Managing Network Security

Time-Based Security

by Fred Cohen


Series Introduction

Computing operates in an almost universally networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


Winn's New Book:

I just got a chance to read the draft version of Winn Schwartau's new book titled Time-Based Security and I thought it would be worthwhile reviewing the book and discussing some of the issues he covers.


A Book Review

It's a first for me to put a book review into one of these issues, but I think it's a good starting point for this issue.

First and foremost, in my personal view, Winn has out-done all of his previous books and articles and other publications and presentations combined with this new one. While it still has all the quirks that makes it a Winn-er, his book has five winning qualities:

Having given you the good points, it's only fair to mention a few limitations:

From this, it would seem that my opinion is 50-50 on the book - but - it's not. It's 80-20... In my view 80% of everything Winn says in this book is on the mark... and the 20% that isn't - isn't the important part for the non-technical reader. Anybody in information security would be well advised to read this book... - and - so would anyone in management - with a critical eye.


Fred's Content Summary

Several people I have talked to indicated to me that Winn's book could be summarized in about 5-10 pages without loss of content. If we ignore the examples (a foolish thing to do), we can probably get it down to one page - as I have done here:

And now - for my summary (-) and critique (+) of the book:


Time is Fundamental

In a course I was giving on strategic gaming for information security earlier this week, I told the participants that time was a key issue in the particular scenario. I heard what to me was a strange question from one of the participants. She asked: "What do you mean time is the key" - or some such thing. It was strange to me because - as my answer reflected - time is fundamental.

In fact, time is so fundamental that we often ignore it in our teachings and publications on information protection. It is almost too obvious to say - and that's why we don't say it often enough.

Imagine how information security would be if there was never a rush about anything. Someone breaks into your network, but since time is not important, we'll just ignore it till we have the time to deal with it. It would be a simple and cost effective matter to ignore everything forever - because time didn't matter. And for the attacker, the same thing holds. Suppose you can guess authentication codes forever and never get caught. Eventually, you will come across any authentication code ever used and be able to do anything any authorized user could do.

Getting back to the course, I explained to the participant and the rest of the group that in the particular scenario, time was everything. The losses were piling up at a rate of $100M per day, so playing for time while losses were temporarily stopped was a very good idea. More time means more of a chance to mitigate the harm. Less time for the attacker means that it's harder for them to get their job done. I expanded on the point by noting that - as is well known in the military - if you can get inside the opponent's decision cycle, they will be making decisions about what you did yesterday, not what you are doing now.

In thinking about Winn's book, I thought it would be worth reviewing the previous articles in this series that referred to issues of time - just to demonstrate how much time plays into things.

I don't want to go all the way back - but I think the point is made. Time issues are a common thread throughout the security trade and issues that we deal with constantly. In some sense, Winn has done us all a big favor by bringing them together in his book because it may help many of us think about it more clearly.


Understanding Issues of Time

Time is money - so the saying goes. The question is, how much money does how much time cost or benefit in different situations. The connection between time and money in network security is very non-linear and very situation-dependent. For that reason, when we diagram security situations for the purpose of analysis we often use graph structures (i.e., pictures with nodes and links between the nodes). Nodes denote the different situations (often called states) while links denote the different things that attackers and defenders can do in each situation (often called moves). As the situation changes, the financial value of moves change.

At a strategic level, defenders try to design defenses so that under the attack strategies and tactics anticipated for the threat profiles that are of concern, the return on investment in protection is optimized. We can use local optimization - the most common analytical method - or global optimization - which is quite complex and difficult to do.

At a tactical level, defenders normally try to make moves that will optimize their moment-to-moment performance - even though these moves may be more harmful in the long run than other moves that would be indicated by global optimization.

Attacker strategies tend to concentrate on how they will try to traverse the graph. Sophisticated attackers will likely have an attack graph planned out with options for different situations and an overriding objective. Less sophisticated attackers simply try moves until they find something that seems to work and see what they get and where they can go from there. Tactics for the sophisticated attacker include stealth, taking advantage of normal responses of the defenders, and so forth. Tactics for the less sophisticated attacker consist of trying things that have worked before.

The notion of prevention, detection, and response, is particularly useful when considered in terms of time issues. In the graph model we can think of prevention as a method for stopping attackers from making transitions in the attack graph - in other words - from changing from one situation to another. Detection can be considered in terms of noticing that the situation has changed (i.e., transitions in the graph or the situation being in a particular node). Response can be thought of as a process of changing the situation to a more desirable one (i.e., forcing a desired state transition).

Time in this model acts to change the situation. For example, if an attacker has induced a situation where information is being corrupted, time will tend to cause the corruption to be more complete and the loss to be worse. In the case of denial of services, the longer service is denied, the greater the loss, and thus the situation goes from bad to worse - perhaps eventually getting to the point where it no longer matters. If information is being leaked, time causes more and more to be leaked and less and less held in confidence.

Time can also act for the defender. If an attacker spends time attacking and fails to reach a desired state, it costs the attacker time and money while the defender prevents a loss. Slowing down the attacker and speeding up the defenses both give advantage to the defender. Even if the attacker reaches a state where there is a loss, the defender who is able to detect and react quickly may mitigate most of the loss.

If we look at the costs of prevention, detection, and response, one of the most noticeable things we find is that preventing all of the state transitions is very expensive and when we try to do it the resulting inhibition of legitimate business function becomes oppressive. Detection has its own problems, the chief one being that detection can never be done perfectly in practice. There are always false positives and false negatives and detection takes time. Even if we had perfect and instantaneous detection, our ability to effectively respond is limited by the fact that we don't know how to do appropriate response based on the situation and response itself takes time.

It seems clear that if we are to measure time in terms of money, we need financial models of situations. This in turn requires a system of modeling in which the model changes as dynamically as the environment it models. The model must be fed financial and security information on an ongoing basis and the set of prevention, detection, and response capabilities must be adapted with time to meet the changing business environment.


We're Not Up To It... Yet...

As much as I would like to see this happen, I fear that the security community is not yet up to the task at hand. We don't have the time or money to build accurate models of situations and adapt them with time to determine what optimal set of prevention, detection, and response capabilities to place where.

Even if we had the modeling capability - something I have been working on a lot lately - we don't yet have good detection capabilities - in fact, many of our current capabilities are laughable. But even if did have better detection capabilities our ability to respond today is extremely limited - not by the lack of technologies - but by our lack of understanding how to use them.

While we lack understanding today, I don't think this will last very long. There are research teams throughout the world that have been looking at these issues for the last several yeas and journal and conference papers on these issues have started to appear. The understanding we are now forming for information protection appears to be solid and is based on many years of work understanding physical security - which deals largely with the same combination of prevention, detection, and response.

I am fairly confident that we will have the theoretical means to analyze these situations in the near future, and we have them to some extent today. But it is not the theory that will be the real barrier. The real barrier will be our ability to apply the theory to the rapidly changing environment that makes up the face of computing today.

It is my feeling that the time has just about passed when large corporations will continue to buy poor quality computerized solutions that have to be replaced every year or two. In the security game, enough major companies have invested in poor technology that they are starting to become properly skeptical. But until the rapid pace of changes in the computing industry slows, I find it hard to believe that we will be able to do the necessary security engineering to constantly change our protection to reflect the daily changes in the computing environment and do so efficiently and with a proper mix of prevention, detection, and response.

Having shown my skeptical side, I want to end on an up beat. The next wave of automated defensive tools for networks is about to show up - and it looks a whole lot different from the current face of things. It is based on fully distributed automated response systems that detect attempted intrusions and act to mitigate their effects in real-time. The effect on performance of networked systems is nominal, the installation is simple and quick, and the defenses are very inexpensive to implement and operate.

Unlike the fortresses of old, they allow completely open environments, and unlike the fortresses of old, they are not intended to stop anything from ever happening to your networks. Rather, they are designed for a running battle in which attackers have their successes and defenders have theirs as well. Under this new wave of defenses, we no longer have a hard outer shell and a gooey center in our network defenses. Instead, it's land mines and snipers through and through. You enter at your own risk, and even the insider doesn't know what's save and what's not.


Roll-up:

Time-based Security has been here since security was here and will likely be here for as long as security is a field. There is little here that we have not seen before, but as a collection taken in a new light, there is real value in this perspective.


About The Author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Managing Director of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing information protection. He can be reached by sending email to fred at all.net or visiting /