Cyber security has a multiplicity of ways to block intruders,
and even more to attempt to overcome the incompetence of users. We
briefly review some of them.
1. Encryption
Encrypting messages is straightforward. There is a
multiplicity of relatively secure means to achieve this. All encryption does is take
what is created and allow it to be opened and used only by those for whom it was
intended. It does not mean, however, that the receiver cannot then take it and
let it become open through their incompetence. Even if it is in printed form it
can be reproduced and sent onwards.
2. Authentication
Authentication is the process of making certain that the
entity seeking access is both authorized and who they say they are. Over the
decades I have examined a multiplicity of authentication systems. All have some
issues, but many remain viable.
There are many authentication options now available,
especially biometric ones. Many have evolved from the intelligence sector and
can be readily applied in commercial applications. These authentication
mechanisms can be used at both the sending and receiving ends, so that encrypted files
require a high level of authentication to open. However, like all of these issues, the
device which opens the file, once the user has been authenticated, may not itself be secure! It
can be an endless chasing of the tail.
3. Outbound Control
Sending messages from a secure location to another secure
location requires that both the data being sent and its destination be authorized.
One means of doing this is to employ DPI, deep packet inspection, where not
only are IP addresses checked but packets are fully inspected. That means that
an attempt to send packets to some acceptable address via a tunneling
mechanism, to be forwarded elsewhere, could be detected. Examining the type of
data being sent and profiling it against the destination IP address can also be
accomplished, to determine whether data is being improperly downloaded.
In addition, one can maintain lists of insecure or threat
IP addresses or, more complexly, profiles of outbound traffic that match
threat profiles, namely traffic that may be sending files which should not
normally be sent to locations that may not be acceptable. This would require an
intelligent DPI process.
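The outbound checks just described (threat-listed destinations, document types going to unapproved addresses, and tunnelling through a protocol that should carry only small payloads), as an added example that is not part of the essay. It runs over constructed flow records and assumes a DPI engine has already supplied the content type and byte count for each flow; the policy lists are placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

@dataclass
class Flow:
    user: str
    dst_ip: str
    dst_port: int
    content_type: str   # as classified by payload inspection, e.g. "pdf", "tls", "dns"
    bytes_out: int

# Constructed policy data (assumption: the organization maintains such lists).
THREAT_NETS = [ip_network("198.51.100.0/24")]   # threat-listed destinations
APPROVED_NETS = [ip_network("192.0.2.0/24")]     # partners allowed to receive documents
DOCUMENT_TYPES = {"pdf", "docx", "xlsx", "zip"}
# Protocols that normally carry tiny payloads; a large volume to an otherwise
# acceptable address suggests a tunnel.
TUNNEL_LIMITS = {"dns": 4_000, "icmp": 2_000}

def in_any(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in n for n in nets)

def check_flow(f: Flow) -> List[str]:
    """Return the policy findings for one outbound flow (empty list = allowed)."""
    findings = []
    if in_any(f.dst_ip, THREAT_NETS):
        findings.append("destination on threat list")
    # Documents may only go to approved destinations, whatever port is used.
    if f.content_type in DOCUMENT_TYPES and not in_any(f.dst_ip, APPROVED_NETS):
        findings.append(f"{f.content_type} sent to unapproved destination")
    limit = TUNNEL_LIMITS.get(f.content_type)
    if limit is not None and f.bytes_out > limit:
        findings.append(f"possible {f.content_type} tunnel ({f.bytes_out} bytes)")
    return findings

def audit(flows: List[Flow]) -> Dict[int, List[str]]:
    """Map each flow's index to its findings, keeping only flows that were flagged."""
    results = {i: check_flow(f) for i, f in enumerate(flows)}
    return {i: r for i, r in results.items() if r}

SAMPLE_FLOWS = [  # constructed records; addresses are from RFC 5737 documentation ranges
    Flow("alice", "192.0.2.10", 443, "pdf", 250_000),    # document to approved partner
    Flow("bob", "203.0.113.7", 443, "pdf", 250_000),     # document to an unapproved host
    Flow("carol", "198.51.100.5", 80, "tls", 1_200),     # anything to a threat-listed host
    Flow("dave", "192.0.2.53", 53, "dns", 900_000),      # approved resolver, but 900 KB over DNS
]

if __name__ == "__main__":
    for i, findings in audit(SAMPLE_FLOWS).items():
        print(SAMPLE_FLOWS[i].user, findings)
```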
4. Inbound Control
Monitoring where traffic is coming from is critical. One can
also use DPI here as a means to assess not only where
the traffic is from, but what the traffic is. Messages have profiles and they
should be used to throttle access.
5. Usage Monitoring
The key question is often: what is being used on the
network? Thus, monitoring what applications are being used is essential. This
may be complex, but as with the others it can be accomplished.
6. User Monitoring
Users have profiles. They have jobs that require certain
behavior at certain times. They type in a certain manner. Back in the days of
Morse code one could identify a distant operator by their key usage patterns.
The same can be done by keyboard, mouse, and other I/O interfaces. When these
patterns change, one must immediately suspect something and remediate.
7. Usage Flagging
Usage profiles can be developed. Metrics describing users
can be developed and once a usage profile is aberrant then immediate
remediation is necessary.
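The user profiling of sections 6 and 7, as an added example that is not from the essay: a baseline of one user's normal hours, typing cadence (the operator's "fist") and document volume is learned from constructed session records, and a new session is flagged when it departs from that baseline. It assumes an endpoint agent reports these per-session figures; the records, the user name and the three-standard-deviation threshold are assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List

@dataclass
class Session:
    user: str
    hour: int              # local hour at which the session started
    ms_per_key: float      # mean interval between keystrokes, the operator's "fist"
    files_read: int        # documents opened during the session

@dataclass
class Profile:
    hours: set
    cadence_mean: float
    cadence_sd: float
    files_mean: float
    files_sd: float

def build_profile(history: List[Session]) -> Profile:
    """Learn a user's normal hours, typing cadence and document volume from past sessions."""
    cadences = [s.ms_per_key for s in history]
    files = [s.files_read for s in history]
    return Profile(hours={s.hour for s in history},
                   cadence_mean=mean(cadences), cadence_sd=pstdev(cadences) or 1.0,
                   files_mean=mean(files), files_sd=pstdev(files) or 1.0)

def flag_session(p: Profile, s: Session, z_limit: float = 3.0) -> List[str]:
    """Return the reasons a session departs from the profile (empty list = consistent)."""
    reasons = []
    if s.hour not in p.hours:
        reasons.append(f"activity at hour {s.hour:02d}, outside the usual hours")
    z_cadence = abs(s.ms_per_key - p.cadence_mean) / p.cadence_sd
    if z_cadence > z_limit:
        reasons.append(f"typing cadence {z_cadence:.1f} sd from normal")
    z_files = (s.files_read - p.files_mean) / p.files_sd   # only excess volume is suspect
    if z_files > z_limit:
        reasons.append(f"document volume {z_files:.1f} sd above normal")
    return reasons

# Constructed history: a daytime analyst with a steady rhythm and modest document use.
HISTORY = [Session("erin", h, c, f) for h, c, f in
           [(9, 180, 12), (10, 175, 15), (11, 185, 10), (14, 178, 14), (15, 182, 11), (16, 176, 13)]]
PROFILE = build_profile(HISTORY)

NORMAL_SESSION = Session("erin", 10, 179, 13)
# Same account, but at 03:00, typed at a different rhythm, pulling far more documents.
SUSPECT_SESSION = Session("erin", 3, 95, 240)
```

Calling `flag_session(PROFILE, SUSPECT_SESSION)` returns three reasons (hour, cadence and volume), while the normal session returns none.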
8. Network Segregation
In the late 1980s the ARPANET was split into a commercial
and military net. The result purportedly was a separate and non-connected set
of IP networks. In the late 1990s, when I deployed my Central and Eastern
European nets, I did so over independent private fiber links. One could have a
secure and isolated network.
9. Private Networking
A key element in security is separating the network. Network
segregation is the ultimate in that construct, but a less costly and somewhat
effective method is private networking. Take the power grid as an example. Any
power company that controls its networks via some IP methodology should do so
only on a separate, secure private network. Lease circuits, block any outside
access, and separate all facilities so that the control backbone is NOT a part
of any public access. Any company utilizing the public side of the Internet for
control of critical assets is asking for a disaster to occur.
10. Secure Operating Systems
Many of the concerns are from the outside in. However, back
in the 1970s there was a major concern from the inside out, namely having a
secure operating system. Who wrote the OS? What is hidden inside the chips, or in the
file manager? Remember, the chips come from a potential adversary. The OS may
have bits and pieces from generations of old code.
Furthermore, this issue of security demands a secure
platform in toto. Namely, having the right person decrypt the secure data on
what would be an insecure platform defeats the purpose. This is the classic
issue of Red and Black environments, an old paradigm where everything
secure was held within a protected environment with no communication between it
and the outside world. However, this is quite difficult to achieve in current
day operations: people all too often want to use their own computers or
devices, and it is at this point that security can be, and often is, breached. One can
have a secure person in a secure environment but with an insecure terminal.
11. Paper Trails
In the old days, we had paper. The paper was numbered, it
was kept in a secure environment, and there was theoretically no means to copy
it. Yet good spies would find a way to compromise the situation. But paper had
its worth. A security check of a safe at random times allowed for some
semblance of security. However, under the right circumstances one could photograph
the document if surveillance was inadequate. This could be mitigated by having
multiple individuals in at the same time. However, that too could be
compromised. Yet paper did eliminate a multiplicity of risks that electronic
access presents.
The classic exception to this is the tale of the Falcon
and the Snowman, the story of the son of an FBI agent working in a secure
facility at TRW who managed to feed the Russians massive amounts of data. The
reason: just sloppy security controls.
12. Real Time Security Audits
Security audits were and still are essential. Trust goes
just so far. When establishing a security policy and protocol one must further
be certain that people understand their responsibilities, that they are checked on
meeting them, and that there are substantial and immediate consequences for
failure. Collusion with the auditors represents a risk, but it would require
substantial effort.
13. Real Time Network Monitoring
Networks should be monitored: for use, for users, for
usage. Who is sending and receiving what, when, and from/to whom. Profiles
count, and looking at the network as a totality is critical. Furthermore, there
must be some sequestering of the network. The old aphorism, "Don't use pay
toilets," reflects the fact that various infections can be obtained from
truly open environments. If anyone, and especially unknowable actors, can access
the same facilities as the secure users, there is no security.
14. Training and Punishing People
Ultimately security of any type depends on people. As
someone once said to me: "Trust no one, not even your father!"
Brutal, but all too often true. The tale of the Cambridge Communists,
Burgess et al., is a tale of assuming that "good old boys" or "one
of us" means something. People range from stupid, to arrogant, to
incompetent, to downright evil. They do not wear signs telling us which one, or
which combination, they present. We all too often have to assume the worst. Trust is
the basis of betrayal.