Can Cybersecurity Be ‘Solved’? Examining A More Secure, Hypothetical Future
I am a firm believer that we can clean up a lot of our technological problems, most of which we’ve caused ourselves, but the real question remains: Can we actually “solve” cybersecurity?
We can take a historian’s view on how the security arc closed in a hypothetical future to see how we might approach this problem in our present.
Passwords
Let’s start with passwords. It turns out passwords aren’t a great security measure because people generally use (and reuse) passwords that are easy to guess. Making this problem worse, many of the apps we use do a poor job of keeping these passwords secure. Once a password is leaked as part of a breach on one site, attackers begin trying it on others. If we’re going to make any meaningful progress, we’re going to have to fix this.
Actually, there is already really good progress on this front. We’ve figured out how to get rid of passwords as the main method of proving that people are who they say they are, such as by using hardware tokens (like FIDO keys), multifactor authentication and federated authentication (like OpenID Connect).
In the future, I believe these technologies will take over as the standard, and the days of using a password that you create yourself are coming to an end.
Software Vulnerabilities
Another major problem creating the security situation we have today is the staggering volume of vulnerabilities in the software we use—vulnerabilities that often allow attackers to gain full access to the system or our data.
So, how can we make it so that these software products are not as easily exploitable? One change is the use of memory-safe languages (such as Rust or Go), eliminating whole classes of software vulnerabilities.
We’ll also need to implement robust security controls that are used during software development and that can identify flaws and provide direct feedback to the developers while they are working. Another solution is better controls and governance over third-party components in use, whether open source or commercial, which will cut down on “inherited” vulnerabilities (like Log4j).
Observability
The next problem that needs to be solved is an issue called observability: Do we have the ability to identify “malicious” or “unauthorized” activity within the system? This doesn’t just have to be a security feature. Too often, logging is configured to show only errors or critical problems.
Even if a more verbose logging mode is available, the information conveyed is often incomplete or lacking in context. Organizations rarely treat this as an important factor when selecting a software product or deeming it “production ready.” Ask what a “normal session” looks like from the logs, and you get blank stares. Without this ability to baseline normal, we have a really tough time telling abnormal.
In our hypothetical future, we’ve come to realize that if a digital tree falls in a cyber forest, we’d better be able to hear it. Future systems will provide useful and detailed logs by default. This enhanced data collection also makes it easy to baseline “normal operations.”
Security analytic tools (a much-improved version of what used to be called SIEMs) can consume all this data in real time and apply hundreds of different AI-powered digital analysts to hunt for malicious activity, with the ability to respond when unusual activity is detected. Make sure the bells and whistles go off when they need to, uncovering a company’s security control blind spots.
Email
If an attacker today can’t guess your password or exploit one of your internet-facing systems, they’ll resort to the most common initial access vector—email. It is hard to distinguish these targeted phishing attacks from real emails for a variety of reasons.
Whether the attacker sends a link to trick you into disclosing your password or downloading an attachment and running it, the goal is the same: get this message past all the security controls and convince you to respond.
In our future world, email strictly adheres to security guardrails, and an unsolicited email doesn’t even make it to the user’s inbox anymore. Very little traffic flows directly via standard SMTP email channels; most of it comes through a specific app (like your bank’s) and is verified before showing in your “inbox.” Today, the inbox is the quickest path to success, as we see over and over again that phishing emails are the source of many breaches.
And what about those attachments that contain the first stage of the attacker’s malware?
Well, in our more secure world scenario, almost everyone uses computers that can only install software from an app store, and these apps run in their own separate spaces, kind of like iOS and Chromebook devices today. No longer can software just be downloaded from any site on the internet and then installed or executed.
Solving Security
Here’s the million-dollar question: Even if we make enormous strides, technically speaking, by implementing all of the above in the security space, have we solved security?
Sadly, the answer is no.
There will always be scams. People will still fall for fraudulent requests for money, give access to people who aren’t authorized and configure apps for convenience, not security. After all, people ignore plenty of red flags in other parts of their lives; why should this be any different?
Our best shot at solving security is to take as much of the human element into account as possible. In addition to employee training, we should build better apps to make the secure option the default, make it harder for attackers to pretend to be legitimate parties and make it easier to protect our accounts and data.
I’m certain we will continue building better technical solutions, but that won’t be enough to solve our cybersecurity problem. But we can all take steps to be more cyber secure; little fixes can make big impacts.
Often, these vulnerabilities exist in systems we expect to be internet-facing and, as a result, secure enough to perform that role. It’s hard to create a secure system when the pieces you use to build it turn out to have trapdoors in them.
Read the original article here: Forbes Tech Council: Can Cybersecurity Be Solved