Conquering cybercrime starts with a paradigm shift in security thinking
Everything that is the problem today in the realm of security, especially “cybersecurity”, comes from thinking that is rooted in the Dark Ages.
There is so much wrong with the way we think about security and the approach we take to handle it today, but I have come to the conclusion that it can all be traced back to one fundamental mistake: we use the wrong model when thinking about security, especially computer and network security.
We try to protect our digital assets the same way a fortress or castle would protect its valuables by way of a thick impenetrable wall or a moat – a security method that is thousands of years old.
The fortress model of security suggests to us that what we are trying to defend is separated from the rest of the world and that along its boundary we have built a protective wall. Within such a wall there is a zone of safety for us – like that of the inner courtyards of a castle protected by the large, seemingly impenetrable outer walls.
It’s reasonably easy to see how this model could be applied to security mechanisms. My account on a multi-user system is set apart from everyone else’s and is protected with a password. My Local Area Network (LAN) is separated from the internet at my router and contained within my firewall and so forth. One could understand why the fortress method would be a favourable approach for defence; however, this is 2018 and not 1018.
The Consequential Results
A number of problems arise from thinking of security in terms of boundaries and barriers, especially as the area within the boundaries becomes larger and more complex with cloud computing and the amount of data produced and consumed on a daily basis – not to mention the human part in it. The methods of attack have changed completely since the early days of viruses. We need to prepare for attack from the inside out. Attacks come in any shape or form at any given time from sources that we trust – making the big firewall obsolete.
It would be like protecting your guests at a party with bulletproof vests, disguised security guards and safe rooms all over the property instead of relying on a secure outside perimeter wall and a single access-controlled entry gate. With the threat already inside, the perimeter means nothing.
Security becomes integrated
Programming a computer is straightforward: keep hammering away at the problem until the computer does what it’s supposed to do. Large application software and operating systems are a lot more complicated, but the methodology is basically the same.
Developing reliable software is much harder, because the software needs to work even in the face of random human errors and mistakes. Significant research has gone into reliable software design, and there are many mission-critical software applications that are designed to withstand human mistakes.
Developing secure software is another matter entirely. Security involves making sure things work, not in the presence of random faults, but in the face of an intelligent and malicious adversary trying to ensure that things fail in the worst possible way at the worst possible time . . . again and again.
Security engineering is different from any other kind of software development.
Fortress thinking allows us to think of digital security as independent, and not as an essential part of every working part of the system, including the human mistakes and behaviour.
Today, as networked computers appear everywhere, there is no longer a place for unsecured software. One of the largest cyber attacks ever, which affected Twitter, the Guardian, Netflix, Reddit, CNN, Wired and many others, was launched using a botnet of compromised security cameras and DVRs.
We must break the escalation cycle that locks cyber intruders and their targets in a state where targets are permanently resigned to attacks and intruders are at liberty to exploit and disrupt networks without much risk of suffering consequences. We must act offensively by directly addressing the “elephant in the room”:
malicious threats are the norm, not the exception.
This places us at an advantage because it immediately provides a new context of looking at the pervasive problem.
We need to plan our defences as if the threat is already within the safety of the fortress walls, in areas that we find trust and comfort.
If we perceive threats as the norm, as they are in a city or an ecology, then it becomes far less acceptable to ignore security, to try to handle it later.
“Security engineering needs to go from being different from every other kind of software development – to being an element of every part of software development.”
Security is reactive, not proactive
One of the biggest failures in the way security is currently treated is that so much of it is reactive, and while it’s not the only cause, the Fortress mindset contributes to the problem in a number of ways. Taking a reactive stance puts the defender at a disadvantage. The attacker need only succeed once, while the defender must succeed every time. Business owners are proactive when it comes to the physical protection of their business by means of alarms, locks, security cameras, etc., but reactive in their digital security, where attacks hurt them the most – a phenomenon I just cannot wrap my head around.
The hard reality here is that businesses are at much higher risk of digital or cyber attacks than any form of physical attacks, so surely digital security should take primary focus.
Threats are hidden in the shadows
If success or failure is viewed in terms of whether the wall maintained its integrity, then all of our attention is focused on building and maintaining the wall. It would be far better, on the other hand, to take a more holistic approach, to familiarise ourselves with all of the known problems both beyond and within the wall. What are we doing here “inside” that may be making an attack more likely to succeed or more harmful if it does?
How do we manage our digital files and those of our clients?
How do we handle billing?
What types of attachments am I sending via email that could cause damage should they be found in the wrong hands?
What can we do to the infrastructure of our local networks and our computers to keep any intruders from being able to do major harm?
What have we been doing wrong that gives them an advantage?
Complete safety is assumed to be possible
The thinking goes, “If only the wall is tall enough, thick enough, impenetrable enough, then we would be completely safe”.
Any single breach, any one attack is seen to be a defeat, an unacceptable loss. Every flaw, every weakness becomes existential, and must be addressed, and in the end, that is an impossible task.
If, instead, we realise that there will always be problems, then the task becomes identifying the severity, probability and cost of remedying or mitigating each. We, thus, turn to risk analysis and trade-offs. In addition to focusing on how to prevent all breaches, we can develop a plan for minimising them as well as plans for how to deal with the inevitable failures.
We get caught up in arms races
We apply the wrong tools, and when they don’t work we build a bigger hammer. Since the problem is still there, the other side just looks for its own bigger hammer or a different angle. This is a futile effort, one based upon false assumptions and wrong thinking.
“Security that can be installed is not true security.”
True cybersecurity is a combination of a skill and the application thereof in our day-to-day environment, and while there are tools and weapons that can be used in aid of the skill, … they are not, themselves, important.
If we take a systems view, rely on threat analysis and awareness, teach ourselves, our users, and customers the skills of threat avoidance, then we can escape the cycles of a cyber arms race.
Cybersecurity for the new generation
So, what are the lessons to take away from this?
First, that the comforting notion of an impenetrable barrier as the basis of security is no more sensible in the realm of cyber security than it is for the modern city or state, nor for a living body.
There are far too many “ports” in any given “wall”, and the “interior” is far too complex, with too many actors, for that to be a viable strategy. Further, simple models of untrusted enemies and innocent denizens don’t cover the reality. Threats from inside, both witting and especially unwitting, are a source of a large portion of the risk.
The design of the infrastructure “inside the wall” is important. Businesses should compartmentalise, separating servers, networks, computers and accounts that are outward facing and most vulnerable from systems, services and accounts dedicated to internal use, and containing key assets.
It is inevitable that any enterprise will be breached. The only question is what assets will be vulnerable when that happens. Defence in depth, with layers of protection, is important.
Enterprises, small businesses and families at home need to realise that insiders are one of the biggest risks. Social engineering, “phishing attacks”, attractive apps with trojan horses, and careless talk all put the integrity of our systems at risk. Sharing passwords, opening attachments, downloading software that comes unsolicited and the like are threats that generally outweigh the “barbarians at the gates”.
One of the most vulnerable points in any business is the emailing of digital files. Emails get intercepted, banking details on invoices get replaced and recipients lose a lot of money.
Tools like ydox were developed to provide an integrated security approach that protects businesses against cyber attacks by changing the way people look, think and talk about digital security.
Safeguarding your business against cyber threats simply starts with a mind shift towards an integrated, human-inclusive way of thinking.
by Carl Wallace | CEO of Digital HQ