jump to navigation

Chris Mark published in Computing Security Magazine May 21, 2020

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , ,
add a comment

Computing Security magazine recently published an article I wrote on COVID19 and Threats, Vulnerabilities and Exploits.

“The suitability of security strategies is relative to the controls implemented to address risks; therefore, security should be viewed as a function of time and resources. Naturally, there can be no guarantee of security when threats are constantly adapting. Adaptive Threats are caused by something that can change its behaviour in reaction to prevention. As defences improve, threat actors adapt and so this cycle continues.

Adaptive Threats react to take advantages of vulnerabilities which are characteristics of design, location, security posture, operation and they render an asset, system, network, or entity susceptible to disruption, existing even if yet unidentified. An exploit is something that takes advantage of a bug or vulnerability and can be used to gain advantage of a susceptibility in a control. However, not all vulnerabilities are of equal risk or severity.

Furthermore, exploits and vulnerabilities are not mutually independent, and one can only exist without knowledge of the other…”.READ MORE!

Covid19: “The War God’s Face Has Become Indistinct” – China’s Unlimited Warfare Strategy April 14, 2020

Posted by Chris Mark in cybersecurity, Risk & Risk Management, terrorism.
Tags: , , , , , , , , , ,
add a comment

CT2013UPDATE-  Today (April 15, 2020) Fox News published an article supporting what has been proposed in this post.  Titled“Sources believe coronavirus originated in Wuhan lab as part of China’s efforts to compete with US the article lays out compelling evidence that China was attempting demonstrate that China’s “…efforts to identify and combat viruses are equal too or greater than capabilities of the United States.” The article states that evidence comes from classified, and open source sources and documents.  It further states that:

“…(China) blaming the wet market was an effort by China to deflect blame from the laboratory, along with China’s propaganda efforts targetting the US and Italy.”

For those who have not read Unrestricted Warfare referenced in this post, I would strongly suggest you consider reading.  The Fox News article is directly in line with China’s 1999 strategy of unlimited warfare against the US and European countries.

In 2013, I wrote an article for The Counter Terrorist  Magazine that identified the Chinese strategy of CyberWarfare. You can read the article here.

This followed a seperate article I wrote for the same magazine called “CyberEspionage” that identified China’s efforts to infiltrate the US.  Both identify the Chinese focus on unlimited warfare discussed below.ctmay2012

Today, while reading the news, I came across an article that stated that stated that the US State Department cables (read CIA and Intelligence) has stated that the Covid19 Virus may have originated the Wuhan Viral Lab (WVL) who were testing the Coronavirus in bats.  According to the Washington Post:

“As many have pointed out, there is no evidence that the virus now plaguing the world was engineered; scientists largely agree it came from animals. But that is not the same as saying it didn’t come from the lab, which spent years testing bat coronaviruses in animals, said Xiao Qiang, a research scientist at the School of Information at the University of California at Berkeley.”

No “Evidence” is distinctly different than “They did not do it”.  Keep in mind that in February, 2020, the US Government charged 4 Chinese Military members with the 2017 Equifax breach.

The question should be: “why would the Chinese launch viruses (if they did) and why would they hack US companies?”  The answer is actually pretty straightforward.   If you read the article from 2012, you will get much more information than in this blog post.

In 1990 the US engaged the Iraqi military in the Gulf War.  The Russians (then Soviets) tankmedinaand Chinese watched closely as the US went literally “toe to toe” with the World’s 5th largest standing Army (Iraqi).  96 hours later, the Iraqi Army was soundly defeated.  In particular was the Battle of Medina Ridge (also called the Battle of 73 Easting) fought on Feb 27, 1991. It was an absolute route. This convinced the Chinese that a “linear/kinetic war” with the US was unwinnable.

For this reason they embarked upon a new policy called “Unlimited/Unrestricted warfare”.

This is documented in the book called Unrestricted Warfare.  In first reading the document, I was shocked at what it contained.  In 1999, two Chinese Peoples’ Liberation Army (PLA) Colonels were tasked to write a document titled: Unrestricted Warfare that outlines China’s approach to war with the West.   In short, the document articulates a new definition of warfare that includes using all economic, political, and PR means to fight ‘sub wars’ and ‘pseudo wars’.

While we sit in the US laboring under our definition of warfare, our adversaries are redefining the battlespace.  Here are some quotes from the document:

“If we acknowledge that the new principles of war are no longer “using armed force to compel the enemy to submit to one’s will,” but rather are “using all means including armed force and non-armed force, military and non-military, lethal and non-lethal means to compel the enemy to accept one’s interests.”[i]

“As we see it, a single man-made stock-market crash, a single computer virus invasion, or a single rumor or scandal that results in a fluctuation in the enemy country’s exchange rates or exposes the leaders of an enemy country on the Internet, all can be included in the ranks of new-concept weapons.”[i]

In short, the Chinese manipulating currency, or the press or even paying a Harvard Professor to be an agent can arguably be considered a ‘pseudo war’ consistent with their strategy of unlimited warfare.  As more information becomes available, I would not be surprised to see that this is much more than an “accident” in a lab in Wuhan.  Look at the financial toll it has taken on the World and positions the Chinese to be much larger players.

[i] House of Representatives. (Kindle Locations 325-327). Kindle Edition.

 

[i] Wiangsui Qiao Liang and Wang. Unrestricted warfare. Beijing: PLA Literature and Arts Publishing House; 1999.

What Coronavirus can Teach us about CyberSecurity February 28, 2020

Posted by Chris Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy.
Tags: , , , , , , , , , ,
add a comment

The 2020 RSA CyberSecurity Conference was held recently in San Francisco, California. There were some notable companies that elected to not attend this over safety concerns related to Coronavirus.  On February 25th the mayor of San Francisco declared a state of emergency for their city over Coronavirus fears.

This state of emergency was declared is in spite of the fact that there are no confirmed cases of Coronavirus in the city. Mayor Breed, in discussing her prudent steps stated: “We see the virus spreading in new parts of the world every day, and we are taking the necessary steps to protect San Franciscans from harm…”

First identified in Wuhan, China in late 2019, Coronavirus (covid-19) has reportedly infected over 80,000 people worldwide and has resulted in over 2,700 deaths on several continents. Recently, the World Health Organization identified the newly identified Coronovirus as a potential “Disease X”.  “Disease X” was added to World Health Organization’s “Prioritizing diseases for research and development in emergency contexts” list of illnesses. This list includes such diseases as the Crimean-Congo hemorrhagic fever (CCHF), Ebola and Marburg virus disease, Lassa Fever, MERS, SARS, Nipah and henipaviral diseases, Rift Valley fever and Zika.  Importantly, “Disease X”:

(…represents the knowledge that a serious international epidemic could be caused by a pathogen currently unknown to cause human disease, and so the R&D Blueprint explicitly seeks to enable cross-cutting R&D preparedness that is also relevant for an unknown “Disease X” as far as possible) (emphasis added). 

What can the current Coronavirus situation teach us about cybersecurity?

Reflecting upon the situation in San Francisco and the WHO’s statements, it is possible to utilize the Johari Window to analyze the situation. The Johari Window[1]developed by psychologists Joseph Lutz and Harrington Ingram in 1955 and reintroduced to the American Public in  2012 when then Secretary of State in referencing Iraqi Weapons of Mass Destruction stated:

…there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know…it is the latter category that tend to be the difficult ones.” (paraphrased)

The Johari Window identifies four panes of knowledge.  They include: The “known/knowns” where both the person and others know of a given situation. There is the “Known/Unknown” where the person knows and others do not know of a situation. Consider a personal secret that has not been shared with others. There is then an “Unknown/Known” where the situation is not known the person yet is known to others. In simple terms think of a surprise birthday party where everyone but the birthday boy/girl is aware.  Finally, there are “unknown/unknowns” where neither the party knows.  This is the truest example of an ‘unknown’ and represents, the most difficult situation to analyze because it truly represents a position of ignorance on both parties.

In 2016 the World Health Organization identified that there was a conceptual, although yet undefined threat that was both unknown to others and to themselves but they understood that, theoretically, existed and would present a major risk if and when it was eventually realized.  This, they proactively identified as ‘Disease X’. This was the ‘unknown/unknown’ in the Johari Window until the time that it was identified as Coronavirus.

It is now a ‘known/known’ threat although countries are still struggling to identify how to deal with the risk it presents. Until it was actually realized, however, there was little any country could do except wait until it was realized. Once it was identified, then actual defensive and protective measures could be put into place to address the threat.

In much the same way, organizations dealing with cybersecurity today are presented with the ‘unknown/unknown’ of the conceptual “Disease X” threat in cybersecurity.  This is any yet unidentified and yet predicted threat that may impact their organization in the not too distant future.  Companies are faced with attempting to develop security and continuity plans for a threat that they do not yet know exists and what specifically that threat encompasses.  On a nearly daily basis, however, a ‘Disease X’ arises in cybersecurity and companies are forced to react quickly and decisively to address such threats.  Adding to the threat is the fact that these threats are not naturally occurring and are, in fact, created by humans – intent on creating harm.

Compounding the problem of the ‘unknown/unknown’ is the idea of threat adaptation in known threats.  While not modified by naturally security processes, security strategies, like those of disease control must also deal with threat adaptation. Using the Coronavirus as an example, according to a South China Morning Post article posted on February 4th, 2020 Chinese scientists had already:

“…detected “striking” mutations in a new coronavirus that may have occurred during transmission between family members.” It further states that: “While the effects of the mutations on the virus are not known, they do have the potential to alter the way the virus behaves.”

It has been well established that Influenza virus ‘shift’ and ‘drift’ antigenically.  Without delving into the specifics of how these occur, according to the Center for Disease Control and Prevention, states that:

“When antigenic drift occurs, the body’s immune system may not recognize and prevent sickness caused by the newer influenza viruses. As a result, a person becomes susceptible to flu infection again, as antigenic drift has changed the virus enough that a person’s existing antibodies won’t recognize and neutralize the newer influenza viruses.”

While not a direct corollary to a natural viral drift or shift, human actors respond in a similar way when attempting to commit criminal acts. They ‘adapt’ to the changing security environment and are defined as ‘adaptive threats’.  According to the Department of Homeland Security’s Security Lexicon, Adaptive Threats are defined as:

“…threats intentionally caused by humans.”  It further states that Adaptive Threats are: “…caused by people that can change their behavior or characteristics in reaction to prevention, protection, response, and recovery measures taken.”

In short, as defenses improve, threat actors change their tactics, and techniques to adapt to the changing controls and prevent the established controls from identifying and protecting against the newly adapted threat.  As the threat actor improves their capabilities the defensive actors necessarily have to change their own protections.  This cycle continues ad infinitum until there is a disruption. This recurring cycle is known as the Defense Cycle.

Consider medieval castles.  Originally, they were built of wood.  Those assaulting castles would simply use fire to burn the castles to the ground.  Castle makers then built Castles of stone.  Assaulters then created siege engines to knock down the walls or began digging under the walls to ‘undermine’ them.  Castle walls were made larger and stronger and were nearly impenetrable until cannons were introduced.  Even in situations where the attackers could not ‘storm the castle’ they would simply lay siege and starve the inhabitants until they capitulated.  This is a classic example of threat adaptation and the defense cycle.

In a more relevant and timely example consider a standard network with security controls applied commensurate with the identified risks. An attacker may try an attack against the network layer.  If this is ineffective and the incentive is great enough the attacker will likely modify their behavior and attack methodology to attempt to circumvent some other control.  This process continues until a resource has been compromised.

Applying the concepts addressed in this article, a newly identified or developed exploit is the proverbial “Disease X”.  As it has not yet been identified, the organization has no definitive defense against it. Once it is identified and known, then the company can begin identifying new controls to address the newly identified risk. The attacker will then, once again, modify their behavior.  As stated, this cycle can continue ad infinitum.

In 2020, organizations are dealing with myriad threats.  First there are the ‘unknown/unknowns” that represent the “Disease X”of the cyber attack world.  These may include new attack vectors, or zero day exploits.  Secondly, organizations are faced with defending against motivated, determined adversaries who are not only is focused on attacking networks and resources but are continually adapting their strategies as defenses improve.  While not a direct correlation, by looking at nature and how diseases impact our society, organizations can better understand their own security strategy and risk management practices.

 

%d bloggers like this: