This is Part II of the post on Illusion of Cyber Security dealing with the question of Why?
Part I dealt with the illusion of cyber security and its relationship to knowledge and vulnerability.
Can a flap of butterfly wing in Brazil, really cause a tornado in Texas? – As most of you know the answer is yes. (Butterfly Effect , Edward Lorenz – 1972)
“Shallow men believe in luck or in circumstance. Strong men believe in cause and effect.”- Ralph Waldo Emerson.
I guess it might be my Indian upbringing and knowledge of Karma that makes me look at this problem through the lens of Karma, also known as the cause and effect relationship explained through action and reaction (as you sow, so shall you reap).
A good fundamental understanding of Threat, Risk, Vulnerability, Exploit and the interrelation between them is a good place to start this topic.
There are very good definitions available for Risk, Vulnerability and Exploit given by NIST SP800-30, The Common Criteria for Information Technology Security Evaluation (an ISO standard replacing ITSEC), ISO Guide 73 – Risk Management, ISO 31000.
Threat is an area where there is no real consensus on the definition in IT domain
Hence, I will focus on Threat. I believe the best way to explain Threat and its relationship to risk, vulnerability and exploit is through the philosophical concept known as Causality (also referred to as causation) or what is simply known as the cause and effect. In a cause and effect relationship, effects cannot be controlled once “the dice is rolled”, and will follow a logical consequence. Threat is an effect that flows from the “arrow of time” concept – the “one-way direction” or “asymmetry” of time.
Causality is the relation between an event (the cause) and a second event (the effect), where the second event is understood as a physical consequence of the first. Causality is also the relation between a set of factors (causes) and the corresponding phenomenon (the effect). Anything that affects an effect is a factor of that phenomenon. A direct factor is a factor that affects an effect directly, that is, without any intervening factors. Intervening factors are also called “intermediate factors.” In a complex system, intervening factors are the result of randomness or entropy, and many times, we humans are fooled by randomness (Nassim Nicholas Taleb 2005). In fact, we are very irrational beings and not very good at thinking probabilistically and understanding the probabilities of everyday random events rationally. We fail to see the “Black Swan,” unexpected events of large magnitude and consequence approaching, but are good at explaining them after the fact.
Aristotle was the probably the first to identify the four kinds of answers or explanatory mode to various “Why?” questions. Ancient Hinduism (Karma and Maya), Buddhism (Pratītyasamutpāda – dependent origination or dependent arising) and other philosophical systems had also tried to answer this question on the Cause (and effect). The best modern work on cause and effect is from David Hume (1711-1776) in his work A Treatise of Human Nature.
Hume wrote that one can never perceive the cause and effect, except by developing a habit or custom of mind where one comes to associate two types of objects/events, as always contiguous and occurring one after the other. A few key principles from his work are given below: The cause and effect must be contiguous in space and time.
- The cause and effect must be contiguous in space and time.
- The cause must be prior to the effect.
- There must be a constant union between the cause and effect. It is this quality that gives cause to the relationship between cause and effect.
- The same cause always produces the same effect, and the same effect never arises, but from the same cause.
- Where several different objects or events produce the same effect, it must be by means of some quality or property of the object or event, which we can discover to be common among them.
- The difference in the effects of two resembling objects or two resembling events must proceed from that detail in which they differ.
- When any object or event increases or diminishes with the increase or decrease of its cause, it has to be regarded as a compounded effect, derived from the union of the several different effects, which arise from the several different parts of the cause (The Lorentz Butterfly effect)
Now that we have an insight into the cause and effect phenomenon let’s look at some direct factors that cause realization of a cyber attack (the effect).
I would like to explain this with the well-known concept from Fire Safety known as the Fire Triangle (Fig 1). If a fire (damaging something valuable) is a threat, then three fundamental things (causes) are present, and when these three elements of a fire triangle are aligned, then the fire begins to rage and the effects of that fire can be observed. The three direct factors (elements) in a fire are heat, fuel and an oxidizing agent (usually oxygen). A fire naturally occurs when these three elements are present and combined in the right mixture, meaning that fire is actually an event (effect) rather than a thing.
Similarly, a Cyber Attack is an event (effect) rather than a thing. What are the three elements that when present in the right context that can start a cyber attack?
Of the three causes above we have no direct control over “Actor” and “Motivation.” We may have some control over the intervening factor or intermediate factor, for example the decision to make a satirical movie about a dictator eventualy becoming the motivation of a nation state to launch a major attack against a US corporation, or taking action on an employee that may lead to his/her desire to take revenge. However, we do have direct, complete control over the “Vulnerability”, and truly that is the only cause we have control over.
Between the Actor and Motivation, there needs to be “Intent” or what is known as “Mens Rea” in criminal jurisprudence. Mens rea (Latin for “the intending mind”) in criminal law is viewed as one of the necessary elements of a crime.
Between the Actor and Vulnerability, there needs to be an “exploit” or what is known as “Actus Reus” in Latin meaning “physical act of the crime.” One key element here is the “attack surface” for the vulnerability to be exploited. While attack surface reduction (including eliminating backdoors) is a good strategy, a total elimination of the attack surface is not possible.
Between the motivation and vulnerability is the value system that drives the motivation towards the criminal act.
All three elements need to present at the right time and the right amount to set the ball rolling on an attack. As all three elements come together slowly through the event horizon, the probability of the attack increases until the risk is realized. In the fire triangle there is a property of the fuel known as the ignition point, so too in cyber attack there is an ignition point that I would call as “Patient Zero”, or the very first intrusion. If you compare a cyber attack to a black hole, then the first intrusion is your “event horizon” or point of no return.
Once a threat is realized the race begins on how soon you can detect the fire (in cyber security, the cyber attack) and just like fire once started, the damage control from a cyber attack rests on a totally different set of response capabilities, and forensics capabilities to determine the attribution. (Who did it?), but unfortunately the damage is done at this point of time.
I hope you are now able to understand the relevance of the vulnerability quadrant (the knowledge of the vulnerability) in my previous post, in the context of the “logical consequence” and the arrow of time. In the arrow of cyberspace and time, entropy or randomness (as in information theory) is the only property that matters. Can we use predictive analytics to interfere with the randomness and change the arrow of time in our favor is a question for the future? Until then we will have to work on managing the direct cause of the cyber threat, namely the vulnerability and its underlying causes like design flaws, software bugs, attack surface reduction, minimizing the technology and human weaknesses etc.
If Vulnerability (including human vulnerability) is the only cause that we can control internally, shouldn’t we spend most of our efforts in eliminating the vulnerability to a point that matches the enterprise’s risk appetite and risk tolerance ?
I would like to close my post with a poem by Omar Khayyam in The Rubaiyat on the nature of the arrow of time, cause and effect and our actions.
“The Moving Finger writes: and, having writ,
Moves on nor all thy Piety nor Wit
Shall lure it back to cancel half a Line,
Nor all thy Tears wash out a Word of it.”
Capgemini has introduced a consolidated security service called Cybersecurity Global Service Line, integrating its expertise in cybersecurity.
We provide end-to-end advisory, protection, and monitoring services to secure your organization. To find out more visit www.capgemini.com/cybersecurity and SMACT blog series Putting cyber security at the heart of digital transformation
PS: After I wrote Part I of this post, The HP Cyber Risk Report 2015 reveals this following data on the 2014 breaches: Many of exploits discovered in 2014 targeted vulnerabilities discovered many years back, some even decade old. 60 % of the attacks in 2014 are due to exploitation of 4 critical vulnerabilities that were known publicaly since 2012. Are these attacks in 2014 due to ignorance of cyber security or illusion of cyber security?