Tuesday, January 3, 2017

Cyber Security

In the recent complaints about intrusions into computer networks, the DNC and Burlington Power among them, we see in every case human failures on the side of the party attacked. Whether it is the use of personal or company computers to access what should not be accessed, such as web sites, images and attachments, it is generally blatant carelessness and/or stupidity on the part of those invaded.

Cyber security has a multiplicity of ways to block intruders, and even more ways to attempt to overcome the incompetence of the users. We briefly review some of them.

1. Encryption

Encrypting messages is straightforward; there are many relatively secure means to achieve it. All encryption does is take what is created and allow it to be opened and used only by those for whom it was intended. It does not mean, however, that the receiver cannot then take it and let it become open through their own incompetence. Even in printed form it can be reproduced and sent onwards.

2. Authentication

Authentication is the process of making certain that the entity seeking access is both authorized and who they say they are. Over the decades I have examined a multiplicity of authentication systems. All have some issues, but many are viable and fill a real need.

There are many authentication options now available, especially biometric ones. Many have evolved from the intelligence sector and can be readily applied in commercial applications. These authentication mechanisms can be used on both the transmit and the receive side, so that encrypted files require a high level of authentication. However, like all of these issues, the device which opens the file, after being authenticated, may not be secure! It can be an endless chasing of the tail.

3. Outbound Control

Sending messages from one secure location to another requires that both the data being sent and its destination are authorized. One means of doing this is to employ DPI, deep packet inspection, where not only are IP addresses checked but packets are fully inspected. That means that an attempt to send packets to some acceptable address via a tunneling mechanism, to be forwarded elsewhere, could be detected. Examining the type of data being sent and profiling it against the destination IP address can also be accomplished, to determine whether data is being improperly sent out.

In addition, there are means to maintain lists of insecure or threat IP addresses or, more complexly, profiles of outbound traffic that match threat profiles: namely traffic that may be carrying files which should not normally be sent, to locations that may not be acceptable. This would require an intelligent DPI process.

4. Inbound Control

Monitoring where traffic is coming from is equally critical. DPI can also be used here as a means to assess not only where the traffic is from but what the traffic is. Messages have profiles, and those profiles should be used to throttle access.
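The outbound and inbound controls described in sections 3 and 4 amount to a small set of checks run over what DPI reports about each flow. The following is an added example, not code from the original post: it assumes a hypothetical flow record in which DPI has already identified the real protocol and payload type, a constructed policy (threat address ranges, the port each protocol is normally carried on, a per-destination byte budget, and payload types never accepted inbound), and constructed sample flows using documentation address ranges. It flags peers on the threat list, a protocol riding on the wrong port (the tunnelling case the text mentions), blocked inbound payload types, and destinations whose aggregate outbound volume exceeds their profile.

```python
# Added example (not from the original post): profile-based checks over
# DPI-style flow records, covering both the outbound and inbound controls
# described above. The record layout, policy values and sample flows are
# all constructed assumptions for this illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Flow:
    flow_id: str
    direction: str      # "out" = leaving the protected site, "in" = arriving
    src: str
    dst: str
    server_port: int    # port on the server side of the connection
    proto: str          # protocol as identified by DPI from payload, not by port
    content_type: str   # payload type identified by DPI
    nbytes: int


@dataclass
class Policy:
    threat_cidrs: list            # known-bad address ranges (constructed)
    expected_port: dict           # proto -> port it is normally carried on
    outbound_budget: dict         # dst -> bytes per window seen as normal
    blocked_inbound_types: set    # payload types never accepted inbound
    default_budget: int = 1_000_000
    budget_multiplier: int = 3


def in_threat_list(addr, cidrs):
    ip = ip_address(addr)
    return any(ip in ip_network(c) for c in cidrs)


def assess_flow(flow, policy):
    """Per-flow checks; returns a list of human-readable reasons (empty = clean)."""
    reasons = []
    peer = flow.dst if flow.direction == "out" else flow.src
    if in_threat_list(peer, policy.threat_cidrs):
        reasons.append("peer in threat list")
    # DPI knows the real protocol; a mismatch with the port it rides on is
    # the signature of tunnelling through an otherwise acceptable address.
    expected = policy.expected_port.get(flow.proto)
    if expected is not None and flow.server_port != expected:
        reasons.append(f"{flow.proto} on port {flow.server_port} (possible tunnel)")
    if flow.direction == "in" and flow.content_type in policy.blocked_inbound_types:
        reasons.append("blocked inbound content type")
    return reasons


def outbound_volume_anomalies(flows, policy):
    """Aggregate outbound bytes per destination and return those over profile."""
    totals = {}
    for f in flows:
        if f.direction == "out":
            totals[f.dst] = totals.get(f.dst, 0) + f.nbytes
    return {
        dst: total
        for dst, total in totals.items()
        if total > policy.budget_multiplier
        * policy.outbound_budget.get(dst, policy.default_budget)
    }


def triage(flows, policy):
    """Combine per-flow and per-destination findings, keyed by flow id."""
    findings = {}
    anomalous = outbound_volume_anomalies(flows, policy)
    for f in flows:
        reasons = assess_flow(f, policy)
        if f.direction == "out" and f.dst in anomalous:
            reasons.append("outbound volume to destination exceeds profile")
        if reasons:
            findings[f.flow_id] = reasons
    return findings


# Constructed sample policy and flows (documentation address ranges only).
POLICY = Policy(
    threat_cidrs=["198.51.100.0/24"],
    expected_port={"tls": 443, "ssh": 22, "dns": 53, "smtp": 25},
    outbound_budget={"203.0.113.20": 1_000_000},
    blocked_inbound_types={"application/x-msdownload"},
)
FLOWS = [
    Flow("f1", "out", "10.0.0.5", "203.0.113.7", 443, "tls", "application/octet-stream", 5_000),
    Flow("f2", "out", "10.0.0.5", "198.51.100.9", 443, "tls", "application/octet-stream", 800),
    Flow("f3", "out", "10.0.0.8", "203.0.113.7", 53, "ssh", "application/octet-stream", 20_000),
    Flow("f4", "out", "10.0.0.9", "203.0.113.20", 443, "tls", "application/zip", 2_500_000),
    Flow("f5", "out", "10.0.0.9", "203.0.113.20", 443, "tls", "application/zip", 2_500_000),
    Flow("f6", "in", "192.0.2.4", "10.0.0.2", 25, "smtp", "application/x-msdownload", 90_000),
]

if __name__ == "__main__":
    for fid, why in triage(FLOWS, POLICY).items():
        print(fid, "->", "; ".join(why))
```

The volume check is deliberately aggregated per destination rather than per flow, since a transfer split across many small connections looks clean flow by flow; the multiplier and per-destination budgets are the kind of profile the text says must be built up, and in practice would come from observed history rather than a hand-written table.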

5. Usage Monitoring

The key question is often: what is being used on the network? Thus, monitoring what applications are being used is essential. This may be complex, but as with the others it can be accomplished.

6. User Monitoring

Users have profiles. They have jobs that require certain behavior at certain times. They type in a certain manner. Back in the days of Morse code one could identify a distant operator by their key usage patterns. The same can be done by keyboard, mouse, and other I/O interfaces. When these patterns change, one must immediately suspect something and remediate.

7. Usage Flagging

Usage profiles can be developed. Metrics describing users can be developed, and once a usage profile becomes aberrant, immediate remediation is necessary.
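Sections 6 and 7 describe building a behavioural profile per user and flagging sessions that depart from it. The following is an added example, not code from the original post. It assumes three constructed per-session metrics (login hour, mean keystroke interval in milliseconds as a stand-in for the "manner of typing", and megabytes moved), a constructed history of sessions for two hypothetical users, and a z-score threshold of 3 with a per-metric floor on the standard deviation so that a very regular user is not flagged by trivial noise. The baseline is computed from history, and a new session is reported by the metrics on which it is aberrant.

```python
# Added example (not from the original post): building per-user behavioural
# baselines and flagging sessions that depart from them, as sections 6 and 7
# describe. The metrics, thresholds and session records are constructed
# assumptions chosen for illustration only.
from statistics import mean, pstdev

# Per-session metrics: login hour, mean keystroke interval (ms), MB moved.
METRICS = ("login_hour", "keystroke_ms", "mb_transferred")
# Floor on the standard deviation so a very regular user does not get
# flagged by trivial noise (constructed tolerances, one per metric).
MIN_SD = {"login_hour": 1.0, "keystroke_ms": 10.0, "mb_transferred": 2.0}

# Constructed history: (user, login_hour, keystroke_ms, mb_transferred).
HISTORY = [
    ("alice", 9, 180, 12), ("alice", 8, 175, 15), ("alice", 9, 190, 11),
    ("alice", 10, 185, 14), ("alice", 9, 178, 13),
    ("bob", 22, 240, 40), ("bob", 23, 250, 45), ("bob", 22, 235, 38),
    ("bob", 21, 245, 42), ("bob", 23, 255, 41),
]


def build_profiles(history):
    """Return {user: {metric: (mean, sd)}} from historical sessions."""
    by_user = {}
    for user, *values in history:
        by_user.setdefault(user, []).append(values)
    profiles = {}
    for user, rows in by_user.items():
        profiles[user] = {}
        for i, name in enumerate(METRICS):
            column = [row[i] for row in rows]
            sd = max(pstdev(column), MIN_SD[name])
            profiles[user][name] = (mean(column), sd)
    return profiles


def zscores(profile, session):
    """Standardised distance of each session metric from the user's baseline."""
    return {
        name: (value - profile[name][0]) / profile[name][1]
        for name, value in zip(METRICS, session)
    }


def flag_session(profiles, user, session, threshold=3.0):
    """Return the metric names that are aberrant for this user (empty = normal)."""
    if user not in profiles:
        return ["no_profile"]        # an unknown user is itself a finding
    return [
        name for name, z in zscores(profiles[user], session).items()
        if abs(z) > threshold
    ]


PROFILES = build_profiles(HISTORY)

if __name__ == "__main__":
    # Alice at 03:00, typing far faster than usual, moving 900 MB.
    print(flag_session(PROFILES, "alice", (3, 60, 900)))
    # Alice on a typical morning.
    print(flag_session(PROFILES, "alice", (9, 182, 13)))
```

Returning the offending metric names rather than a single score matters for the remediation step the text calls for: a login at an odd hour with an otherwise normal session and a session where the keystroke cadence itself has changed point to different explanations, and the responder needs to know which it was.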

8. Network Segregation

In the late 1980s the ARPA Net was split into a commercial and a military net. The result, purportedly, was a separate and non-connected set of IP networks. In the late 1990s, when I deployed my Central and Eastern European nets, I did so over independent private fiber links. One could have a secure and isolated network.

9. Private Networking

A key element in security is separating the network. Network segregation is the ultimate form of that construct, but a less costly and somewhat effective method is private networking. Take the power grid as an example. Any power company which controls its networks via some IP methodology should do so only on a separate, secure private network. Lease circuits, block any outside access, and separate all facilities so that the control backbone is NOT a part of anything publicly accessible. Any company utilizing the public side of the Internet for control of critical assets is asking for a disaster to occur.

10. Secure Operating Systems

Many of the concerns are from the outside in. However, back in the 1970s there was a major concern from the inside out: namely, having a secure operating system. Who wrote the OS? What is hidden inside the chips, or in the file manager? Remember that the chips may come from a potential adversary. The OS may have bits and pieces from generations of old code.

Furthermore, this issue of security demands a secure platform in toto. Namely, having the right person decrypt the secure data on what is an insecure platform defeats the purpose. This is the classic issue of Red and Black environments, an old paradigm where everything secure was held within a protected environment with no communication between it and the outside world. However, this is quite difficult to achieve in current-day operations: people all too often want to use their own computers or devices, and it is at this point that security can be, and often is, breached. It can be a secure person in a secure environment but with an insecure terminal.

11. Paper Trails

In the old days, we had paper. The paper was numbered, it was kept in a secure environment, and there was theoretically no means to copy it. Yet good spies would find a way to compromise the situation. But paper had its worth. A security check of a safe at random times allowed for some semblance of security. However, under the right circumstances one could photograph a document if surveillance was inadequate. This could be mitigated by having multiple individuals present at the same time, though that too could be compromised. Yet paper did eliminate a multiplicity of risks that electronic access presents.

The classic exception is the tale of the Falcon and the Snowman, the story of the son of an FBI agent working in a secure facility at TRW who managed to feed the Russians massive amounts of data. The reason: just sloppy security controls.

12. Real Time Security Audits

Security audits were and still are essential. Trust goes just so far. When establishing a security policy and protocol one must further be certain people understand their responsibilities, that they are checked on meeting them and that there are substantial and immediate consequences for failure. Collusion with the auditors represents a risk, but it would require substantial efforts.

13. Real Time Network Monitoring

Networks should be monitored: for use, for users, for usage. Who is sending and receiving what, when, and from/to whom. Profiles count, and looking at the network as a totality is critical. Furthermore, there must be some sequestering of the network. The old aphorism, "Don't use pay toilets," reflects the fact that various infections can be picked up in truly open environments. If anyone, and especially unknowable actors, can access the same facilities as the secure users, there is no security.

14. Training and Punishing People

Ultimately security of any type depends on people. As someone once said to me: "Trust no one, not even your father!" Brutal, but all too often true. The tale of the Communists from Cambridge, Burgess et al., is a tale of assuming that "good old boys" or "one of us" means something. People range from stupid to arrogant to incompetent to downright evil. They do not wear signs telling us which one, or which combination, they present. We all too often have to assume the worst. Trust is the basis of betrayal.