By Gregory Hale
A security researcher focuses on finding vulnerabilities and then providing the analysis behind the problem, but once that issue is discovered, the next step toward a secure environment is for the user to be able to put it into perspective.
“If you want to show how vulnerabilities bring effect, that is difficult (from a researcher’s perspective),” said Billy Rios, founder of security research firm WhiteScope, during his Tuesday keynote at the ICSJWG 2016 Fall Meeting in Ft. Lauderdale, FL. “When you bring vulnerabilities to an operator they need to see what could happen. They need to know what the effect is with all the vulnerabilities. We understand the analysis very clearly. We understand the vulnerabilities very clearly. We may even know some of the effects, but do we know how it works within the system? What effect would it have on the total operation?”
A case in point was in 2010, when officials lost communications with nuclear weapons. Very quickly, the top Air Force officer notified the chairman of the Joint Chiefs of Staff, who notified the secretary of defense, who then informed the president. At that time, “the president asked a simple question: Could this have been caused by a cyber attack? No one knew the answer,” Rios said.
At that point, Rios was assigned to the cyber security mission of finding that answer. “After months of work, we learned a lot; we learned a lot about how the world works. We did an analysis of the vulnerabilities. But in the end, the mission was not about the vulnerabilities or any kind of analysis, it was about the effects of what could happen.”
That mission, or project, led to greater awareness on the part of the Commander in Chief of what could happen.
“We never heard the President of the United States talking about cyber security to other countries (before).”
That was just the beginning.
Sanitize Before Disposal
It is not often when somebody starts off a talk at a conference with a security moment, but at the start of the ICSJWG 2016 Fall Meeting, it seemed apropos.
At the beginning of his talk, Billy Rios, founder of security research firm WhiteScope, offered a security moment: when people trade in, sell or scrap their old devices, they should sanitize them, because the devices carry information you may not want others to see.
He later talked about purchasing a voting machine and said it was a perfect case in point for sanitizing a device: when he broke into one of his machines, he learned it was last used in the previous presidential election, because he found a digital ballot for selecting a presidential candidate still stored on it.
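The point of the security moment is that a decommissioned device is only safe to hand over once nothing readable is left on its storage. The following is an added example, not code from the article or from WhiteScope, of the check a practitioner would run on a raw image of the device before letting it go: it walks the image sector by sector, treats only all-0x00 or all-0xFF sectors as blank, and reports any printable runs that survived, the way a leftover ballot record would. The sector size, the minimum string length and the sample image (a constructed 64-sector image with one stray record) are assumptions for illustration.

```python
"""Added example (not from the article or WhiteScope): scan a raw storage image
for residual data before a device is traded in, sold or scrapped.

The image here is constructed inline; a real check would read the block device
or a dd image of it.  Sectors that are entirely 0x00 or entirely 0xFF count as
blank; anything else is residual data, and printable runs are reported so an
operator can see what would leak.
"""
import re
from typing import Dict, List

BLOCK_SIZE = 512  # assumed sector size
MIN_STRING = 8    # shortest printable run worth reporting (like `strings -n 8`)


def is_blank(block: bytes) -> bool:
    """A block is blank only if every byte is 0x00 or every byte is 0xFF."""
    return block == b"\x00" * len(block) or block == b"\xff" * len(block)


def printable_strings(data: bytes, min_len: int = MIN_STRING) -> List[str]:
    """Return printable-ASCII runs of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def residual_data_report(image: bytes, block_size: int = BLOCK_SIZE) -> Dict:
    """Walk the image block by block and summarize what survived the wipe."""
    total = (len(image) + block_size - 1) // block_size
    dirty: List[int] = []
    for i in range(total):
        if not is_blank(image[i * block_size:(i + 1) * block_size]):
            dirty.append(i)
    return {
        "blocks": total,
        "dirty_blocks": dirty,
        "dirty_fraction": len(dirty) / total if total else 0.0,
        "strings": printable_strings(image),
        "sanitized": not dirty,
    }


def build_test_image() -> bytes:
    """Constructed sample: 64 zeroed sectors, one leftover record in sector 17,
    and one sector the firmware erased to 0xFF (NAND style), which is still blank."""
    image = bytearray(64 * BLOCK_SIZE)
    leftover = b"BALLOT_RECORD;race=PRESIDENT;selection=candidate_2\x00"
    image[17 * BLOCK_SIZE:17 * BLOCK_SIZE + len(leftover)] = leftover
    image[40 * BLOCK_SIZE:41 * BLOCK_SIZE] = b"\xff" * BLOCK_SIZE
    return bytes(image)


if __name__ == "__main__":
    report = residual_data_report(build_test_image())
    print(f"{len(report['dirty_blocks'])}/{report['blocks']} blocks still hold data")
    for s in report["strings"]:
        print("  leftover:", s)
    print("sanitized:", report["sanitized"])
```

On a real device, run this against a full image taken after the wipe, not before, and treat any dirty sector as a failed sanitization; the string listing is there to show the operator what would have walked out the door, not to decide pass or fail.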
In another case that illustrates perspective, in a research project Rios found 1,418 vulnerabilities in a single medical device.
Rios and fellow researcher Mike Ahmadi, in collaboration with CareFusion, discovered the vulnerabilities. They obtained the Pyxis SupplyStation through a third party that resells systems decommissioned by healthcare providers, and the vulnerabilities were discovered using an automated software composition analysis tool.
Of those vulnerabilities, 715 fell in the CVSS range of 7-10, indicating severe vulnerabilities; 606 were in the 4-6.9 range, indicating moderate vulnerabilities; and 97 were in the 0-3.9 range, indicating low severity.
Even with hundreds of scores of 7 or higher, what do you do when the issue is in a medical device? The numbers alone may not help you understand the risk.
“You cannot put cyber security on a Bell Curve,” Rios said. “It is an ‘extremistan’ incident. It is not naturally occurring. It is hard to plot.”
The term “extremistan” comes from a book entitled “The Black Swan,” where the author, Nassim Nicholas Taleb, writes about the differences between the “tyranny of the collective, the routine, the obvious, and the predicted” or “mediocristan” and “the tyranny of the singular, the accidental, the unseen and the unpredicted” or “extremistan.”
“You have to understand when you can plot something on a curve or when you can’t,” Rios said. “Know when you are doing one or the other.”
What also comes into play is what happens when you find a flaw in something like a medical device, or in a critical part of a process. Yes, you need to know there is a flaw and you need to know what you have to do to fix it, but you cannot simply stop using the device if somebody’s life depends on it, or if it is part of a critical aspect of a continuing process.
Another case is with voting machines.
Rios said he was able to purchase a used voting machine on eBay for $100.
“I have two voting machines in my office,” Rios said. “I can do whatever I want with these machines. I can learn how they work. I can learn their creases. We can take the software off the device and learn about the machine.”
Rios said that while he can find the vulnerabilities and analyze the machine, he does not know the impact a hacked machine could have; that is a question for the voting experts. “We don’t know (the effect), but if you are an operator of that system, you know.”
That is how an operator can help pull together information from a researcher. They need to work together to give complete context to the situation.
In the end, whether it is a discussion between IT and OT or a briefing for the President of the United States, perspective needs to be communicated in the language of the person you are trying to inform.
“We need to learn how to talk to one another. (In the nuclear weapons mission), we didn’t know how to shape our talks in terms POTUS (President of the United States) should understand. We need to be able to talk in the language of people we are working with.”