Government Technology

Are Black Hats and White Hats Really Grey Hats?




Image by Pedro Nunes

August 8, 2013 By

I advise security companies that have demonstrated cybersecurity technologies far superior than those generally offered today, So why aren't we using them? The reasons have little to do with technology and a lot to do with people. Hackers sell security exploits daily on the open market while regulatory organizations take two years or more to write security regulations. Recent DEFCON and Black Hat conventions in Las Vegas clearly demonstrated that offense is far out in front of defense. So are we really trying to secure cyber? The answer is "yes and no" and there are good reasons for both. Let’s take a look at the two hats we wear while trying to find the balance.

Those Pesky Humans
There are a lot of serious mathematicians and scientists in cybersecurity. They develop rather complex systematic approaches to security solutions that do not like intermittent variables. You know -- people. Everything looks great until people enter into the digital process logic, then it all changes. 

Securing machine-to machine actions are relatively simple. You have a software logic map that does what it is supposed to do (although we don’t often audit them in security) and the machine action responds to the given audited logic commands. These process actions are often relatively simple and repetitious so they can be secured to assure that no changes have been made in the information system process.

The problem occurs when we start adding layers of software logic with access to hundreds of machines, thousands of devices and then add the human variable into the mix. Now it gets messy and the best mathematical algorithm in the world won’t fix this one. This is when you need a good process detection technology that can watch and audit both human and machine actions. These technologies exist and are what people are getting a little sensitive about lately in personal privacy.

Personal privacy aside, we must understand in critical process applications these same technologies actually need improvement if we are to obtain superior defensive cybersecurity. There is a big difference between personal privacy and information privacy in the workplace, and also which technologies should be used for those purposes.

Old Security Standards Methods Won’t Work
Remember when things were easier? A standards group put a thousand eyes on a problem, leveraged corporate and government money and made things the way everyone agreed they should be. Everyone got something and everyone was happy. But then the hackers showed up and made a mess of things by finding vulnerabilities only days after the security standards were released.  

For the first time since 2005, the U.S. National Institute of Standards and Technology (NIST) has revised federal cybersecurity standards. What took so long? Because writing regulations takes 24–36 months. Meanwhile new technologies hit the marketplace, including a supercomputer that can be purchased for $100. This means that new security regulations are already outdated by the time they are implemented. When you have massive standards and compliance bureaucracies on one side and an independent hacker with no rules or regulations on the other, guess who is going to be able to respond more quickly? The game has changed and so must the methods of approving and deploying cybersecurity technologies. 

Cybersecurity is different than most other technologies. The more people that know about the technology, the more vulnerable you become. Creating a bunch of college courses in cybersecurity offers the potential for lots more hackers. If it comes down to the ethics of being a white hat or black hat, the first priority today is 'where can I get a job and how much are you paying?' Government officials have learned this and are today playing catch-up by even hiring the black hats when needed. 

There is no easy answer to these cybersecurity problems but there is a clear understanding that trying to fix the problems won't be accomplished with standards, compliance and mandates. This process has proven very expensive and has offered little in the way of strong, defensive cybersecurity measures. Just trying to keep up with vulnerabilities has been hard enough and frankly, the exploit offense technologies are currently beating the security prevention and detection defense technologies every which way. The game has changed and we need a way to get game-changing technologies to the forefront of cybersecurity quickly, That won't happen by belaboring bureaucracies that just are not fast enough or smart enough to react to the rapidly changing world of cybersecurity.

Expensive Band-Aid Security
We will continue to have cyberbreaches by continuing to rely on Band-Aids to "fix" vulnerabilities we find in our software. These intentional and unintentional back doors are problematic in both old and new software. Intentional back doors are often put in software for simple maintenance and upgrades. These known vulnerabilities need to be continually monitored if we are to ever achieve any acceptable level of cybersecurity. We also have the secret back doors put there through collaboration by government agencies and the private-sector that have recently received some attention.

The biggest problem is the unintentional backdoors installed by getting product out rapidly without proper security audits or writing bad code. Whether it's intentional or unintentional, it’s all the same to a hacker. It’s a way in and today’s hackers can find these vulnerabilities so quickly with exploit software that security patches are at best just playing catch-up.

To make matters worse, there is an increasing and disturbing trend in finding and correcting security vulnerabilities. A recent article in the New York Times, “Nations Buying as Hackers Sell Flaws in Computer Code”, disclosed an open market on zero-day security flaws offering hundreds of thousands of dollars to hackers. Once discovered, these flaws can be immediately leveraged by hackers and taken advantage of through the sale of the information or threatened use in a cyberattack. The use of the information in zero-day exploits can be leveraged by both hackers and governments at will before anyone else knows the vulnerability exists. This is today's dangerous back-and-forth exploit game. 

Whether intentional or not, these security flaws have added up over the years and are continually being discovered. As the saying goes, "pay me now or pay me later."  We are now paying for years of software vulnerabilities and need to use defensive technologies to counter-attack these exploits as discussed in an earlier article, rather than just continue paying ransom for potential offensive hits.

Privileged Information and Trust
We seem to be having a little problem understanding what privileged information is and what it is not. Privileged information is that which should be protected from disclosure by single individuals, or from sharing metadata between government agencies and thousands of companies. Abuse of this kind can deprive the originator(s) from their rightful compensation of years of work, intellectual property or nation-state security. We do not properly protect privileged information and its rightful ownership. Cybertheft of intellectual property is reaching a trillion dollars in just the U.S., so there must be a change in the way information is stored and secured by both the public and private sectors. These changes may even be seen in a loss of trust and business by some of the largest data center providers in the world.

Still to be seen -- with the recent disclosure of government surveillance programs such as PRISM -- will be how U.S. cloud service hosting centers and the technology companies that support them will be affected. The Cloud Security Alliance revealed some disturbing results in its July 2013 survey. The survey questioned how the recent disclosure of programs such as PRISM impacts attitudes about using public cloud providers as well as any other broadly available Internet services. The results clearly demonstrated a decline in trust of U.S. cloud hosting service from foreign responders. For example, 56 percent were less likely to use U.S. cloud service providers. This concern goes much deeper with major software and hardware suppliers also being questioned and potentially taking a hit. 

One thing for certain, U.S. data centers and the technologies they provide will be under a lot of scrutiny in the future and have a lot of trust to regain and validate. A happy medium may be found in new private cloud services or even a return to private enterprise networks. One thing for certain, the status quo is no longer acceptable and trust must be regained.       

Conclusion
We live in an age where the technology marketplace has trumped security needs for decades and we are now paying the price. We are currently releasing millions of connected products and services with little concern for security while hackers easily find vulnerabilities and readily sell exploit capabilities. Our security approval processes have become a hindrance in releasing timely defensive cybersecurity capabilities that are hacked by the time the standards are released. Those responsible for the use of security technologies and the information these technologies provide require a high level of ethical responsibility and in turn require checks and balances of personal oversight.

Security only works when you are all in and all on the same page. The other choice is all out cyberwar which is a lot more devastating than most people realize. From secret state espionage to abuses in political power, cyberwar could devastate any country.  It would be to everyone’s advantage to find a middle ground and quit pretending we are all perfect. We are not. If you have been in the security business long enough, you probably have to admit your hat isn’t white or black. It’s really kind of grey.

Karisny is the director of ProjectSafety.org, a cybersecurity expert, advisor, consultant, writer and industry speaker focusing on security solutions for mobility, the smart grid and critical infrastructure.
 


| More

Comments

Dennis Meharchand    |    Commented August 9, 2013

I absolutely agree with your statement "The game has changed and we need a way to get game-changing technologies to the forefront of cybersecurity quickly". Its going to be interesting to see where the NIST Cybersecurity Framework lands - the companies that have been selling products that don't work appear to be pushing for "no recommendation or inclusion" of products or technologies. My company has developed innovative technology (software and semiconductors)that work and we will need all the help we can get to move it to the forefront. Dennis Meharchand CEO, Valt.X Technologies

Stu Sjouwerman    |    Commented August 10, 2013

Excellent analysis! Well written overview of the problem, but not easy to solve. And yes a whole new way of getting truly effective products needs to get to the forefront. An example is the Australian government that requires Application Control (whitelisting) software on all computers. Another things that is sorely lacking is training for those pesky humans. My company provides Kevin Mitnick Security Awareness Training which is a critical piece of the defense-in-depth puzzle. Stu Sjouwerman Founder and CEO KnowBe4,LLC

Curt Massey    |    Commented August 10, 2013

STTarx; Hyper-Secure Global Intranet STTarx does not respond to port probes, effectively ignoring DoS perpetrator attacks, fake IP attempts, and all unauthenticated and unapproved network messages. Clients are concealed from the Internet by an orb of imperceptible security. Activity behind the STTarx “invisibility cloak” cannot be observed or ascertained by ANY unauthorized users. Curt Massey, CEO STT

Chris Blask    |    Commented August 10, 2013

Larry nails it with this comment: "This is when you need a good process detection technology that can watch and audit both human and machine actions." More than just instances of detection technology - which we both have already and need more of - we need to connect such deployed technologie to each other more rapidly in more ways. The answers to the challenges associated with the proliferation and interconnection of the rapidly developing systems and technologies we have all been building are not going to be found in slowing down and isolation. Rather, they will be found in the the rapid development, proliferation and interconnection of systems and technologies. Building more-perfect devices and deploying and managing them more perfectly are all admirably lofty goals worth pushing towards. Not trusting any of that to work and instead paying both deep and broad attention to all of it all the time is the pragmatic path that will keep us safe when we are inevitably less than perfect.

Michael Rogaczewski    |    Commented August 12, 2013

The writing is quite straightforward, but it easily draws profound things out. I agree that it is impossible to predict all human actions and artfully include answers to them in every new published software. We really should think about standardizing our current security models much more. Companies that provide security services are too independent and their actions are not helpful at all. They often think about the money in the first place and that is never good. However, in my opinion it is impossible to throw all hackers into the same bag titled "Grey Hats". There are few key differences which forbid that. For example White Hat would never destroy anything on purpose and Black Hats often do. Overall I really like the article, the concept is great and I am impatiently waiting for the next one.

Adriel Desautels    |    Commented August 18, 2013

Rock on man, you hit it right on the head! The game has changed but the people managing technology haven't. Many of them don't care about security, they only care about regulations and avoiding fines. The few that truly care about security are running fast enough to avoid getting eaten by the bear. That's largely because they are running a race where the majority of the athletes get winded by walking. Regulations should do more to hold network owners responsible. If you get hacked, you get fined...but they don't.

Larry Chaif    |    Commented August 21, 2013

Excellent article. I'm a dinosaur from the old mainframe days but I believe there are lessons learned that can be ported to today's software developers. Coding and testing standards and procedures should be updated, implemented and enforced. Many exploits take advantage of the same types of errors occurring repeatedly in software. Sharing non-proprietary information among companies to reduce bugs would benefit everyone. Rigorous regressive tests would help to weed out known exploit paths. If the people wearing hats of any colour can so easily find an exploit then why can't the developers and distributors? Simplistic, probably, but we have to start somewhere.


Add Your Comment

You are solely responsible for the content of your comments. We reserve the right to remove comments that are considered profane, vulgar, obscene, factually inaccurate, off-topic, or considered a personal attack.

In Our Library

White Papers | Exclusives Reports | Webinar Archives | Best Practices and Case Studies
Public Safety 2019
Motorola conducted an industry survey on the latest trends in public safety communications. The results provide an outlook of what technology is in store for your agency in the next five years. Download the results to gain this valuable insight.
Improving Emergency Response with Digital Communications
Saginaw County, Mich., increases interoperability, communication and collaboration with a digital voice and data network, as well as modern computer-aided dispatch.
Reduce Talk Time in Your Support Center by 40%
As the amount of information available to citizens and employees grows each year, so do customer expectations for efficient service. Contextual Knowledge makes information easy to find, dropping resolution times and skyrocketing satisfaction.
View All

Featured Papers