Difference between revisions of "Cybersecurity Must Be Free"

From MgmtWiki
Jump to: navigation, search
(Solutions)
(Solutions)
 
Line 20: Line 20:
 
# [https://cveform.mitre.org/ CVE - Common Vulnerabilities and Exposures] The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
 
# [https://cveform.mitre.org/ CVE - Common Vulnerabilities and Exposures] The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
 
# [https://cwe.mitre.org/ Common Weakness Enumeration] a list of software and hardware weaknesses maintained by The MITRE Corporation
 
# [https://cwe.mitre.org/ Common Weakness Enumeration] a list of software and hardware weaknesses maintained by The MITRE Corporation
# [https://www.cisa.gov/known-exploited-vulnerabilities-catalog Known Exploited Vulnerabilities Catalog] from CISA contains a list based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.
+
# [https://www.cisa.gov/known-exploited-vulnerabilities-catalog Known Exploited Vulnerabilities Catalog] from CISA contains a list based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to any enterprise.
 
# [https://attack.mitre.org/ MITRE ATT&CK®] is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.  
 
# [https://attack.mitre.org/ MITRE ATT&CK®] is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.  
  

Latest revision as of 15:39, 31 July 2022

Full Title or Meme

The arts and sciences of Cryptography or secret writing depends on secrecy. Those with a secret to hide want to protect it. Those that can break Cryptography do not want their adversaries to know about that capability.

Context

  • As long as secret writing has existed, adversaries have tried to detect when it is used and then to break the code and read the secret information.
  • During the second World War, the Allies were able to read many of the German and Japanese encrypted messages. It was critical to the continued availability of this that the Allies not let their adversaries know about the capability because that would cause them to further strengthen their encoding methods and so close off the information. This information was not released until 1974.[1]
  • The NSA and the UK had both created public key cryptography techniques but treated them with the same level of protection that was given to the Ultra Secrets of WWII. When the Diffie Hellman paper[2] was published in 1976, they were appalled that such information was public and warned the IEEE that allowing the export of such information was a "exporting technical articles on encryption and cryptology—a technical field, which is covered by Federal Regulations, viz: ITAR (International Traffic in Arms Regulations, 22 CFR 121-128)." And the presenting the information in an international symposium could be prosecuted.[3] The paper was presented. The prosecution did not occur.

Problems

  • The US Government seems to be of two minds on sharing Cybersecurity information with industry:
  1. The DHS hosts the Cybersecurity and Infrastructure Agency (CISA) which has a policy of Information Sharing and Awareness. All of the information is hosted on public data bases maintained by MITRE.
  2. The DoD operating thru the joint command of the NSA and the CSS investigates and hides cyberattacks that it can use for Offensive operations like that against the Iranian Nuclear Bomb initiative.
  • Biden's Executive Order on Cybersecurity is quite clear that it expects industry to share information with the government but makes no statement about the government sharing information with industry.
  • Governments around the world have been terrible about keeping secrets of any Vulnerability they have discovered and any Exploit that they have created.
  1. Joshua Schulte was a C.I.A. hacker creating novel exploits for the CIA and has been found guilty of the largest theft of classified information in the agency’s history.[4]
  2. The hacker group calling itself “Shadow Brokers” has released another round of exploits and tools allegedly used by the NSA-linked threat actor “Equation Group,” along with a message to U.S. President Donald Trump.[5]

Solutions

The following publicly accessible data bases can be accessed by all:

  1. CVE - Common Vulnerabilities and Exposures The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
  2. Common Weakness Enumeration a list of software and hardware weaknesses maintained by The MITRE Corporation
  3. Known Exploited Vulnerabilities Catalog from CISA contains a list based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to any enterprise.
  4. MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

The following notices are provided by the CISA US-CERT program.

References

  1. Frederick William Winterbotham, The Ultra Secret Harper & Row (1974-01-01) ISBN 978-0060146788
  2. Whitfield Diffie, Martin E. Hellman, New Directions in Cryptography. (1976-11). IEEE Transactions on Information Theory. 22 (6): 644–654.
  3. Henry Corrigan-Gibbs (December 2014). "Keeping Secrets". Stanford Magazine – Stanford Alumni Association. (2014-11). https://alumni.stanford.edu/get/page/magazine/article/?article_id=74801
  4. Patrick Radden Keefe, A Juror Explains Why a C.I.A. Hacker Was Convicted New Yorker (2022-07-26) https://www.newyorker.com/news/news-desk/a-juror-explains-why-a-cia-hacker-was-convicted
  5. Eduard Kovacs, Shadow Brokers Release More NSA Exploits Security Week (2017-04-17) https://www.securityweek.com/shadow-brokers-release-more-nsa-exploits