Through the looking glass...why security keeps getting harder, pt. 3

From an ever expanding attack surface to human nature itself, the difficulties of security only seem to increase. This is the third in an ongoing series examining the factors that serve to hamper security efforts.   Here, then, are yet more reasons why security is harder than ever, and only getting harder. 

  

No system is safe

 

Ten years ago, we used to say the only truly safe system was one that's never been connected to the Internet. That changed after Stuxnet proved even disconnected networks could be compromised. Now it appears the only truly safe system is one that's never been turned on.  What's absurdly frightening is that it's no longer just infected thumb drives  doing the damage. Now radio waves can be used to compromise systems with no physical contact necessary at all.  While the type of specialized equipment and resolve to conduct these attacks will keep it in the realm of the nation states for the short term, the validity of these attacks has now been proven. And once that Pandora's box has been opened, it's only a matter of time before attackers and researchers alike figure how how to make these attacks more widespread. All you have to do is look at the rise in SCADA vulnerabilities after Stuxnet to see the pattern this will follow. If it's vulnerable, they will come.

  

The Extremity of Response continues to rise

 

One of my favorite security aphorisms of all time (because it's true) is "Security is a process, not a product." When that process can now include Black Ops teams dropping from helicopters, it's gotten extreme. There are obviously different levels of response required depending upon what information needs to be protected, and many ways to manage risk effectively. However, future efforts are going to require that physical and cyber security become more entwined, simply out of necessity. 

 

I've often written about how the weak point in enterprise security is more often than not the personell. Where corporations are too often falling down is in instilling the proper sense of paranoia in their employees. In this world, we know that no single security product can solve the challenges. It takes communication, repeated testing, and intelligence - both in software and citizens.

 

Political gridlock impacts security efforts as much as it does everything else

 

Every year, it seems there is an attempt to pass comprehensive security legislation. And every year, it goes nowhere because it expires when that session of Congress does.  I do remain hopeful for this year simply because the bill is 'ready' in January for once, and because recent high profile retail breaches have changed the debate. Regardless, the damage from lack of national standards has already been done. Here's one of many examples.  Competing state breach notification requirements create a ridiculously complex system. There are currently 46 competing  state level breach notifications, and 4 states that have none. California, for instance, requires verbose disclosure, while Massachusetts instead seeks to limit information by disclosing less. Just figuring out what breach triggers what state legislation is a time consuming process, to say the least.  And that takes resources away from security efforts at a time when they're needed most...after a breach.

 

The Internet of Things expands the attack surface...again

 

New technologies serve to increase productivity and can improve a myriad of things. I, for one, get lost approximately 75% less than 10 years ago thanks to the Maps application on my phone. New technology always comes with a hidden security cost, though. It's simply the nature of the beast in the modern era, especially when things never intended to be 'wired' are suddenly web enabled. We've seen that with the dramatic rise of mobile application vulnerabilities over the last 5 years. Now your fridge wants to spam you.fr.jpg

 

While that's a slightly humorous first example, the attacks won't stay innocuous for long. They never do. Maybe it's as simple as raising the temperature and spoiling food. Maybe it's serving malware instead of ice cubes. Whatever becomes of appliance based attacks, the cleverness of potential attackers will only be limited by the functionality of the appliance itself. For some reason I can't shake the image of my refrigerator being leveraged to spy on me as a hack of some diet based control system that employs a camera to monitor overeating. Is it really that farfetched?

 

 

 

 

 

 

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Search
Showing results for 
Search instead for 
Do you mean 
About the Author
Featured


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.