Government Technology

Column: Cyber Attacks the Reality, the Reason and the Resolution Part 3




The smart phone may be the go-to personal control device that will multiply security access privileges under a single authentication. Photo from Shutterstock

June 19, 2013 By

We are connecting digital intelligence to our homes, businesses, critical infrastructure and national defense at such staggering rates that we had to come up with methods of collecting "big data." Individuals now have the ability to access terabytes of information, millions of apps and thousands of devices that have the potential of activating critical processes at the touch of a screen. Security has been a continual afterthought even in areas as sensitive as our power grid. Even when security is responsibly deployed, breaches still happen, disclosing the weaknesses of current security solutions. There is no one-size-fits-all in cyber solutions. Instead, the best of the pieces are assembled to achieve the best possible security.  Here are some good pieces of the security puzzle that when put together, offer resolution to the big problems faced today in cyberattacks.

Securing the End Points

Whether you want to secure your private conversations or a corporate database, you must first have a way to authenticate the human or machine initiating action. Sadly, this needs a lot of work. Fortunately, there is a lot of available technology to choose from.

With the password being just about dead, companies are reaching for other ways to effectively authenticate and validate this all-important initial process: access. From biometric human authentication to encrypted nano-sensors offering machine location-based identifiers, we have the technologies to securely authenticate the start of just about anything. With the computing power and popularity of BYOD, the smart phone may be the go-to personal control device that will multiply security access privileges under a single authentication. We are now just beginning to deploy apps and chip sets supporting these authentication capabilities.

When we communicate to a machine, the security beginning and end point is not a port or cable connected to some device. The points are often very complex microchips with coded processes within themselves. These trusted computer chips like BYOD devices can become part of the solution in cybersecurity -- and part of the problem. 

Don Thompson, CEO of MerlinCryption explains the potential threat of microchip foul play in cybersecurity. "Embedding malicious code or 'back doors' into microchips is a growing trend in espionage," says Thompson, "The rogue chip conspiratorially communicates critical intelligence back to its criminal host. It is paramount to procure only tamper-proof USA-made chips to be used in developing the circuit board, then reinforce the device with robust encryption. End-point encryption, coupled with multi-factor authentication thwarts attacks against data.”

Securing Data in Motion

The most common solution of moving secured information over the Internet is through Virtual Private Networks (VPN). A VPN extends a private network across public networks like the Internet by establishing a virtual point-to-point connection through the use of dedicated connections or encryption. These techniques add security to the information flow but are expensive and still have security vulnerabilities. Realizing these costs and the security concerns with VPNs, a team at STTarx developed a method of truly protecting data-at-rest and data-in-motion and also masking transmissions. Their networks are stealthy and impenetrable and messaging is immune to illicit decryption. This technique offers an economic and secure method of passing data through the Internet.

Curt Massey, the CEO of STTarx Shield, explains this unique process. "We never accepted the common wisdom that networks must always be vulnerable or that messaging must rely on increasingly complex and cumbersome encryption algorithms that would eventually be broken. We used a fundamentally different approach to solving both issues. Every pen tester for a period of years has walked away scratching their heads due to complete failure to either penetrate our networks or even capture our traffic. Those to whom we have given sample STTarx traffic have been completely unsuccessful in decrypting it. We enable other solutions to focus on protecting the internal network."

Securing the Process

Today we connect multiple levels of people, applications, software, hardware and networks to our enterprise, control systems and cloud computing. There are so many layers that we are beginning to lose control of what the business process and software logic action is supposed to be doing, even though it is secured and authenticated. This is why recent exploit attacks have been directed without detection toward system process software, not just networks and databases. We need a method of real-time viewing, auditing and even blocking multiple simultaneous process actions. Rajeev Bhargava, CEO of Decision-Zone found this same problem when trying to debug software programs which led him to the unique use of graphical anomaly detection as a new method of intrusion detection security. This is how he explains it.

"The conventional view of security is primarily aimed at securing an organization’s assets, including facilities, goods, IT infrastructure and information silos. However, the characteristics of the threat environment organizations are exposed to are changing. Whereas in the past solitary intruders sought entry into an organization's network and facilities and created minor damage; nowadays these attacks originate from highly organized groups and are aimed at obtaining services or money by disrupting or diverting the victim’s normal business operations. Sometimes this is an authorized and authenticated insider.

"Processes, by nature, consist of a number of tasks performed by different individuals, usually within different departments," said Bhargava, "making them vulnerable to mistakes, misunderstandings, miscommunications and abuse. A business process consists of a set of logically interrelated tasks, intended to generate an output beneficial to the organization. A process aims to create higher-value output from lower-value input, at a cost that is lower than the increase in value of the generated product. These processes have extreme value to a company and often are the reason they have a competitive edge. These process inputs are the same place where security breaches can be identified, audited and potentially blocked. Decision-Zone has built the ultimate process security application for validating/tracking these input actions against the business process logic assuring both process productivity and process security."

Conclusion

Disclosures of cybersecurity breaches are constant. The damage done, money lost and intellectual property stolen is staggering. State-sponsored attacks have been validated, banks robbed, intellectual property stolen, even attacks on your personal privacy. Studies have clearly stated the certainty that you have been breached or we will be breached. The companies that were researched and quoted above have clearly stated their cases, have tested their capabilities and together can offer resolutions to specifically address these security issues.

Knowing the reality and reasons behind cyberattacks, it’s time to stop talking and start offering resolution to these serious problems. In the last few weeks, with no uncertainty, we have recognized the immediate need for cybersecurity solutions from our personal privacy to national defense. There is no "it won’t happen to me" anymore. There is no more sticking our heads in the sand. We must immediately deploy prevention and detection technologies to our critical processes or frankly, we could lose it all.  

Larry Karisny is the director of ProjectSafety.org, a cybersecurity expert, advisor, consultant, writer and industry speaker focusing on security solutions for mobility, the smart grid and municipal critical infrastructure.


| More

Comments

Bob Carver    |    Commented June 19, 2013

Larry, Thanks for sharing. Nice series of articles. A Lot of my sentiments parallel yours. Keep up the great work. Bob

Hamieh    |    Commented June 19, 2013

That's awesome; I am impressed by the way you present these complicated security issues.

Christopher Etadaferua    |    Commented June 22, 2013

Thanks for your articulate approach to the topic Cyber Attacks and Resolution. Why i solemnly agree with you in the listed points; there is not a single solution to those threats. As long as the human factor is involved in development of technologies to try to stop the menace posed by hackers. There is weakness in any intelligence. Having said that there is no once and for all solution. A Continuous Monitoring Automation and Attack Surface harden technological advancement, should not be left to lack behind.

Larry Karisny    |    Commented June 23, 2013

Bob and Hamieh thank you for your support of this column series. Christopher, your point is well taken on the human factor of cyber security and the need of "Continuous Monitoring Automation and Attack Surface". I shared your views of the security weakness in the human factor until I found Decision's Zone anomaly detection technology. This technology is able to view and audit multiple machine and human actions simultaneously at the data input level. This capability can block a hacker because the attack action would be seen as not part of the accepted business process action input, therefore rejected.


Add Your Comment

You are solely responsible for the content of your comments. We reserve the right to remove comments that are considered profane, vulgar, obscene, factually inaccurate, off-topic, or considered a personal attack.

In Our Library

White Papers | Exclusives Reports | Webinar Archives | Best Practices and Case Studies
Maintain Your IT Budget with Consistent Compliance Practices
Between the demands of meeting federal IT compliance mandates, increasing cybersecurity threats, and ever-shrinking budgets, it’s not uncommon for routine maintenance tasks to slip among state and local government IT departments. If it’s been months, or even only days, since you have maintained your systems, your agency may not be prepared for a compliance audit—and that could have severe financial consequences. Regardless of your mission, consistent systems keep your data secure, your age
Best Practice Guide for Cloud and As-A-Service Procurements
While technology service options for government continue to evolve, procurement processes and policies have remained firmly rooted in practices that are no longer effective. This guide, built upon the collaborative work of state and local government and industry executives, outlines and explains the changes needed for more flexible and agile procurement processes.
Fresh Ideas In Online Security for Public Safety Organizations
Lesley Carhart, Senior Information Security Specialist at Motorola Solutions, knows that online and computer security are more challenging than ever. Personal smartphones, removable devices like USB storage drives, and social media have a significant impact on security. In “Fresh Ideas in Online Security for Public Safely Organizations,” Lesley provides recommendations to improve your online security against threats from social networks, removable devices, weak passwords and digital photos.
View All

Featured Papers