What We Call Security Isn’t Secure!

Two factor authentication

You put in your login and your password. Then you do it again but a different way. Maybe this time it sends you an unencrypted SMS. Or maybe you need to look up some numbers on a card you have. Then again, maybe you need to append some numbers that you’ll find on a digital token. Or maybe you give your fingerprint or eye-print or a bit of hair, which is supposedly more secure.

And we need cybersecurity. It’s important. And what we’re getting isn’t working. Because what we call cybersecurity isn’t security. For example, the concept of multi-factor authentication being more secure comes from it being harder. It’s mathematically harder to guess and it’s physically harder to copy. And because it’s harder it takes more time, which introduces more entropy into the authentication process, which means fewer guesses possible in a given time, generally time enough for security to be alerted and respond.

But is harder more secure, or does harder just limit the number of people willing to try to break it? Harder makes the pool of criminals shallow and small. At least until one of them makes a tool that makes it easier for other criminals and starts growing the pool.

Well, it’s probably no shock to you that the security industry can’t agree on a definition of security. Imagine if the horse industry couldn’t agree on what is a horse. Imagine if all those members of the horse industry, from those who race them to those who make Jell-O, could alter the definition of a horse for commercial gain. Well, that’s the security industry, and unfortunately there’s no genetic map of security we can look at to match the fact of the thing to the definition. So in the end we get many definitions of security. These include risk and how you feel and variations of vulnerability, protection, degrees of harm, and crystal power. Which is probably how something like 2-Factor Authentication has entered the security playbook.

So how should we define cybersecurity? Just give me 5 minutes so I can show you something:

We have a threat and we have an asset. The threat is threatening the asset. We don’t need to mess around with how vulnerable the asset is. We don’t have to wonder what the chances are that the threat will harm, steal, hide, or otherwise abuse the asset to figure out its risk. We don’t do those things because 1. it’s not necessary in most cases and 2. there’s no way to do it reliably until we study them, and there’s no time. No, we need to keep the threat away from the asset.

How do we do that? Ever work in a factory? Or visit one? I once worked in one of those huge factories where there are parallel yellow lines painted on the floor to show me where to be without my work clothes on, an appropriately OSHA-ly distance away from the machines.

As I walk in and machines are spurting molten lead and grinders are chopping animals into wet regret and arcs of electricity are leaping skyward, I stay inside the yellow lines to be separated from INTERACTING with the machines.
So in its basic definition we can say the separation from the machines made me secure. Did I have risk? Sure, there’s always risk, like the toilet seats accidentally sprayed with methyl parathion the month before I started.

But I worked there. I had to interact within reach of the machines. So I cross the yellow lines to get to work massaging the blue stuff that looks like silly string into the bunny’s eyes before using the drill press. To do it safely we were all given protective work-wear. For my area I had to wear steel-toed boots, a leather apron, tinted goggles, a respirator, elbow-length rubber gloves, and an anti-static bracelet on my neck. This protected me, the asset, from the threat of injury that machines like the sand blaster can cause. Then we can formulate “safety” in fancy, college textbook English as “operational controls, which reduce the interaction with the threat”.

So, the key take-away here in all my fancy operational career talk is about “interaction with the threat.” If you don’t do it then you have security, and if you limit it you have safety.

Dark Matters: http://ow.ly/PYoFi

 
