This document discusses cyber security and defense. It is authored by Gary McGraw, Chief Technology Officer of Cigital, a leading software security consulting firm. The document summarizes that effective cyber defense requires a proactive approach through secure software engineering practices rather than reactive approaches like cyber offense. It advocates focusing on improving security by "building security in" from the start rather than exploiting existing vulnerabilities.

1. Copyright © 2015, Cigital
Cyber War, Cyber Peace, Stones,
and Glass Houses
…those who live in glass houses should not throw stones
@cigitalgem
Gary McGraw, Ph.D.
Chief Technology Officer

2. Copyright © 2015, Cigital
Cigital
• Providing software security professional services since
1992
• World’s premiere software security consulting firm
o 500 professional consultants
o Washington DC, New York, Santa Clara, Bloomington, Boston,
Chicago, Atlanta, Austin, Amsterdam, and London
• Recognized experts in software security
o Widely published in books, white papers, and articles
o Industry thought leaders

3. Copyright © 2015, CigitalCopyright © 2015, Cigital
Real Cyber Defense as Deterrence
• Defining “cyber”
whatever
• The offense problem
• “Active defense”
• Attribution
• Many vulnerabilities
• Payloads are easy
• Economics
• The NASCAR effect
• The defense solution
• Proactive defense vs.
cardboard defense
• Deterrence through
defense
• Build security in

4. Copyright © 2015, Cigital
CYBER CLARITY IS ELUSIVE
Separating the Threat from the Hype: What Washington Needs to Know
About Cyber Security, Nate Fick & Gary McGraw
http://www.cigital.com/papers/download/mcgraw-fick-CNAS.pdf

5. Copyright © 2015, CigitalCopyright © 2015, Cigital
Cyber Security
• How much of the cyber war talk is hype?
• What is real and what is cyber chimera?
Help policymakers find their
way through the fog and set
guidelines to protect the best of
the Internet and cyberspace,
both from those who seek to
harm it, and from those who
seek to protect it but risk doing
more harm than good.

6. Copyright © 2015, CigitalCopyright © 2015, Cigital
Disentangling War, Espionage, and Crime
• Cyber espionage
• Much more common than
war
• Wikileaks
• Anonymous
• Operation Aurora
• NY Times hack
• Bad compartmentalization
makes easy targets
• Cyber crime
• Even more common
• 1 trillion dollars per year?!
(just ask Ross Anderson)
Building systems properly
from a security
perspective will address
the cyber crime problem
just as well as it will
address cyber espionage
and cyber war. We can kill
all three birds with one
stone.

7. Copyright © 2015, CigitalCopyright © 2015, Cigital
Kinetic Impact as Decisive Criteria to be War
REALITY
• To qualify as cyber war, the
means may be virtual, but
the impact should be real.
• 1982 Soviet gas pipeline
explosion
• 2007 Israeli attack on Syrian
reactor
• 2008 Russia attacks Georgia two
ways
• 2008 USB drive infection in Iraq
(meh)
• 2010 Stuxnet attack on Iranian
centrifuges
HYPE
• Estonia dDoS attacks
• 2007 statue removal kerfuffle
• What would Google do?
• Brazilian blackout
• 2009 60 minutes story
• 100% hype
• China “hijacks” the Internet
• BGP mistake
• Bad design

8. Copyright © 2015, CigitalCopyright © 2015, Cigital
US: National Security Dominates
The real and perceived
dominance of the U.S.
national security
establishment in setting
cyber security policy is
problematic
• Cyber security is not only a
military problem
• Cyber security recognizes no
geographic boundaries
• Snowden revelations did not
help this situation

9. Copyright © 2015, CigitalCopyright © 2015, Cigital
Offense and Defense
defense means building
secure software, designing
and engineering systems to
be secure in the first place
and creating incentives and
rewards for systems that are
built to be secure
offense involves exploiting
systems, penetrating
systems with cyber attacks
and generally leveraging
broken software to
compromise entire systems
and systems of systems

10. Copyright © 2015, Cigital
THE OFFENSE PROBLEM

11. Copyright © 2015, CigitalCopyright © 2015, Cigital
“Active Defense”
Having a good offense is NOT
the same as a good defense.
Panetta on cyber security, “We
need to have the option to take
action against those who would
attack us.”
Grandma on security, “People
who live in glass houses should
not throw rocks.”

12. Copyright © 2015, CigitalCopyright © 2015, Cigital
Attribution Remains Unsolved (Ask Gandalf)

13. Copyright © 2015, CigitalCopyright © 2015, Cigital
Olympic Games & Stuxnet
• The PAYLOAD is what
matters
• Inject code into a running
control system
• Siemens SIMATIC PLC (step
7)
• Cyberwar!!
• Natanz in Iran
• Sophisticated, targeted
collection of malware
• Delivery
• 1 0day (not 4)
• Stolen private keys
• USB injection
• Network C&C
How to p0wn a Control System with Stuxnet (9/23/10)
http://bit.ly/RmbrNG

14. Copyright © 2015, CigitalCopyright © 2015, Cigital
Thread Hijacking in Online Games
• Used in early online game botting programs (circa
2004) but no longer
• Used successfully in Stuxnet in 2009
WoW.EXE
MAIN
THREAD
INJECTED
DLL
Loops hundreds of times per second
RenderWorld(..)
DETOUR PATCH

15. Copyright © 2015, CigitalCopyright © 2015, Cigital
INJECTED
CODE PAGE
complete
MAIN
THREAD
MAIN
THREAD
HARDWARE BP
RenderWorld(..)
uncloak
MSG
super
branch
RenderWorld(..)
recloak
restore
CastSpellByID( .. )
ScriptExecute( .. )
ClearTarget( .. )
MAIN
THREAD

16. Copyright © 2015, CigitalCopyright © 2015, Cigital
Vulnerabilities Are Pervasive

17. Copyright © 2015, Cigital
Disguise
Process Control
Process Disruption
deterministic
non-deterministic
(hacking)
Capability
atypical
Attack Complexity (From Ralph Langner)
http://bit.ly/TvWnuG

18. Copyright © 2015, CigitalCopyright © 2015, Cigital
Economics (From Ralph Langner)
Nuclear sub fleet
Stealth fighter jet fleet
Eurofighter fleet, Leopard II tank fleet
Cyber weapons program / MIL targets
Cyber weapons program / CI targets
$90B
$40B
$10B
$1B
$100M
Non-state thresholdhttp://bit.ly/TvWnuG
Singular cyber attack against
national critical infrastructure
$5M

19. Copyright © 2015, CigitalCopyright © 2015, Cigital
Offense is Sexy: The NASCAR Effect
Bad news
• The world would rather
not focus on how to build
stuff that does not break
• It’s harder to build good
stuff than to break junky
stuff
Good news
• The world loves to talk
about how stuff breaks
• This kind of work sparks
lots of interest in computer
security

20. Copyright © 2015, Cigital
THE DEFENSE SOLUTION

21. Copyright © 2015, Cigital
Cardboard Shield Defense
Today’s computer and
network security
mechanisms are like the
walls, moats, and
drawbridges of medieval
times. At one point, effective
for defending against isolated
attacks, mounted on
horseback. Unfortunately,
today’s attackers have
access to predator drones
and laser-guided missiles!

22. Copyright © 2015, CigitalCopyright © 2015, Cigital
Poor Security Engineering

23. Copyright © 2015, CigitalCopyright © 2015, Cigital
Proactive Defense
Secretary Panetta is mistaken:
“Through the innovative efforts
of our cyber-operators, we are
enhancing the department's
cyber-defense programs.
These systems rely on
sensors and software to hunt
down malicious code before it
harms our systems. We
actively share our own
experience defending our
systems with those running
the nation's critical private-
sector networks.”
• Security Engineering
• Software Security
• Build Security In

24. Copyright © 2015, Cigital
HOW TO BUILD SECURITY IN

25. Copyright © 2015, CigitalCopyright © 2015, Cigital
Software Security Touchpoints

26. Copyright © 2015, CigitalCopyright © 2015, Cigital
BSIMM: Software Security Measurement
• 104 firms measured (data freshness)
• BSIMM6 = data from 78 real initiatives
• 202 distinct measurements
• 26 over time (one firm 5 times)
• McGraw, Migues, and West

27. Copyright © 2015, CigitalCopyright © 2015, Cigital
78 Firms in BSIMM6 Community

28. Copyright © 2015, CigitalCopyright © 2015, Cigital
A Software Security Framework
See informIT article on BSIMM website http://bsimm.com
4 Domains 12 Practices

29. Copyright © 2015, CigitalCopyright © 2015, Cigital
BSIMM6 as a Measuring Stick

30. Copyright © 2015, CigitalCopyright © 2015, Cigital

31. Copyright © 2015, CigitalCopyright © 2015, Cigital
BSIMM6
Results
Top 12
activities
• purple =
good?
• red = bad?
“Blue shift” =
practices to
emphasize

32. Copyright © 2015, CigitalCopyright © 2015, Cigital
BSIMM By the Numbers

33. Copyright © 2015, CigitalCopyright © 2015, Cigital
Defense as Deterrent
“the U.S. is in a good
position to outspend its
adversaries on proactive
defense. Proactive
defense can be our
differentiator and a
serious deterrent to war.”
Proactive Defense
Prudent Alternative to
Cyberwarfare
http://t.co/2901DHVh
• A first strike in a cyber
war is unlikely to be
decisive
• No matter how much is
spent on cyber-offense,
cyber-defense must be
addressed anyway
• Proactive defense is a
very good differentiator

34. Copyright © 2015, CigitalCopyright © 2015, Cigital
Guidance for Policy Makers
• Focus on defense by
building security in
• Re-orient public private
partnerships
• Focus on information
users instead of
plumbing
• Let civilian agencies
lead
FIX THE BROKEN STUFF

35. Copyright © 2015, Cigital
WHERE TO LEARN MORE

36. Copyright © 2015, CigitalCopyright © 2015, Cigital
SearchSecurity + Cigital’s Security Blog
• No-nonsense monthly security
column by Gary McGraw:
www.searchsecurity.com
• In-depth thought-leadership blog from
the Cigital Principals:
• Gary McGraw
• Sammy Migues
• John Steven
• Paco Hope
• Jim DelGrosso
https://www.cigital.com/blog/
• Gary McGraw’s writings:
www.cigital.com/~gem/writing

37. Copyright © 2015, CigitalCopyright © 2015, Cigital
Silver Bullet + IEEE Security & Privacy
• Monthly Silver Bullet podcast with
Gary McGraw:
www.cigital.com/silverbullet
• IEEE Security & Privacy magazine
(Building Security In)
www.computer.org/security/bsisub/

38. Copyright © 2015, CigitalCopyright © 2015, Cigital
The Book
• How to DO software security
• Best practices
• Tools
• Knowledge
• Cornerstone of the Addison-
Wesley Software Security Series:
www.swsec.com

39. Copyright © 2015, CigitalCopyright © 2015, Cigital
Build Security In
• Join the BSIMM Community
http://bsimm.com
• Send e-mail: gem@cigital.com
• @cigitalgem