Friday, March 12, 2010

Bazaar vs Cathedral

Damballa recently released a report entitled The Command Structure of the Aurora Botnet.  It's a good whitepaper.  I like this section:


... Botnet operators also increasingly trade or sell segments of the
botnets they build. Once sold, the owner of the botnet typically deploys a new suite of malware onto compromised systems. The CnC provides the link between various campaigns run by the botnet operators and the multiple malware iterations. Since Damballa focuses on malicious, remote-controlled crimeware that depends on CnC to function, we were able to determine the evolution and sophistication of the Aurora botnet and its operators with greater detail and accuracy than other
reports to-date. In general, Aurora is “just another botnet” and typifies the advanced nature of the threat and the
criminal ecosystem that supports it. It is important to note, however, that botnets linked to the criminal operators behind Aurora may have been sold or traded to other botnet operators, either in sections or on an individual victim basis. This kind of transaction is increasingly popular.


This isn't really new, it's been known that both kits and botnets are sold and rented in the black market.  Admittedly, it is pretty dastardly to have a potentially adversary utilizing this market, further obfuscating them and their goal.

This is one of the realizations of John Robb's Open Source Warfare.  In his book, Robb made a wonderful extension of esr's The Cathedral and The Bazaar into warfare and terrorism:


According to the perspective of the organized military, the problem with a a bazaar is that it lacks a center of gravity -- a centralized command center that can be destroyed or a single set of motivations that can be undermined through psychological or political operations.  It is virtually immune to these approaches. [...]

Finally, OSW networks are extremely innovative.  The bazaar atmosphere makes it easy for innovations to develop and peculate among the members.  They don't need a single operational genius, just a large number of average members working together.


The disturbing undertone of the Damballa report is not the "old-school" nature of the botnet, or the seeming reliance on black market, but the rapidity of advancement through sharing and innovation.  Targeted threats are prospering and growing in the chaos of  the Bazaar.  Certainly when compared to the order and structure of the Cathedral.  The Cathedral, in this case is us, the CND operators.  We innovate but are impaired with constraints that limit the speed of innovation and instinctually hoard, instead of sharing, vital information.

This threat is inside our OODA loop.

Monday, March 1, 2010

CIA Triad

Let’s start with a list:


  1. “Our new company policy must protect Confidentiality, Integrity, and Availability”
  2. “The goal of information security is the protection of the CIA Triad”
  3. “Before we design this architecture, we need to assess the Risk of Availability, Integrity and Confidentiality”


Where did the concepts of the CIA trinity come from?  So far I’ve pinpointed Confidentiality being addressed by LaPadula and Bell in 1976 in their mandatory access control model for Honeywell Multics.  This, as you may have guessed, was to address the problem of disclosure to classified data on information systems.
Next, I found Clark and Wilson work in 1987 on Integrity recognizing the commercial sector’s primary focus was on the Integrity of the data on their information systems (think: accounting data).
Both of these were derived as “multilevel security” (think: orange book, 1983) as an operating system design principle.  And the third leg that creates the triumvirate?  Availability.  I simply couldn’t find anything I could use as an authoritative source.  If I were to guess, the Morris Worm may have had influence on Availability reaching the status it has. (Am I wrong?)

So when did we accept the wisdom that CIA is the core to information security?  When did CIA become potential risk?  When did we make the conscious decision to apply system design principles to complex systems of systems, policy, and more? CIA is good it is good as an anchor while architecting a system.

I’m hesitant to say CIA is good in wider contexts.  Indeed, I cringe when it’s used outside of system design principles.  It’s oversimplification which has the Risk of creating blind spots in thought.  For instance, CIA does not address mis-use of the system, especially when that mis-use does not have a functional impact.  If a system has a loss of positive control (say, it’s part of a botnet) and begins sending spam out at a rate of 10 messages/minute, does it impact CIA?  See Tragedy of the Commons.

I’m also not convinced CIA can truly represent secure systems of systems (networks) in any meaningful (indeed, measurable) manner due to the asymmetric conditions.  Ignoring high complexity, the pace of change to networks is too rapid to create a secure state that can be enforced.  A simple addition of one device could completely unbalance any CIA which was perceived to be in place.