Are you looking for practical cybersecurity advice for what works and what doesn’t? Learn the “dos and don’ts” from the former CISO of CIA in this recent interview with ActiveCyber.
I have been fortunate to interact with some of the leading security practitioners over my career and my latest interview guest, Bob Bigman, is one of those leaders. Bob recently retired from his post as the CISO at CIA, and works as an independent consultant for Fortune 50 companies to security start-ups. I was delighted that Bob accepted my invitation to interview, and Bob characteristically pulls no punches in his responses to my questions. Check out this extensive interview below.
Spotlight On Bob Bigman
» Title: Former CISO of CIA, President of 2BSecure in Bethesda, MD
» Email: 2BSecureinfo@gmail.com
» Website: 2bsecurellc.vpweb.com
» LinkedIn: https://www.linkedin.com/pub/robert-bigman/14/205/734
Read his bio below.
August 17, 2015
Chris Daly, ActiveCyber: Bob, your former agency recently experienced a move to the cloud. How does the movement to cloud-based processing and software-defined environments affect a CISO’s view on enterprise cyber protection?
Bob Bigman: Not significantly. The Agency had been using virtualized apps for many years now and the addition of a commercial platform cloud services offering (AWS) was not a major change. Of course, in addition to virtual hosts and networks, the Agency now had to secure a more significant hypervisor. They mostly used the AWS tools already available in the commercial space.
Daly: With increasing application dependencies across federated, cloud-based, and distributed environments, what do you recommend on how to bring these disparate systems and different actors together to form a cohesive defense?
Bigman: This is a great question and one that I often hear. I think we need to first realize that we cannot (easily) secure someone else’s system/network. I recommend that organizations consider a data security approach to federated application dependencies. With this approach, an organization uses advanced encryption and digital rights management / movement tools to ensure that outside entities cannot obtain unauthorized access to restricted data. If you look at products like Ionic Security, you will see this approach in implementation.
Daly: Malicious software can infect BIOS, firmware, and even become implanted in hard-to-scan areas of the disk drive. What proactive measures do you recommend when combating malicious software?
Bigman: Well, specific to protecting firmware and boot-loaders, really the only measure we currently have is to activate the TPM [Trusted Platform Module] chip to ensure a chain of trust up through the operating system load and attest to the validity of the kernel code base. Once up and running, I recommend using either micro-virtualization (e.g., Bromium) or a kernel protection product like Blue Network’s AppGuard.
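As an added illustration (not part of the interview) of the chain of trust Bigman describes, the following Python simulates the TPM's PCR extend operation used by measured boot: every boot stage is hashed into a Platform Configuration Register, and a verifier attests the platform by comparing the final register value against a known-good value. The component strings and the "golden" value are constructed stand-ins, not values from any real firmware.

```python
import hashlib

# Constructed example: simulate how a measured boot builds a chain of trust in a
# TPM PCR. Each stage measures (hashes) the next component and extends the PCR:
#     PCR_new = SHA-256(PCR_old || SHA-256(component))
# A PCR starts at all zeros after reset and can only ever be extended, never set.
DIGEST_LEN = 32
PCR_RESET = b"\x00" * DIGEST_LEN


def measure(component: bytes) -> bytes:
    """Measurement of one boot component (firmware, boot loader, kernel ...)."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: the only way a PCR changes, so order and content both matter."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(stages) -> bytes:
    """Fold every boot stage, in order, into a single PCR and return its final value."""
    pcr = PCR_RESET
    for component in stages:
        pcr = extend(pcr, measure(component))
    return pcr


def attest(stages, expected_pcr: bytes) -> bool:
    """Verifier side: accept the platform only if the reported PCR equals the golden value."""
    return measured_boot(stages) == expected_pcr


# Constructed stand-ins for the real boot chain (firmware -> boot loader -> kernel).
GOOD_CHAIN = [b"firmware v1.0", b"bootloader v2.3", b"kernel 4.1 signed"]
GOLDEN_PCR = measured_boot(GOOD_CHAIN)  # recorded once from a trusted build

# A modified kernel image yields a different final PCR, so attestation fails even
# though the machine still boots and runs normally from the user's point of view.
TAMPERED_CHAIN = [b"firmware v1.0", b"bootloader v2.3", b"kernel 4.1 implanted"]

if __name__ == "__main__":
    print("golden PCR:", GOLDEN_PCR.hex())
    print("good chain attests:", attest(GOOD_CHAIN, GOLDEN_PCR))
    print("tampered chain attests:", attest(TAMPERED_CHAIN, GOLDEN_PCR))
```

Because extend is a hash chain, swapping the order of two otherwise valid components also changes the final PCR, which is what lets the verifier detect a boot stage that ran out of sequence.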
Daly: Given the increased complexity from regulations, heterogeneous infrastructures, initiatives for cloud migration, advanced threats, volumes of data and the tempo of operations there seems to be a growing disparity in what is manageable versus unmanageable from a cyber risk perspective. What should IT managers and CISOs be prioritizing in their defense plan to bring cyber risk back under control?
Bigman: Fundamentally, IT and security managers need to rethink the architecture and services they provide and move the bar closer to enforcing broader, deeper security. This includes making Internet access only accessible from a logically isolated DMZ, isolating the internal network with segmentation and data firewalls that enforce encryption and separate access control lists not tied to Active Directory or directory services.
Daly: Outdated measures and poor security practices around authentication have often been the Achilles heel of cyber defenses. What new approaches to authentication and cyber hygiene do you see emerging that can assist in reducing this problem?
Bigman: Yep, a significant issue. It is extremely hard to both establish and maintain a highly secure “hardened” network, operating system and application security profile. I have found that the few organizations who do this well have very rigid standard build images and rigorous configuration management governance and change control, especially for Internet-facing subnets/systems. I think there is an opportunity for organizations to achieve this goal in the cloud with the many tools available to securely manage configurations. The product Illumio comes to mind in this space. As for authentication, given the weak level of operating system security, almost all authentication mechanisms are risky. The only one I place (some) trust in is a two-factor access token where a secured PKI certificate is ONLY ever stored on the hardened token.
Daly: DHS is moving forward as part of its Continuous Diagnostics and Mitigation (CDM) program with Attribute-Based Access Control (ABAC). What are your views on the strengths and weaknesses of this approach and what do you see as some of the challenges in implementation?
Bigman: So, I am not a CDM critic but, to date, it lacks a uniform set of principles and, more importantly, detailed specifications on what and how system security should be measured and monitored. I also fear that agencies are diluting their efforts at fundamental system/data protection (which is more important) to meet, yet unspecified, CDM mandates. Attribute-Based Access Control is a luxury (but potentially useful) approach that has not resulted in both standards and actual products.
Daly: In some ways it seems that developers and development practices have left security behind. What changes would you recommend to the development community to bring security into the forefront of development practices and across the life cycle of a system?
Bigman: So, I suspect you are referring to “code” development practices. Code development/management is at the same state as other aspects of system security. Performance, functionality and sexy software trump secure design every time. There are no commonly accepted standards for secure code development/support and open source is as insecure as proprietary software. The only company (I know) to invest in secure coding practices is Microsoft with the SDLC effort. We need a software security coding/support standard similar to the UL standard for ensuring safe electricity supply and use. Currently, software development is a free-for-all collection of whatever delivers customer functionality at the lowest cost with the lowest support overhead. It is an area crying out for real standards.
Daly: The use of cryptography to protect assets seems to be a two-edged sword. On one hand, strong cryptography is an accepted approach for protecting data-at-rest and data-in-transit, among other purposes. However, recent appeals by the FBI call for the curtailment of strong cryptography, especially for smartphones. What is your view on the use of cryptography for enterprise and consumer use?
Bigman: I support both the use of strong encryption to protect sensitive data AND a reasonable regulatory and technically secure mechanism to allow authorized government agencies to have escrow access to encryption keys.
Daly: In this ever-expanding world of software/hardware suppliers and use of open source software, there seems to be no limit on what goes into a platform by vendors. What are your views of the risks related to the ecosystem of today’s supply chain and what is needed to reduce these risks if you believe them to be excessive?
Bigman: So, among the many challenges that IT security staffs have to deal with is an increasing risk from supply chain management. There is increasing awareness that IT product vendors (including some IT security product vendors) are doing everything possible to stay connected to their products once they are connected inside the client’s firewall. Again, this is where regulatory requirements and standards should be developed that limit what and how IT systems can be electronically accessed and supported by vendors.
Daly: What expectations should CISOs have about the effectiveness of big data and data analytics to play in informing cyber decision-making to help detect and even predict attacks?
Bigman: Almost zero. Big data security analytics has been the most over-hyped security capability since white-listing. Does anyone even remember white-listing? If CISOs think that they can find/predict attacks inside their network based on data analytics, they will be frustrated. There are two hacking techniques that defeat the data analytics approach. First, zero-day attacks that exploit Return Oriented Programming use processes ALREADY authorized to run in memory. All the activity looks valid, so there is nothing for the analytics to analyze! Second, sophisticated malware uses connections that are already enabled from the internal network out to the Internet, often inside TLS / SSL pipes. Again, if the activity looks valid, there is nothing malicious for the analytical tools to report. If the connection is encrypted (e.g., via TLS) there is nothing for the analytical tools to even see!
Daly: What cybersecurity challenges do you see emerging from the Internet of Things (IOT) and what proactive measures do you recommend to manage these challenges?
Bigman: Well, it is obvious but more worrisome. The very same insecure TCP/IP networks and operating systems in our enterprise networks are running most IOT devices. It is a gold mine for the mischievous. Look for IOT devices that manage personal health and safety systems to become the next ransomware gold mine. The only reasonable solution here is for new standards (and Government regulations) to be established that require the use of trusted networks and operating systems.
Daly: Deception is sometimes employed as a means to help deter attacks and to gain knowledge about an attacker’s TTPs. It is also used by the attacker to hide malicious payloads and to avoid detection. What level of effectiveness do you believe deception can bring to the defense of an enterprise and how and when should deception be most efficiently used and deployed?
Bigman: Absolutely zero. It is much like the honey-pot industry. Again, understand that due to inherent weaknesses in the security of contemporary TCP/IP networks and operating systems, finding what is real from what is fake is child’s play. Deception might inhibit a “kiddie-script” hacker but will not have any impact on a well-trained/experienced malware programmer. I would rather an organization invest in better security architecture, encryption, segmentation and authentication and not on hide-and-seek schemes.
Thanks Bob for sharing your significant insights across such a broad set of cybersecurity topics. I believe many of ActiveCyber’s readers will benefit from the deep knowledge and practical approaches you provide to create better and more active cyber defenses.
And thanks for checking out ActiveCyber.net! Be on the lookout for more articles, our inaugural newsletter, and more interviews coming shortly. Please give us your feedback on this interview because we’d love to know some topics you’d like to hear about in the area of active cyber defenses. Also, email email@example.com if you’re interested in interviewing or advertising with us at ActiveCyber.
About Bob Bigman
Robert Bigman recently retired from the Central Intelligence Agency (CIA) after serving a distinguished thirty-year career. Recognized as a pioneer in the field of classified information protection, Mr. Bigman developed technical measures and procedures to manage the nation’s most sensitive secrets. As an information security trailblazer, Mr. Bigman participated in developing security measures for Government computers well before commercial industry found the Internet. He then developed creative solutions to allow the CIA to use the Internet to further its mission without exposure.
With twenty-five years of experience, Mr. Bigman worked in every area of information and data security, the last fifteen years as the Agency’s Chief Information Security Officer (CISO). As the Agency CISO, Mr. Bigman managed a large organization of technical and program officers responsible for the protection of all Agency information. As the CISO, his responsibilities included cryptography, information security policy/processes, standards and requirements, testing and network defense/response. Mr. Bigman also served as the Agency’s designated officer for all discussions with the information security industry and its commercial partners. Mr. Bigman has contributed to almost every Intelligence Community information security policy/technical standard and has provided numerous briefings to the National Security Council, Congress and presidential commissions.
In recognition of his expertise and contributions, Mr. Bigman has received numerous CIA and Director of National Intelligence awards. Mr. Bigman is now an independent cyber security consultant and president of 2BSecure in Bethesda, Maryland. He works with Governments and Fortune 50 corporations to help them build productive information security programs and resist sophisticated nation-state and cyber criminal penetration efforts. Mr. Bigman also provides cyber security program and technical training to global Government and private organizations. His training activities include cyber awareness programs for boards of directors, cyber threats/vulnerabilities and secure design requirements briefings for IT system architects/engineers, cyber security policy training for IT security professionals and general cyber security training for all employee levels/types within an organization. Mr. Bigman is also the author of a comprehensive course entitled “Building a High Performance Cyber Security Program.”
Having worked with Bob in years past, I have the highest regard for his expertise in IT security. He is the best.
I also have the highest regard for the late Ed Teller’s and the late Albert Einstein’s technological expertise. But expertise in one field does not guarantee expertise in all other disciplines.
Bob states that “I support both the use of strong encryption to protect sensitive data AND a reasonable regulatory and technically secure mechanism to allow authorized government agencies to have escrow access to encryption keys.”
I, too, support having my cake and eating it too. Except, it cannot be done. In the case of encryption, here is why support for strong encryption is inherently and fundamentally incompatible with allowing authorized government agencies to have escrowed access to encryption keys:
1. Once a back door (or front door) access is made technically possible, then history has shown that undesirables will sooner or later find ways to exploit it and gain unauthorized access to the encrypted material.
2. These “ways” need not be limited to technological exploits but can include the following obvious ones:
a. Once the person who is authorized to read file x is allowed to do so, that same person may just as well read files y and z, which are usually encrypted with the same key, even though he was never authorized to read those other files. That would be illegal, but very hard to prevent, and history is full of examples of such official misconduct. The cases of unauthorized access to taxpayers’ records by disgraced ITS employees that were reported in the press come to mind.
b. Once a person who is authorized to read file x is allowed to do so during a given time period, very little can prevent him from doing so outside that given time period as well, long after the warrant for the original access has expired. That would be illegal but not preventable.
c. Once a person who is authorized to read file x is allowed to do so, no foolproof technological means exist to prevent that person from copying that file (e.g. by taking a photo of the computer monitor that displayed that file) and passing it on to others. Granted, that would be illegal, but not preventable. The name of Aldrich Ames comes to mind.
3. Then there is an administrative problem: assume that the access to encrypted files was rightly granted for counterterrorism purposes. Now, what if, among the files accessed, one file contained an admission by the targeted person that he stole $1 from the neighbor’s mailbox; this would be a federal offense; by US law, the Federal employee who sees this in the files decrypted for counterterrorism purposes has to report this federal “crime” (of stealing a dollar from the neighbor’s mailbox) to the police, even though this had nothing to do with the reason (counterterrorism) that such escrowed access was allowed. So, now, all of a sudden, escrowed access becomes a mechanism for getting full access to an individual’s life. This is called a police state.
4. Some may say, “well, we really only care about matters of national security.” I respectfully submit that current US law, which compels federal employees to report any federal crime they uncover, prevents any federal interceptor from not reporting everything that was uncovered, even if it had nothing whatsoever to do with the purpose of the escrowed encryption access.
5. What if the Vatican had authorized escrowed encryption access, and found the late Mother Teresa’s admission that her faith in God was waning? What if the Pope of years past had used escrowed encryption access to discover that Galileo believed that the earth was not the center of the universe, as church dogma required? What if the Brits had used escrowed encryption to discover that Ben Franklin, George Washington and their cohorts were having impure thoughts about declaring independence from the Brits?
Independently from all of the foregoing, there is an overarching philosophical issue: If I whisper sweet nothings into my girlfriend’s (or whomever else’s) ear, the content of that communication is beyond the reach of any “authorized agency”; if not by law, certainly because of common sense. Now what if I whisper the same nothings over a paper cup with a string over 10 feet away? What if I use a telephone over a distance of a mile for the same sweet nothings? What if I encrypted my whispered words before sending them? Does that somehow permit “authorized government agencies” to listen in? Why?
In summary, I think that supporting the use of strong encryption AND the use of backdoors (whether through escrowed encryption or any other means) is realistically unattainable.