I copy from “Cyberwar: a Whole New Quagmire” written by Markus J. Ranum (emphasis mine):

“The best defense against something like Stuxnet could not possibly be a strong offense – how can you pre-empt something unknown that was released without attribution? Stuxnet was exactly adequate for its job. How do you prevent such a thing from working on you? You do exactly the opposite of what we’re doing everyplace: you in-house security, in-house IT, and begin to build your infrastructure so that there are unpredictable and unknown barriers within it, including critical sections that are air-gapped and closely monitored. Yes, that is expensive and inconvenient. The question is whether the alternative is even more expensive and inconvenient.”

And that is why outsourced government clouds will not work. We only have to wait until the first major event to see this. The lean behavior is to build people so as to control the infrastructure. Short term cost cutting practices are for bonus hunters who will be long gone (disclaiming any responsibility) when disaster strikes.

Won’t “free market” advocates love this, I wonder.


8 Responses to “in-house”

  1. Kostas P. Says:

    Again, oversimplified, at least this quote. What are unpredictable barriers? (IMNSHO there is no such thing). How will in-sourcing help build them? And air gaps…another myth!

    • adamo Says:

      In his very particular case, in-sourcing build unpredictable barriers by simply not using a SCADA system sold by the West. What you cannot buy, for whatever the reason, you build yourself. And that is why certain governments have requested (and gained access) to proprietary source code.

      Like it or not, outsourcing locks you on the service provider. And unlike me, you have not found yourself in the position to unlock the organization from an uneven relationship. What was interesting though in this case (and is in every outsourcing case gone bad) is that the people from both sides that were responsible for initiating the outsourcing were long gone taking with them credits for a successful deal, simply because the consequences of the lock-in had not yet emerged. With me being one of the two people who had foreseen the problems, and the only one who is still in the show, withstanding a lot of pressure, I think I really know what I am talking about. I really prefer to abandon stuff than to outsource most of the time.

      It is pretty simple come to think about it: Employees in the public sector outlive their management. They also stay longer in service than a contract lasts and definitely more than the average time an employee stays with an outsourcing provider. Any long term consequences will hit the employees, not those who while in office decided to outsource.

      As far as the air-gap thing goes, I only link it to the nuclear facility instance and in combination with a thorough in-house development (which in extreme cases may include the operating system too). While seemingly easy at first, air-gaps add more complexity to system management than one would expect.

      But by commenting here, you only get my opinion on in-house vs outsourcing. Comment over there so that Ranum responds with more details.

      • Kostas P. Says:

        “what you cannot buy, you build yourself” -> agree even though sometimes it’s equally “expensive”.

        I’m all in about demanding access to proprietary source code as a client for security reasons but we have a long and difficult way ahead of us until we get there (see oracle vs Veracode).

        Now regarding out- vs in- sourcing my experience is mainly from Greece and in 99.9% of the cases organizations do not have the expertise, money, manpower and time to secure themselves. The good thing is that they are starting to realize that, hence the increased demand for managed security services. You, Yiorgos (*you*, not your organization), are an exception; most possibly the single exception.

        PS: I commented here because at the time I hadn’t read Ranum’sentire post.

        • adamo Says:

          That is a problem we keep pointing out to management: Like every public sector organization they do not build people, and hence they are locked-in on us. Which is a lose-lose situation, since we acquire a lot of responsibility without actual authority, a train is not allowed to step us over and our career path has a very low fixed ceiling.

          • Kostas P. Says:

            Build on which people? The old ones that are just waiting for their retirement or the new ones that want to beat the previous generations in terms of laziness, especially now that they don’t get paid as much they used to?

          • adamo Says:

            The Greek Public Sector is notoriously efficient at creating an apathetic workforce. Engagement is the key. But I am not paid to create engagement. Others are.

  2. Marcus Ranum Says:

    @Kostas – By “unpredictable barriers” what I mean is policy-centric traffic analysis or blocks attached to alarms. These things are easy to build, and very very hard to avoid if you an outsider attacker. For example, if I know by design that my R&D network does not normally perform accesses into my SCADA systems (a good policy in general, don’t you think?) I can set an alarm in place to notify me if any particular one of my R&D systems begins to do what it should not. Building a network in this manner does not cost anything extra except in terms of clues and analysis.

    And air gaps are damned easy to build. Just build your critical systems to be standalone and leave them alone. Of course you’ll get wankers coming along saying “it’s inconvenient” and playing political games – but that’s not a security problem – that’s an issue of lack of management vision.

    (A good reference for these concepts, if you’re interested, is Richard Bejtlich’s ‘extrusion detection’ textbook)

    • Kostas P. Says:

      Traffic analysis and event correlation is not a barrier. It’s an alerting and thus reactive mechanism. If you want to be effective you need to spend an awful lot of time to build rules and policies.

      I agree about air gaps. Biggest problem: once you build it you think it’s secure and forget about it. Until after a while you realize that it’s not actually an air-gap because one of the wankers that you describe has found a way to go around it without telling anyone. Air gaps are silver bullet solutions and we all know that there’s no silver bullet in security.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: