What We Call Security Isn’t Secure!

[Image: two-factor authentication]

You put in your login and your password. Then you do it again, but a different way. Maybe this time it sends you an unencrypted SMS. Or maybe you need to look up some numbers on a card you have. Then again, maybe you need to append some numbers that you find on a digital token. Or maybe you give your fingerprint or eye-print or a bit of hair, which is supposedly more secure. And we need cybersecurity. It’s important. And what we’re getting isn’t working, because what we call cybersecurity isn’t security. For example, the idea that multi-factor authentication is more secure comes from it being harder: it’s mathematically harder to guess and it’s physically harder to copy. And because it’s harder it takes more time, which introduces more entropy into the authentication process, which means fewer guesses are possible in a given time, generally time enough for security to be alerted and respond.

But is harder more secure, or does harder just limit the number of people willing to try to break it? Harder makes the pool of criminals shallow and small. At least until one of them makes a tool that makes it easier for other criminals and starts growing the pool. Well, it’s probably no shock to you that the security industry can’t agree on a definition of security. Imagine if the horse industry couldn’t agree on what is a horse. Imagine if all those members of the horse industry from those who race them to those who make Jell-O could alter the definition of a horse for commercial gain. 
Well, that’s the security industry and unfortunately there’s no genetic map of security we can look at to match the fact of the thing to the definition. So in the end we get many definitions of security. These include risk and how you feel and variations of vulnerability, protection, degrees of harm, and crystal power. Which is probably how something like 2-Factor Authentication has entered the security playbook.

So how should we define cybersecurity? Just give me 5 minutes so I can show you something:

We have a threat and we have an asset. The threat is threatening the asset. We don’t need to mess around with how vulnerable the asset is. We don’t have to wonder what the chances are that the threat will harm, steal, hide, or otherwise abuse the asset in order to figure out its risk. We don’t do those things because 1. it’s not necessary in most cases and 2. there’s no way to do it reliably until we study them, and there’s no time. No, we need to keep the threat away from the asset. How do we do that? Ever work in a factory? Or visit one? I once worked in one of those huge factories where there are parallel yellow lines painted on the floor to show me where to be without my work clothes on, at an appropriately OSHA-ly distance from the machines.

As I walk in, and machines are spurting molten lead and grinders are chopping animals into wet regret and arcs of electricity are leaping skyward, I stay inside the yellow lines to be separated from INTERACTING with the machines.
So in its basic definition we can say that separation from the machines made me secure. Did I have risk? Sure, there’s always risk, like the toilet seats accidentally sprayed with methyl parathion the month before I started.

But I worked there. I had to interact within reach of the machines. So I cross the yellow lines to get to work massaging the blue stuff that looks like silly string into the bunny’s eyes before using the drill press. To do it safely we were all given protective work-wear. For my area I had to wear steel-toed boots, a leather apron, tinted goggles, a respirator, elbow-length rubber gloves, and an anti-static bracelet on my neck. This protected me, the asset, from the threat of injury that machines like the sand blaster can cause. Then we can formulate “safety” in fancy, college-textbook English as “operational controls, which reduce the interaction with the threat”.

So, the key take-away here in all my fancy operational career talk is about “interaction with the threat.” If you don’t do it then you have security, and if you limit it you have safety.

Dark Matters: http://ow.ly/PYoFi
