In the film Red Dawn, the United States was invaded by Communists, forcing ordinary citizens and soldiers alike to take up arms and fight for their freedom. Although fictional, it was an epic tale of cooperation against a common foe, not unlike the situation that corporations and governments find themselves in today, fighting shoulder-to-shoulder with users to fend off the Internet-based attacks of determined adversaries. According to the most recent reports from uscollegeresearch.org, as of June 2011, about 73 percent of U.S. and 65 percent of global Internet users had been victimized by cyber criminals, mainly via social engineering.
The theme of this year’s BlueHat was, fittingly, “We fight for the user.” Whether that user is within our own corporate infrastructure, or is a customer, it is more important than ever for us to stay focused on security by regularly improving our Security Development Lifecycle (SDL), honing our security response, and helping each user avoid social engineering attacks, a leading cause of computer compromise.
BlueHat v11 focused on bringing real-world security threats and issues to light by taking us on a journey that began with discussions about real attacks and adversaries, as witnessed by Context Security. Context Security has performed penetration testing simulating targeted attacks, as well as responded to many victims of industrial Internet espionage and crime. The picture it painted of the adversaries and the targets reinforced the overarching themes and lessons learned at the conference around appropriate risk management and secure product development. The approach must go beyond tools and code review, and into more advanced threat modeling that takes the entire ecosystem into account.
BlueHat, as always, was filled with many memorable talks, which focused on risks that leverage weakness at the seams of deployment, at the interfaces between components, between applications and infrastructure, and amid the relationships of the “trifecta” (the platform, the apps, and the app store), as described in Matias Brutti’s talk. While we as platform providers make our products more secure, we realize that they are not always deployed in ideal scenarios or configurations, and that we must work closely with intermediary vendors like OEMs who are in a position to make changes to specific devices that may decrease the effectiveness of some of our security measures. Andrew Cushman reminded us in his keynote address that in an age of transition toward “The Internet of Things,” where IP-enabled devices (e.g., cars, appliances, medical devices) begin to far outnumber traditional computers and mobile devices, we need to work with the ecosystem to help provide end-to-end security assurance.
Adam Shostack’s talk about the statistics of how malware actually gets onto Windows machines demonstrated that social engineering accounts for 45 percent of compromised systems, versus 0-day exploits, which represent less than one percent of all attacks. Fittingly, Adam works on a team within Microsoft that is dedicated to helping us improve both Microsoft and third-party user interfaces. With the work of Adam’s team, we can help users make smart security choices when faced with decisions like “should I proceed to this webpage even though there is an error in its certificate?” when they might not know what a certificate is, let alone what it does. Further, the user might not know whether or not the certificate’s issuing certificate authority (CA) was compromised, resulting in fraudulent certificates used in attacks, as was the case with DigiNotar this year and Comodo prior to that.
Moxie Marlinspike wrapped up the conference with a thought-provoking presentation highlighting the journey through the compromise of the certificate authority Comodo and its subsequent consequences (or lack thereof). The fact that the CA system of trust is rigid and does not recover well in cases where CAs are compromised is an issue that we as an influential participant in the ecosystem must consider, even though we did not create the CA system itself. Moxie challenged the audience to envision a new model where trust is agile and the decision of whom to trust is made (and can be revoked) by the user.
No matter the threat, whether attacks are random or targeted, whether the attacker is unskilled or sophisticated, we must attempt to protect our systems, data and users. When attacks do occur, we must hone our ability to detect, contain and recover from them quickly. Working with our partners and customers is the best strategy for dealing with and adapting to these threats.
Many thanks go to all the speakers, attendees, organizers, and volunteers for a memorable and enlightening BlueHat v11. We will continue to work together, shoulder to shoulder, defending our Internet neighborhoods from invasion, as we fight for the user in a Blue Dawn.
Senior Security Strategist Lead, MSRC Security Ecosystem Strategy Team
Follow Katie on Twitter at http://twitter.com/k8em0
Growth and change can come in big doses or small increments. That can be professional or organizational growth or technical or societal change. Since we started doing BlueHat waaay back in 2005, I’ve seen some significant change at Microsoft, experienced a fair bit of professional and personal growth, and witnessed stunning technical and social change.
This year I have a slightly different role in BlueHat.
As I reflect on this year’s BlueHat, there is a three letter (or occasionally four-) acronym that nicely tees up a number of topics – AFGO - Another Fun Growth Opportunity. Over the course of time, new attacks, new relationships, new positions, new technical or business challenges offer opportunities to expand our skills, tune our strategies, and take on new challenges. We see that despite the progress already made, there are still challenges ahead along with plenty of growing and learning available to the interested and the willing.
The BlueHat attendees are the interested and the willing. They come for the official program on attacks, threats, and technologies. More importantly, they come for the “hallway track”, the discussions that happen between like-minded security “apassionados”. This year’s program challenges the attendees to go beyond the easily understood remedies. Presentations on Targeted Attacks should give the attendees that visceral learning experience – AFGOs that challenge us to accept that we have done great work and yet more remains in order to protect our infrastructure and intellectual property and that of our customers. Similarly, there are a number of talks that explore the painful reality of “wait, I thought I did the right things” – you incorporated security into the development culture and operations, and yet your risk profile may still be higher than desired. Money spent and certifications earned don’t equal security – AFGO.
These days I find myself focused on two growth areas – one is anti-abuse as an engineering discipline and the other is the area of security policy.
Attackers are moving away from implementation errors such as buffer overflow attacks and towards abuse of the design seams of the networked system. This presents us with a more complex challenge that may not be as straightforward to eliminate with traditional security tools or testing. We must engineer anti-abuse solutions for Microsoft services that minimize customer impact and at the same time improve the customer’s trust experience and ease of use. We can do both, we have done it before. I see before us an opportunity for a second wave of security culture change within Microsoft as we harden our services to withstand abuse and enhance the user experience.
The helpful shorthand I use to describe my work on Security Policy issues is that I am looking for solutions to non-technical security problems. I look to help governments and industry come up with reasonable, effective, and implementable policy/legislative/regulatory solutions to security problems. Talk about growth opportunities! Technical solutions are relatively straightforward, unemotional and fact based, while politics usually has to do with business model or personality. The Office of Global Security Strategy and Diplomacy offers me an opportunity to leverage my technical background and bring my unique perspective to the strategy discussions of how countries and organizations manage security risks at a global level.
Can’t wait to see you all at BlueHat.
Andrew Cushman, Director, GSSD, Microsoft Corporation