August 8, 2013 By Larry Karisny
I advise security companies that have demonstrated cybersecurity technologies far superior to those generally offered today. So why aren't we using them? The reasons have little to do with technology and a lot to do with people. Hackers sell security exploits daily on the open market while regulatory organizations take two years or more to write security regulations. Recent DEFCON and Black Hat conventions in Las Vegas clearly demonstrated that offense is far out in front of defense. So are we really trying to secure cyber? The answer is "yes and no" and there are good reasons for both. Let’s take a look at the two hats we wear while trying to find the balance.
Those Pesky Humans
There are a lot of serious mathematicians and scientists in cybersecurity. They develop rather complex systematic approaches to security solutions that do not like intermittent variables. You know -- people. Everything looks great until people enter into the digital process logic, then it all changes.
Securing machine-to-machine actions is relatively simple. You have a software logic map that does what it is supposed to do (although we don’t often audit them in security) and the machine action responds to the given audited logic commands. These process actions are often relatively simple and repetitious so they can be secured to assure that no changes have been made in the information system process.
The problem occurs when we start adding layers of software logic with access to hundreds of machines, thousands of devices and then add the human variable into the mix. Now it gets messy and the best mathematical algorithm in the world won’t fix this one. This is when you need a good process detection technology that can watch and audit both human and machine actions. These technologies exist and are what people are getting a little sensitive about lately in personal privacy.
Personal privacy aside, we must understand in critical process applications these same technologies actually need improvement if we are to obtain superior defensive cybersecurity. There is a big difference between personal privacy and information privacy in the workplace, and also which technologies should be used for those purposes.
Old Security Standards Methods Won’t Work
Remember when things were easier? A standards group put a thousand eyes on a problem, leveraged corporate and government money and made things the way everyone agreed they should be. Everyone got something and everyone was happy. But then the hackers showed up and made a mess of things by finding vulnerabilities only days after the security standards were released.
For the first time since 2005, the U.S. National Institute of Standards and Technology (NIST) has revised federal cybersecurity standards. What took so long? Because writing regulations takes 24–36 months. Meanwhile new technologies hit the marketplace, including a supercomputer that can be purchased for $100. This means that new security regulations are already outdated by the time they are implemented. When you have massive standards and compliance bureaucracies on one side and an independent hacker with no rules or regulations on the other, guess who is going to be able to respond more quickly? The game has changed and so must the methods of approving and deploying cybersecurity technologies.
Cybersecurity is different from most other technologies. The more people who know about the technology, the more vulnerable you become. Creating a bunch of college courses in cybersecurity offers the potential for lots more hackers. If it comes down to the ethics of being a white hat or black hat, the first priority today is 'where can I get a job and how much are you paying?' Government officials have learned this and are today playing catch-up by even hiring the black hats when needed.
There is no easy answer to these cybersecurity problems but there is a clear understanding that trying to fix the problems won't be accomplished with standards, compliance and mandates. This process has proven very expensive and has offered little in the way of strong, defensive cybersecurity measures. Just trying to keep up with vulnerabilities has been hard enough and frankly, the exploit offense technologies are currently beating the security prevention and detection defense technologies every which way. The game has changed and we need a way to get game-changing technologies to the forefront of cybersecurity quickly. That won't happen by belaboring bureaucracies that just are not fast enough or smart enough to react to the rapidly changing world of cybersecurity.
Expensive Band-Aid Security
We will continue to have cyberbreaches by continuing to rely on Band-Aids to "fix" vulnerabilities we find in our software. These intentional and unintentional back doors are problematic in both old and new software. Intentional back doors are often put in software for simple maintenance and upgrades. These known vulnerabilities need to be continually monitored if we are to ever achieve any acceptable level of cybersecurity. We also have the secret back doors put there through collaboration by government agencies and the private sector that have recently received some attention.
The biggest problem is the unintentional back doors installed by getting product out rapidly without proper security audits or writing bad code. Whether it's intentional or unintentional, it’s all the same to a hacker. It’s a way in and today’s hackers can find these vulnerabilities so quickly with exploit software that security patches are at best just playing catch-up.
To make matters worse, there is an increasing and disturbing trend in finding and correcting security vulnerabilities. A recent article in the New York Times, “Nations Buying as Hackers Sell Flaws in Computer Code”, disclosed an open market on zero-day security flaws offering hundreds of thousands of dollars to hackers. Once discovered, these flaws can be immediately leveraged by hackers and taken advantage of through the sale of the information or threatened use in a cyberattack. The use of the information in zero-day exploits can be leveraged by both hackers and governments at will before anyone else knows the vulnerability exists. This is today's dangerous back-and-forth exploit game.
Whether intentional or not, these security flaws have added up over the years and are continually being discovered. As the saying goes, "pay me now or pay me later." We are now paying for years of software vulnerabilities and need to use defensive technologies to counter-attack these exploits as discussed in an earlier article, rather than just continue paying ransom for potential offensive hits.
Privileged Information and Trust
We seem to be having a little problem understanding what privileged information is and what it is not. Privileged information is that which should be protected from disclosure by single individuals, or from sharing metadata between government agencies and thousands of companies. Abuse of this kind can deprive the originator(s) of their rightful compensation of years of work, intellectual property or nation-state security. We do not properly protect privileged information and its rightful ownership. Cybertheft of intellectual property is reaching a trillion dollars in just the U.S., so there must be a change in the way information is stored and secured by both the public and private sectors. These changes may even be seen in a loss of trust and business by some of the largest data center providers in the world.
Still to be seen -- with the recent disclosure of government surveillance programs such as PRISM -- will be how U.S. cloud service hosting centers and the technology companies that support them will be affected. The Cloud Security Alliance revealed some disturbing results in its July 2013 survey. The survey questioned how the recent disclosure of programs such as PRISM impacts attitudes about using public cloud providers as well as any other broadly available Internet services. The results clearly demonstrated a decline in trust of U.S. cloud hosting services from foreign respondents. For example, 56 percent were less likely to use U.S. cloud service providers. This concern goes much deeper with major software and hardware suppliers also being questioned and potentially taking a hit.
One thing is for certain: U.S. data centers and the technologies they provide will be under a lot of scrutiny in the future and have a lot of trust to regain and validate. A happy medium may be found in new private cloud services or even a return to private enterprise networks. The status quo is no longer acceptable and trust must be regained.
We live in an age where the technology marketplace has trumped security needs for decades and we are now paying the price. We are currently releasing millions of connected products and services with little concern for security while hackers easily find vulnerabilities and readily sell exploit capabilities. Our security approval processes have become a hindrance in releasing timely defensive cybersecurity capabilities that are hacked by the time the standards are released. Those responsible for the use of security technologies and the information these technologies provide require a high level of ethical responsibility and in turn require checks and balances of personal oversight.
Security only works when you are all in and all on the same page. The other choice is all-out cyberwar, which is a lot more devastating than most people realize. From secret state espionage to abuses in political power, cyberwar could devastate any country. It would be to everyone’s advantage to find a middle ground and quit pretending we are all perfect. We are not. If you have been in the security business long enough, you probably have to admit your hat isn’t white or black. It’s really kind of grey.
Karisny is the director of ProjectSafety.org, a cybersecurity expert, advisor, consultant, writer and industry speaker focusing on security solutions for mobility, the smart grid and critical infrastructure.