Protect Your Assets

Through the looking glass...why security keeps getting harder, pt. 3

markpainter ‎01-29-2014 12:30 PM - edited ‎07-07-2015 09:27 AM

From an ever expanding attack surface to human nature itself, the difficulties of security only seem to increase. This is the third in an ongoing series examining the factors that serve to hamper security efforts.   Here, then, are yet more reasons why security is harder than ever, and only getting harder. 


No system is safe


Ten years ago, we used to say the only truly safe system was one that had never been connected to the Internet. That changed after Stuxnet proved even air-gapped networks could be compromised. Now it appears the only truly safe system is one that has never been turned on. What's absurdly frightening is that it's no longer just infected thumb drives doing the damage. Now radio waves can be used to compromise systems, with no physical contact necessary at all. While the specialized equipment and resolve required to conduct these attacks will keep them in the realm of nation states for the short term, the validity of these attacks has now been proven. And once that Pandora's box has been opened, it's only a matter of time before attackers and researchers alike figure out how to make these attacks more widespread. All you have to do is look at the rise in SCADA vulnerabilities after Stuxnet to see the pattern this will follow. If it's vulnerable, they will come.


The Extremity of Response continues to rise


One of my favorite security aphorisms of all time (because it's true) is "Security is a process, not a product." When that process can now include Black Ops teams dropping from helicopters, it's gotten extreme. There are obviously different levels of response required depending upon what information needs to be protected, and many ways to manage risk effectively. However, future efforts are going to require that physical and cyber security become more entwined, simply out of necessity. 


I've often written about how the weak point in enterprise security is, more often than not, the personnel. Where corporations too often fall down is in instilling the proper sense of paranoia in their employees. In this world, we know that no single security product can solve the challenges. It takes communication, repeated testing, and intelligence, both in software and in people.


Political gridlock impacts security efforts as much as it does everything else


Every year, it seems, there is an attempt to pass comprehensive security legislation. And every year it goes nowhere, because the bill expires when that session of Congress does. I do remain hopeful for this year, simply because the bill is 'ready' in January for once, and because recent high-profile retail breaches have changed the debate. Regardless, the damage from the lack of national standards has already been done. Here's one of many examples. Competing state breach notification requirements create a ridiculously complex system. There are currently 46 competing state-level breach notification laws, and 4 states that have none. California, for instance, requires detailed disclosure, while Massachusetts instead seeks to limit the information that is disclosed. Just figuring out which breach triggers which state's law is a time-consuming process, to say the least. And that takes resources away from security efforts at the time they're needed most...after a breach.


The Internet of Things expands the attack surface...again


New technologies increase productivity and can improve a myriad of things. I, for one, get lost approximately 75% less than I did 10 years ago, thanks to the Maps application on my phone. New technology always comes with a hidden security cost, though. It's simply the nature of the beast in the modern era, especially when things never intended to be 'wired' are suddenly web-enabled. We've seen that with the dramatic rise of mobile application vulnerabilities over the last 5 years. Now your fridge wants to spam you.


While that's a slightly humorous first example, the attacks won't stay innocuous for long. They never do. Maybe it's as simple as raising the temperature and spoiling food. Maybe it's serving malware instead of ice cubes. Whatever becomes of appliance-based attacks, the cleverness of potential attackers will be limited only by the functionality of the appliance itself. For some reason I can't shake the image of my refrigerator being leveraged to spy on me, via a hack of some diet-based control system that uses a camera to monitor overeating. Is it really that far-fetched?






