Science of Cybersecurity Blog
The official blog from Science Of Cybersecurity—on subjects pertaining to all aspects of Computer Security; including Cybersecurity Science, news stories, products and events/happenings that we found interesting and/or thought-provoking.
Processing Atomicity / Complexity
NETWORKED computers, mobile phones, tablets and other digital devices have advanced to the stage where they are, quite literally, beyond the complete understanding of any single human, or even of a large organisation of humans. Our personal familiarity with, or localised knowledge of, the vast multitude of low-level implementation details (and their combined effects along a particular data-processing path) may be very small or non-existent.
And so we must take it on faith that these (potentially) boundless processing units do exactly what their top-level ‘marketing’ promises claim for them. But it may often be the case that even the designers cannot foresee how the individual processing units will behave in reality, or what the precise outcomes of their operation will be in any specific use-case scenario.
We have processor ‘chips’ containing billions of components, working in computers that run hundreds of millions of lines of code; code spread across many different kinds of programs (which may or may not be running on the same device simultaneously, and which often share memory and other system resources). Add to this remote actors (humans and programs) using networked machines to influence local events and processes, with everything connected to hundreds of millions of other networked computers.
These complexities and fragmentary logic paths turn the atomicity of personal computers, devices and programming operations into a fiction.
What to do? Perhaps only to combat lack of knowledge and uncertainty with constant data-gathering and knowledge acquisition, and by employing specific monitoring systems, both automatic and human. Add to that reading related news stories, and staying up to date on the latest security exploits, defence techniques, reports and surveys.
Practical Steps to Protect from Data-Breaches
- Think broadly and deeply about security. Apply techniques such as defence-in-depth, and/or provide multiple access-controls that force an attacker to navigate several gateways before gaining entry to private areas/data.
- Use multi-factor authentication for system admins and users (possibly including biometric techniques).
- Think outside the box and beyond purely organisational boundaries. Look at exploits that relate to partner organisations and large-scale data bridges and data feeds. Think about data copies: how many there are, who can see, know of or change each copy, and how long they persist. Consider also the systematic pathways to those copies, including unusual and non-obvious pathways, for both at-rest and live copies.
- Employ methods to prevent attackers performing system reconnaissance, especially in terms of how users, parties and systems interact with customers and with centralised or remote systems, including centralised name resolution and information gathering at point-of-sale (POS) systems.
- Take steps to prevent malware installation on organisational systems and on customer or end-user computers: consider locking, blocking or concealing the routes by which it could arrive.
- Protect all kinds of system and data portals (i.e. physical and virtual access nodes and devices), wherever they may be located.
- Protect all hardware and software aspects of primary and secondary networks. For example, check for vulnerable domain controllers that could be used to obtain access to POS systems.
- Protect all communication links and networks from being compromised. For example, lock down all non-essential NetBIOS sharing across all network ports. Consider also environmental leakage.
- Block all communication methods not expressly used by legitimate system communications, i.e. block FTP and limit each entity's network access.
- Employ continuous risk management and threat modelling assessments, strategies and operations for all aspects of the organisation.
- Avoid reliance on standard security “fallbacks” and stove-pipe thinking. For example, Payment Card Industry (PCI) standard compliance alone is not a risk management strategy: only assets related to payment-card processes are considered. Assets and implementation details that may pose the greatest risks to the organisation can fall outside that scope, and will not be adequately addressed if PCI alone drives business security decisions.
- “A security system is only as strong as its weakest link”. Do not rely solely on bunker-style defences; consider also small-scale attacks such as decoys and human betrayal (aka Snowden). If you install a large, strong gate at the front of your property but a hole exists in the back fence large enough for a thief to enter, the gate is easily bypassed.
- Many businesses that have experienced recent major breaches employ encryption strategies. Unfortunately, encryption is often not properly implemented and deployed, and encryption in and of itself does not protect systems; a robust security strategy that protects entire systems in a comprehensive way is required for encryption to be effective. For example, a strong encryption algorithm with a large key becomes useless if the encryption key is stored with the data: hackers or malicious insiders will simply gain access to the system and use the key to decrypt the data. Encryption is only one small (but important) piece in the larger jigsaw of comprehensive information security. Remember that unsafe employee working practices are often the most frequent initial entry method for any attacker.
- Consider why your central server data may be vulnerable, and what you can do to mitigate the risks surrounding any data breach. Perhaps assume that a breach has already occurred, and consider whether this compromises everything, and why. Find ways to limit the impact to a small number of records.
- Consider what information needs to be held centrally, and what does not. As long as data is centrally stored, hackers will continue to reap massive windfalls. Perhaps the way we secure personal data needs to be flipped on its head: instead of being centrally managed, the security of sensitive user account data could be (partially) decentralised or distributed.
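The two points above about encryption keys stored with the data and about limiting a breach to a small number of records, as an added worked example (this is not code from the original post). It uses only the Python standard library; the cipher is a toy encrypt-then-MAC stream construction standing in for a real AEAD such as AES-GCM, since the lesson is about where keys live, not about the cipher. The names `build_weak_store`, `EnvelopeStore`, the key-service model and the sample records are all assumptions made for the example.

```python
"""Key placement: a master key written beside the records (weak layout) versus a
key-encryption key (KEK) held outside the data store with one data-encryption key
(DEK) per record (envelope layout). Toy cipher; standard library only."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    # Domain-separate one key into an encryption key and a MAC key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode; a stand-in for a real stream/AEAD cipher.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on any mismatch."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- Weak layout: the one key protecting every record sits in the same store as the data.
def build_weak_store(records: dict) -> dict:
    key = secrets.token_bytes(32)
    return {"key": key, "rows": {rid: seal(key, pt) for rid, pt in records.items()}}


def dump_weak_store(store: dict) -> dict:
    """Anyone who can read the store reads the key too: every record comes back in the clear."""
    return {rid: unseal(store["key"], blob) for rid, blob in store["rows"].items()}


# --- Envelope layout: the KEK stays in a separate key service; each record gets its own DEK.
class EnvelopeStore:
    def __init__(self, kek: bytes):
        self._kek = kek   # hypothetical key service holds this; it is never written to rows
        self.rows = {}    # the data store: per record, a KEK-wrapped DEK plus the ciphertext

    def put(self, rid: str, plaintext: bytes) -> None:
        dek = secrets.token_bytes(32)
        self.rows[rid] = {"wrapped_dek": seal(self._kek, dek), "data": seal(dek, plaintext)}

    def get(self, rid: str) -> bytes:
        dek = unseal(self._kek, self.rows[rid]["wrapped_dek"])  # unwrap via the key service
        return unseal(dek, self.rows[rid]["data"])

    def unwrap_dek(self, rid: str) -> bytes:
        # Models one DEK leaking (e.g. read from process memory while a request is served).
        return unseal(self._kek, self.rows[rid]["wrapped_dek"])


def dump_envelope_rows(rows: dict, guessed_kek: bytes) -> dict:
    """Holder of a data-store dump without the KEK: returns whatever records open (none)."""
    recovered = {}
    for rid, row in rows.items():
        try:
            recovered[rid] = unseal(unseal(guessed_kek, row["wrapped_dek"]), row["data"])
        except ValueError:
            pass
    return recovered


def records_exposed_by_leaked_dek(rows: dict, dek: bytes) -> list:
    """Blast radius of one leaked DEK: only the record it was generated for opens."""
    exposed = []
    for rid, row in rows.items():
        try:
            unseal(dek, row["data"])
            exposed.append(rid)
        except ValueError:
            pass
    return exposed


# Constructed sample records for the demo (not real customer data).
SAMPLE = {"cust-1": b"alice:account-0001", "cust-2": b"bob:account-0002", "cust-3": b"carol:account-0003"}

if __name__ == "__main__":
    weak = build_weak_store(SAMPLE)
    print("weak layout, records exposed by a store dump:", len(dump_weak_store(weak)))
    env = EnvelopeStore(kek=secrets.token_bytes(32))
    for rid, pt in SAMPLE.items():
        env.put(rid, pt)
    print("envelope layout, records exposed by a store dump:",
          len(dump_envelope_rows(env.rows, secrets.token_bytes(32))))
    print("records exposed by one leaked DEK:", records_exposed_by_leaked_dek(env.rows, env.unwrap_dek("cust-2")))
```

With the weak layout a single read of the store yields every record; with the envelope layout the same dump yields nothing without the KEK, and even a DEK leaked during normal operation exposes only its own record. In a production system the KEK would live in an HSM or cloud KMS that performs the unwrap and logs each call, which is also where the monitoring the post calls for would hook in.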