated by passion or logic; it may be inspired by emotional, intellectual, or economic needs. Their actions may target you directly or your organization may simply be caught in their sweeping net of activity. The permutations are mind-boggling, especially when you take into account that attackers include trusted persons intimately associated with the organization. Most importantly, they are thinking opponents who may plan, react, adapt, weigh options, and make decisions necessary to achieve their objective. Security success is heavily dependent on never losing sight of this key perspective. Attacks and threat agents are irrevocably tied together.


Building a Model
So if you have an attacker and their objective, the only component missing is the means for this person to achieve their goal. This path is the method. In reality, it is most likely a number of methods which are evaluated, with one or more eventually employed. The term 'vulnerability' is a catch-all phrase used to describe these methods. The term itself is far too broad to be meaningful. Anything can be a 'vulnerability', including a security control itself. If you have a deadbolt on your door and someone kicks it in, an expert may declare the deadbolt is the vulnerability. Somewhat absurd, which is why I personally dislike using the term. So don't expect to see that word much from here forward.

What do methods look like? It depends on the attacker, what opportunities are available to them, and their objectives. If an attacker is seeking personal satisfaction through ego gratification of power, they may decide to employ a Denial of Service attack to show they can affect a target network. An accounts payable employee may secretly use their legitimate access to issue checks to collaborators for their personal financial gain. Again, the possibilities and permutations are as vast and varying as the people involved.


Threat Model
This basic model is straightforward. A threat agent, willing to put effort into an attack, has an objective in mind and selects one or more methods to succeed. Once committed, they initiate their plans and the game begins. Defenders may put up obstacles and close possible methods, and the attacker, if still motivated, will respond.

http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-10761-1168/Threat+Model+6.bmp


Defeating the Attack
The game continues until the attacker succeeds, the attacker is removed or demoralized, the methods are rendered ineffective, or the objective is removed. Removing the attacker is a good but very difficult prospect, usually involving some type of law enforcement. More often the attacker is demoralized by making the prospect of achieving their objective very costly, so they either give up or move to an easier target.

Prevention activities are heavily weighted toward closing the most likely methods. This is a good strategy, which scales across many different attackers, but the simple fact is that an attacker only needs one winning method to triumph. Much of the effort to close different paths to the objective is intended to make it progressively more difficult for attackers to succeed. Not every path or vulnerability (ugg, hate that word) must be eliminated, only the ones on which the attackers are willing to spend effort. The more inconvenient and inhospitable the environment is for the attacker, the better it is for the defending organization.

Lastly, removing the objective from temptation makes an attack pointless. The famous bank robber Will Sutton purportedly replied to the question "why do you rob banks?" with "because that's where the money is". The same no-nonsense principle applies to information security. Take away the objective, and the very reason for the attack is undermined.

Understanding the characteristics of attacks is paramount to good security strategy. It helps clear the fog of effectiveness and provides a perspective on how attacks can be stopped in a coordinated manner.


Ethics represent the very cornerstone on which any security organization is built. Without them, a security team is doomed. They will not be respected, only feared; they will not be supported, only ridiculed or ignored. It is a downward spiral of failure for security organizations practicing unethical behaviors. Management and customers will lose faith, leading to a loss of funding, access and representation. Resources, tools, and overall capability will diminish, leading to loss of effectiveness and value, further advancing the loss of faith by management and customers. Concealment, inconsistency, indifference, or treading in the gray areas of ethics is just prolonging the inevitable trip on the downward slide to defeat. So how can it be that many security professionals have a casual attitude and apathetic commitment toward ethics?

I have been reading some disturbing stories about security professionals being unethical and in some cases fired or arrested for their activities. The stories aren't hard to find. Trusted security people breaking into systems and networks, deciding not to report criminal activities, or ignoring inappropriate activities to avoid complications are common examples of poor ethos. People violating policies they are employed to enforce and uphold is downright despicable. In many cases, what is worse are the comments left by readers, condoning inconsistent behaviors on behalf of security. Comments like "pick your battles", "follow your conscience", or that you should only be ethical if others are, are very upsetting.


Reader Beware
I am a fanatic about ethics. I firmly believe ethics, following a code of conduct, is the foundation of every professional security organization. Without consistent ethical behavior, a security team is destined for failure, will open the organization to increased liability and sour future investments in security.

Okay, let me be the first to admit, I have it easy. The security professionals I have the pleasure to know and work closely with are of the highest moral caliber. I am fortunate to work in an organization which embraces the principles of ethics. We derive our support from the corporate principles which are ingrained within the company as a whole and are driven out to all corners. My company (I am a shareholder too) spends time to train, discuss, and reinforce ethics with all employees.

I support ethics in all vocations, but some are more important than others. Security personnel must be held to a higher standard, just as judges and law enforcement must be viewed as incorruptible. Ethics must also reign supreme in financial and medical industries as well. Nothing less is acceptable. We too, as security professionals, should be put under the microscope and make firm commitments to consistency and the highest level of behavior. Our organizations place trust and faith that we will be honest, capable, and perform our duty in an unwavering manner.


Intel's Security Operations Center - Code of Conduct
When I spun up Intel's Security Operations Center, every employee was trained on ethics and we developed a Code of Conduct to ensure the expectations were clear and that as a team we would all conduct ourselves in a conservative manner.

Intel's Security Operations Center - Code of Conduct
1. Provide diligent and competent service to principals
  • Provide timely, professional, and productive response to our customers, peers, vendors, business partners, and management
  • Act honestly, justly, responsibly, and legally
  • Act impartially to all groups, persons, and organizations

2. Protect and conserve Intel property, resources, and reputation
  • Preserve and protect the value of corporate systems, applications, and information
  • Operate fully within the law, observe corporate policy, and align efforts with standard operating procedures
  • Disclose waste, fraud, abuse, and corruption to appropriate management or oversight bodies

3. Promote and preserve company trust and confidence of the team
  • Take care not to injure the reputation of the team through malice or indifference
  • Be truthful and accurate in representation and all communications
  • Respect the trust, access, authority, and privileges the company grants you
  • Promote, comply, and reinforce company security policies, procedures, and intentions
  • Avoid conflicts of interest or the appearance thereof


Everyone is ethical, right?
Ever ask somebody if they are a good person or ethical? I will bet you will hear some variation of the same answer, "Yes, of course I am!" How many people openly admit or believe they are not ethical? So are you? Yeah, exactly what I thought you would say.

So, Mr/Ms Ethical, you wouldn't be averse to answering a few ethics related questions? These are a subset of questions I ask when delivering the ethics class to our Security Operations Center. They should be easy for an ethical security minded professional such as yourself...

1. You are conducting a confidential investigation of Employee 'A'. An employee outside the team asks, "Are you investigating Employee 'A'?"
   You answer:
   A. Yes, we are
   B. No, we are not
   C. Maybe
   D. I'm not sure/I don't know
   E. Other: _____

2. Policy prohibits any team member from installing software on Server 'A'. In an emergency situation, senior management instructs you to install a critical piece of software on Server 'A' to benefit the company.
   You cite policy and:
   A. Install the software
   B. Refuse to install the software
   C. Document the request and install the software
   D. Document the request and refuse to install the software

3. You are aware state law prohibits any team member from removing software on Server 'A'. In an emergency situation, your management instructs you to delete a critical piece of software on Server 'A'.
   You cite state law and:
   A. Delete the software
   B. Refuse to delete the software
   C. Document the request and delete the software
   D. Document the request and refuse to remove the software

4. Your manager instructs you to do something which is contrary to normal operating procedures. What do you do?
   You cite the normal operating procedures and:
   A. Do what is asked and report the incident to senior management
   B. Refuse to do what is asked and report the incident to senior management
   C. Document the request and do what is asked
   D. Document the request, refuse to do what is asked, and report the incident to senior management

Life is vague. Ethics don't need to be.
We all find ourselves in unique circumstances which are complicated and tricky. Applying a code of conduct illuminates the right ethical path. Allowance of 'flexible ethics' and 'gray area' practices is ultimately self-destructive and leads to instability and demise. Make a stand.


So what are the answers to the above questions? Well, as we all indicated we are ethical, there really is no need for me to provide the answers. We all know them.


In this videocast, I talk about some of the key tools used at Intel to understand current and future risks and threats (including secret agents!).

Some links to additional information are below...




What are the tools you use in managing risks? Are they off-the-shelf or developed internally? And do you ever get to wear a tux while at work?


Here are some links for more information:

My presentation on corporate infosec Wargaming for the upcoming Intel Premier IT Professional (IPIP) events:
Security Wargaming Best Practices

Our Threat Agent Library is available for anyone to use. A whitepaper describing it is here:
Threat Agent Library Helps Identify Information Security Risks

Matthew Rosenquist's latest blog on security is a great discussion about Security in Depth:
Defense in Depth Information Security Strategy


On Friday, November 2nd, 2007, our friend and colleague, Rob Carpenter, passed away suddenly. He was an incredible man, father and friend. His work with pre-testing and validation of new technologies for the Intel data centers will continue to live on. In fact, he had just filmed a follow-up video blog, Intel IT 45nm test results, on the Wednesday before his passing. With the permission of his family, we have posted the video. He was passionate about his work and sharing his knowledge with others.

It may be out of the ordinary for one to find eulogies in a community sharing IT best practices, but Rob was and is a part of our community....the fabric of who we are. In honor and memory of Rob, I am republishing, with permission, some stories from his son Justin. Rob didn't want a formal memorial service, instead he requested that he be remembered with "fond stories over coffee with friends." Grab a cup of coffee.......

"My earliest clear memories of him are from the early days of his private law practice, and his postdoctorate work in applied mathematics on the side, in his early thirties. He was just as amazing then, brilliant, twenty years ahead of his market (already thinking about standardization of computer networks and how one scheduled protocols in a protocol-heterogeneous environment where "pipe is pipe and traffic is traffic," before many families even had microcomputers). His excitement and sincere enthusiasm was infectious, his integrity was already the stuff of legend, and he was never content to rest his mind.

Even at the time of his death, he was working on numerous projects with Intel, and at the same time, teaching a course at Berkeley's College of Divinity School of the Pacific in Benedictine contemplative meditation, serving as a volunteer subject matter expert in HAM and emergency radio technology, applying to be an oblate (layman participant in a Christian monastery, often part-time on weekends), avidly pursuing semi-professional photography as a hobby and passion, beginning to pen a second book unifying Christianity and Buddhism meditative traditions, and regularly conversing with me about my in-progress graduate work in the epistemology of mathematics. He never needed to read the texts I read; he simply asked for a two-sentence summary of their arguments, and could immediately form better arguments than the authors themselves.

When I was four years old, I asked him what he was teaching in the evenings to take him away from Mom and I during cartoon time in the evenings, and he explained that it was applied math for physics. I blinked, and said with a mumble that I didn't think I could do anything that hard, and he looked very surprised, sat me down at the dining room table, and proceeded to teach me algebra, basic trigonometry and the principles of calculus in two amazing hours. We started doing lessons instead of after-dinner TV, and by the end of the semester, he gave me one of the tests (no doubt simplified a bit) from his class. I passed it (with I believe an 89), and he said to me very seriously, "Justin, NEVER say that you can't do something that seems hard. You can do just about anything if you really try. I want you to promise me that you're not going to avoid doing things that look hard at first." I promised him that I wouldn't, and I find myself repeating that promise often, as the many grim realities of the current situation set in.

His courage was amazing. During early 1995, our family was under a standing death threat from two different crime syndicates due to my father's diligence as district attorney in prosecuting the people responsible for drug trafficking to New York through a Palenville airstrip. He never showed stress, never changed his routine beyond asking for a police escort at times. He'd sit calmly, albeit away from windows, with his ubiquitous glass of caffeine-free Diet Coke, and converse with us from a room away. The conversations were like any other evening, just a little louder.

I learned yesterday, after speaking to some of his friends in law enforcement in New York, that the situation was much more serious than I ever realized, and that he had a strong reason to believe that his life was very much in danger that evening. As we sat and nibbled dinner in two rooms, our house was under armed guard. My mother and I never knew. You could never judge the severity of a problem by my father's composure, as it never faltered.

It has been difficult to explain to people why there is no memorial service or funeral planned. My father held a memorial service for my mother, but asked that he simply be cremated and scattered without ceremony. When I asked him about the needs of the living to gather and remember, he suggested that those who wished to remember him, as best I can remember the quote, "go out for coffee, or pie, or breakfast, and come together as the living in a moment of life." He explained that he did not want people in mourning clothes, with their eyes held low, listening to somber songs in a rented space -- that the way to remember life was by imitating life, not by entering the atmosphere and mood of death.

And so, there will not be one memorial service for my father, but many. There are moments of silence in Mt. Tremper where he attended the monastery, and a dinner in New York this weekend to toast, quote, "the finest district attorney the state has ever seen." There will be tears shared among his many friends at several Intel sites, and fond stories of him at the next Sierra Foothills ARC brunch. In Tampa, there has been a memorial every time I've opened my mouth to speak in the last five days.

There could be no one memorial large enough to encompass even most of the lives he touched, nor could even his closest fifty friends attend one, no matter where it was held. I considered holding one despite his wishes -- I am certain he would have understood the need of the living to mourn -- but I realized that his life was too big to bring into a room, or even a small concert hall. He had close, dear, personal friends in several countries and nearly every state, and every one of them was touched by his presence and would feel the need to be there. Robert Edmund Carpenter, the man so loved that his memorial service required an event space the size of the internet.

There will be many memorials, you see. Every time you and others sit and remember him to one another, tell stories about his life, be they funny or amazing, every time you remember something he told you, or share him as an example to others, you are celebrating his life. Every time there is pain, or better yet, a happy anecdote to share, we can come together and share it -- and you will hear, first- or second-hand, the anecdotes of others passed on for sharing.

This is, I think, why he wanted it this way. No one is left out, no one is "unable to make it," no one is forgotten, and the memorial takes as long as it needs to, for every story to be told, for everyone to be a part of it. When I think about it this way, I think he really had the right idea, and though I cannot imagine being even a pale shadow of the man he was, when I pass, I hope to be remembered the same way, through fond stories over coffee when I'm remembered now and then."
