Chapter 1
Executive Summary
Effective cybersecurity is a critical capability for the defense and preservation of civil society. Cyber crime is one of the world's largest and fastest-growing categories of crime. Cyber criminals are responsible for more than $1 trillion USD in stolen funds and other assets, with crime in some segments growing 300 percent per year. Cyber espionage is epidemic and pervasive; even the world's smartest companies and government institutions have terabytes of intellectual property and financial assets being lost annually via the Internet. Concealed malicious actors even threaten our electrical power grids, global financial systems, air traffic control systems, telecommunications systems, healthcare systems, and nuclear power plants.
Chances are good that your current organization is being attacked right now: cyber criminals, civilian/military cyber warriors, and global competitors are deeply entrenched in your network. If you have information worth stealing, it is likely that the attackers are on your internal network, exfiltrating data from your end users, and controlling key administrative nodes. If organizations don't change the way they are defending themselves, personal identifying information, bank account and credit card numbers, and intellectual property that defines competitive advantage will continue to be stolen.
The threat is to all civil society. If cyber attackers scrambled all the data on Wall Street and Bond Street, wiping out all investments and retirement accounts based in the U.S. and U.K., the consequences are unthinkable. (And this scenario is a real possibility.) The goal of this book is to lay the foundation for solving this critical problem in earnest.
U.S. government policy experts are quite concerned about the strategic gap in cyber skills, claiming that in 2008 the U.S. had only 1,000 world-class cyber experts but would require 20,000 to 30,000 to adequately handle cyberspace offense and defense. I believe that estimate is quite low. There are 25,000,000 business establishments that need cyber defenses in the U.S. alone, according to the Census Bureau. Certainly, hundreds of thousands of technologists with the kinds of skills and education presented in this book will be needed to fully defend civil society.
Why Start with Antipatterns?
To successfully make a change, the first step is to admit you have a problem. The civilized world is in a dire predicament regarding cyber threats. Solving cybersecurity issues requires radical new ways of thinking and, paradoxically, a return to first principles and common sense; in other words, ruthless pragmatism.
Antipatterns employ psychological frameworks for solving problems whose causes involve habitual mistakes. Antipatterns require a mind shift from the dispassionate mindsets of mathematics and engineering into the judgmental milieu of enterprise architecture and organizational change.
NOTE Some people have criticized antipatterns as being anti-intellectual. Antipatterns are a way of thinking clearly about habitual causes, serious problems, and effective solutions.
Antipatterns have been summarized by the quip, "Technology is not the problem; people are the problem." But changing people's minds is very difficult, so you need powerful psychology to do that.
NOTE The classic paradigm of organizational change is: You send your people out on a rickety bridge toward a pot of gold and then start a fire behind them so they can never go back to old ways.
Antipatterns have ancient roots in governance, law enforcement, religion, and public administration. In a perverse sense, antipatterns are an adult form of name-calling used to control society. We invent pejorative names and make public examples of miscreants to prevent other people from misbehaving.
For the sake of clear definition, here are a few examples of modern-day social antipatterns used in general society: liberal (lily livered), racist (bigot), terrorist (violent extremist), convict (felon, violent offender), street criminal (thug, gang banger), drug addict (junkie), corrupt politician (crook), and all terms for sex criminals. Words have baggage. Even the term hacker has antipattern connotations.
Although this book does not emphasize the name-calling aspect of antipatterns, the goal is the same: to clearly articulate habitual mistakes (in IT) and then rapidly transition the discussion toward pragmatic solutions.
In this chapter, a basic form of antipattern is introduced. Basic antipatterns include two parts: (1) a description of the antipattern problem, and (2) a description of an improved solution, called a refactored solution. In some cases in this chapter, I present the antipattern without the refactored solution. Chapter 2 introduces the full antipatterns template.
Security Architecture
The cybersecurity crisis is a fundamental failure of architecture. Many of the networked technologies we depend upon daily have no effective security whatsoever. (See the "Networks Always Play by the Rules" antipattern in Chapter 2.) The architecture of the Internet and the vast majority of deployed software create significant opportunities for malicious exploitation.
It is worth stating that if infrastructure and software technologies were engineered properly, they would be built to withstand known and manage unknown risks, and they would be significantly more secure than current-day technologies.
Chapter 3 introduces the Zachman Framework for Enterprise Architecture and applies it to securing enterprises. The Zachman Framework is a powerful intellectual tool that enables complex organizations to describe themselves, including their mission, business, and information technology (IT) assets. With this self-knowledge comes awareness of risks and mitigations, and ways of engineering security into solutions from inception. The Zachman Framework serves as an overarching structure that organizes the problem-solving patterns catalog in Chapter 3.
The following sections begin the discussion of cybersecurity antipatterns, covering some of the most significant cybersecurity challenges, education among them. Antipatterns can be construed as cynical depictions of the current state of practice. Negativity and cynicism are not the goal; there are many solutions and patterns for success.
Antipattern: Signature-Based Malware Detection versus Polymorphic Threats
The conventional wisdom is that all systems with up-to-date antivirus signatures will be safe. However, many popular antivirus solutions are nearly obsolete, with many missing the majority of new malware. Current signature-based antivirus engines miss 30 percent to 70 percent of malicious code, and nearly 100 percent of zero-day infections, which, by definition, exploit unreported vulnerabilities.
Malicious signature growth is exploding from 5 new ones per day in 2000 to 1,500 per day in 2007 and more than 15,000 per day in 2009, according to Symantec (from a 2010 conference briefing on reputational anti-malware), which is an average of 200 percent to 300 percent cumulative growth per year. Malware variability has grown so rapidly that signature-based detection is rapidly becoming obsolete.
NOTE Each security industry vendor has its own sensor network for gathering and monitoring malware. Kaspersky Labs has seen flat growth in malware signatures since 2008, while other vendors imply exponential growth. Somewhere in the middle lies the truth.
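As an added illustration (not from the book), the following Python sketch contrasts an exact-hash signature with a byte-pattern signature over a constructed sample set, showing why each new variant forces a new signature and why a re-encoded body defeats both. The sample text, the padding scheme and the byte-rotation "packer" are assumptions standing in for real malware and real packers.

```python
import hashlib

# Constructed stand-in for a malware sample body: plain ASCII, not real code.
BASE_SAMPLE = b"CONSTRUCTED-SAMPLE: open socket; write run key; sleep 30"

# Signature database as a signature-based engine would hold it.
HASH_SIGNATURES = {hashlib.sha256(BASE_SAMPLE).hexdigest()}  # exact-file hashes
PATTERN_SIGNATURES = [b"write run key; sleep"]                # byte patterns


def padded_variant(sample: bytes, n: int) -> bytes:
    """Trivial variant: same body plus n trailing bytes (changes only the hash)."""
    return sample + b"#" * n


def encoded_variant(sample: bytes) -> bytes:
    """Body re-encoded by a fixed byte rotation (assumed stand-in for a packer);
    neither the file hash nor the plaintext byte pattern survives."""
    return bytes((b + 13) % 256 for b in sample)


def hash_match(sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() in HASH_SIGNATURES


def pattern_match(sample: bytes) -> bool:
    return any(p in sample for p in PATTERN_SIGNATURES)


def detection_counts(samples, matcher):
    """Return (hits, total) for one matcher over a sample set."""
    return sum(1 for s in samples if matcher(s)), len(samples)


def corpus():
    """Original sample, five padded variants, and one re-encoded variant."""
    return ([BASE_SAMPLE]
            + [padded_variant(BASE_SAMPLE, n) for n in range(1, 6)]
            + [encoded_variant(BASE_SAMPLE)])


if __name__ == "__main__":
    for name, matcher in (("hash", hash_match), ("pattern", pattern_match)):
        hits, total = detection_counts(corpus(), matcher)
        print(f"{name:8s} signatures: {hits}/{total} samples detected")
```

The hash signature catches only the one file it was written for, the pattern signature survives trivial padding, and the rotated body evades both, which is the gap that behavior- and reputation-based approaches aim to close.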