Cyber "Best Practices" Are About To Change

The solution to our cyber crisis is not as difficult to understand as most people think.  

Opinion by Christopher Murphy

There is a lot of talk and media hype going on about cyber security, with a few suggested ways to reduce cyber breaches and to improve everyone's cyber security.  All of the popular suggestions are nothing more than updated comments on old and unreliable solutions to a pervasive problem that will only get worse if we do not address the real problem.  We think it is time to have an open and honest conversation about what is not working and talk about what can work, for all of us.

The public, business leaders and government officials are being inundated with new twists on yesterday’s failed cyber solutions. Cyber monitoring and insurance are being peddled to concerned citizens as protection. Only after an individual has been violated do these companies inform them of the damage.

Congress and the President abdicated their responsibility to the American people in the Federal Cybersecurity Information Sharing Act of 2015 (CISA). The law encourages companies to share data with the government in return for immunity from damages caused by the company’s failure to properly secure data. When did sharing secrets make the secrets more secure?

Fingerprint, face recognition, optical scan and other forms of bio-data as a security factor have already been proven useless. Yet to deceive a public afraid of breaches, bio-data is put forth as a solution. The German Defense Minister had her fingerprint compromised from a photograph. A breach of a database using a fingerprint security protocol compromises every stored fingerprint permanently.

Credit cards from a cellphone! Really! The credit card industry is finally moving to Chip & PIN to prevent the duplication of credit cards and then provides a way to duplicate credit cards on a cellphone’s “wallet”. This rabbit hole is just too ridiculous to go down and yet the industry is deploying it!

Security is not convenient, but it can be user-friendly. The purpose of security is to prevent unauthorized access. Consumer acceptance is not an excuse for failing to provide proper cyber security! The consumer will, in the end, do whatever is required to secure their identity.

Understanding the root cause of breaches is a must. That cause is the size of the attack surface and an uncontrolled access model. When any browser user can access a secure portal, the attack surface is every browser in the world. When we reduce the attack surface, we exponentially improve security.

A browser-based secure portal has an attack surface of approximately 6 billion devices with browsers. An organization with 100,000 known users is granting secure portal access to 6 billion devices. Reducing access to only known users would improve cyber security for this organization by 6,000,000% blocking 5,999,900,000 devices from ever accessing their secure portal!

In 2000 the Federal Reserve and the FFIEC recommended that two-factor authentication be required for all online financial transactions, both retail and commercial. It has yet to be required! Instead, revisions to that recommendation have lowered the requirements. They got it right and then for commercial expediency, they ignored their own advice.

Two-factor authentication is “something you have and something you know”. Anything less is multi-factor authentication, which is not close to the same thing. Chip & PIN credit cards provide two-factor authentication. The Chip in the credit card makes the something you have unique. The PIN is the something you know. Allowing cellphones to duplicate credit cards nullifies this security improvement.

It is time for a real solution! Cyber Safety Harbor provides an access method that provides two-factor authentication, controls the attack surface and removes public access. Using a serialized CyberID token as the only access method to secure portals provides “something” you have and limits access to only known users.

The solution to our cyber crisis is not as difficult to understand as most people think. All we need to do is agree on certain indisputable facts:

  • Every computer must be considered compromised. (a basic security assumption)
  • The term “secure public” server is an oxymoron that can no longer be ignored. If a server is “secure” then it has “Known Users” who have a right to access. If a server is “public” everyone has access.
  • Data falls into three major categories: “Open” data, “Protected” data and “Secure” data.
  • “Open” data is any data available without log in access.
  • “Protected” data is data that requires security but does not have a Known User group. “Protected” data would include all data gathered, processed and stored on retail websites.
  • “Secure” data has only Known Users. “Secure” data would include data retained by Insurance and Financial organizations where every client is known.

Understanding these facts is required to address the cyber security issues organizations are currently facing. Standards must be deployed. Cyber Safety Harbor has done just that. The six Standards set by SecureAxcess technology and CyberID communities:

“Secure data can only be accessed through a non-browser method.” Browsers are installed applications and, based on the first indisputable fact, all computers must be considered compromised; therefore all browsers must be considered compromised. In addition, plugins can further compromise a browser and computer.

“Promotional websites and secure data storage must be maintained at unique IP addresses.” Data must be segregated into publicly available “Open” data, “Private” data and “Secure” data. “Open” and “Private” data stay in a browser-based environment, providing the widest potential audience for the hosting organization. “Secure” data and its access method must be moved to an IP address that has no relation to the public IP address and browser-based access.

“True two-factor authentication is mandatory when accessing secure data.” This should go without saying. Accessing secure data with knowledge alone has not and will not work. “Something you have and something you know.”

“Secure data that has been accessed cannot be written to any permanent storage device, including temporary data.” This is the most obvious standard of them all. Writing data to a local computer leaves data behind. Deleting written data at the end of a session does not remove the data, just the directory entry pointing to the data.

“Access to secure data cannot be granted through any installed application.” Any installed software can be compromised and is therefore suspect.

“No data mining can be performed by the application providing the access to secure data.” The access method cannot spy on the user.

The solution is simple and must address all of these areas or it will fail! An Intern was booking a trip on expedia.com. The purchase was completed and the Intern went to Google maps to look for the location of his hotel. There was a pin in the hotel with the dates of the visits! How did secure data, entered on an https page, get used to put the pin in a map? The truth is, it doesn’t matter! Browser-based access is not secure, period.

Cyber Safety Harbor is deploying a cyber solution that exceeds the six standards above. We believe knowledge is also a problem. The decision makers don’t understand the problem, so they hired experts that are selling products. New innovations aren’t what they represent.

Cyber Safety Harbor has introduced private CyberID Community solutions to facilitate protection of “Secure” data. The premise of a CyberID Community is that only members of the community have a right to access. An organization deploying a CyberID Community can do so with minimal disruption to existing online services.

The first step to deploying a CyberID Community is analysis to identify deployment specific issues, but after analysis the deployment process is the same for most organizations. The process:

  • Create a mirror of the existing browser-based website containing the secure portal.
  • Deploy a plugin or proxy server that blocks all non-authorized access to the mirrored site. A CyberID is required for access.
  • Modify the existing client database, adding an additional key field to store the CyberID public key.
  • Modify the existing browser code to require an active CyberID session.
  • Ship CyberIDs to clients.
  • Remove the website portal and data from the browser-based environment.
  • Deployment completed.

The CyberID retains all activity in volatile RAM while in use and monitors communication links for attack. Each token, regardless of the community it is related to, is exactly the same except for its encrypted serial number. The CyberID token has no knowledge about a community owner or token owner. The only visible difference between any two tokens is labeling.

How it works:

The client plugs their CyberID into a computer and clicks on start. The software on the CyberID segments RAM to create a Virtual Environment (VE) in which to work, so a node comes into existence temporarily. SecureAxcess links to an authentication server to validate that the token hasn’t been reported lost or stolen. If it has, it self-destructs. The authentication server returns the location of the community owner’s portal to SecureAxcess. SecureAxcess then connects to the community.

The community’s proxy server identifies that a CyberID is attempting to access the secure portal. The proxy connects to the authentication server, verifying an active session and ID. Assuming the connection is valid, SecureAxcess triangulates servers and monitors for man-in-the-middle attacks. If any attack on the communications is detected, SecureAxcess implodes, removing all traces from RAM.

At this point, a CyberID session has been initiated, validated and security monitoring for the environment has been established. The community owner loads their logon and takes control of the client’s experience while SecureAxcess technology and the CyberID protect the session.

The client inputs credentials, the community owner validates the CyberID and the credentials, and then provides access to the service associated with the client. The communication link for data interaction is from the proxy to the client, with the security session never having vision into its encrypted communications.

When the CyberID is removed from the computer the session breaks and communication between the authentication server, local computer and proxy is terminated. On the local computer the secured volatile RAM is flushed and released leaving no footprint behind.

This all sounds great. But what about increasing security for “Protected” data used and retained by retail websites, such as payment data? The truth is that most Retail Websites have already deployed the “Best Practices” to secure their data. They cannot stop complete, valid, stolen credit card data from being used!

And yet CyberID security can prevent the use of this stolen credit card data. Any organization issuing credit cards and providing account access via SecureAxcess can prevent fraudulent data from being used, putting a dent into the $190 Billion in fraud last year.

The organization issuing the credit card provides two options at logon, “Access Account” and “Shop”. “Access Account” enters the secure portal but “Shop” just informs the company that you are currently online and intend to shop. This simple act renders stolen credit card data useless!

The individual goes to a retail site and makes a purchase. At checkout, the charge is sent for authorization. With CyberID security at the bank, the bank can verify that the individual is online and intends to shop. If they are not logged in, then even valid data is rejected because the data owner has not authorized online shopping. When stolen credit card data cannot be used, the incentive to steal it is removed.
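The issuer-side check described in the three paragraphs above can be modelled as a small authorization rule: card-not-present charges are approved only while the cardholder has an open, unexpired “Shop” intent recorded at the issuer, while card-present Chip & PIN charges and invalid card data are handled as usual. The code below is an added illustration of that rule, not Cyber Safety Harbor’s or SecureAxcess’s own code; the class and method names, the 30-minute intent window, the cardholder id and the timestamps are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Hypothetical issuer-side model of the "Access Account" / "Shop" idea
# (added example, not the vendor's code). A cardholder who has logged in
# through a hardware token chooses "Shop"; the issuer records that intent
# and only then approves card-not-present (online) charges.


@dataclass
class ShopIntent:
    cardholder_id: str
    opened_at: datetime
    expires_at: datetime


class IssuerAuthorizer:
    """Decides whether a charge presented for authorization is approved."""

    def __init__(self, intent_ttl: timedelta = timedelta(minutes=30)) -> None:
        self.intent_ttl = intent_ttl          # assumed window; page gives none
        self._intents: Dict[str, ShopIntent] = {}

    def signal_shop(self, cardholder_id: str, now: datetime) -> ShopIntent:
        """Cardholder picked "Shop" at logon: open an intent window."""
        intent = ShopIntent(cardholder_id, now, now + self.intent_ttl)
        self._intents[cardholder_id] = intent
        return intent

    def end_session(self, cardholder_id: str) -> None:
        """Token removed: the session breaks and the intent is withdrawn."""
        self._intents.pop(cardholder_id, None)

    def _active_intent(self, cardholder_id: str, now: datetime) -> Optional[ShopIntent]:
        intent = self._intents.get(cardholder_id)
        if intent is None:
            return None
        if now >= intent.expires_at:
            del self._intents[cardholder_id]  # stale intent is dropped, not honoured
            return None
        return intent

    def authorize(self, cardholder_id: str, card_data_valid: bool,
                  card_not_present: bool, now: datetime) -> Tuple[bool, str]:
        """Return (approved, reason) for one authorization request."""
        if not card_data_valid:
            return False, "declined: invalid card data"
        if not card_not_present:
            # In-store Chip & PIN: the chip is the "something you have".
            return True, "approved: card-present chip and PIN"
        if self._active_intent(cardholder_id, now) is None:
            return False, "declined: no active intent to shop online"
        return True, "approved: online purchase inside open shop intent"


def run_scenario() -> List[Tuple[bool, str]]:
    """Constructed sequence of authorization requests for one cardholder."""
    issuer = IssuerAuthorizer(intent_ttl=timedelta(minutes=30))
    t0 = datetime(2016, 4, 27, 9, 0, tzinfo=timezone.utc)   # constructed
    holder = "cardholder-0001"                               # constructed
    results: List[Tuple[bool, str]] = []
    # 1. Valid-but-stolen data presented online before the holder logs in.
    results.append(issuer.authorize(holder, True, True, t0))
    # 2. Holder logs in through the token and chooses "Shop", then checks out.
    issuer.signal_shop(holder, t0 + timedelta(minutes=1))
    results.append(issuer.authorize(holder, True, True, t0 + timedelta(minutes=3)))
    # 3. The same data presented again after the window has lapsed.
    results.append(issuer.authorize(holder, True, True, t0 + timedelta(minutes=45)))
    # 4. Holder re-signals, then unplugs the token; the intent goes with the session.
    issuer.signal_shop(holder, t0 + timedelta(minutes=50))
    issuer.end_session(holder)
    results.append(issuer.authorize(holder, True, True, t0 + timedelta(minutes=51)))
    # 5. An in-store Chip & PIN purchase is unaffected by the online flag.
    results.append(issuer.authorize(holder, True, False, t0 + timedelta(minutes=55)))
    # 6. Garbage card data is declined regardless of any intent.
    results.append(issuer.authorize(holder, False, True, t0 + timedelta(minutes=56)))
    return results


if __name__ == "__main__":
    for approved, reason in run_scenario():
        print(approved, reason)
```

Note that the intent window is keyed to the account, not to a merchant or a single transaction, so any charge presented while the window is open is approved no matter who presents it; keeping the window short and closing it when the token session ends, as the code does, keeps that exposure to the minutes the cardholder is actually shopping.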

Originally Published April 27, 2016 Cyber Defense Magazine e-zine

Christopher Murphy is Founder of Cyber Safety Harbor and CEO of Vir-Sec, Inc.

Company website: www.cybersafetyharbor.com
