Cyber "Best Practices" Are About To Change
The solution to our cyber crisis is not as difficult to understand as most people think.
Opinion by Christopher Murphy
There is a lot of talk and media hype going on about cyber security, with a few suggested ways to reduce cyber breaches and to improve everyone's cyber security. All of the popular suggestions are nothing more than updated comments on old and unreliable solutions to a pervasive problem that will only get worse if we do not address the real problem. We think it is time to have an open and honest conversation about what is not working and talk about what can work, for all of us.
The public, business leaders and government officials are being inundated with new twists on yesterday’s failed cyber solutions. Cyber monitoring and insurance are being peddled to concerned citizens as protection. After an individual has been violated, these companies inform them of the damage.
Congress and the President abdicated their responsibility to the American people in the Federal Cybersecurity Information Sharing Act of 2015 (CISA). The law encourages companies to share data with the government in return for immunity from damages caused by the company’s failure to properly secure data. When did sharing secrets make the secrets more secure?
Fingerprint, face recognition, optical scan and other forms of bio-data as a security factor have already been proven useless. Yet to deceive a public afraid of breaches, bio-data is put forth as a solution. The German Defense Minister had her fingerprint compromised from a photograph. A breach of a database using a fingerprint security protocol compromises every stored fingerprint permanently.
Credit cards from a cellphone! Really! The credit card industry is finally moving to Chip & PIN to prevent the duplication of credit cards and then provides a way to duplicate credit cards on a cellphone’s “wallet”. This rabbit hole is just too ridiculous to go down and yet the industry is deploying it!
Security is not convenient, but it can be user-friendly. The purpose of security is to prevent unauthorized access. Consumer acceptance is not an excuse for failing to provide proper cyber security! The consumer will, in the end, do whatever is required to secure their identity.
Understanding the root cause of breaches is a must. That cause is the size of the attack surface and an uncontrolled access model. When any browser user can access a secure portal, the attack surface is every browser in the world. When we reduce the attack surface, we exponentially improve security.
A browser-based secure portal has an attack surface of approximately 6 billion devices with browsers. An organization with 100,000 known users is granting secure portal access to 6 billion devices. Reducing access to only known users would improve cyber security for this organization by 6,000,000%, blocking 5,999,900,000 devices from ever accessing their secure portal!
In 2000 the Federal Reserve and the FFIEC recommended that two-factor authentication be required for all online financial transactions, both retail and commercial. It has yet to be required! Instead, revisions to that recommendation have lowered the requirements. They got it right and then, for commercial expediency, ignored their own advice.
Two-factor authentication is “something you have and something you know”. Anything less is multi-factor authentication, which is not close to the same thing. Chip & PIN credit cards provide two-factor authentication. The Chip in the credit card makes the something you have unique. The PIN is the something you know. Allowing cellphones to duplicate credit cards nullifies this security improvement.
It is time for a real solution! Cyber Safety Harbor offers an access method that provides two-factor authentication, controls the attack surface and removes public access. Using a serialized CyberID token as the only access method to secure portals provides the “something you have” and limits access to only known users.
The solution to our cyber crisis is not as difficult to understand as most people think. All we need to do is agree on certain indisputable facts:
- Every computer must be considered compromised. (a basic security assumption)
- The term “secure public” server is an oxymoron that can no longer be ignored. If a server is “secure” then it has “Known Users” who have a right to access. If a server is “public” everyone has access.
- Data falls into three major categories: “Open” data, “Protected” data and “Secure” data.
  - “Open” data is any data available without log in access.
  - “Protected” data is data that requires security but does not have a Known User group. “Protected” data would include all data gathered, processed and stored on retail websites.
  - “Secure” data has only Known Users. “Secure” data would include data retained by Insurance and Financial organizations where every client is known.
Understanding these facts is required to address the cyber security issues organizations are currently facing. Standards must be deployed. Cyber Safety Harbor has done just that. The six Standards set by SecureAxcess technology and Cyber ID communities:
“Secure data can only be accessed through a non-browser method.” Browsers are installed applications and, based on the first indisputable fact, all computers must be considered compromised; therefore all browsers must be considered compromised. In addition, plugins can further compromise a browser and computer.
“Promotional websites and secure data storage must be maintained at unique IP addresses.” Data must be segregated into publicly available, “Open” data; “Private” data and “Secure” data. “Open” and “Private” data stays in a browser-based environment providing the widest potential audience for the hosting organization. “Secure” data and its access method must be moved to an IP address that has no relation to the public IP address and browser-based access.
“True two-factor authentication is mandatory when accessing secure data.” This should go without stating. Accessing secure data with knowledge alone has not and will not work. “Something you have and something you know.”
“Secure data that has been accessed cannot be written to any permanent storage device, including temporary data.” This is the most obvious standard of them all. Writing data to a local computer leaves data behind. Deleting written data at the end of a session does not remove the data, just the directory entry pointing to the data.
“Access to secure data cannot be granted through any installed application.” Any installed software can be compromised and is therefore suspect.
“No data mining can be performed by the application providing the access to secure data.” The access method cannot spy on the user.
The solution is simple and must address all of these areas or it will fail! An Intern was booking a trip on expedia.com. The purchase was completed and the Intern went to Google maps to look for the location of his hotel. There was a pin in the hotel with the dates of the visits! How did secure data, entered on an https page, get used to put the pin in a map? The truth is, it doesn’t matter! Browser-based access is not secure, period.
Cyber Safety Harbor is deploying a cyber solution that exceeds the six standards above. We believe knowledge is also a problem. The decision makers don’t understand the problem, so they hired experts that are selling products. New innovations aren’t what they represent.
Cyber Safety Harbor has introduced private CyberID Community solutions to facilitate protection of “Secure” data. The premise of a CyberID Community is that only members of the community have a right to access. An organization deploying a CyberID Community can do so with minimal disruption to existing online services.
The first step in deploying a CyberID Community is analysis to identify deployment-specific issues, but after analysis the deployment process is the same for most organizations. The process:
- Create a mirror of the existing browser-based website containing the secure portal.
- Deploy a plugin or proxy server that blocks all non-authorized access to the mirrored site. Requires CyberID for access.
- Modify the existing client database, adding an additional key field to store the CyberID public key.
- Modify existing browser code to require an active CyberID session.
- Ship CyberIDs to clients.
- Remove the website portal and data from the browser-based environment.
- Deployment completed.
The CyberID retains all activity in volatile RAM while in use and monitors communication links for attack. Each token, regardless of the community it is related to, is exactly the same except for its encrypted serial number. The CyberID token has no knowledge about a community owner or token owner. The only visible difference between any two tokens is labeling.
How it works:
The client plugs their CyberID into a computer and clicks on start. The software on the CyberID segments RAM to create a Virtual Environment (VE) in which to work; a node comes into existence temporarily. SecureAxcess links to an authentication server to validate that the token hasn’t been reported lost or stolen. If it has, it self-destructs. The authentication server returns the location of the community owner’s portal to SecureAxcess. SecureAxcess then connects to the community.
The community’s proxy server identifies that a CyberID is attempting to access the secure portal. The proxy connects to the authentication server, verifying an active session and ID. Assuming the connection is valid, the SecureAxcess triangulates servers and monitors for man-in-the-middle. If any attack on the communications is detected, the SecureAxcess implodes, removing all traces from RAM.
At this point, a CyberID session has been initiated, validated and security monitoring for the environment has been established. The community owner loads their logon and takes control of the client’s experience while SecureAxcess technology and the CyberID protect the session.
The client inputs credentials, and the community owner validates the CyberID and credentials and then provides access to the service that is associated with the client. The communication link for data interaction is from the proxy to the client, with the security session never having vision into its encrypted communications.
When the CyberID is removed from the computer, the session breaks and communication between the authentication server, local computer and proxy is terminated. On the local computer the secured volatile RAM is flushed and released, leaving no footprint behind.
This all sounds great. But what about increasing security for “Protected” data used and retained by retail websites, such as payment data? The truth is that most Retail Websites have already deployed the “Best Practices” to secure their data. They cannot stop an individual with complete, valid, stolen credit card data from using it!
And yet CyberID security can prevent the use of this stolen credit card data. Any organization issuing credit cards and providing account access via SecureAxcess can prevent fraudulent data from being used, putting a dent into $190 Billion in fraud last year.
The organization issuing the credit card provides two options at logon, “Access Account” and “Shop”. “Access Account” enters the secure portal but “Shop” just informs the company that you are currently online and intend to shop. This simple act renders stolen credit card data useless!
The individual goes to a retail site and makes a purchase. At checkout, the charge is sent for authorization. With CyberID security at the bank, the bank can verify that the individual is online and intends to shop. If they are not logged in, then even valid data is rejected because the data owner has not authorized online shopping. When stolen credit card data cannot be used, the incentive to steal it is removed.
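The issuer-side check described above, sketched as an added example (not Cyber Safety Harbor's code). The `Issuer` class, its method names and the card values are hypothetical, and `logon` is assumed to be called only after the CyberID logon has already succeeded.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Issuer:
    """Hypothetical issuer that gates online charges on declared shopping intent."""
    cards: dict = field(default_factory=dict)   # card number -> (expiry, cvv, account)
    shopping: set = field(default_factory=set)  # accounts with an active "Shop" session

    def issue_card(self, account, number, expiry, cvv):
        self.cards[number] = (expiry, cvv, account)

    def logon(self, account, choice):
        # Assumption: called only after the two-factor logon has already succeeded.
        if choice == "Shop":
            self.shopping.add(account)
        elif choice != "Access Account":
            raise ValueError(f"unknown logon option: {choice!r}")

    def session_ended(self, account):
        # Session broken (e.g. token removed): intent to shop is withdrawn.
        self.shopping.discard(account)

    def authorize(self, number, expiry, cvv, amount):
        """Return (approved, reason) for an online charge."""
        record = self.cards.get(number)
        if record is None:
            return False, "invalid card data"
        known_expiry, known_cvv, account = record
        if expiry != known_expiry or not hmac.compare_digest(cvv, known_cvv):
            return False, "invalid card data"
        if account not in self.shopping:
            # Card data is complete and valid, but the owner has not opted in.
            return False, "cardholder not in a Shop session"
        if amount <= 0:
            return False, "invalid amount"
        return True, "approved"


if __name__ == "__main__":
    bank = Issuer()
    bank.issue_card("acct-1", "4000000000000002", "12/30", "123")  # constructed values
    card = ("4000000000000002", "12/30", "123")
    print(bank.authorize(*card, 25.00))   # valid data replayed while owner is offline
    bank.logon("acct-1", "Shop")
    print(bank.authorize(*card, 25.00))   # owner declared intent to shop
    bank.session_ended("acct-1")
    print(bank.authorize(*card, 25.00))   # session over, same data rejected again
```

Note that an “Access Account” logon does not register shopping intent, so a charge presented during such a session is still rejected.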
Originally Published April 27, 2016 Cyber Defense Magazine e-zine
Christopher Murphy is Founder of Cyber Safety Harbor and CEO of Vir-Sec, Inc.
Company website: www.cybersafetyharbor.com