The field of IT Security rests on the premise that information on a network can be secured.
What if that’s wrong, though?
What if, in point of fact, nothing can be secured?
What if saving information on any device means that anyone with a strong enough interest in knowing it probably does?
What if nothing is secure?
Well, then, that changes things.
Imagine, for a second, what it means if every piece of digital information in and describing your existence – banking records, digital photos, government records, social networks, e-commerce and location data – is easily available to anyone motivated enough to obtain it.
In the current state of information technology, that statement likely describes the actual state of information security.
It’s a broad brush, game-changing statement – what kind of evidence could one point to in support of such a claim?
All one needs to do is stay current with the news. One can start with all of the revelations that were provided by Edward Snowden — http://www.wired.com/2014/08/edward-snowden/ — including that all of the world’s major cellular, wireline, internet service and web organizations were systematically compromised by US Intelligence and that all of their content was siphoned off for later analysis.
Consider that for a second: a government agency built a security-breach apparatus so large that it can suck up the entire Internet every day and save it all for later, just in case there turns out to be anything interesting in there. The extent of the lack of security was driven home by the fact that the cryptographers the US government had graciously ‘lent’ to the organizations that built the current encryption tools were engaged for the sole purpose of implementing tools that were compromised before they were built.
The Snowden revelations are only the tip of the iceberg, though. Consider ‘Regin’ – another massive espionage toolset whose sole purpose is to systematically compromise whole networks using multiple attack and compromise modalities. http://www.wired.com/2014/11/mysteries-of-the-malware-regin/
The large-scale compromise of the Sony Pictures network in the past week raised the game and the stakes to a new level. http://www.nytimes.com/2014/12/04/business/sony-pictures-and-fbi-investigating-attack-by-hackers.html?_r=0 In what was clearly a long-term, sophisticated attack, outsiders compromised systems so thoroughly that they were able to steal substantial amounts of digital property (completed but unreleased HD feature films, scripts) and to place software agents on the network with the potential to destroy other digital property stored there. IT Security experts have long feared the day when being ‘owned’ by hackers would turn from a public-relations embarrassment with secondary economic consequences to the next stage, where the primary intent is to do damage and cause direct economic harm to the target.
Today is that day.
The threat landscape to your information is so diverse that even something that seems utterly benign, charging a USB device off a spare port on your computer, for example, is now a critical attack vector: https://www.yahoo.com/tech/e-cigarette-from-china-infected-mans-computer-with-103466334849.html
If this sounds to you like a narrative of a technology in crisis, that’s because that’s exactly what it is.
So if you’re an IT guy with a network and a business to protect, what steps can be taken to at least give you a fighting chance?
Folks that I know in the intelligence business have told me that Russian Intelligence – the heirs of the old Soviet KGB – assessed this threat and went back to entirely analog communications methods. Pencil and paper. Postal Mail. Carrier pigeons. One can’t hack what isn’t stored or transmitted.
That may seem an extreme solution, but in certain cases, the principle might have applications.
In the short term, user education and traditional defense-in-depth are the transitional solutions. Well-educated users, who understand and can recognize social engineering, spear phishing and other first-level compromise vectors, are the best way to keep things under lock and key. An in-house security team, or a skilled security services provider, with an array of tools to detect and contain breaches in their early stages before they spiral out of control, is the second weapon.
In the longer term, though, some very fundamental technologies need to be completely rethought and reengineered before any acceptable level of security can be retaken from ill-intentioned Nation-State actors and cyber criminals. The IT industry as a whole needs a new architecture and new component technologies that are designed from the ground up to be secured, which the current toolset absolutely was not. Think of it as a roadmap for secure computing, and a roadmap which requires an overhaul of much of the networking and computing landscape.
Access and identity management (who are you and what can you see) needs to be completely rethought. Whether the solution is biometrics, two-factor authentication or something we haven’t thought of yet, the notion that a text username and a password can grant access to any system or network resource is a concept whose fundamental failure is well understood.
Another fundamental technology – encryption – needs to be completely reengineered without any involvement from experts currently employed by the military or intelligence industries. Encryption tech needs to be secure in ways that the current protocols are not.
The Domain Name System (DNS) is the roadmap of the internet. DNS was built from the ground up to be open and to support real-time updates. Many sustained attacks rely not on compromising the target system itself but on subverting DNS to redirect users to a compromised system elsewhere, without the users being aware of it. Information one would comfortably store on one’s own server becomes very uncomfortable if the server turns out to be someone else’s.
Operating systems, notably Windows but Unix- and Linux-based OSs as well, need to be completely re-architected, starting with kernels, privilege models and buffer structures that treat security as their foundational requirement. The very notion of a buffer overflow, feeding a program enough crap that it crashes the command processor and lets you do whatever you want, breaking the whole system, is one we’d like our children and grandchildren to be able to laugh at someday. To make that happen we need to ditch everything and start coding today.
Finally, security tools need to take a quantum leap forward in capability and accuracy. Current tools generate so many false positives that a dedicated team is needed to triage the alerts and determine which ones are genuine threats. A recent lab test of an intrusion detection tool, one I cannot name as my current employer is a partner, detected 93% of the attacks that were set loose on the control hardware. In an environment where one hacker success is all it takes to lose your company, 93%, while an extraordinary achievement on one level, is completely, pitifully ineffective when viewed in terms of what these tools must really be able to do. Security tools need to be able to analyze traffic and behaviors to reliably identify access, information theft and management privilege use by unauthorized individuals.
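As an added example (not part of the original post), the arithmetic behind that 93% figure and the triage problem, in Python. The 93% detection rate is the post's number; the false-positive rate, daily event volume and attack counts are constructed assumptions for illustration.

```python
import math

# Per-attack detection rate quoted in the post above.
DETECTION_RATE = 0.93


def prob_at_least_one_miss(detection_rate: float, attacks: int) -> float:
    """P(at least one of `attacks` independent attempts goes undetected)."""
    return 1.0 - detection_rate ** attacks


def attacks_until_miss_prob(detection_rate: float, target: float) -> int:
    """Smallest number of attacks at which P(>=1 miss) reaches `target`."""
    return math.ceil(math.log(1.0 - target) / math.log(detection_rate))


def required_detection_rate(attacks: int, max_miss_prob: float) -> float:
    """Per-attack rate needed so P(>=1 miss over `attacks`) <= max_miss_prob."""
    return (1.0 - max_miss_prob) ** (1.0 / attacks)


def alert_precision(detection_rate: float, false_positive_rate: float,
                    attacks_per_day: float, benign_events_per_day: float) -> float:
    """Fraction of daily alerts that are real: what the triage team actually sees."""
    true_alerts = detection_rate * attacks_per_day
    false_alerts = false_positive_rate * benign_events_per_day
    return true_alerts / (true_alerts + false_alerts)


if __name__ == "__main__":
    # Constructed scenario: 1 in 1000 benign events raises a false alert,
    # a million benign events a day, two real attacks a day.
    FP_RATE, BENIGN_PER_DAY, ATTACKS_PER_DAY = 0.001, 1_000_000, 2
    print(f"P(miss) after 10 attacks: {prob_at_least_one_miss(DETECTION_RATE, 10):.3f}")
    print(f"attacks until a miss is more likely than not: "
          f"{attacks_until_miss_prob(DETECTION_RATE, 0.5)}")
    print(f"rate needed for <=1% miss chance over 100 attacks: "
          f"{required_detection_rate(100, 0.01):.5f}")
    print(f"share of alerts that are real attacks: "
          f"{alert_precision(DETECTION_RATE, FP_RATE, ATTACKS_PER_DAY, BENIGN_PER_DAY):.4f}")
```

With these numbers an attacker who tries ten times is more likely than not to get one attempt through, and fewer than one alert in five hundred is a real attack, which is why a triage team exists.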
There was a time when I believed that all information stored on IT systems was secure unless something extraordinary occurred.
Today, I believe that nothing stored on any Information System is secure in any way.
The future belongs to those companies that understand that this is an existential threat to our civilization, and are willing to abandon everything that has gone before, and create the second revolution in Information Technology.
This time around, we need to get it right.
Until then, take good care of those carrier pigeons.