[Dailydave] With great responsibility comes great power.

Ari Takanen ari.takanen at codenomicon.com
Sat Jun 30 03:35:06 EDT 2007


Hello Lyndon,

> Date: Wed, 27 Jun 2007 12:02:12 +1200
> From: lyndon sutherland <lyndons at paradise.net.nz>
> Subject: Re: [Dailydave] With great responsibility comes great power.
> To: dailydave at lists.immunitysec.com

[snip]
> More seriously though, the paper "Cyber Warfare, An analysis of the
> means and motivations of selected nation states" from Dartmouth provides
> some insights:
> http://www.ists.dartmouth.edu/directors-office/cyberwarfare.pdf
> The paper is dated December 2004 so could be considered a little dated
> but certainly in my opinion worth a read.
[snip]

Thanks for the link! Browsing through the 142 pages of speculation,
they finally caught the key point in two lines on page 132: 

"Resolve currently known software and hardware vulnerabilities in
operating systems, server software, SCADA systems, and DCS systems."

One could even take this further and say: Identify all critical
systems (network equipment, operating systems, server software, client
software, SCADA systems, and DCS systems), and test them for
previously unknown security vulnerabilities using all possible
means. For those systems that are used in critical systems, resolve
all found or currently known software and hardware vulnerabilities.

The situation in cyber-war is very simple:

* attack capability: how many vulnerabilities (publicly known or
  unknown) you know about (accurate metric)

* defense capability: how many vulnerabilities (known or unknown) you
  have in your systems (estimate metric)

* threat: how many attack programs against those the opponent has
  (estimate metric)

Fix the flaws you have, and you are secure. Do not fix the flaws that
the opponent has, and you have ammunition. The strength has nothing to
do with the size of the budget. Unfortunately today you do not need to
spend any resources to have a cyberwar capability. Attacks are freely
available, and most defenses are down.

The greatest weakness today is that nobody is interested in testing
the defense capability. If I showed a SCADA vendor a bunch of
minus-infinity-day (well, it is not a zero-day if nobody but me knows
about it) flaws, they asked me if their customers knew about these
flaws. You know what happens if I said their customers will never know
about those flaws. That was several years ago, and the flaws are still
there, waiting for their adversaries to find them.

Most vendors are not interested in investing in proactive
security. When the flaws are not known by anyone but a trusted party,
they will not be fixed. When the vendors are made to understand
that this is the wrong attitude to security, we would not need public
disclosure any more. Eliminating public disclosure in one way or the
other would change the landscape significantly! People would have to
find their own vulnerabilities to be able to exploit them.

Best regards,

/Ari

-- 
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen                       Codenomicon Ltd.
ari.takanen at codenomicon.com       Tutkijantie 4E
tel: +358-40 50 67678             FIN-90570 Oulu
http://www.codenomicon.com        Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-

