

Security

Blockchain Enters the Cable Industry

Steve Goeringer
Principal Security Architect

May 3, 2018

A version of this article appeared in Broadband Library.

Blockchain is one of today’s most discussed and visible technologies. Some technologists consider blockchain to be the most significant technological innovation since the dawn of the Internet. Many researchers have begun to see blockchain applied to Internet of Things (IoT) security, providing better consumer control and transparency of privacy rights and options, private and public sector voting, and more. And yet, to a significant segment of the population, blockchain remains a mystery. What is it? And how can it apply to the cable industry?

What Is Blockchain?

Finding a definition of blockchain that doesn’t involve a distributed database or a reference to Bitcoin can be difficult. Perhaps a simplistic but concise definition is that a blockchain is an immutable, distributed method of record-keeping for transactions—a ledger that is visible to the participating community.

  • Immutable means that the information that a blockchain contains cannot be changed.
  • Distributed means that the information is replicated among many participants (in Bitcoin terms, nodes).
  • Ledger implies that the blockchain records transactions.
  • Visible to the participating community means that every transaction recorded in the ledger is visible to every participant (user or implementer) of the blockchain.

In short, blockchain is a big deal. Its benefits are enabled through a synergy of cryptography—the application of math to protect data—and network algorithms that allow distributed systems to manage consensus. Combining these concepts, blockchain provides the ability to create a history of transactions that is significantly more expensive to change than it was to create. We’ve never had that ability before. Revisionist historians should be concerned!
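To make the immutability claim concrete, here is a minimal hash-chained ledger in Go, written for this page rather than taken from any cable industry implementation: each block commits to the hash of the one before it, so a silent edit is caught by anyone who re-verifies their copy, and making the edit look consistent means re-hashing every later block. The function names (Append, Verify, Tamper, Rewrite) and the sample transactions are constructed for the example; the distributed-consensus half of a real blockchain is not modelled.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Block is one ledger entry: its position, the transaction it records and
// the hash of the block before it. That back-link is what makes the history
// expensive to rewrite: editing any block changes its hash, which breaks the
// link stored in every later block.
type Block struct {
	Index    int
	Tx       string
	PrevHash string
	Hash     string
}

const genesisLink = "genesis" // constructed sentinel standing in for the block before the first

// hashBlock commits to the block's index, transaction and predecessor hash.
func hashBlock(index int, tx, prevHash string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s", index, tx, prevHash)))
	return hex.EncodeToString(sum[:])
}

// Append records a transaction, linking it to the current tail of the chain.
func Append(chain []Block, tx string) []Block {
	prev := genesisLink
	if len(chain) > 0 {
		prev = chain[len(chain)-1].Hash
	}
	idx := len(chain)
	return append(chain, Block{Index: idx, Tx: tx, PrevHash: prev, Hash: hashBlock(idx, tx, prev)})
}

// Verify is what every participant holding a copy runs: it recomputes each
// hash and checks each back-link, returning the index of the first
// inconsistent block or -1 if the whole history is intact.
func Verify(chain []Block) int {
	prev := genesisLink
	for i, b := range chain {
		if b.Index != i || b.PrevHash != prev || b.Hash != hashBlock(i, b.Tx, b.PrevHash) {
			return i
		}
		prev = b.Hash
	}
	return -1
}

// Tamper edits one recorded transaction in place, the way someone with write
// access to a conventional log would, without touching anything else.
func Tamper(chain []Block, index int, newTx string) []Block {
	out := make([]Block, len(chain))
	copy(out, chain)
	out[index].Tx = newTx
	return out
}

// Rewrite shows the work a forger must do instead: after editing a block,
// every later block has to be re-linked and re-hashed. The count grows with
// the amount of history recorded after the edit, and on a real blockchain
// each re-hash must additionally satisfy consensus and be accepted by the
// other nodes, which is where the real cost lies.
func Rewrite(chain []Block, index int, newTx string) (rewritten []Block, rehashed int) {
	out := make([]Block, len(chain))
	copy(out, chain)
	out[index].Tx = newTx
	for i := index; i < len(out); i++ {
		if i > 0 {
			out[i].PrevHash = out[i-1].Hash
		}
		out[i].Hash = hashBlock(i, out[i].Tx, out[i].PrevHash)
		rehashed++
	}
	return out, rehashed
}

func main() {
	var chain []Block
	// Constructed operator/customer transactions for the example.
	for _, tx := range []string{"provision modem cm-01", "tier change cm-01 -> 1G", "credit cm-01 $10"} {
		chain = Append(chain, tx)
	}
	fmt.Println("intact ledger, first bad block:", Verify(chain)) // -1
	tampered := Tamper(chain, 1, "tier change cm-01 -> 10G")
	fmt.Println("after silent edit, first bad block:", Verify(tampered)) // 1
	forged, n := Rewrite(chain, 1, "tier change cm-01 -> 10G")
	fmt.Printf("forging the same edit needed %d re-hashes (first bad block: %d)\n", n, Verify(forged)) // 2, -1
}
```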

Blockchain and Cable—Hype vs. Reality

To appreciate how blockchains can be applied to cable, we have to get past the hype. According to the hype:

  • Blockchains are the best technology to solve every trust and security problem in existence. That’s simply not true.
  • Blockchains are the secret to disintermediation, which allows the elimination of middlemen and the need for people to know who they’re dealing with. That’s certainly controversial, and it may be somewhat true. But how many people believe getting rid of the middleman works out well?

The reality is that blockchains allow us to create histories of transactions (which we used to call logs) with unprecedented integrity. Although that may seem somewhat boring, it is transformational. Transactions recorded on a blockchain become statements of fact. There are many use cases where this concept could build new types of relationships between operators and customers, between operators, and between regulators and the regulated. Information flows can now be synchronized with high fidelity. Transparency in business operations can be provided where legal and helpful.

2018—The Year of the Blockchain

Cable operators are developing capabilities now, but it’s too early to share successes and lessons learned. This year, 2018, is the year that cable starts to integrate blockchain solutions, but it will be quiet and subtle.

Should cable operators work together to create their own blockchains? Perhaps. Ensuring control of the software that enables a blockchain to work across multiple partners will be essential to the success of blockchain projects. Governance of the code base and the processes to develop consensus is at the heart of implementing blockchains. Although blockchain use cases are often subtle, they can also be business-critical once they’re mature.

Interested in learning more? Subscribe to our blog to stay current on blockchain and the cable industry. 



Education

Diversity and Excellence – Investing in the Future with Colorado State University

Steve Goeringer
Principal Security Architect

Oct 30, 2017

Recently, I attended the Industry Advisory Board for the Computer Science Department at Colorado State University (CSU) and the Advisory Board for CSU’s participation in a National Science Foundation partnership on cybersecurity. As I prepared for these sessions, it gave me a chance to reflect on just how useful working with universities is to our industry.

CableLabs works closely with many of the best universities across the United States – from NYU to Georgia Tech to Carnegie Mellon University. With CableLabs headquarters located in Louisville, CO, we have particularly close relationships with regional institutions, including Colorado University and Colorado State University (CSU). Below, I talk about why working with higher education is so valuable and what it takes to create a great, productive relationship with a university.

How and Why CableLabs Works with Universities

A great deal of focus at CableLabs is on innovation. Working with universities can help us come up with ideas and solutions that the cable industry may never realize or consider. How? The answers: Diversity and leverage.

  • Bringing together people that have different life experiences and perspectives ensures we go beyond the obvious and come up with creative, effective ways to solve hard problems. Universities have hugely diverse faculty and student bodies working on interesting problems. As we expose professors and students to the opportunities and challenges the cable industry is addressing, we inevitably get innovative ideas that radically diverge from the way cable industry professionals think.
  • Each of the universities we engage is supported by a wide range of commercial entities and government institutions. This provides multiple opportunities to achieve leverage. We gain access to research funded by multiple organizations and develop the potential to achieve collaboration and synergy on challenges shared across industries.

In the process, we convey our own perspectives and experiences, exposing great minds to our industry and increasing awareness of real-world problems. The synergy that results helps identify and foster new ideas that would rarely have developed any other way. Additionally, we help to create and maintain a talent pipeline of well-developed professionals at entry and mid-level positions who can fuel broadband innovation for decades to come.

The security technologies team at CableLabs has worked closely with lead professors at CSU to realize these goals. We’ve developed close, continuous relationships with lead professors, who have, in turn, helped us foster great relationships with their researchers and students. By working closely together to understand problems and emerging technologies, CableLabs can very precisely target funds to help CSU develop resources and capabilities of unique value to the cable industry. Close collaboration ensures relevance and maximizes the chance of research success.

And the story gets even better. Universities work with a wide range of government institutions, other universities, research laboratories and other businesses. A security idea relevant to broadband usually has manifestations applicable to healthcare, manufacturing, transportation or other industry sectors. Consequently, CableLabs achieves great leverage: a little time and money can yield benefits that would cost millions if pursued in isolation.

What Results Have We Achieved?

We funded CSU to join the National Science Foundation Industry/University Cooperative Research Center for Configuration Analytics and Automation (NSF I/UCRC CCAA – the government does like acronyms). The lead professor for CSU at CCAA is Dr. Indrakshi Ray. This program provides numerous benefits:

  • Gives us access to and influence in three major research universities
  • Leverages funding from many industry partners and the NSF. The security research of interest to cable includes IoT, Network Function Virtualization (NFV) and active network defenses (including deception technologies, which make it more expensive for hackers to attack networks)

We’ve contributed to two great projects, including funding infrastructure, ideas for implementation, and helping the lead professor, Dr. Christos Papadopoulos:

  • BGPMon: helps large network operators detect security problems on the Internet; some CableLabs members are now working with CSU on the project
  • Netbrane: uses big data analytics and some artificial intelligence strategies to detect and mitigate malware. Dr. Christos presented Netbrane last week to an audience at the SCTE ISBE Expo in Denver.

We’re also helping CSU create a lab for IoT security research. We’ve donated IoT devices and collaborated on IoT security considerations. Over the summer, we had an intern, Maalvika Bachani, who worked with Brian Scriber on IoT security to support our work with the Open Connectivity Foundation.

We’ve been collaborating with Dr. Indrajit Ray on trust systems. Dr. Ray is working on how we might extend the excellent public key infrastructure-based trust system used in DOCSIS further into the home and to better secure other verticals such as home automation, remote patient monitoring, managed security services and more.

What It Takes

Achieving this level of collaboration requires a focus on a long-term relationship that is about much more than money. It requires institutional support at the university and close collaborative relationships between researchers at both CableLabs and the university. This allows sustained support of projects that transcends individual personalities and provides the basis for co-authoring great papers that can influence our industry. Finally, it provides an opportunity for co-innovation with a technology transfer path that can get new ideas out into the market. All the while, it captures the imagination of students and builds a talent pipeline that will continue to fuel innovation in the cable industry for decades to come.

You can find out more information about our university outreach in our blog post and video "Furthering CableLabs' Innovation Mission through University Research."

Security

ETSI Security Week: Securing Networks Requires a Global Perspective

Steve Goeringer
Principal Security Architect

Jun 22, 2017

Cyber attacks are on the rise and a threat to critical infrastructure around the globe. CableLabs, along with other service providers and vendors, is collaborating through the European Telecommunications Standards Institute (ETSI) to ensure that best practices against these attacks are deployed consistently.

Take a look at any cyber attack and consider where the attacks come from and who their victims are. You’ll find that almost all attacks are international in scope, with both attackers and victims found across a transnational field devoid of boundaries. Securing our networks and services requires a global response, and our evolving practices and strategies must have an international perspective. CableLabs does this by participating in multiple international organizations working hard to evolve our cyber security defenses. Last week, ETSI hosted a series of focused workshops on network security at ETSI Security Week. CableLabs helped plan this event, and we contributed our insights in presentations and panels.

This annual event is attended by nearly 300 industry professionals and opens a dialogue to develop a common understanding in the industry of best practices. Workshops included public policy impacts on security practices, Machine to Machine/Internet of Things security challenges, securing Network Function Virtualization (NFV) architectures, and, no event is complete without some discussion of 5G. (For more information on 5G see Tetsuya Nakamura’s blog post here.) I presented our experiences in implementing NFV proof-of-concepts and Brian Scriber participated in a panel discussing operator perspectives. Materials shared at the event are available after registration on the ETSI portal here.

As shared here last fall, NFV not only introduces new security challenges but also presents opportunities to improve the security of future networks relative to legacy infrastructure. A well-implemented NFV infrastructure enables:

  • More consistent security processes and controls
  • Easier and more rapid security upgrades and patching as threats evolve
  • Improved support for pervasive encryption
  • More cost-effective security and performance monitoring

With the correct implementation, NFV enhances security operations by enabling pervasive monitoring and more agile and flexible responses as cyber threats evolve.

NFV coupled with Software Defined Networking (SDN) enables the creation of an open and distributed architecture which enables operators to create “network factories”. Network factories are fully automated network architectures that are entire supply chains for exciting new services. We need to secure the network infrastructure, as well as secure the software supply chain from code creation to delivery as running code on the platform. This requires a different orientation from today’s operations. Fortunately, NIST has provided a framework for approaching the cyber security aspects of supply chains and it applies well to open and distributed architectures.

ETSI is a leader in providing foundational standards for NFV and is the single most influential body on NFV security best practices today. The ETSI NFV Architectural Framework sets the stage for what most other standards bodies and open source code projects are attempting to achieve. ETSI’s NFV reference architecture does not currently adequately identify all the supply chain cyber security aspects. Consequently, we haven’t yet defined a comprehensive approach to establishing security associations between all of the components (which may be hardware or software).

Every connection in the network should be considered as a security association. Certain security functions must be implemented for each security association. Each security association should be:

  • Based on strong identity: This means there needs to be a persistent private key associated with a unique identifier and attested (signed) by a certificate or equivalent
  • Authenticated: Using some form of cryptographic challenge
  • Authorized: For both network and process access control and based on a network-wide policy
  • Isolated: From other sub-networks and workloads on virtualized servers
  • Confidential: Including encryption
  • Attested: The infrastructure and communications links are proven to be untampered

ETSI Security Week

Providing a basis for strong identity is proving to be challenging. CableLabs has used PKI-based certificates for strong identity on DOCSIS networks for 17 years now, with over 500M certificates issued. Yet achieving consensus to replicate this success amongst the evolving solutions in NFV, IoT, and medical devices is taking time.

Security identity requires three components:

  1. The first element is a secret, which is usually a private key to support authentication and encryption.
  2. The second element is a unique identifier within the ecosystem. DOCSIS network security uses the MAC address for this purpose, but that is not applicable to all other domains.
  3. Thirdly, the identity must be attestable. This means creating a certificate or profile that is signed, which binds the certificate to the secret.

The path to success in implementing globally effective cyber security is to document best practices through specification or standardization, with supporting code bases that actually implement those practices. CableLabs is proud to be a major contributor to ETSI’s NFV project. We lead both the ETSI NFV Operator Council and the Security Working Group, and we are collaborating with other industry leaders to address these gaps. Further, we work closely with open source code groups such as OpenStack, OSM, OpenDaylight, OPNFV, and we watch emerging initiatives such as FD.io and ONAP. Through our SNAPS™ initiative, we are reinforcing standards work with practical experience. If these initiatives mature, we will adapt the practices to cable-specific solutions.

--

CableLabs is hosting the next ETSI NFV plenary meeting in Denver, CO from September 11-15, 2017. Participation is open upon signing the ETSI NFV participant agreement. Leave a comment below if you’d like to connect with the CableLabs team. We’d love to meet you there!

Security

How The Dark Web Affects Security Readiness in the Cable Industry

Steve Goeringer
Principal Security Architect

Mar 16, 2017

The darknet, dark web, deep web, dark internet – exciting catch-phrases often referred to by analysts and reporters. But what are they? What is the dark web?

The dark web is a network of networks that overlays the Internet. One of the most common dark web networks is The Onion Routing Network, or Tor. Used properly, Tor provides anonymity and privacy to users. Anonymity is achieved when users’ identity is never revealed to others and their traffic cannot be traced back to their actual access accounts and associated Internet addresses. Privacy is achieved when users’ communications cannot be read by anybody other than the intended recipients. Anonymity and privacy are closely related but distinct ideas – privacy can be achieved without anonymity and vice versa.

CableLabs recently hosted a panel about the dark web at its Winter Conference.  The panel brought in subject matter experts from across the industry including Andrew Lewman of OWL Cybersecurity. Andrew was previously the Executive Director for Tor from 2009 to 2015. The panel investigated the technology and social impacts of the dark web, and particularly highlighted why cable operators care about this technology area.  The dark web is used by adversaries to sell and exchange malware and information used to attack networks, and also account information about employees and customers of companies. Cable operators monitor the dark web to see what is being sold and get indications and warnings of threats against them. This information is used to improve and augment the layers of security used to protect networks and customers.

The evening after the panel, Phil McKinney had the opportunity to talk with Andrew Lewman about the dark web – we are pleased to share that video.

How Does the Dark Web Work?

Tor provides an interesting case study. As stated above, Tor stands for “The Onion Routing.” The name comes from the way the Onion Router protocol wraps packets of information in layers of security that must be successively peeled to reveal the underlying information. The method is, of course, a bit more convoluted in reality. Routes are defined by a proxy, which makes an “onion” using layers of cryptography to encode packets. The packets from the initiator are forward packets. As a forward packet moves through the network of Onion Routers, layers of the onion are successively removed. Each layer can only be removed by the router holding the correct private key for that layer. To those who are router savvy, what is really happening is that the proxy creates a circuit using tunnels of tunnels until the endpoint is reached. If an intermediary device attempts to decrypt a layer of the onion with an incorrect key, all the interior layers of the “onion” will be garbled.
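The layering described above, as an added Go example (not Tor's code): the proxy wraps a forward packet once per hop with that hop's key, each router peels exactly one layer, and a hop using the wrong key leaves everything beneath it garbled. The per-hop symmetric keys stand in for the keys a router derives in Tor's circuit handshake with its private key; the circuit, keys, IV and payload are all constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Hop is one onion router in the circuit together with the symmetric key the
// proxy shares with it. In Tor each hop's key comes out of a handshake that
// only the holder of that router's private key can complete; here the keys
// are simply constructed at random for the example.
type Hop struct {
	Name string
	Key  []byte // 16 bytes, AES-128
}

// layer applies AES-CTR under one hop's key. CTR is its own inverse, so the
// same call both adds a layer (at the proxy) and peels it (at the router).
// Tor's relay cells are protected with AES-CTR in the same way.
func layer(key, iv, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// BuildOnion is the proxy's job: it wraps the payload once per hop, starting
// with the exit's layer on the inside, so that the first router on the path
// peels the outermost layer and the exit peels the last one.
func BuildOnion(payload []byte, circuit []Hop, iv []byte) []byte {
	onion := payload
	for i := len(circuit) - 1; i >= 0; i-- {
		onion = layer(circuit[i].Key, iv, onion)
	}
	return onion
}

// Peel is one router's job: remove exactly the layer that was added with its
// own key and forward the rest, which it cannot read.
func Peel(hop Hop, onion, iv []byte) []byte {
	return layer(hop.Key, iv, onion)
}

// Forward pushes a forward packet through the hops in path order and returns
// what the last hop ends up with. If any hop uses a key other than the one
// the proxy wrapped with, everything it hands on is garbled.
func Forward(onion []byte, path []Hop, iv []byte) []byte {
	cell := onion
	for _, h := range path {
		cell = Peel(h, cell, iv)
	}
	return cell
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func main() {
	// Constructed three-hop circuit and a constructed per-circuit IV.
	circuit := []Hop{{"guard", randomBytes(16)}, {"middle", randomBytes(16)}, {"exit", randomBytes(16)}}
	iv := randomBytes(aes.BlockSize)
	payload := []byte("GET /status HTTP/1.1") // constructed forward packet

	onion := BuildOnion(payload, circuit, iv)
	fmt.Printf("on the wire to guard: %x\n", onion)
	fmt.Printf("exit recovers payload: %v\n", bytes.Equal(Forward(onion, circuit, iv), payload))

	// A router that does not hold the right key garbles every layer beneath it.
	impostor := Hop{"middle", randomBytes(16)}
	garbled := Forward(onion, []Hop{circuit[0], impostor, circuit[2]}, iv)
	fmt.Printf("with a wrong key at the middle hop: %q\n", garbled)
}
```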

Tor is, however, just one example technology. What other means do people use to achieve private and anonymous communications? The chat channels provided on popular console games are reportedly used by terrorists and criminals. An alternative technology solution that overlays the Internet is I2P. And there are many others.

Beyond the Dark Web

In addition to being aware of the dark web, CableLabs leads other security initiatives related to device security and protecting the cable network. CableLabs participates in the Open Connectivity Foundation (OCF), which is spearheading network security and interoperability standards for IoT devices. CableLabs has a board position at OCF and chairs the OCF Security Working Group. By ensuring that every IoT device that joins the cable network is secure, risks to both the network and the privacy of subscribers are taken into consideration.

CableLabs recognizes the important contribution the cable industry will make to the larger ecosystem of IoT device manufacturers, security providers and system integrators. We are producing a two-day Inform[ED] Conference to bring together cable industry technologists with these stakeholders. April 12 will focus on IoT Security and April 13 will cover Connected Healthcare. Please join us in New York City; we look forward to having you in this important conversation.

Inform[ED] IoT Security
Event Details

Wednesday, April 12, 2017
8:00am to 6:00pm

InterContinental Times Square New York
300 W 44th St.
New York, NY 10036


Consumer

Insights from the 50th Consumer Electronics Show #CES2017

Steve Goeringer
Principal Security Architect

Jan 11, 2017

This year’s CES was another record-breaking event and was well attended by cable industry representatives. The event staff reports that over 177,000 people attended to view nearly 2.5 million square feet of exhibit space. Over the next several weeks, analysts and pundits will contemplate the trends and shifts that are ongoing in the industry. In the meantime, here are some thoughts on a few key areas.

Everything is being connected in dozens of ways. Connected everything is going to drive huge bandwidth consumption while also presenting interesting challenges. Wireless connectivity options abound, from traditional WiFi and Bluetooth to a plethora of ecosystem-scale consortia options such as ZigBee, Z-Wave, Thread, and ULE Alliance. Cellular-based connectivity is expanding, with companies using lightweight modems to easily connect new products such as health device hubs and pet monitors to cloud services. With so many options, however, providing a consistent and securable home and business environment will remain challenging — no one hub will seamlessly connect all the devices and services that are out there, and no one security appliance will keep consumer networks safe.

There is a huge focus on health and wellness, with several hundred companies exhibiting in the Health & Wellness and Fitness & Technology Marketplaces. These focus areas were well exhibited by the large manufacturers such as Samsung, Sony, Intel, and Qualcomm as well. In discussions with product managers, however, it’s clear that we might not have learned too many lessons about the need to secure medical and fitness devices and services. Many vendors continue to integrate minimal security, relying on unsecured Bluetooth connectivity to a hub that often does not leverage any form of strong identity for authentication. Fortunately, the Open Connectivity Foundation will continue to provide a path for addressing this shortfall, and membership in the Foundation significantly increased this week. Moreover, several vendors are leveraging IoTivity which will provide clean paths to secure implementations for connected environments.

Smart, highly connected homes were also a major theme, again with hundreds of vendors showing completely integrated solutions, hubs, and thousands of end devices. Connected lightbulbs remained a continuous and omnipresent idea, as were security systems. However, it’s clear there is not any winning market strategy here yet. With dozens of vendors offering complete solutions and even more offering different controllers, it seems the market is fragmented! On the other hand, Brian Markwalter of CTA advises they expect to see 63% CAGR for the smart home market in 2017. It seems this is a great opportunity for service providers to pave the way to some convergence and integration simplification for home owners.

It’s hard to go to CES and not leave very optimistic about the future. There is so much good stuff coming that is going to impact all of us, from better screens to more agile and secure health care devices to safer cars to anything else you can imagine. And there are so many ways to add value to mundane items just by connecting them to a network. Given Metcalfe’s law (“the value of a telecommunications network is proportional to the square of the number of connected users of the system”), the value of the cable network appears headed much higher with the growth of so many connected devices. And it’s clear that we’re going to need all the bandwidth to the home that DOCSIS can bring! Our challenge is ensuring easy and flexible use through good strategies and standards for interoperability and security.

As a member of the Open Connectivity Foundation, CableLabs is guiding the interests of the cable industry with major manufacturers whose devices will connect to the cable network. Additionally, Kyrio provides OCF certification testing services, making it possible for companies to securely connect IoT ecosystems in an interoperable manner.

Security

Improving Infrastructure Security Through NFV and SDN

Steve Goeringer
Principal Security Architect

Nov 4, 2016

October was Cybersecurity Awareness Month in the US. We certainly were aware. In September, IoT cameras were hacked and used to create the largest denial of service attacks to date, well over 600Gbps. On October 21, the same devices were used in a modified attack against Dyn authoritative DNS services resulting in disruption of around 1200 websites. Consumer impacts were widely felt, as popular services such as Twitter and Reddit became unstable.

Open distributed architectures can be used to improve the security of network operators’ rapidly evolving networks, reducing the impacts of attacks and providing excellent customer experiences. Two key technologies enabling open distributed architectures are Network Function Virtualization (NFV) and Software Defined Networking (SDN). Don Clarke detailed NFV further in his blog post on ETSI NFV activities. Randy Levensalor also reviewed one of CableLabs’ NFV initiatives, SNAPS, earlier this year.

Future networks based on NFV and SDN will enable simpler security processes and controls than we experience today. Networks using these technologies will be easier to upgrade and patch as security threats evolve. Encryption will be supported more easily and other security mechanisms more consistently than legacy technologies. And network monitoring to manage threats will be easier and more cost-effective.

Open distributed architectures provide the opportunity for more consistent implementation of fundamental features, processes and protocols, including easier implementation of new, more secure protocols. This in turn may enable simpler implementation and deployment of security processes and controls. Legacy network infrastructure features and processes are largely characterized by proprietary systems. Even implementing basic access control lists on IP-based interfaces varies widely, not only in the interfaces used to implement the control lists, but in the granularity and specificity of the controls. Some areas have improved, but NFV and SDN can improve further. For example, BGP Flowspec has helped standardize blocking, rate limiting, and traffic redirection on routers. However, it has strict limits today on the number of rules practically supported on routers. NFV and SDN can provide improved scalability and greater functionality. NFV provides an opportunity to readdress this complexity by providing common methods to implement security controls. SDN offers a similar opportunity, providing standardized interfaces to push flow tables to devices and to deploy configuration through model-based configuration (e.g. using YANG and NETCONF).

Standardized features, processes, and protocols naturally lead to simpler and more rapid deployment of security tools and easier patching of applications. NFV enables the application of development and operations (DevOps) best practices to develop, deploy, and test software patches and updates. Physical and virtual routers and network appliances can be similarly programmatically updated using SDN. Such agile and automated reconfiguration of the network will likely make it easier to address security threats. Moreover, security monitors and sensors, firewalls, virtual private network instances, and more can be readily deployed or updated as security threats evolve.

Customer confidentiality can be further enhanced. In the past, encryption was not widely deployed for a wide range of very good economic and technical reasons. The industry has learned a great deal in deploying secure and encrypted infrastructure for DOCSIS® networks and also radio access networks (RANs). New hardware and software capabilities already used widely in data center and cloud solutions can be applied to NFV to enable pervasive encryption within core networks. Consequently, deployment of network infrastructure encryption may now be much more practical. This may dramatically increase the difficulty of conducting unauthorized monitoring, man-in-the-middle attacks and route hijacks.

A key challenge for network operators continues to be detection of malicious attacks against subscribers. Service providers use a variety of non-intrusive monitoring techniques to identify systems that have been infected by malware and are active participants in botnets. They also need to quickly identify large-scale denial of service attacks and try to limit the impacts those attacks have on customers. Unfortunately, such detection has been expensive. NFV promises to distribute monitoring functions more economically and more widely, enabling much more agile responses to threats to customers. In addition, NFV can harness specific virtualization techniques recommended by NIST (such as hypervisor introspection) to ensure active monitoring of applications. Moreover, SDN provides the potential to quickly limit or block malicious traffic flows much closer to the source of attacks.

Finally, NFV offers us the opportunity to leap ahead on security practices in networks. Most of the core network technologies in place today (routing, switching, DNS, etc.) were developed over 20 years ago. The industry providing broadband services knows so much more today than when the initial broadband and enterprise networks were first deployed. NFV and SDN technologies provide an opportunity to largely clean the slate and remove intrinsic vulnerabilities. The Internet was originally conceived as an open environment – access to the Internet was minimally controlled and authentication was never integrated at the protocol level. This has proven to be naïve, and open distributed architecture solutions enabled by NFV and SDN can help to provide a better, more securable infrastructure. Of course, there will continue to be vulnerabilities – and new ones will be discovered that are unique to NFV and SDN solutions.

As Cybersecurity Awareness Month closes and we start a new year focused on improving consumer experiences, CableLabs is pursuing several projects to leverage these technologies to improve the security of broadband services. We are working to define and enable key imperatives required to secure virtualized environments. We are using our expertise to influence key standards initiatives. For example, we participate in the ETSI NFV Industry Specification Group (ETSI NFV), which is the most influential NFV standards organization. In fact, CableLabs chairs the ETSI NFV Security Working Group, which has advanced the security of distributed architectures substantially over the past four years. Finally, we continue to innovate new open and distributed network solutions to create home networks that can adaptively support secure services, new methods of authentication and attestation in virtual infrastructures, and universal provisioning interfaces.

Security

Adversarial Engineering

Steve Goeringer
Principal Security Architect

Jul 13, 2016

Security engineering is one of few technical endeavors in which you deal with an adversary. There are a few other domains such as electronic warfare or fire prevention. Working against an adversary in this way is like playing a twisted game of chess. As the game begins, the security engineer is aware of most of the board and most of the pieces. The attacker discovers the board and pieces as the game is played. Both players invent new rules or change old rules throughout the game without telling the other player. Either player may introduce new squares to the board, new pieces to the game, or remove them. The twisted advantage that the attacker has is that they can use the security engineer’s pieces sometimes.

Security engineering makes for a rough game. The stakes are very high. Revenue loss and brand damage to companies can be huge. Ponemon Institute released a study in June 2016 that indicates the average cost of a data breach is $4 million while the average cost per lost or stolen record is $158. Of course, the actual and incidental damages of each particular breach are unique. The largest security events impact many millions of customers. Information is Beautiful provides a fascinating interactive graphic showing the history of the world’s biggest data breaches since 2004.

All in the mindset

Ultimately, attackers hijack the intended user experience to achieve personal goals — financial gain, extortion, fame, fun, harm. How does the security engineer cope? The security engineer needs to approach work with the mindset of their adversary – the attacker. I like to call this approach adversarial engineering. An adversarial engineer focuses on how to misuse or change a service or product with an eye towards what attackers (various kinds of cyber criminals) may want to do. This way, the adversarial engineer can better integrate mitigations and controls to keep hackers out.

Tools and strategies for adversarial engineering

The adversarial engineer understands and identifies security problems by thinking offensively and creatively about how to get a network or IT resource to provide access to data that shouldn’t be available or provide functionality that isn’t intended. The adversarial engineer employs some great tools and strategies, including:

  • Threat analysis — The adversarial engineer creates models of the architecture used to provide services. Hacking techniques can then be postulated on how malcontents might try to access the network, servers, databases, and other resources used to provide services. Threat vectors are identified so they can be systematically addressed, ensuring each vector is faced with multiple controls and mitigations to prevent hackers from achieving their goals.
  • Misuse cases — Network and IT services are dynamic and fluid, reacting to events and changing state as users interact with resources. Service designers create use cases that define how resources should behave and be used. The adversarial engineer needs to consider these use cases and develop “misuse” cases for each one. Once misuse cases are crafted, multiple controls and mitigations are considered and integrated into the overall solution to foil bad actors from hijacking user experiences and doing unintended activities.
  • Vulnerability scanning — Even well designed services can be vulnerable. The adversarial engineer discovers what they may have missed the same way hackers might — they use a variety of tools to scan network interfaces and computer resources for vulnerabilities. Classic examples of such tools are nmap developed by Gordon Lyon (aka Fyodor Vaskovich), Metasploit developed by HD Moore (now available from Rapid7), and Nessus (from Tenable Network Security). There are dozens of other tools available, sometimes packaged into entire environments such as Kali Linux (offered by Offensive Security). Some very advanced scanners look for completely new kinds of vulnerabilities using code analysis or by performing fuzzing.
  • Penetration testing — Once vulnerabilities are discovered, the engineer needs to go one more step. They need to find how vulnerabilities might be exploited by doing penetration testing. This is where the craft of adversarial engineering can get deeply technical. Hand crafted investigation is often applied. However, many penetration testing tools are packaged in the same environments as mentioned above under vulnerability scanning.
  • Pervasive monitoring — Not all intrusions can be stopped – the Internet, by nature and design, is a fairly open environment. Pervasive monitoring keeps tabs on services and their associated resources, continually watching to ensure that things are being used as expected and performing as designed. This helps to minimize the time intruders are in systems or networks and potentially decrease the damage done by intrusions. Often, hackers will find vulnerabilities that were not discovered by the adversarial engineer and new controls and mitigations will be integrated into the service infrastructure.
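The misuse-case and pervasive-monitoring items above can be made concrete with a small detector. The following is an added Python example, not code from the original post or from CableLabs: it takes one legitimate use case (a user logs in) and watches for two misuse cases derived from it, a burst of failed logins from one source and a successful login from a source that is still inside such a burst. The log lines, the sshd-style line format, the threshold of four failures and the sixty-second window are all constructed assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample log lines (assumption: an sshd-style "Failed/Accepted password"
# format). They are invented for this example and come from no real system.
SAMPLE_LOG = """\
2016-07-13T10:00:01Z sshd[101]: Failed password for admin from 203.0.113.7
2016-07-13T10:00:03Z sshd[101]: Failed password for admin from 203.0.113.7
2016-07-13T10:00:04Z sshd[101]: Failed password for root from 203.0.113.7
2016-07-13T10:00:06Z sshd[101]: Failed password for admin from 203.0.113.7
2016-07-13T10:00:07Z sshd[101]: Failed password for admin from 203.0.113.7
2016-07-13T10:00:09Z sshd[101]: Accepted password for admin from 203.0.113.7
2016-07-13T10:00:15Z sshd[102]: Failed password for alice from 198.51.100.23
2016-07-13T10:05:30Z sshd[102]: Accepted password for alice from 198.51.100.23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

# Hypothetical misuse-case thresholds; tune them to the service being monitored.
FAIL_THRESHOLD = 4
WINDOW = timedelta(seconds=60)


def parse(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the expected format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ts_raw": m["ts"],
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect(log_text: str, threshold: int = FAIL_THRESHOLD,
           window: timedelta = WINDOW) -> List[Tuple[str, str, str]]:
    """Return (alert_type, source_ip, timestamp) for each misuse pattern found.

    "brute_force": at least `threshold` failed logins from one source inside `window`.
    "success_after_failures": a successful login from a source that still has `threshold`
    or more failures inside the window (the account may have been guessed).
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    already_flagged = set()
    alerts: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue  # unparseable line: skip it rather than crash the monitor
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # forget failures that fell out of the sliding window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in already_flagged:
                already_flagged.add(ev["src"])
                alerts.append(("brute_force", ev["src"], ev["ts_raw"]))
        elif len(q) >= threshold:
            alerts.append(("success_after_failures", ev["src"], ev["ts_raw"]))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On the sample above the detector raises two alerts for 203.0.113.7 and none for 198.51.100.23, whose single failure ages out of the window before the successful login. The sliding window is the design choice worth noting: the same counting logic over a cumulative counter would flag any long-lived source eventually, which is exactly the false-positive noise that makes pervasive monitoring expensive.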

Mitigations and controls

What are the mitigations and controls that adversarial engineers consider? There are literally hundreds. The US government identifies over 300 fundamental controls in the NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (“800-53”). There are several families of controls, summarized from 800-53 in the table below. Not all of these are applicable to commercial services, and commercial services often need more than what is applied by the government. A more concise list is maintained by the Center for Internet Security, CIS. These provide a minimum framework for effective cyber defense and are available at the Center for Internet Security website.

Figure 1: NIST 800-53 security control identifiers and family names (table image not reproduced here)

Applications must be considered as well. A good starting point is the Open Web Application Security Project (OWASP), which, similar to CIS, maintains a top 10 list.

The challenge in applying network and application controls is achieving defense in depth. Achieving a robust security strategy requires deploying controls and mitigations in multiple dimensions — in line, at multiple layers, and even in time. The adversarial engineer assumes controls may be compromised, so they will try to contain or at least slow perpetrators so they can be recognized and stopped.

Pervasive monitoring enables an agile operations strategy referred to as “kill-chains”. This is a “special forces”-inspired approach where you design multiple areas in your strategy where adversaries can be monitored, intercepted, and stopped. The idea was initially documented by Lockheed Martin to proactively detect and respond to persistent threats. Today, this is an increasingly applied strategy to provide an agile response to the ever-evolving tactics and strategies of hackers.

It’s not ALL about bad actors

Network equipment fails. Applications do not always behave as designed. Mistakes are made. Sometimes, network attackers will at least partially succeed. Consequently, good networks are actually designed to fail well. The adversarial engineer also considers how resilient the network and security controls must be to achieve design goals. Systems and software will be deployed redundantly, sometimes to extreme levels, so that if something does fail, it doesn’t completely take down services. And, because things do break in the real world, graceful recovery after disruptions and outages must be designed.

What about CableLabs?

CableLabs ensures cable operators have multiple tools to apply adversarial engineering practices. For example,

  • DOCSIS® technology includes three areas of control and mitigation: authentication, encryption, and integrity. And, DOCSIS implementations allow for controls both in the network and also at the home or business.
  • CableLabs is developing new specifications that also provide for secure devices in the home, including access points, home routers, and even IoT devices.
  • CableLabs is developing extremely high speed wireless environments to extend the reach of network operators into communities, cities, and campuses, and security is a core consideration of these emerging technologies.
  • CableLabs is considering new ways to secure applications and hardware in virtualized environments and clouds.

Security engineering is challenging given the adversarial nature of the Internet, and cable technology is meeting that challenge.

Security

The Future of Network Security

Steve Goeringer
Principal Security Architect

May 24, 2016

I recently attended a panel discussion that considered technology evolution over the next thirty years. Of course, predicting such long-term evolution and revolution is daunting. However, it’s interesting that all three panelists chose first to look to the mid 1980s to provide guidance to forecast the mid 2040s.

As a forward-looking security engineer, looking into the past is a frustrating approach. In 1984, William Gibson wrote Neuromancer predicting hackers before we had hackers. In this work of science fiction, people would hack into a network represented in virtual reality and then gain illicit access to information and processors. The book developed a cult following and even today is often a major inspiration of criminal hackers. Four years later, Kevin Mitnick and Robert Morris were both convicted of what today we consider hacking. Kevin Mitnick was a hacker before we had a name for hackers – using social engineering, dumpster diving, phone phreaking, and various technical exploits, Mitnick gained access to the phone network and Digital Equipment Corporation’s computer network. He was eventually convicted of wire fraud. Contemporary with Mitnick, Robert Morris became notorious for development of the first computer worm and disrupted large swathes of what eventually became the Internet. Morris was the first person convicted under the 1986 Computer Fraud and Abuse Act.

Strangely, many of the vulnerabilities used in the 1980s by Mitnick and Morris remain the vehicles for exploits today. This includes social networking, poor passwords, vulnerabilities in operating systems, exposed open interfaces, and more. When considering the evolution of network security over the next thirty years, it becomes easy to be very pessimistic. There have been many advances, and tools and practices have evolved in network security. New solutions are introduced every year. Frequently, these are expensive and not widely applied. Often, new solutions are not cost effective – many even reduce overall costs – but they are not implemented or applied properly. And, often, those that actually get deployed in turn get hacked.


Security Conflicts Development

It’s important to consider why network security is challenging and why it has evolved in such fits and starts. The fundamental strategies to network security have been to limit access to resources and to minimize network connectivity. These are contrary to development of value in networks. Typically, the more people or devices that can access the resource, the greater the value of the resource. The increase in value may be exponential — Metcalfe’s Law asserts that the value of a telecommunications network is proportional to the square of the connected users of the system. Consequently, the more people and devices a network connects, the greater the value of the network. This reality creates a necessary dynamic tension that may never go away.

Why is this tension dynamic and necessary? Value is a neutral measurement — a network that is valuable to its creators and users may also be useful to somebody else. If so, somebody else may try to leverage that value for purposes for which the network was not created. This is what hackers really do -- they take over an asset that has value so they can apply that value to their own purposes. Consequently, network security exists as an exercise in adversarial engineering. Within the enterprise or service provider, this means that as network engineers continually strive to add value and new features to networks, security engineers are always considering how others could subvert that new value and those features, and respond by implementing controls that ultimately limit network functionality.


Technology, Personal Motivation and The Business Case

There are at least three other reasons the security challenge hasn’t really been met the past thirty years: technology, personal motivation, and the business case. I’m sure many people will find it hard to believe, but the fact is that the technology has not been available to secure networks. The problem has been our limited ability to exert strong personal and device identities for network authentication and authorization. Consider, for a moment, just how little your driver’s license has changed over the past thirty years. And consider that even with recent technologies, it’s still possible to get forged drivers’ licenses. It’s not that much different for networks — proving that a person is who you think they are, much less the devices being used are what you expect them to be, has been very elusive. Again, there have been many advances – they just haven’t quite been sufficient.

There have been fairly cumbersome solutions to personal and network device identification. They’ve been expensive and very limiting. Unfortunately, there really hasn’t been much personal motivation to apply these solutions. We really have only recently started to see network applications that mandated strong security. Just a few years ago, it was cheaper to use insurance or business mechanisms to address security lapses, or nothing at all. For example, when your credit card number is stolen, the credit card company doesn’t hold you personally liable.

Given a low personal motivation, it’s been hard for companies to support business cases to improve security. Network security engineers really work on a business approach similar to insurance; you assess risk, apply what you think are reasonable mitigations and accept the risks that can’t be reasonably mitigated. Given the adversarial environment of network security, it should be no surprise that sometimes (maybe often), the network security engineers’ assessments are not quite what we’d wish in hindsight.

Fortunately, there are reasons to believe these problems will be solved, which suggests that the next thirty years will see dramatic improvements in the value of our networks because we will solve some fundamental security challenges. The fundamental technology challenges have been personal identity, software validation, and hardware validation. These are being solved. The payment and medical industries are working on very compelling solutions to prove that a person is whom they claim to be, at least to a reasonable degree. Network operators will hopefully be able to leverage these abilities. We’ve had good solutions for trusted hardware and software systems for some time, but they have been somewhat expensive. The systems and solutions to make highly trusted computer software and hardware environments are becoming available now. And, we are getting new tools. For example, distributed ledger technologies record transactions so that we can measure trust and reputation in new ways. The result of this technology renaissance will be a much more firm basis for trust. However, there needs to be a reason that drives application of the improving technology.

Personal motivation is rising. First, more and more of our financial transactions are done electronically. People care about their money, and that drives strong motivation to do what is necessary to protect it. However, there are new motivators. With the advent of connected cars, homes, and medical devices, the nature of attacks can be much more personal. Targeted attacks at individuals are not new, but with the Internet of Things where everything is connected, the risks are both more direct and more widely applicable.

As a consequence, the business case for strong security is becoming much more compelling. As everything is connected, hacking becomes highly automated. One organization, RouterCheck, even coins the phrase “hack of mass destruction” as: “A computer hacking attack in which a large group of people are targeted based on their use of homogeneous computer networking equipment.” Furthermore, as targeted attacks become more common, negligence will take on a much more personal and measurable character. Between the industrialization of cyber crime and increased liability for people’s well being, the business case for strong network security becomes much more tenable.


Can We See 2040?

So, what does the future look like? Mostly, it looks promising. Both the tools and the motivation to secure networks are becoming increasingly available. In fact, when you consider the growth rate of broadband in terms of customers and bandwidth against the growth of cyber crime, it seems that network operators have been gaining ground for a few years. Strong network authentication and authorization will capitalize on this trend. However, network security will remain challenging. The value of our networks will continue to grow; we will use them in increasingly interesting ways. There will continue to be a drive to subvert the network for nefarious purposes. The dynamic tension between network engineering and network security will continue. Network operators will continue to perform business in an adversarial environment. The need for network security will continue to be driven by human nature.


Consumer

Blockchains and the Cable Industry

Steve Goeringer
Principal Security Architect

Mar 1, 2016

Blockchain is the fundamental technology underlying digital currencies and new transaction processing solutions. Some technologists are generalizing the concept now and using the term distributed ledger technology, or DLT. Blockchain technology uses cipher-chaining to cryptographically link blocks of transactions. The most famous implementation of this approach is Bitcoin. Over the last couple of years new trends and markets have emerged outside of the crypto-currency space. There are now several hundred start-up companies, open source projects, and collaborative industry efforts, each focused on different applications of this technology to a wide range of industries.

The cable industry’s interest in these technologies and solutions is increasing. This interest is being encouraged by highly public events across multiple industries, including:

  • R3 CEV is a group working on applying blockchain technology to the banking industry. Streamlining transaction processing between banks promises up to $20B in annual savings. R3 CEV recently completed a blockchain connectivity experiment linking 11 banks.
  • Nasdaq has packaged distributed ledger technology into an offering they are developing called Nasdaq Linq. Linq will be used to complete and record private securities transactions. Chain, a firm providing a development platform for working with blockchains, recently executed the first trades on Linq.
  • Microsoft is supporting blockchain solutions using Azure. Starting in early November 2015, several blockchain projects began using Azure. This includes R3 CEV based on an Ethereum model. More recent partners include MultiChain, Emercoin, Eris, CoinPrism, and BitPay. Azure’s support to date is optimized for development and testing which allows partners to focus on their solutions rather than virtualization support.
  • The Linux Foundation has started a new project called Hyperledger. This effort is well supported by companies and organizations across multiple industries seeking to advance blockchain solutions beyond common current implementations through a “cross-industry open standard for distributed ledgers.” Robert Mcmillan of the Wall Street Journal reports that IBM will be contributing code to the Hyperledger project soon.

These mainstream activities show that blockchain is rapidly evolving beyond Bitcoin.

Applicability to cable industry

The core concepts of blockchain are simple. Using cryptographic techniques, blockchains allow the creation of distributed transaction ledgers. In computer science terms, the ledger is an ordered linked-list that is cryptographically linked to previous entries on the ledger. Consequently, the ledger is secure in that it is extremely difficult to change or remove a transaction that has been added to the blockchain. Moreover, the older the transaction, the more difficult it is to change the transaction.
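The linked-list picture above, and the claim that older transactions are harder to change, can be seen directly in a toy ledger. The following is an added Python example and is not code from the original post, from CableLabs, or from any real blockchain implementation: each block carries the SHA-256 hash of its predecessor, so editing one block breaks every link after it, and a deliberately weak proof-of-work target (the assumption that a valid hash must start with "00") gives a rough measure of how much work re-linking the tail of the chain costs. The transaction strings, the target and the JSON block layout are all constructed for the example.

```python
import hashlib
import json
from typing import List, Tuple

GENESIS_PREV_HASH = "0" * 64
# Toy proof-of-work target (assumption for this example): the block hash must start
# with "00". Real networks use a far harder target; the principle is the same.
DIFFICULTY_PREFIX = "00"


def block_hash(index: int, prev_hash: str, transactions: List[str], nonce: int) -> str:
    """Hash of a block's contents; prev_hash is what links this block to the one before it."""
    payload = json.dumps([index, prev_hash, transactions, nonce], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def mine(index: int, prev_hash: str, transactions: List[str]) -> Tuple[dict, int]:
    """Search for a nonce that meets the target; return (block, number_of_hashes_tried)."""
    nonce = 0
    while True:
        h = block_hash(index, prev_hash, transactions, nonce)
        if h.startswith(DIFFICULTY_PREFIX):
            block = {"index": index, "prev_hash": prev_hash,
                     "transactions": list(transactions), "nonce": nonce, "hash": h}
            return block, nonce + 1
        nonce += 1


def build_chain(batches: List[List[str]]) -> List[dict]:
    """Mine one block per batch of transactions, each linked to the previous block's hash."""
    chain: List[dict] = []
    prev_hash = GENESIS_PREV_HASH
    for index, txs in enumerate(batches):
        block, _ = mine(index, prev_hash, txs)
        chain.append(block)
        prev_hash = block["hash"]
    return chain


def validate(chain: List[dict]) -> Tuple[bool, int]:
    """Walk the chain; return (True, -1) if every link holds, else (False, index of first bad block)."""
    prev_hash = GENESIS_PREV_HASH
    for block in chain:
        recomputed = block_hash(block["index"], block["prev_hash"],
                                block["transactions"], block["nonce"])
        if (block["prev_hash"] != prev_hash
                or recomputed != block["hash"]
                or not recomputed.startswith(DIFFICULTY_PREFIX)):
            return False, block["index"]
        prev_hash = block["hash"]
    return True, -1


def tamper(chain: List[dict], index: int, new_transactions: List[str]) -> List[dict]:
    """Copy the chain with one block's transactions edited, i.e. a revised history."""
    forged = [dict(b, transactions=list(b["transactions"])) for b in chain]
    forged[index]["transactions"] = list(new_transactions)
    return forged


def rewrite_cost(chain: List[dict], index: int, new_transactions: List[str]) -> Tuple[int, int]:
    """Work needed before an edited block `index` would pass validation again.

    Every later block embeds its predecessor's hash, so all of them must be re-mined
    as well. Returns (blocks_remined, hashes_computed).
    """
    hashes = 0
    prev_hash = chain[index]["prev_hash"]
    for i in range(index, len(chain)):
        txs = new_transactions if i == index else chain[i]["transactions"]
        block, tried = mine(i, prev_hash, txs)
        hashes += tried
        prev_hash = block["hash"]
    return len(chain) - index, hashes


if __name__ == "__main__":
    ledger = build_chain([["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"], ["dave->alice:3"]])
    print("valid:", validate(ledger))
    print("after editing block 1:", validate(tamper(ledger, 1, ["bob->mallory:2"])))
    for i in range(len(ledger)):
        print(f"rewriting block {i} means re-mining (blocks, hashes) = {rewrite_cost(ledger, i, ['forged'])}")
```

Running it shows the two properties the paragraph describes: an edit to any block is caught by `validate` at that block, because its stored hash no longer matches its contents, and the number of blocks that must be re-mined to hide the edit grows with the age of the block. What the example deliberately leaves out is the distributed consensus that, in a real network, makes an attacker's re-mined tail compete against every honest participant extending the original chain; on a single machine the cost is only the local hashing shown here.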

CableLabs believes blockchain solutions are widely applicable to the cable industry. Generally, applications fall into three categories:

  • Digital currency and payment systems
  • Transaction processing and records management
  • Augmenting security practices

Blockchains may be transformative in developing new customer experiences, reducing cost of media distribution, and securing the burgeoning device ecosystems our industry enables.

CableLabs activities

CableLabs has been tracking development of distributed ledger solutions closely. We continue to identify and investigate emerging technologies in this area and monitor over $1.3B invested in Bitcoin and blockchain companies (in 2014 and 2015). There are hundreds of new companies, open source projects, and various industry groups developing innovative capabilities that we monitor.

In addition, our security technologies experts are tracking the core technology elements themselves. This is essential to allow evaluation of innovative solutions based on blockchains and also to determine how best to architect and integrate these solutions into our industry.

Finally, we consider blockchain developments and concepts in our innovation efforts. In some cases, blockchain may allow or enable new capabilities and revenue opportunities that otherwise cannot be achieved. In other cases, blockchain complements an existing capability by reducing costs or enabling new features.

Recommendations

Blockchain technology is still emerging and not ready for off-the-shelf implementations, but it’s not too early to start considering how it may strategically benefit cable operators. Product managers should start tracking industry news and discussion groups for ideas on how they may benefit from blockchain solutions. Technology leaders particularly should do the same, but also start understanding how blockchain technology works. This will provide insight on how blockchain technology may improve security, provisioning, and device on-boarding processes.

CableLabs has also prepared presentations to help technologists understand Bitcoin, blockchain technologies, and ongoing industry initiatives. These are available to members upon request.

Steve Goeringer is a Principal Security Architect at CableLabs.
