Black Boar Security Inc.
Executive summary. We argue in this article that a good security team is as good in financials and psychology, as technology. Artificial intelligence can have the power to set stress levels. Illnesses may be caused by poor hygiene, weak immune system, but stress as well. A good CIO knows that security in the time of AI is important. It may even cause illness.
This is just a threat modeling approach from an imaginary security company.
Copyright© Miklos Szegedi, 2023.
The goal of security is to reduce risk. Risk is proportional to the likelihood of an event and the severity of such an event. Security tries to eliminate or mitigate risks with as low cost as possible.
Cost is important. If costs spent on security rise over time, then it may eliminate the gains in profits attributed to the elimination of the risk.
My approach is strictly from the business perspective, I do not care about any security standards. Hackers do not follow standards.
Not just that, security companies may affect the profitability of competing companies by giving different offers. If security spending is not elastic, and it is growing over time, the vendor has more power. It is the best interest of competing companies as a result to choose different security providers or employ multiple of them.
A monopolistic security company may adjust the profitability of its clients. It has a strong impact on market shares as a result. The case is similar to sales and marketing.
Government agencies as the ultimate monopoly have a tremendous impact on security. Their cost may be too high compared to the risks targeted, if they are not managed well.
Risk can be described as the mean number of events in a period. Let’s imagine ten thousand users and how many security related incidents happen in a year. The severity of each incident in engineering and legal cost is the right measure. Bad publicity may be a factor, however sometimes it is mere distraction to employees.
Number One: Strategy. The main purpose of security is to eliminate the impact of data leaks feeding back to company cash flow. Some leaks may be less harmful like a backup disk lost revealed twenty years later.
Number Two: Policy. Hiding errors has the highest risk. It does not just create a constant cost of keeping a secret. It also distorts decision-making. Any errors must be logged just like in case of medical office exposures to be investigated later. This also allows to eliminate too much investigation, so that staff can return to work. Hackers do not follow standards. Documenting what happened is more important as a result than rigorously following a current buzzword.
Number Three: Secrets. Passwords used to be the de facto standard. Using a password of someone else used to be a legal event like faking a signature. It protected against external people and internal sabotage. It never meant to protect against computer viruses or artificial intelligence. Their usage has faded as a result. They have very high costs as users have to remember. They also became long and obfuscated affecting the focus of employees when the shift starts. The number of password user interface related attacks is proportional to the number of potential attackers. This is limited and easy to contain.
Pin codes became the de facto standard that replaced passwords. They are shorter, and easier to remember. A simple blocking logic on three or more errors can prevent unauthorized use. It is enough to keep the legal standard. Pin codes are still alien to some.
Two factor authentication and passcodes improved security by changing pin codes every minute or so. By doing so an attacker has to take over a client device like a cell phone or cell phone network with a parking car and a router vulnerability. They can easily be caught as a result. Having the client device with the authentication app is a straightforward and simple solution for your users.
The strength of a secret is proportional to its length. Period. Watch out for weak random number generators. It is the cheapest way for attackers these days to target the code and change random number generators. The reason is that a cheap solution impacts any solution regardless of complexity like the choice of polynomial, elliptic encryption algorithms.
Number Four: Location. It is very important. A password could be revealed by watching by a colleague or planting a hidden camera. The security of the password could not be better than the security of locations where it is used. This can be overwhelming. Think about sales people traveling through airports, hotels, client meeting rooms. Locations make any strict password policies useless. Location assessment makes security easy by counting the potential events and the number of unknown people in the area.
Number Five: Code. Hashes used to be a form to verify secrets like passwords. Systems had a second line of protection not storing the password itself but the hash of it like a check sum of a digit of a credit card number. The hash is not enough to reveal the password, just to verify it. Still the password needs to travel through the network like the case of wireless keyboards.
The hash may also pass through the network making man in the middle attacks steal the hash not the password. The hash function call may be a direct target to attackers, especially if the random number generators for salts and/or initialization vectors are untrusted. Also, hashes used to be a good excuse for infrastructure staff in case of breaches. However, once the breach happens, the integrity of the system is questioned making any new hashes, or passwords useless. Hash complexity also implies password complexity making a hard time to users. It slowly became obsolete as a result. More and more people won’t take password complexity policies seriously. Relying on it as a mitigation measure means that attackers like hackers, governments, internal users are already inside your system, when it becomes important. There are numerous ways they can cause harm other than stealing hashes. They may change them, change the random number generator, plant ransomware, deleting data, etc.
Asymmetric key encryption is the standard with oAuth these days. However, most service providers serve single users making a solution questionable that is made so that many clients can reach a website. Why would you use a technique that may allow hackers, governments, and whoever steals their passwords to get to your systems, if the public key is not strong enough? Why would you want to generate and accept dozens of tokens, if there is a single user that is meant to use it, nobody else. It is so easy to set client machines to accept a new certificate authority that helps to impersonate your favorite shopping site without even their knowledge. Symmetric key encryption and authentication will probably be the norm in the decades that follow. Governments can rely on the justice system to get physical access within their jurisdiction.
Number Six: Artificial Intelligence. One way to handle such issues was to increase complexity. If none of your colleagues or legal could understand the ways polynomial or elliptic encryption algorithms work, then your system was considered safe, especially if they watch enough James Bond movies. The problem is that once an external mathematician creates a script to handle your secret obfuscated algorithm, they can use that indefinitely. You will have hard time to debug their behavior. Obfuscation and conservative complexity based approaches are a bond as a result. It is a constant cost in education and the bond is paid when an external actor eventually figures out the secret logic.
The case is even worse with artificial intelligence. Attackers that already know the weakness of a complex algorithm may gaslight, stress, and push the buttons of defendants to choose a known bad solution. When you are stressed, think about whether it is triggered by artificial intelligence to make a mistake.
Complexity used to be a good approach of superpowers in the Cold War to build complex systems to enforce their governance by the size of the organization. These approaches become a cost burden in the modern days with more democratic societies.
Think twice about clearances if you live in an open and transparent society. Clearance may be a benefit as an economic tool like licensing to set salaries and quality in an industry. It may also be a way for a few to set arbitrary rules to hide diverting public funds, and to harm democratic norms. You are a citizen and a voter. Period. Diligence is welcome especially in the current turbulent geopolitical times, but set your limits.
Artificial intelligence will beat you in complexity. Try to rely on better approaches.
Number Seven: Smart. Configurability was another way to ensure security. Linux systems could be configured and built millions of ways by taste of the administrator. Unique settings like eliminating DHCP and choosing fix IPs are a very cheap way to make the life of attackers complex.
Security is a game of Go. Empirical secrets that do not rely on the length of a random secret but a secret algorithm and complexity are dangerous. Complex artificial intelligence was built to beat the world champion human go players. It is a Gordion Knot. The smartest chief information officers beat the best go algorithms. Two tokens require six tokens to be surrounded. Four tokens in a square need sixteen tokens to be surrounded. A five by five square of twenty-five requires just twenty tokens to surround. Any other pattern takes precious time.
The solution of the Gordion Knot is not to cut it, but to ignore it, proving your positive intent to the ladies who created it, saving time as well. Smart chief information officers do not deal with Gordion Knots as a result but choose arbitrarily complex plain random numbers as API keys. They quit the go game early, or they do not even start. Go, the programming language has a similar approach saving in complexity making it faster and easier to review than the classics of Java, or even C++.
The likelihood of vulnerability of a platform like an operating system or cloud mesh is proportional to its complexity. Fifty million lines of code will likely have vulnerabilities not yet found. Adding fifty thousand lines of code will probably introduce more every month. Professional organizations hire developers as a result to maintain and know the codebase of twenty thousand lines each or more depending on the language and industry. They review and remember each line, even if a forced push changes two lines overnight. They rely on rational explanations. They rely less on secrets.
The case is even worse with hardware, especially trusted platform modules. You rely on the brand, you do not have the microscope to verify each of the billions of transistors. It is important to log the lot number of motherboards, printed circuit boards, jumper settings, and processors as a result as well as software, and configuration versions and cryptographic hashes of code. Statistics may reveal any hidden issues. The answer of the industry was concentration, but this raises geopolitical risks. The author expects that artificial intelligence will help us design streamlined hardware and operating system platforms in the future.
Conclusion. If you think about security, assess the risks. Check the number of potential attackers. Ransomware will likely target everyone, so you are likely to be harmed with tools that are general and easy to protect against with a professional security company.
Your sophisticated attacker can be revealed by their psychological intent other than money. Analyze them by Adler’s societal or Freud’s individual, or sexual approach. Trying to set hierarchy is the most common problem in 2023, AI can help to reveal the attacker. A good security team is as good in financials and psychology, than technology. A single tweak like disabling DHCP and a fixed IP can reduce the attacker’s chances by a magnitude for a very low cost.
Continued...
The article was revised on Septermber 8, 2023.