optimizer

Blog

  • A digital preservationist manifesto

    Think about how you experience the past.

    You read books, look at pictures, visit locations. In all of these cases you are looking at a snapshot of the past. Some remnant, but not the living fullness. We catch glimpses of what it was like to live in an era or be somewhere at it’s prime

    So much of computing today builds on the technology of yesteryear and yet the best way to experience that tech is screenshots and maybe old books. Blogs often have interesting information but whatever environment the author was looking at is not often available to the reader. Depending on how long it has been, it may not be available to the author either.

    Go read a review of iOS 1 from 2007. You can’t experience that today. Even if you managed to find a phone with that version of the software, the networks it interacted with no longer exist.

    The wayback machine has the right idea for websites but is scoped to static content. Virtualization lets us preserve isolated systems but you want more, a window into the past where I can see that solaris thin client desktop. Interact with it, browse the late 90’s web with it. You want to be able to browse a university network in the mid 2000’s with Internet Explorer 6 on Windows XP SP2. You want to be able to walk through the original New York Pennsylvania Station.

    The cost of inference will drop over time. Already we see AI video becoming more and more commodity. The next frontier is fully interactive AI experiences. Google has made great progress on project Genie which allows for interactivity with virtual worlds. You will be able to extend this by generating code/simulating pages that will replicate the experience of using a digital device and or being in a place and time.

    Think beyond current tech, future robots, holograms and things we haven’t thought of will be used to bring the past alive. This means that history will be experienced through inference. This could be you asking chatgpt a question about a historical figure or experiencing an interactive simulation.

    As amazing as this will be, how do you know it is accurate? Who controls the inference? How was the model trained? What are you seeing that was influenced by someone else?

    In the distant past, oral history could be changed with low energy. Find the one or two historians and persuade them something else happened. This even happened organically as oral traditions tend to drift over generations. Initial written language helped, but still it was the victors who got to write the history so you must keep that in perspective. Widespread book publication individualized access to both reading and writing books which meant that the Truth was more likely to be out there. Now we get to the information age where digital versions of history are widely available, however we are beginning to see more and more people experience history through secondary, tertiary and whatever level LLM inference is.

    This means that the ability for bad actors to influence what you know is even easier. How do you know if the information you are reading is from a primary source or even a trusted source? How do you know if it is even the same as it was last year?

    Changing a physical copy of a book at a library – hard

    Changing a transcript of a book on a website — easy

    How can you trust the past?

    The impact and reasoning behind actions in the past are subjective but there were events that happened at specific times and we have capacity to know them. Similar to a penetration test where you initially see just pieces of the network and eventually come to know the entirety of it as you gain more access and collect more data.

    This is an integrity problem in computer security. We have lots of data and want to ensure that it remains unchanged going into the future. This becomes important not just for future historians but for anyone that wants to learn about humanity over time.

    What do we need?

    • A fertile ground for AI agents wielding microtransactions to pay for it.
    • A storage base layer for the actual artifacts – digital reproduction of the object itself or a representative value. The point is that it must be preserved.
    • A storage layer for the models which are trained on the base layer
    • A storage presentation layer for the artifacts of those models.
    • Cryptographic security of all artifacts on all layers that both keeps them from drifting over time and ensures immutability.
    • Decentralized control that means no one entity controls it. This is for humanity, by humanity.

    Why? Learn from the past. Comprehend our history. Know the future.

  • What should you do to be secure?

    There are a variety of activities that you as a cyber defender could do. This leads to a bewildering number of options across price points and against different types of threats. Large organizations often have strict regulatory requirements and/or know that they have to guard against all threats but for smaller organizations it is less clear. There is risk of many things and yet only a handful keep coming back. Security Energy simplifies this process to the essence of knowing how much security you should have for the threats you will face.

    What threats will you face? Cyber threats are driven by ROI and incentives just like other forms of human behavior. If there is no incentive to go after your organization, then the specific treat doesn’t exist for you. The most common incentive is naturally money since it is portable and transferrable for all the historic economic reasons. In the cyber real, the easiest way to monetize a breach is to use your own computers’ encryption ability against you in the form of ransomware. How much could a cyber attacker get from you in such a situation? To answer this, you must step into the shoes of a cyber attacker for a moment.

    Research of disclosed breaches indicates ransoms average 3-4% of the target organization annual revenue and have a “success” rate of 2-10%. Both numbers have high variance depending on source so this is a perfect opportunity to use a Fermi Estimation where swings of 2-3x are acceptable and most errors will cancel out. Femi estimations treat everything in orders of magnitude to emphasize big differences. I..E Whether a ransom is $1000 or $2000 doesn’t really affect much for cyber capabilities, but $10,000 vs $1000 is significant.

    Using the Fermi estimation, a typical individual making $100,000 per year would be subject to a $3000 ransom if attacked. Using a success rate of 3.3%, yields an expected value of $100 for each such person attacked. Since the attacker is motivated financially to get a positive ROI, they must “spend” less than $100 per target.

    (In case it’s not clear, another way to look at a success rate of 3.3% is that an average of 30 people must be targeted in order to get a single $3000 payout. This is an inverted form of a custom acquisition cost if you have a sales background.)

    The threat actor may not spend $100 directly, they may take some time crafting emails, writing malware or configuring infrastructure.  Influence Energy is defined as the logarithm of the total time and/or money spent on an attack against a single target. $100 is also a good order-of-magnitude approximation of 1 hour of time for someone with moderate computer skill so in tabular form Influence Energy looks like this.

    Influence EnergyAttacker HoursAttacker $Ransom $Target Rev $
    011003000100M
    110100030M1MM
    210010M300M10MM
    31000100M3MM100MM
    4100001MM30MM1B
    510000010MM300MM10B

    A level 0 attacker could spend more time and/or money to increase their Influence Energy and thus chance of success but more than 2-3x increase would risk negative ROI against a $100,000 target. A ten-fold increase in capability would bring this attacker to level 1 where they would be able to go against bigger targets. This can continue with 10x increases to level 2, 3, and beyond but each increment has an exponential increase in cost so fewer and fewer threat actors are capable of climbing the ladder. Influence Energy level 5 would be the domain of large organizations, think state sponsored with enormous budgets and personnel going against large, hard, and valuable targets.

    With Influence Energy defined, you have a quantitative band for what kinds of resources an attacker will use against an organization of a given revenue amount. Importantly, this is a finite list! Many people are convinced from security FUD that cyber attackers have endless budgets and time but unless you have something on the order of $100 billion in value to face a theoretical level 6 cyber-attack, your adversary has resources roughly limited by what’s on the chart.

    Now to bring it full circle of how to be secure, you must look at what mitigations are needed for each level of influence energy. Security Energy is a measurement of people, processes, and technology that can mitigate threats at a given level of influence energy. For example, security energy level 3 is the optimized set of defensive techniques that will mitigate all attack techniques at Influence Energy level 3. This means that no matter what capability an IE3 attacker brings, it will be stopped by a defender prepared with security energy 3.

    Security Energy includes time employees put in directly, technology purchased from others, and skill development through education. It can be measured by checking the organization’s security posture and processes against a reference set for their organization worth and the corresponding set of influence energy capabilities.

    Combining security energy levels with target revenue yields an at-a-glance risk profile and suggested spend on cyber defense. This spend is not just on cybersecurity as device lifecycle and proper IT management are also key parts of mitigating threats.

    Security EnergyTarget RevDefense Spend
    0100M$500
    11MM$5000
    210MM$50M
    3100MM$500M
    41B$5MM
    510B$50MM

    Implementing this minimal set of defense techniques still requires effort, but it can still be done in a quantitative, finite method and at the end you will be secure!

    Follow this blog for forthcoming updates on specific actions needed for Security Energy levels 0-2. Get in touch today if you need help understanding where you are and if you can’t wait to find out what you need!

  • Prioritization

    You are staring at a 10,000 row spreadsheet of vulnerability scanner results…that’s 10,000 after filtering for high risk.

    You are tasked with managing vulnerabilities on a large network and have a background in penetration testing. Naturally you assume this network will be subject to a nation-state adversary combing through every corner to extract juicy secrets. They will take advantage of every vulnerability to disrupt operations, steal data and intercept payments.

    You present your findings to your leadership who have…mild concern…but of course kick it back to you to chase down whatever is “most important.” You’ll have to figure out which ones are worth fixing. You might try spending hours chasing them down, incurring cost for the company, and end up preventing zero cyber-attacks if they were the wrong ones. Going after everything clearly won’t work.

    A better approach is to perform threat modeling of vulnerabilities starting with the most likely to be attacked. This makes the obvious starting point anything accessible from the internet. These are the vulnerabilities with the most exposure to attackers; they can access it right now. These servers and websites should get scanned every few weeks to coincide with web site changes.

    For internal systems, you need to look at what is the most likely scenario for them to be hit. Probably in your org it isn’t actually an APT, it is more likely to be Helen in Sales downloading a ransomware installer that looks for systems to spread to. With this threat model in mind, you focus on outdated operating system vulnerabilities that are common targets for malware.

    For any that remain (probably still a big list!), you look for vulnerabilities that would be easier to exploit for a low-sophistication attacker who managed to plug into the network at a remote site. You prioritize simple code execution vulnerabilities which would allow trivial system takeover with only a web browser.

    You do NOT focus on further isolated subnets for things like research or manufacturing. The additional segmentation means there are an even smaller set of threats that would make it to them and they should be assessed through a separate project.

    Vulnerabilities that matter are not random IPTV devices that might allow layer 2 access to another system. Vulnerabilities that matter are forgotten Windows systems that needed to be patched ahead of a “minor” ransomware outbreaks…this is how you will safeguard your company, not by getting to zero scan results!

  • Security Ethos

    I was ready to close out the Webex call and instead the break in silence reshaped my security ethos. “Wait, can you explain that again?”

    It was March 2017 and pre-pandemic remote meetings were audio only. I was used to speaking into the void so I couldn’t read body language or see gaping jaws among the 20-odd IT managers watching my monthly presentation about software patches.

    The March presentation included a demo of a decade-old MS exploit called netapi (MS08-067 IYKYK) which allows a “specially crafted network packet” to execute code as administrator on a Windows Server 2003 system in default configuration. Typing a few commands into my Linux terminal resulted in a Windows command prompt and ability to install malware.

    The Manager on the call was shocked that I had never entered the password for the system and it was irrelevant with the exploit. He was an experienced IT manager responsible for thousands of critical systems making money for the company. He had never been clearly shown the impact of a failure to patch.

    Up until this moment, I had assumed that everyone needed to be a CISSP with gobs of knowledge to be able to accurately measure risk. Clearly everyone could read a security bulletin, infer how severe it was, and articulate what types of threats would use it. The question from that manager, and subsequent follow up showed me the need for more effective communication about security.

    The netapi exploit was long-ago patched and not applicable to newer operating systems but it demonstrated the risk of that type of exploit. One of the security bulletins in March 2017 was for an exploit dubbed ETERNALBLUE (MS17-010) which also affected Windows systems in their default state. I directed the corporate IT managers to expedite patching this on any applicable systems knowing that the network was a target-rich environment. It was only a matter of time for a threat actor to leverage this vulnerability for some kind of worm.

    The company did an accelerated patch of the March 2017 patches. When May rolled around and the news cycles spun up about a ransomware strain called WANNACRY causing damage to organizations like the Nissan and the UK National Health Service. I was confidently able to tell the CISO that we would be unaffected.

    I incorporated more cyber demos in the coming months, always relating them to new patches and vulnerabilities in the news. The internal audience grew and to date no vulnerabilities have caused problems. My drive in security changed from finding the most advanced exploits to understanding why different security threats exist and showing people the best way to prevent them.