Government Technology

Is Cybersecurity Officially Broken?




April 2, 2014 By Larry Karisny

NSA disclosures, RSA conference scientist boycotts, university white papers and even cybersecurity supplier contest challenges are validating the weaknesses of our current cybersecurity methodologies.

The old model of "good enough security" is being replaced by a new model of "0 trust security" upon which cybersecurity must be built. Mysterious scientific encryption algorithms combined with the subjective analyses of big data are no longer trusted or even effective in offering true security solutions. And yet we are connecting an explosion of software and devices that enhance or even take over human processes.

We need to deploy cybersecurity technologies that can effectively secure the billions of application process actions, or adversaries will continue to manipulate these application-based technologies that are now the focus of new cyber attacks. The question is how.

Hackers Get It
 
I have watched and privately disclosed successful attacks on wireless intelligent devices including smartphones, automobiles, homes and power-grid infrastructure. In doing so I was able to use what I discovered from hackers, then follow cybersecurity industry trends and methods of stopping these breaches.
 
Inside breaches are increasingly being used to penetrate authentication access to systems. Process applications software was being exploited to achieve breaches. Why go through the trouble of breaking complex mathematical algorithms with a supercomputer when it is much simpler to manipulate the processes and process application software to achieve the same results?  
 
While the cybersecurity mathematicians continue to pitch now-50-year-old technologies that even MIT considers outdated, hackers simply use the system process application actuaries or action messages as points of exploit. There are three things we do not do very well when securing these action messages. We do not authenticate, view or audit these multiple message actions or the collaborative processes that occur in a typical information technology control or business process. Instead, the majority of cybersecurity technologies focus on the protection of the network and data. Thus, they are not even looking in the right place to view or audit these process actions. Hackers know this and that is where they can most easily enter.
 
Securing the Process, Not the Algorithm
 
This new focus on cybersecurity at the action of a business or control system process is becoming a welcome and understandable security methodology to CEOs and COOs around the world. CEOs who understand their organizational processes and actions do not understand how today's cybersecurity products and services work.
 
While mathematicians were making algorithms to scramble and secure data streams, the actual security end point is in actions and collective processes. True security is achieved by authenticating and securing the causal action of the business or system process in real time, not securing data transportation input and output while historically analyzing its causal actions and processes using data analytics.       
 
Today we process multiple software message actions without authenticating or confirming the data-in-motion action. This is like turning the key in a car and just assuming the vehicle control system is doing what it is supposed to be doing. This same lack of system causal confirmation is why scientists have been able to demonstrate how an automobile control system can be hacked. For 0 trust security to actually be achieved, we need methods of monitoring these software process application messages in real time, with a data-in-motion firewall that can view and audit the causal messaging actions of any control system or process at the data input level.
 
There are real-time anomaly-detection messaging technologies that are beginning to be recognized. The problem in both of these solution approaches is the continued use of mathematical algorithms which are outdated, complicated and breachable. IoT devices often do not even have enough memory to store these complex algorithms. We are beginning to understand that causal actions are the real end points of cybersecurity. We now must find new ways of securing them.
 
Control or Lose Control of Digital Intelligence
 
I recognize the benefits of digital intelligence and the many forms it takes in hardware, software, apps and the Internet of Things (IoT).  I like my smartphone and the software apps it runs.  The problem is all these things can be hacked and we are irresponsibly connecting and interconnecting them without concern for security at a pace so fast we are losing control of what these digital devices are actually doing. We are automating without authenticating and actuating without auditing. We just touch an icon and assume the interconnected layers of network, hardware, software, apps and IoT are going to do what we want them to do. Hackers know this and just find the weakest link. 
 
Control systems and processes must have the capabilities to view real-time causal actions at the data-in-motion input level. Whether an authentication breach, network breach, data breach or software application breach, this same methodology must be able to quickly and accurately secure billions of application messaging actions and the interconnected processes they activate. I discussed these methodologies in detail in my last article, "Time for a Cybersecurity Overhaul." Cloud applications and IoT devices today already have a bad security track record that will only get worse if we do not change the way we secure these new technologies that are now at the doorstep of our digital communities.
 
Conclusion  
 
Our digital age has brought us many wonderful technologies and I am not underestimating their importance. But like others in this industry, I am screaming "proceed with caution and find a way to secure this stuff before deploying it." We have interconnected so many of these digital technologies that we have lost control of what the actual business and systems processes are doing. We are increasing the use of these technologies exponentially without proper security procedures in place -- like a manager hiring 10,000 employees and saying "don't worry, I will never check or even have the ability of knowing what you are doing."
 
We do not understand the power of technologies we use every day. Hackers do, and exploit these security technology weaknesses as current cybersecurity suppliers try to improve older technologies that are proving to have outlived their effectiveness. We can't move forward by just putting security patches on what we have, and the industry is at last coming to that conclusion.
 
I would like to offer my own cybersecurity challenge. If you have a better cybersecurity methodology to secure the projected billions of apps and IoT my not-for-profit has already researched, I will promote your security technology to thousands of my cybersecurity contacts and submit an article disclosing your capabilities. This much I know. We need to fix cybersecurity now or our digital age could come to a screeching halt.
 
Larry Karisny is the director of ProjectSafety.org, a cybersecurity expert, advisor, consultant, writer and industry speaker focusing on security solutions for mobility, the smart grid and critical infrastructure.


Comments

Tevan Green    |    Commented April 3, 2014

Great article! Interesting concept. Unfortunately, the decision makers are rarely tech savvy. We are too much of a first to market society and slowing down is not an option. We are moving faster and faster and this would require slowing down. Just my thoughts.

Ari Takanen    |    Commented April 3, 2014

Welcome to the 21st century! Cybersecurity is about quality of components, and collaboration between industries. When in 2003 I discussed SCADA vulnerabilities, response was "who knows about these?" Nothing was fixed until Stuxnet. Countries that have open collaborative security incident handling environment happen to also be the cleanest countries in the Internet. This is not a fight you can win with new security technologies. Those are just new borders and walls around inherently weak and vulnerable systems, basically designed to hide the facts that you are running the wrong choice of platforms and applications. SIEM systems and IDS that give you pie charts and other useless data will never help you to resolve the incidents. You need real actionable data without false positives. Want to know how this is done? Check out Codenomicon.

Judson Hall    |    Commented April 4, 2014

Thanks for your insight, Larry. It seems the worse the situation, the more those in control don't get it. The "they don't know that they don't know" syndrome is alive and well. Couple that with "It's not the problem that's the problem; it's how they deal with the problem that's the problem" mentality. I'm now starting to learn of all the major companies with sensitive data that are still on Windows XP. This is almost approaching scary. Keep the info and analysis coming. Maybe some day someone will Get It. Judson

Larry Karisny    |    Commented April 4, 2014

Tevan. Actually the solution I discussed is based on securing processes and CEOs and COOs understand processes and yes you are correct not the technology behind securing these processes. Ari. I think Codenomicon would do a good job of discovering these processes and Decision Zone could real time authenticate, view, audit and block causal anomalies at the data input level. Sounds like a good partnership. Judson. Good point on ending support for XP. Between ATMs and Power Companies there are a lot of XP users out there.

Don O'Neill    |    Commented May 5, 2014

Clearly the situation is dire. The increasing dependence of industry and government on an immature software and Cyber Security profession whose promise exceeds its delivery has now become a source of risk that teeters at the tipping point. The convergence of software, national security, and global competitiveness interactions and their fragile dependencies are capable of unleashing a destructive synergy of propagating and cascading effects. They don’t play well together, and together they heighten complexity. All this, while both industry and government continue to play the role of free rider as users of software lacking both the ability and will to act while insulated by stove pipes that are deeper and more narrow. Executives and senior managers are disconnected from the realities they face. And sometimes they actually have to face these realities… look at Target and the recent resignation of its multi-decade CEO. However, shifting away from trustworthiness with mathematical foundations in favor of process is a step backwards. More than simply dumbing down the playing field, this approach will only succeed in removing the best players from the field leaving the residue of process practitioners to put a fine edge on process-based risk management approaches and practices.

Marc Ricker    |    Commented May 6, 2014

I suggest you consider a new way of software development. One that is malware and hacker immune. Our best thinking got us to this point. That same thinking won't fix it. www.iqwaresolutions.com

