Wednesday, March 13, 2013

Why Commoners Will Always Be On The Defensive

In the past year, one of my most requested talks is called "The More Things Change, The More They Stay the Same". I show examples of cyberattacks over the past 20 years, how the root causes are the same and how we're still fighting the same battles after 20 years with no tangible success. I ask "what have we [security types] been doing these past 20 years?". I mention how an entire industry has been created to "combat" cyber attacks but again, there's no economic incentive to really solve the cyber security problem.

A recent article in Forbes, "Shopping For Zero-Days: A Price List For Hackers' Secret Software Exploits" by Andy Greenberg (http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/), talks about a particular firm that sells 0-day exploits to anyone who has the money. A quote from the article caught my attention: "Who’s paying these prices? Western governments, and specifically the U.S., says the Grugq, who himself is a native of South Africa. He limits his sales to the American and European agencies and contractors not merely out of ethical concerns, but also because they pay more."

As other writers have noted, there is now an economic incentive to NOT fix a bug in software. So the new paradigm is not to fix 0-days but to sell them, or to pressure software vendors not to fix them, in order to give the nation-state an advantage.

Yeah, I know. This is nothing new. But here's what this does to the common security folk like you and me. We can't afford to pay for 0-days, so we have to live with the consequences of having 0-days present in the software we buy. We don't know if there are 0-days in the software we buy, so we have to implement reactive defense tactics.

While nation-states hoard 0-days for cyber warfare, "civilian" organizations are left vulnerable to effective, successful cyberattacks. In other words, "civilian" organizations have no choice but to design reactive cyber defense strategies, since we can't "prevent" an attack that exploits a software vulnerability inside our net.