Security at the Speed of Thought

Gary C. Kessler
October 2000

An edited version of this paper with the same title originally appeared in the November 2000 issue of Information Security Magazine ( Copyright (c) 2000. All rights reserved.

"I bought a humidifier and a dehumidifier. I put them in the same room; let them fight it out." Steven Wright

The history of computers is a series of leaps that allowed us to solve problems that before couldn't be solved in a reasonable time frame — like when the answer might be relevant. The 1880 U.S. Census is a prime example. Compilation of the data was completed in 1886 and officials estimated that compilation of the 1890 Census would be completed in 1902, two years after the 1900 Census would have started. Enter Herman Hollerith, punch cards, and tabulating equipment, with which the 1890 Census was completed in 1892.

There are other examples. The development of the modern electronic computer during World War II was driven, in part, to develop ballistics tables for the military so that they could hit targets before the targets moved and to break cryptographic keys while the key was still being used. Supercomputer development in the 1960s and 1970s was fueled, in part, by a desire to calculate tomorrow's weather before next week.

But Internet time isn't measured in years or days or sometimes even hours. Today it is minutes or less. And it is way too fast for humans to understand some of the events going on around them, much less react and formulate a defense.

We used to come up with security defenses that could hold off the bad guys for at least long enough for us to mount a defense. Bruce Schneier has made the well-known analogy about bank safes that are rated based on how long a safe cracker would need to crack the safe with or without tools. The safe wasn't built to withstand an attack forever, just long enough for the police to arrive — assuming that the alarm went off.

DES leaps to mind. DES — and all crypto schemes — are susceptible to brute force attacks when cryptanalysis fails to break the mathematics. But 56-bit DES was "good enough" for many years because keys were changed frequently enough. But the EFF has shown that for a million dollars or so we can build hardware that can brute force a DES key is about a day. 3DES with a 168-bit key, however, will be safe for many years to come — until the next leap in hardware or cryptanalysis!

The advances in computing that have provided us with PDAs and watches more powerful than ENIAC are both the curse and bane of our security existence — computers today are both wicked fast and cheap. And that leaves us with a very large, complex problem. Today, everybody with a laptop or a desktop — and soon a PDA or a cell phone! — is a system manager. Everybody is a security manager. Everybody is a potential victim. And due to all of this intertwingling, one user's vulnerable system weakens other users. Networks may be comprised of "crash independent" computers (i.e., if one fails, the others don't), but not security-independent ones.

War dialers, DoS/DDoS scripts, viruses, worms, address scanners and other automated attack tools have made victims of us all in one way or another at one time or another. In the past, the criminal hacker had to target you before an attack. Today, just being jacked in to the network is enough. It doesn't require a knowledgeable hacker to go after you anymore; automated tools help criminal hackers find any target to exploit and attack. Viruses spread worldwide in hours. Tools to make viruses and launch DoS attacks are posted faster than the defenses.

And the defenses. Well, since the attacks move so fast and are automated, we need automated defenses. IDS have to detect anomalies in real-time and respond — even to intrusions that have never been seen before. Anti-virus mechanisms have to respond to new, unknown threats in real-time.

So the bad guy's tools are attacking my tools. Humans just push the button; the attack can go on by itself and people can barely keep up in managing the defense.

In the early 1970s when I was an undergraduate, I said in conversation that "computers were programming other computers." Then I realized that I had no idea what that statement meant, so I took a programming course. This was before "Colossus, the Forbin Project." Before "War Games." Before HAL.

But today that's the way it looks. Self-learning firewalls. Anti-virus software and IDS with heuristics and artificial intelligence. The software is learning faster than we are. And not only can't we prove any of the defensive software to be correct, we do know that all software — like all security — has flaws. All of the defensive software will have false positives and false negatives; too many of the former and we'll shut the software off while too many of the latter and the software is worthless. An attacker knows it's an attack but the defender doesn't so some attacks will slip through. And as in any war, the attackers don't require as much perfection as the defenders do.

These thought should not be interpreted as my throwing up my hands in defeat. Indeed, in the medium- and long-term, there are a variety of ways to make things better. But in the short-term...

Security may well be a process — and it is one that is flying by literally at lightning speed. Both sides launch our software and we let them fight it out.