The Cone of Destruction

Tuesday, April 12, 2011

Carter Schoenberg


For many of you, the term “Cone of Destruction” will not be readily identifiable as it is a term used in law enforcement where a fatal risk exists at the point where an entry team is the most vulnerable when breaching a site through a doorway.

With the evolution of firepower by consumers, law enforcement officers (LEOs) must break though the cone as quickly as possible or be sitting ducks.

If you have a point of entry that can only enable a single adult to enter one at a time, you must get past this point rapidly or be stacked up and made an easy target. Make sense?

So “why” or “how” is this relevant for cyber security?

As I look back on the many white papers and blogs ranging from a lack of qualified candidates, to mobile security, to cloud, to compliance, it hit me – we have created a “cone of destruction”.

Lets first look at qualified candidates and what does that really mean? Now that I work as an Information Systems Security Manager and have experience and insight from private and public sectors, I recall a prediction or rather a forecast that was made back around mid-2001.

Since the dot com bust, Universities were reporting significant decreases in applications for computer science. The mindset being, “why pay for a degree if there are no jobs?” The forecast also predicted an event that would rival 1998 where people with specialized IT skills could name there own price. What was not calculated into that forecast - outsourcing.

An overwhelming number of key positions that are cybersecurity centric are filled by foreign nationals because of their expertise and willingness to take a compensation package that is a fraction of what may be desired by Americans.

The US Government is facing great challenges right now as not only are cybersecurity skills in high demand but also, you must be able to qualify for a security clearance. Now you have ruled out the skilled foreign nationals.

What generally happens is a pool of candidates may be sought from US Air Force OSI or NCIS by the US Government but why should a candidate take a role paying a GS scale pay grade vs. a lucrative career with say; General Dynamics, Raytheon, or MITRE?

This is not to say it’s the large scale integrators fault but simply an observation that has merit. The government has responded by making the pay more attractive and competitive with the private sector.

However, the candidate must still undergo an Office of Personnel Management (OPM) process that is notorious for being lengthy and in some instances - overly burdensome. In all fairness, these issues over the past two years have been mitigated... slightly.  

Between the US Government and Critical Infrastructures (CI), a huge deficit in qualified talent exists right now. This deficit will begin to grow exponentially as cloud, mobile security and other technological evolutions develop.

One way to mitigate this risk is to continue to drive relationships between Universities, CI and the US Government. Programs are already developed by DHS and NSA for scholarships but service is generally rendered back to the military.

If a program can be established where a pool of candidates can be vetted by the Government, while in school, and then utilize these same candidates in not just government programs but CI as well, you at least are starting to develop a “lifecycle” of qualified candidates that can have first hand knowledge of today’s threats, understand how they present a risk based on discussions from secured communications with the government, and then best work with other graduating students in conjunction with private/public sector CISO’s, for a fraction of the cost a more senior employee with specialized experience would command.

If the new hires leave in five years for more pay, it should not matter as there would then be a revolving door of qualified candidates in the 22-25 year old range that have no student loans to repay and are still idealistic enough to embrace patronage for the US versus simply just compensation.

The next obstacles that help build the cone - mobile security and cloud. This is a result of the first issue – candidates and evolving technology that is “perceived” to be able to drastically reduce costs. Don’t get me wrong, academically speaking, it should lower the cost of ownership considerably.

As we continue to try to recover from the economic tailspin from 2009, I recently watched a very interesting commentary on a foreign news service. The topic was mechanization in the US. Evolved from the principles developed by Henry Ford, mechanization was designed to dramatically increase output while lowering the cost of production. Sounds kind of similar to cloud and mobile computing, right?

The problem for the US became the warm body. Why do we need people when you have robotics? Robotics does not stimulate financial growth for growth domestic product. Now that data centers are being reduced in numbers to reduce cost and to enable higher baselines on security and virtualization has become the cornerstone for reducing large infrastructure deployment, we have yet to calculate the end costs for incident response, disaster recovery, etc.

It may seem trivial or those factors will work themselves out but also recall that many organizations also outsourced call centers to India and Malaysia because an American may earn $10 an hour and they may earn $6.50 an hour.

Only problem, stats indicated an average call (American to American) is less than half the time (American to foreign national) because of language challenges. (i.e. the outsourcing actually cost more) Dell Computers had a hard lesson in this capacity.

There are increasing concerns about privacy and security for the cloud and mobile devices which will be enabled for cloud end-user integration. Please note this is not a FUD piece but to the topic of qualified candidates for InfoSEC, then take into consideration how many people you know, right now, that can adequately provide information security capabilities and review proposals and other business documents to effectively provide guidance to senior management on potential gotchas for Cloud and mobile computing?

Having exposure to both sides of the deal table I can tell you first hand, it’s not as many as you think. Even technology evolution comes back to qualified personnel that have tangible knowledge and experience that add “VALUE” and not simply, “Hey I can run IPS” or “I know forensics”. It’s just not enough anymore.

Do I think these “super students” will be positioned with all available knowledge and expertise, as things are now –no. If we did, would we have thousands to draw from? No. But these factors do not negate a business justified need that is echoes by national security concerns for the US and an ability to formulate options is critical. Options that can be exercised and repeatable.

Final obstacle, compliance. I have seen comments from a number of subject matter experts, whose opinion I trust emphatically, that we need to focus on security more than compliance. I think we can all agree to this but the question is how do you get around compliance so you can focus more on security? It’s a very tough question that is almost chicken vs. egg debate.

It might help if we explore the nature of compliance? Why does it exist in the first place? Because organizations continuously demonstrated either a lack of capability or lack of interest in applying best practices. Compliance to me is similar to the warning on a hair dryer “Do not use in a shower or tub”. To quote Seinfeld, “Really? Seriously? As stupid as this sounds, those tags/stickers will never ever be removed.

When we think about the catalyst for compliance (i.e. mandating a best practice) we must look at how compliance has evolved. So compliance is loosely defined as adhering to a rule or control that is specified and/or mandated. I heard a commentary from a New York Deputy Mayor that said it perfectly.

Let’s make five rules. If five rules are good, 100 rules are better. If 100 rules are better, then 1000 rules is great. As I started to laugh at the insanity of the argument, this same Deputy Mayor then followed up with a great scenario:

“You have a problem?"

“Well I have a rule that says you can’t do that”.

This is something I am sure most of us have contended with. Or perhaps the following:

“You don’t have PKI so you will fail X,Y, Z controls.”

“We do not have that kind of budget. So can we include that in our next budget proposal?”

“No. Your budget is being cut because you have not demonstrated being able to comply with X,Y, Z”.

It’s the tragic comedy that borders on making people that really try to do a good job suicidal.

Potentially the most discouraging aspect of compliance measures is the simple fact that had large organizations followed prudent best practices and implemented a pragmatic approach to security and data protection practices; it may have never come to this to begin with.

So think of an entry team for say SWAT getting ready to enter a drug dealer’s house. The first man (point) is compliance, second is Cloud and the third is the unqualified candidate. So picture the announcement “Police!” followed by a door being bashed in.

The point man makes his way in about three feet and then pauses inexplicably as he waits for documentation and proof that everything is proper and in triplicate, bumping into his back is the Cloud that is in limbo because of the compliance, and last through which is stuck in the door jam, the unqualified candidate not understanding why he is stuck in the door as he knows it might be fatal but has no authority to act.

Then all three SWAT team members are being ambushed by all the bad elements in the drug dealer’s home: Organized crime in Estonia/Russia/N. Korea/China, Insider threats, advanced persistent threats, compromised application stores. All unloading their firepower against an organization empowered to make change but made impotent by bureaucracy.

For our future success, the best and the brightest must make a collective effort to not only meet, but to act in a collaborative manner that adds value that can be measured for success in a two, five and ten year milestones.

Unfortunately, Americans maintain a culture of “get it done in two weeks or it has no value”. Odd that not training, not more ammunition (antivirus), not better firearms (IDS/IPS), but changing our culture on security and technology will save us from our own cone of destruction.

About the Author:

Carter Schoenberg has more than 17 years combined law enforcement and information security experience including: working in both public and private sectors ranging from working in Homicide to identifying low-slow attack vectors with the ISS X-Force to developing certification and accreditation best practices for CALEA as well as developed the Business and Market Strategy for Motorola’s Security Services. Currently, Carter Schoenberg is working in the capacity as an ISSO for the US Government and Adjunct Professor instructing undergraduate Terrorism and Cybercrime courses at Kaplan University.

This white paper is the property of Carter Schoenberg and Infosec Island and may not be reproduced without expressed written consent by the author.

Possibly Related Articles:
Information Security
Compliance Cloud Security Government Mobile Devices Cyber Security Infrastructure Information Security
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.