Teaching network security for the SANS Institute, I am frequently asked, "Will our networks ever be secure and safe for all to use?" My simple answer is: No. We will never be able to achieve total network security. I tend to use real "doors" as an analogy to make my point. Doors have been built and refined for thousands of years. Nevertheless, burglaries occur daily, even though we know how to build safe, burglar-proof doors. With the growth of the Internet, and its increasing importance for commerce, we have to keep in mind what constitutes a reasonable means of achieving sufficient security. Absolute security should not be the goal.
A big focus of security solutions has been patching, firewalls, virus filters, and other forms of technical security. These have been the low-hanging fruit for many years, because their vulnerabilities are easy to exploit. Today, however, some of the most damaging exploits use "social engineering" techniques, or what is better described as "cognitive hacking," where trust becomes a casualty in an online business transaction. You don't know that a business partner wasn't as trustworthy as it seemed until it is too late.
Although enhanced technology is helping to identify valid business partners in online transactions, the fundamental problem of trust in that partner still remains. The abstraction of these transactions makes it even harder to understand and trust the process. Eventually, this problem may be solved. Over time, users will better understand how online transactions work as they become more familiar with the process. Visualization and user interface technologies may make the process more transparent.
If network security problems are here to stay, then the real question is: Will these problems impede progress or even lead to the abandonment of network-based commerce? Some scenarios predict a cataclysmic network security event leading to irreparable damage to the infrastructure. These events are sometimes described as a "super worm," an automated attack that infects and disables a large percentage of the current network infrastructure in a very short time. While such an event cannot be excluded, it may be neither the most damaging nor the most likely scenario.
More damaging than a single event like a "super worm" may be the constant erosion of trust by smaller, individual events. For example, confidence in network security more broadly may erode if more people fall for simple exploits like phishing, if more consumers become disappointed by ineffective and expensive anti-malware products, or if significantly more bidders are scammed in online auctions. For any number of reasons, current e-commerce enthusiasts may abandon the technology one at a time, adding up to a slow but fatal decline in e-commerce.
At this point, the latter scenario is not yet a reality, but it is a possibility. Efforts to push more responsibility onto the consumer, and the continued use of inadequate authentication techniques, will lead to more disillusionment with online security. When you enter a store, you expect sincerity, reliability, and competence from the sales clerk. These principles must be applied to online commerce in order to build consumer trust. However, with the hasty implementation of online commerce, competence is missing in many cases. To achieve a level of sufficient network security, lessons learned from the real world cannot be forgotten.
I see two separate (though partly overlapping) issues here: security and reliability, and I agree that for both there is an analogy between the real and online worlds that goes a long way. Cars will break down/PCs will crash, houses will get robbed/online scams will take place.
The human factor and trust have an equal influence in both worlds, and the risks and consequences for individuals are similar. Another similarity is that often real incidents need to happen before anything changes. We've seen this with air traffic and we'll see this with network security. I don't think that a cataclysmic event can ever occur, since 'the network' is so distributed, redundant and heterogeneous that it's unlikely that even a coordinated attack will have a bigger impact than, say, the Northeast blackout of 2003.
I optimistically believe, however, that IT security and reliability will always have better prospects for improvement than their physical counterparts. You can always use longer encryption keys, better authentication methods, etc. Hardware and software vendors will continue to improve the security and reliability of their products, and IT departments will keep improving processes. In contrast, there's a limit to the extent to which you can protect your home against burglary, or your wallet as you carry it around on the street.
When an IT security issue is identified, experts across the industry jump on it, and any patch can be deployed globally. I bet auto makers wish they were that lucky, instead of having to recall thousands of cars each time.
Bottom line is, wherever you do business, there's always a risk of falling victim to scams or a breakdown of the procedures and systems that are supposed to protect you. I believe that consumers will recognize this, and will not massively turn away from online transactions when they trade off the benefits and the risks.
I have a shirt that says it all: "Social Engineering Specialist: Because there is no patch for human stupidity."
Sadly enough, this is quite true. I've done PC tech support for small businesses through my own business, and I'm regularly able to walk into an office, sit down at the problematic terminal and ask for the username and password. If I require more permissions, I get the administrator user/pass. I'm not questioned simply because there is a problem that they would like fixed ASAP. Realistically, all it takes is confidence in what you are doing, and they assume you are supposed to be there and cooperate as much as they can.
The issue of "connected devices" scares me. Ira Winkler wrote his thinkerNet article about power grid hacking. But it goes beyond key words like SCADA. You don't have to hack SCADA or the power grid if you can just turn on all air conditioners or all toasters in a city at the same time. The question becomes: Did you apply the latest patches to your toaster this month?
A few months ago I was sitting in a plane (as I happen to do a lot lately) next to an engineer for a large electronics company. This company had to shut down 3 major production lines for a day due to a virus. The costs for this incident ran into the millions. The reason: some PCs along the production line didn't get patched in time. A lot of high-end industrial equipment is actually built around COTS PC hardware. However, the equipment is just "special" enough that standard patches cannot be applied without doing some extensive regression testing. After all, these PCs are in charge of your lifeline!
Cognitive hacking is hard to stop, and will require time as well as a concerted effort by everybody involved. I think the answer has a few components:
We need to start with solid authentication technology. Real two-factor authentication for banks is a must (and second passwords or site-key images don't qualify). Right now, e-mail is hardly ever authenticated. These technologies have to be implemented on the server if possible, not on the client (remove them from user control).
Next, the user needs strong visual cues. This is something for the UI experts to think about. Microsoft did improve the cues provided by Internet Explorer 7. We will have to see if it helps.
Finally, we have to get "real sites" to work better! Part of the problem is what is sometimes described as "entropy". Even valid and trusted sites tend to behave oddly at times. This desensitizes the user. As an example: If your Office application crashes, do you notify your security department that you have been hit by a possible exploit, or do you check it off as "yet another bug"?
The fundamental problem is that we cannot push all the responsibilities to the user. The user, who pays for anti-malware, internet access, software, hardware, banking fees and all that, is now asked to also fix all the problems created by the people receiving all this money. I sometimes say that if you can teach it to a user, you can also teach it to a script. That is to say, it's better, easier and usually more reliable to find a technical solution.
Excellent article. I agree that "cognitive hacking" is one of the most damaging exploits of the Internet. The Internet has been suffering from this problem for years. I remember reading reports several years ago about cognitive hackers who distributed bogus press releases about public companies to influence their stock prices.
Obviously, the Internet’s open nature and the rapid dissemination of information makes it ripe for cognitive hacking. It seems impossible to stop a cognitive hacker from spreading disinformation in order to spur a reaction—good or bad—in his favor. So, what kinds of security countermeasures exist to combat this tactic?
Great article. The issue of trust and identity is fundamental to the discussion of how the Internet, and the underlying network, needs to evolve to become more than a best-effort mechanism to deliver email, share photos and chat. With the traditional network, you picked up the phone, dialed your bank, and knew that the person answering the phone was a bank employee. That level of trust and identity does not exist yet in the IP world.
The pace of innovation in new services, applications and mechanisms to connect is exciting, leading many to leap so they can take advantage of cost and productivity gains without understanding the security risk that comes along with each new advance. Microsoft's recent announcement on Unified Communications (UC) is a good example. The company announced its new UC strategy and talked extensively about the benefits of enabling new connections, with all different types of networks under the Microsoft umbrella. Are there benefits? Probably, but the news didn't talk about the security risk of opening networks to a variety of new devices, network types and partners. Securing these new network borders is a good place to start.
Another example is how people are now using more sophisticated handheld communication devices (phones, PDAs, etc.) to access the corporate LAN. Sure, these increase productivity but most IT departments enable the connection without including these devices in their overall security plan. Again, leaping before you look.
These issues will get solved eventually, but Johannes is dead on: we'll be chasing security issues each time the network and the Internet evolve.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.