Can We Call Cybersecurity's Failings a Crisis Yet?

by George Peabody

A month ago at the Visa Security Summit I heard the phrase “breach fatigue” for the first time and it gave me pause. What does it say about us, and the situation we’re in, if we simply cannot be concerned about our own cybersecurity? That’s one form of breach fatigue.

I expect the other is unique to security professionals, the folks tasked with keeping their enterprises secure, their data assets protected behind firewalls, encryption methods, and one-time passcodes and phrases. They have to be fatigued simply because of the unending and apparently increasing rate of attacks on enterprises and organizations of all sizes. Fear over a long period of time is tiring. That’s the variety of breach fatigue that online security professionals share. It’s got to be rough.

Just this year, we’ve had Sony breached with over 130 million accounts compromised. Michaels stores (the craft retailer) discovered it had hacked PIN pads surreptitiously installed, stealing customers’ card data and PINs. Even scarier, RSA (the security arm of EMC) was hacked, in a compromise of material fundamental to the one-time password generator and token scheme that it sells to other organizations to improve cybersecurity. The fruits of that hack are now apparently being harvested. Lockheed Martin has reported a sustained and sophisticated attack on its industrial and military secrets that appears to use the knowledge gained from the RSA attack.

Oh dear. This is getting serious. RSA’s tokens are used throughout the federal government and in banking, providing multi-factor authentication for commercial and consumer online banking. Not good.

Just to add urgency to the picture, the Pentagon this week revealed it is defining cyberattack as a potential justification for military retaliation, along the lines of “If you take my power grid offline through a virus, I may do the same to yours with a cruise missile.”

The stakes for cybersecurity are getting very high indeed.

One fact of life is clear. As a security method, user IDs and passwords are just a Maginot line of our own imagination. They have become a very low barrier indeed. If a hacker can break into one of our online accounts, it’s likely he can break into other sites too, because people reuse passwords. Brute force attacks against stolen password files, and the re-identification process of correlating data from multiple sources like Facebook, LinkedIn, media sites and others, reveal passwords and the information needed to succeed in targeted phishing (“spear phishing”) attacks.

We need something better.

I’ve been one to accuse security vendors in particular, and industry participants in general, of “silverbulletitis,” that too often unbending belief in one single cure for all of our security ills. It doesn’t exist. But there are a few techniques that should go a long way toward mitigating the problem.

Strong authentication that involves the risk analysis of multiple signals is one method. The NFC chipset in a smartphone, its GPS- or Wi-Fi-inferred location, its phone number and device identification number are all signals about the authenticity of a device. Locally authenticated PINs, gestures, and biometrics improve trust that the correct user is at the helm of the device. A process of authentication that assesses these signals and more is needed. Even a passcode that expires in 30 seconds doesn’t provide enough protective strength on its own; it’s just a single signal, and the RSA compromise shows what happens when that one signal is undermined.
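To make the multi-signal idea concrete, here is an added example (not code from the original article) of a small risk-based login scorer. It treats device identity, phone number, location and a locally checked PIN as independent signals alongside the one-time passcode, and flags “impossible travel” by comparing the distance from the last known location with the time elapsed. The signal weights, thresholds, profile and login data are all constructed assumptions for illustration, not a real product’s logic; the point is that an attacker holding a valid passcode but nothing else still scores as high risk.

```python
"""Risk-based authentication: score several independent signals instead
of trusting one.  Added example, not code from the original article.
Signal weights, thresholds and sample data are illustrative assumptions."""
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Set, Tuple


@dataclass
class UserProfile:
    """What the service already knows about the account holder."""
    known_devices: Set[str]
    phone_number: str
    last_lat: float
    last_lon: float
    last_seen: datetime


@dataclass
class LoginAttempt:
    """Signals collected during one login."""
    device_id: str
    phone_number: str
    lat: float
    lon: float
    when: datetime
    otp_ok: bool        # the 30-second passcode validated
    local_pin_ok: bool  # PIN/gesture/biometric checked on the handset


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def score_attempt(profile: UserProfile, attempt: LoginAttempt) -> Tuple[int, List[str]]:
    """Return a risk score (higher = riskier) and the reasons behind it.
    Weights are assumptions chosen for illustration."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if attempt.phone_number != profile.phone_number:
        score += 20
        reasons.append("phone number mismatch")
    # "Impossible travel": distance from the last seen location divided by
    # elapsed time.  Floor elapsed time at one minute so clock skew cannot
    # divide by zero or go negative.
    dist = haversine_km(profile.last_lat, profile.last_lon, attempt.lat, attempt.lon)
    hours = max((attempt.when - profile.last_seen).total_seconds() / 3600.0, 1 / 60.0)
    if dist / hours > 900.0:  # faster than an airliner
        score += 35
        reasons.append(f"impossible travel: {dist:.0f} km in {hours:.2f} h")
    if not attempt.otp_ok:
        score += 40
        reasons.append("one-time passcode failed")
    if not attempt.local_pin_ok:
        score += 25
        reasons.append("local PIN/biometric failed")
    return score, reasons


def decide(score: int) -> str:
    """Map the score to an action; thresholds are illustrative."""
    if score < 25:
        return "allow"
    if score < 60:
        return "step_up"  # ask for another factor or call the user back
    return "deny"


# Constructed sample data (not real users, devices or events).
PROFILE = UserProfile(
    known_devices={"dev-a1"},
    phone_number="+15555550100",
    last_lat=42.36, last_lon=-71.06,  # Boston
    last_seen=datetime(2011, 6, 1, 12, 0, tzinfo=timezone.utc),
)

LEGIT = LoginAttempt("dev-a1", "+15555550100", 42.36, -71.06,
                     datetime(2011, 6, 1, 13, 0, tzinfo=timezone.utc),
                     otp_ok=True, local_pin_ok=True)

# Attacker holding a valid passcode (say, from a cloned token seed) but
# nothing else: new device, different number, far away, no local PIN.
CLONED_TOKEN = LoginAttempt("dev-zz", "+442055550199", 55.75, 37.62,
                            datetime(2011, 6, 1, 12, 30, tzinfo=timezone.utc),
                            otp_ok=True, local_pin_ok=False)

if __name__ == "__main__":
    for name, attempt in (("legit", LEGIT), ("cloned token", CLONED_TOKEN)):
        s, why = score_attempt(PROFILE, attempt)
        print(f"{name}: score={s} -> {decide(s)} {why}")
```

The legitimate login scores 0 and is allowed; the cloned-token login passes the passcode check yet scores 110 and is denied, because the other signals disagree with it. A real deployment would learn weights from fraud outcomes rather than hard-code them, and would log the reasons so that analysts can tune the thresholds.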

Another technique is data encryption. It is increasingly being used today to protect payment card data, to improve security and reduce the scope of PCI DSS audits (the scope reduction only holds when the decryption keys are kept away from the systems that store the ciphertext). It performs the reverse Rumpelstiltskin trick of turning digital gold into digital straw. Enterprises and organizations of all sizes may need to use encryption more broadly. Based on the evidence before us, we’re not able to keep the attackers out, so we have to devalue, through encryption, what we store.

These measures add expense. They also add a level of end-user participation that has always met with resistance, because security measures can negatively impact convenience. The online checkout process prays at the altar of convenience.

On the other hand, what’s habit and what’s convenient are often confused. For the sake of privacy and security, we need some new habits. And as for the cost, well…

Moore’s Law continues to operate. Computing power is getting cheaper, more powerful, and more energy efficient, no matter where in the network you want to apply it: in a mobile handset, in a router, or in front of a database stored in the “cloud.”

Every segment of our society is under assault. As a society, we’re going to have to do something about it. We need to wake up, because breach fatigue isn’t going to work. We can’t snooze our way into improved cybersecurity.