[BreachExchange] Fix Computer Security by Acting like Macy’s

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 24 14:59:16 EDT 2016


http://www.huffingtonpost.com/david-b-black/fix-computer-security-by_b_10635918.html

The methods for achieving effective cybersecurity for a large class of
applications are simple and obvious, but almost never implemented. If the
methods were implemented, they would prevent the kind of massive,
high-profile data loss that has been increasingly in the news. The methods
make common sense to most normal people - but as we all know, computer
“experts” are anything but normal. The industry needs to get it together,
stop spending massive amounts of money on futile efforts to secure consumer
data, and start implementing common-sense measures that work!

The current approaches to CyberSecurity are fundamentally flawed

That’s why they don’t work! It’s like if you’re playing pool, missing a lot
of your shots, and spend lots of effort gesturing, jumping and grunting as
your shot fails to achieve its objective - do you think your problem is not
jumping vigorously enough or grunting loud enough? That’s what most
enterprise responses to cyber-insecurity amount to. Increasing the money
spent on things that don’t work won’t suddenly make them start working.

The basics

No matter what methods we use, if we continue to deploy large numbers of
security guards who are nearing retirement against small, smart,
fast-moving ninja bad guys, we’ll lose. If we continue fighting the last
war, we’ll lose. If we continue to think that this game is all about how
high and thick the walls of the castle are, we’ll lose.

New approaches, new methods

They’re not really new - like most good ideas, they’ve been thoroughly
proven in other domains. We know they work. It’s a matter of adapting them
so they apply to our computer systems.

A lot of smart computer people have worked on the security problem for a
long time. The issue isn’t something abstruse like better encryption
algorithms. It’s simple!

"First, realize that anybody who walks in the door could be a bad guy.

Second, monitor and track the valuable stuff that you don’t want walking
out the door."

Both of which, believe it or not, we fail to do today inside computer
systems!

How retailers do it

Retailers with lots of low-value goods like grocery stores have store
monitors and checkout areas. Anyone could be a thief, so people are
assigned to monitor actions accordingly. Some goods may be valuable and
easy to hide, like razor blades. Those are often displayed, but require a
store employee with a key to let you get them.

Clothing stores frequently have security tags on every single item. The
tags are removed using a special tool during the check-out process. If you
try to walk out of the store with an item that is still tagged, alarms ring
and security people grab you.

Stores with very high value goods like jewelry stores have locked cases,
and a heavily human approach to security. Basically, at least one person
watches each customer (and sales person!) with jewels at all times. They
are disciplined to manage the number of items that are outside a locked
case carefully. While the guards watch the customers (i.e., the potential
thieves), what they really do is watch the jewelry. They track each item
until it’s been bought or safely returned to its case.

The retail approach to securing valuable items is clear: using whatever
combination of automated and human means that make sense, track every
valuable item, and assure that when the item goes out the door, it has been
cleared to go out with the person it’s going out with.

Applying Cybersecurity methods to retail

What would retail look like if we used the kind of methods used by computer
experts?

First, every store would be surrounded by thick, high walls. No display
windows! There would be strictly controlled ways of getting in - think TSA
security at an airport. Further imagine that the world was awash with fake
and stolen IDs, so that while getting in the store legitimately is odious,
for a skilled bad guy it’s not too hard.

Now imagine that once you’re in, there is no one watching the goods, there
are no security tags on the clothes, no security cameras and no guards. You
can grab a string of shopping carts, pile them high with goods, and wind
slowly through the aisles. At check-out - well there is no check-out!
You’ve been thoroughly vetted on the way in, after all, so you must be OK.
When you’re done “shopping,” you can just leave! With your mountains of
goods!

Of course, most visitors to this imaginary store are legitimate. They put
up with the horrible entrance gauntlet because all stores have something
like it. They get what they need and somehow arrange with the store to pay
for it. There’s nothing to stop thousands of bad-guy visitors from walking
out with thousands or millions of items each, or millions of visitors from
walking out with normal-sized shopping carts. Whatever works.

You might think I’m exaggerating. I wish I were.

Applying Retail methods to Cybersecurity

It’s a bit more technical and less visual to see how retail methods can be
applied to computer systems, but the basic concepts are clear. While
current cybersecurity focuses on perimeter defense (like TSA security for
stores), the retail approach would be a bit looser. After all, if the bad
guys get in but can’t get away with anything valuable, they haven’t
accomplished much, have they? How proud is a bank robber who’s broken into
the safe but can’t leave with the dough? How fruitful is his career of
crime if, every time he passes the demand note to the teller, she just
smiles and says “next customer, please?”

Applying the retail method to computers requires a completely new approach
to tracking what visitors do when they’re inside the computer. While
tracking their actions is important, what really needs to be done is track
the “goods,” the valuable data items. The retail approach would differ
according to the value of the items. If they’re like clothing, each item
would be checked on the way out to make sure it’s authorized to leave. If
they’re like jewels (for example, personal information), each item is
watched like a hawk the moment it’s “picked up” by a “customer” (program).
Does the customer have a couple of jewels? That could be OK, but we’re more
alert. Does the customer have ten or more? Quietly circle the customer,
watch the doors, and make sure there’s no escape.
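The two retail controls described above, the check-out that refuses to let a still-tagged item leave and the guard who grows more alert as a customer picks up more jewels, can be expressed as a small detector over data-access events. The following is an added illustration, not code from the article or its author: the event format, the `GoodsTracker` class, and the thresholds (elevated at 3 high-value records in hand, hold at 10) are all assumptions chosen to mirror the "a couple" versus "ten or more" framing, and the log lines are constructed for the example.

```python
"""Track the "goods" (high-value records) rather than only the "visitors".

Added example; the event format, thresholds and sample log are assumptions.
Each line is: <timestamp> client=<id> action=<read|clear|export> record=<id> [value=high|low]
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed thresholds mirroring the article's framing: a couple of jewels is
# tolerable but noted; ten or more means quietly close the doors.
ELEVATED_AT = 3
HOLD_AT = 10


@dataclass
class ClientState:
    held: set = field(default_factory=set)     # high-value records "picked up" and not yet cleared out
    cleared: set = field(default_factory=set)  # records whose security tag has been removed at check-out


class GoodsTracker:
    def __init__(self):
        self.clients = defaultdict(ClientState)
        self.alerts = []  # (client, action, record, status) for anything that is not plain "ok"

    def handle(self, event):
        """Apply one access event; return "ok", "elevated", "hold", "blocked" or "unknown"."""
        state = self.clients[event["client"]]
        action, record = event["action"], event["record"]
        if action == "read":
            # Only high-value items are tracked like jewels; low-value reads are ignored.
            if event.get("value") == "high":
                state.held.add(record)
            count = len(state.held)
            status = "hold" if count >= HOLD_AT else "elevated" if count >= ELEVATED_AT else "ok"
        elif action == "clear":
            # The check-out step: an authorised channel removes the tag for this record.
            state.cleared.add(record)
            status = "ok"
        elif action == "export":
            # Leaving with a still-tagged item sets off the alarm.
            if record in state.cleared:
                state.cleared.discard(record)
                state.held.discard(record)
                status = "ok"
            else:
                status = "blocked"
        else:
            status = "unknown"
        if status != "ok":
            self.alerts.append((event["client"], action, record, status))
        return status


def parse_line(line):
    """Parse one constructed 'key=value' log line into an event dict."""
    fields = line.split()
    event = dict(f.split("=", 1) for f in fields[1:])
    event["ts"] = fields[0]
    return event


def run(log_text):
    """Feed every line through one tracker; return (statuses, alerts)."""
    tracker = GoodsTracker()
    statuses = [tracker.handle(parse_line(l)) for l in log_text.splitlines() if l.strip()]
    return statuses, tracker.alerts


# Constructed sample log: a web client that behaves, then tries to export an
# uncleared record, followed by a batch job that scoops up twelve customer records.
SAMPLE_LOG = "\n".join(
    [
        "2016-06-24T10:00:01 client=web01 action=read record=cust-1 value=high",
        "2016-06-24T10:00:02 client=web01 action=read record=cust-2 value=high",
        "2016-06-24T10:00:03 client=web01 action=read record=sku-9 value=low",
        "2016-06-24T10:00:04 client=web01 action=clear record=cust-1",
        "2016-06-24T10:00:05 client=web01 action=export record=cust-1",
        "2016-06-24T10:00:06 client=web01 action=export record=cust-2",
    ]
    + [
        f"2016-06-24T10:01:{i:02d} client=batch07 action=read record=cust-{100 + i} value=high"
        for i in range(12)
    ]
)

if __name__ == "__main__":
    statuses, alerts = run(SAMPLE_LOG)
    for alert in alerts:
        print(alert)
```

Run as a script it prints one alert for the blocked export and ten for the batch job as it crosses the elevated and hold thresholds. The point of the design is that the decision never depends on how the client got in; it depends only on which valuable items it is holding and whether each one was cleared before it went out the door.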

The method needs to be extended to apply to the unique circumstances of the
computer. Computer bad guys can easily assemble thousands of confederates
to do their bidding. The bad guys can dress and act however the boss wants
them to. However, they are unlikely to act just like normal shoppers. But I
don’t want to take this too far in a blog post - we’re coming up to the
edge of methods I’d rather not disclose.

Conclusion

Computer systems, corporate and government, will continue to be breached at
an alarming rate, which is of course much higher than is publicly
disclosed. More money will be spent and people hired. More standards will
be set, regulations promulgated and enforced. As should be obvious by now,
most of the money will be wasted, most of the people will accomplish
nothing, and the regulations will increase costs while making things worse.
Unless something changes.

The problem of cybersecurity can be solved. But it can only be solved if:
we acknowledge we’re at war and act accordingly; we apply within the guts
of our systems common-sense methods whose principles are clear, obvious and
proven in other domains; and we start acting as though we actually want to
solve the problem, as opposed to the current strategy of denial, cover-up
and blame-shifting.