Bad Guys Everywhere
I’m a former gang cop, homicide detective and currently an organized crime detective for one on the largest police departments in the county. I’ve also been an Army officer for twenty years with two tours to Iraq. I don’t like bad guys.
This time last year I didn’t know much about digital security and to be honest, I still don’t. I do know this though: the war for information security is being lost on a global scale which means the bad guys are winning. That pisses me off.
That’s all great, Ranger, but why are you on this “nerd” website talking about InfoSec? Two reasons. One, as I mentioned before, I hate bad guys and two, because my brother is a nerd. My brother is also a former reserve police officer who has worked the same gangs in the same neighborhoods as I have. I know he hates bad guys too.
Translating Cyber to Cop
So after reading about the latest Fortune 500 company to get hacked, and the latest government agency to get hacked, and one of largest medical insurance companies being hacked, one of the largest hospitals in the country being hacked and the latest national retail store being hacked, etc., I called my brother and asked what the problem was. More importantly, what was he was doing about it? Using his “nerd” talk he broke it all down for me and completely lost me in the process. My awkward silence prompted him to try again, but this time he used cop talk.
Long-term memory is absent
I didn’t believe him. I told him that there was no way that the leading tools being used by the good guys in the War on InfoSec did nothing more than produce hundreds and hundreds of alerts and alarms on “suspicious” activity. Even worse each of these alerts, alarms or “crimes” were being dealt with as an isolated event? Again, no way! The law enforcement equivalent would be to ignore crime trends and to treat each and every incident of crime as unique and unrelated; it would be the same as ignoring the environment in which the crimes were occurring; it would be like categorizing all crime as just that, crime. A parking ticket would be no different than a murder; crime is crime. It would be as if every day were a new day and the crime from yesterday had no impact on today; patterns and trends would not exist; simple crimes scenes would become overly complicated and overly resourced. Surely this is not the sad state of affairs within the craft of information security, I asked. He said it was and has been for way too long.
Facts to Patterns
As a detective, my focus is on the facts, just the facts. Facts tend to group into patterns and hence complex criminal cases often use pattern or link analysis charts. A diligent detective must link series and groups of facts in a way that make sense. When done properly, this type of link analysis takes on a predictive nature. If A is true, then B must be true and if C is connected to B then D must be true and therefore the suspect is X. Without this sort of pattern analysis and being able to follow a fact pattern to its probable and natural outcome, few if any cases would be solved, truth never discovered, and criminals never held accountable for their crimes.
If you work in Info Sec, does that sound familiar? Cases never solved? Truth never discovered? Criminals never held accountable? The end result is what we have today; bad guys hack, steal, and disrupt commerce to the tune of billions of dollars a year with little fear of reprisal. To use some Army talk, Cyberspace is a permissive environment in which the enemy retains the initiative to attack at the place and time of their choosing. This is clearly a “fail”. How does our “advanced” global economy and American, arguably a global tech leader, attempt to “police” and “secure” critical infrastructure in a manner on par with the wild, wild west of California, circa 1850?
That’s a fairly strategic view and perhaps a bit obvious. I’ll provide a more tactical example from my law enforcement perspective. As a detective in an inner-city gang infested neighborhood, I have worked my share of drive-by shootings. If I were to work those cases using current Info Sec paradigms, I would fail in the same way most efforts to secure networks and the information within them are failing today. Next installment, we’ll take a look at how a drive-by shooting investigation might look using current Info Sec paradigms.
This is part 1 of a 5 post series. To read the other posts, please see the links below: