Reactive security
Copyright© Miklos Szegedi – 2020
I have worked in various stages of the computer security ecosystem in the past twenty years. I see four informal levels of approaches.
The first level is the experimental level. If you play with a cloud account, develop some software or create something called a honeypot to catch malicious actors, you do business at this level. These systems are usually accessible at some level. They may contain heavy logging, to catch any attackers. They are also useful to collect up to date information abut the current ecosystem and actors. The worst case is when attackers have on demand access through a persistent threat. They can steal data and manipulate employees or sabotage production.
The second level are commercial systems. These require compliance to strict regulations like CCPA, GDPR and various industry standards. This is the typical level for public cloud or financial systems. Any issues incur civil liability and thick fines or penalties. The purpose of security is legal compliance and the wrongdoing has mainly financial impact.
The third level are military and government systems. They protect lives not just money. There are two basic attributes of these. One is cost. Everything is payed from taxpayer money so you have to be careful how you spend the money. The other is that the government has tools for retaliatory measures. You can see these in the news from Hellfire rockets to mild diplomatic disputes and trade talks. This does not mean that the code is written with the blood of innocent engineers. It may still be something to consider when joining the space. There are two drawbacks if you plan to work in this space what I heard from colleagues. One is the heavy secrecy that may require you to create a specific subsidiary, so your employees are not harassed by polygraph and other checks. Secrecy on the other hand limits the amount of workforce, so the average tenure tends to be longer. The other issue is that government systems are usually a zero sum game, so you won’t see vast amount of profits but you get scrutiny due to spending of taxpayer money. Because of the cost and life saving attributes, these systems tend to be simple and robust, however you may see gaps due to the zero sum game. It is also noteworthy that you should never design the system relying on just punitive measures even if it is just a lawsuit. It may make you lazy and you may miss important issues.
The fourth level is what I call the essential civil services. These are essential services related to rights of well being or justice. Some examples are healthcare, law enforcement records or statistics. These are so essential to the integrity of the society that they need to be well protected. On the other hand they do not pose threat to other countries for example, so you have a reasonable expectation of integrity and trustworthiness. These systems need to be very robust, since they are protected by constitutions and international law as civilian services. In fact the mission requires that constitutional rights are protected with constitutional methods.
The usual basic requirement is integrity. There are various ways to protect the integrity of the code. You may use private or public code bases. Public codebases are theoretically more secure as more people can view them. You need to be careful about this offer. It may happen that the user base is scattered across many products or versions, so that each version does not get enough scrutiny. Private, closed source products bring the trust through the brand of the provider. Customers can still request the source code or get it deposited at a third party trustee. However, in any case you need to go beyond code integrity and check the integrity of the whole deployment and operations, since this is where it is the easiest to tamper with the codebase. The rule of thumb is that the more widespread the code is the better security and reliability you get. The most reliable cars are the compact ones like the Civic, since the manufacturer collected data from millions of them over the decades sold.
Data integrity can be achieved by logging. Journaling file systems, time machine or Hadoop were typical systems where you just grow your data and you can roll back to any state in the past, if needed. You can even create a consistent state, if the data is corrupted due to software errors by changing the indexes and filters. There are two basic caveats of journaling data. One is that there are different legal requirements and retention policies to different data types, so you may need to delete some blocks early on customer request or keep some blocks longer due to legal requirements of a lawsuit. The other one is size. Currently you get 5TB for $100 but this will get even better. Tech used to be driven by the cost of developing technology. Now that many things were invented we have all the Lego(TM) cubes to play with at the lowest cost possible. Data and big data will not go away, however I think we will collect more company logs than data of external customers. This will embrace security, reliability and cost efficiency.
All in all you always want to avoid tampering with the data even if you do not use a journaling technique. This may be done with various methods. The most basic ones are replication and backups, so that you can compare and fix hardware and software issues later. Role based access control is a typical and compliant way to give access to your databases however the most successful companies use zero trust. It stands for giving as much permissions to everyone as they need to get their job done. Attribute based security checks the integrity of the code by reviews, signatures and crypto certificates.
Giving data access is another issue. Problems can include CCPA, GDPR compliance, court orders. Role based access control (a.k.a. authorization) helps in this case as well. Industry or military espionage can leverage code errors that role based control does not protect against. There are also different standards and levels of authentication to identify the user and the role to check the authorization. Simple passwords are getting out of fashion these days. They bring the user out of context and they cost time and focus. Another authentication factor like a text message or geofencing and time fencing bundled with machine learning helps much for mainstream. Network protection like enforcing the use of VPNs from home also helps some. Biometric authentication is also popular although it may have civil rights implications in many jurisdictions. Journaling solves many problems.
Attackers may not just tamper with or retrieve data. They can deny the service with massive workloads. They may just do little inconveniences to sabotage production. Fuzzing is a technique to change attributes of code behavior randomly to run into rare issues. Unfortunately the discovered problems can be used to inject random errors that seem legitimate albeit with bigger probability. This may keep support personnel busy and reduce profitability and help competition.
Occasional lagging, delaying and reordering mail, not too loud background noise may help or worsen productivity especially, if they are controlled by machine learning. However, legal and human rights reasons need to be clarified before any Internet of Things usage. A simple machine learning tool that improves focus may affect breathing. Breathing may affect eye pressure and it may even impact diseases like glaucoma. It is not just a machine with an LCD anymore. It is better to request consent in case of any scientific experiment by the employer. It is better to notify employees that they work with people with diplomatic protection or if there are limited means to find them legally liable. The Department of Homeland Security is already master in filtering terrorists, they have no tools to protect your legal rights against those who are “more equal”.
It is better to ask any prospective employers whether machine learning or mental distress is used by the company to improve performance or push employees to leave voluntarily. Just think about the case of United Airlines when a passenger was beaten to give up a paid space to an employee.
Hardware protection is another evergreen area of computer security. Unfortunately this is the most complicated. Hardware encryption of disk content, UEFI boot signing and TPM chips for encryption are very useful to reduce risks, in case the hardware is decommissioned or stolen. (Yirka, 2020) Recent vulnerabilities showed on the other hand that they are very costly to fix. If the hardware is designed for example to have a debug jumper that allows only limited random numbers, the manufacturer should make sure that these burn a fuse to permanently if the jumper is removed to disable the feature in production systems. In any case hardware is difficult to debug. Only honeypot systems and network monitoring can help to find malicious opcodes or exploits. Customers can only rely on brand trust in this case.
It is useful to have transparent monitoring of data centers to ensure trust and security. While the author of this article does not have any proofs of this concept, I think it is better to build trust among team members. It provides the basic security as opposed to distant and opaque security teams. Also, it may happen that people start copying Twitch to tamper with an environment. All these just increase cost and reduce profits. Some jurisdictions like the EU give extra privacy for employee equipment as they are liable personally with their resumes even after the termination of the employment.
Social engineering in Silicon Valley is well known. There are so many professionals with different background, they only way to thrive is zero trust. Traditional background checks are the only fully legal way to filter candidates, however a simple redirection or CA trust change in an HR system can compromise the hiring strategy. Even in case of an established team malicious organizations can manipulate, disinform, or threaten team members. Transparency is the only protection to ensure trust within an organization. Social media is very useful to ensure transparency. While political speech is limited in workplaces, social media can take over this role. You can like, watch and follow whoever you wish reducing HR and legal costs of your employer to deal with political and personal speech in the workplace. Facebook may actually bring more profits through redirecting this communication than just by providing marketing. Shadow banning on the other hand is a dangerous practice that might open up insider trading lawsuits.
This article describes the reactive patterns of computer security. I will focus on the proactive ones in the follow up. Continued …
Yirka, Bob. (Oct 7 2020). Vulnerability found in Apple’s T2 security chip. TechXPlore