On August 26, 2015, I had the opportunity to keynote the Hacks in Taiwan conference (HITCon) in Taipei. HITCon is the largest security conference in Taiwan, and consists of both enterprise and community tracks, a bit similar to BlackHat and DEFCON in the United States. During the keynote, I shared my own experiences of how the security community can protect the “global commons” that the internet has become. These experiences come from my work responding to incidents, building and managing incident response teams, as well as my involvement as a board member of the Forum of Incident Response and Security Teams (FIRST). Below, I share some key takeaways from my talk.
New online services often meaningfully improve our lives. These opportunities create trust in the internet. Major breaches risk slowly eroding that trust, and reduce the potential the internet has for us and the next generation of online users, which is huge; according to the International Telecommunication Union (ITU), there are currently some 3.2 billion internet users, which is less than half of the world’s population. While some countries have very strong adoption rates, other large but developing countries only have a small number of internet users (such as Pakistan, with less than 15% of its population online).
Protecting the global resource that is the internet, and the trust people place in it, takes a community effort, and therefore involves all of us.
There are many examples from the internet’s common incident response history that illustrate how all of us are part of a changing, complex system. To secure that system, we need to draw from different disciplines: art, science, and engineering. We need to build aesthetic solutions to security problems — solutions that people really want to use. We need science, because for many of the security problems we face, there are no right answers, just better or worse ones. We need security scientists to experiment, test, and find new principles that engineers can use while designing solutions.
When dealing with a complex system, rigid processes and procedures often don’t work. Instead, we have to figure out what guiding principles make sense and help inform engineers as they make decisions. We’re good at this. We developed trade routes across the world not only to satisfy the need for a community of trusted trades, but also to create the infrastructure to move goods and a “lingua franca” that everyone could agree on. To protect the internet, we need similar tools: a strongly connected community of security responders, researchers, and defenders; capability within the community to investigate and understand new issues; and the standards to exchange data quickly, so humans can focus on the tough security questions rather than on the manual labor.
Here are a few of these principles:
During a security incident, you want to already have great relationships with partners that can help, rather than needing to discover them when an incident arises.
A great example of this is Stuxnet, the now-famous 2011 malware specimen which exploited no fewer than four 0-day vulnerabilities. The complexity of the malicious code was enormous, and it was only thanks to a cooperative effort of the response teams at Microsoft, Symantec, and Kaspersky, as well as many other security researchers, that all vulnerabilities could be quickly identified and addressed.
Security incidents often require a tremendous amount of specialization. Malicious code such as Duqu, considered to be the successor of Stuxnet, was first observed in Sudan, which is on the UN LDC (Least Developed Countries) list. Some countries have fewer resources to staff computer security incident response teams, so not all countries and companies will have the same capability to deal with highly complex incidents. When we know our weaknesses, we can partner with other incident response teams and researchers to make sure we fill the gaps.
As security engineers, we need to evaluate new standards, get involved when we think they need change, and (when they make sense from a security perspective) promote their adoption vigorously. Many of today’s problems, such as DDoS amplification attacks, could have been mitigated if standards from many years ago were more widely adopted today. However, to be successful, all standards need to reach a “tipping point,” where they start seeing sufficient adoption to matter. By being informed, contributing and driving deployment, we can help them get there.
Any vulnerability disclosed, through whatever means, is an opportunity for us to protect internet users. While there are definitely preferred methods, we should realize that the concern needs to be with the vulnerability as opposed to the method of disclosure, and that is where we need to focus our efforts.
Conferences such as HITCon offer fantastic opportunities for software and services vendors to connect with researchers and learn about the great work they’re doing. They think beyond the current state of the art in security to find new categories of vulnerabilities and weaknesses, and this is something we should cherish and promote.
At Fastly, we are working hard to build one of the best security teams in the industry and uphold the internet’s promise. If you’re interested in helping secure the edge at scale, look at our openings for infrastructure security engineers, application security engineers, and security researchers.