Cyber "Best Practices" Are About To Change

The solution to our cyber crisis is not as difficult to understand as most people think.  

Opinion by Christopher Murphy

There is a lot of talk and media hype about cyber security, and a handful of suggested ways to reduce breaches and improve everyone's security. All of the popular suggestions are little more than fresh coats of paint on old, unreliable solutions to a pervasive problem that will only get worse if we do not address its real cause. We think it is time for an open and honest conversation about what is not working, and about what can work, for all of us.

The public, business leaders and government officials are being inundated with new twists on yesterday’s failed cyber solutions. Cyber monitoring and insurance are peddled to concerned citizens as protection, yet neither prevents anything: only after an individual has already been compromised do these companies inform them of the damage.

Congress and the President abdicated their responsibility to the American people in the Cybersecurity Information Sharing Act of 2015 (CISA). The law offers companies liability protection in return for sharing cyber threat data with the government, instead of holding them to account for failing to secure that data in the first place. When did sharing secrets make the secrets more secure?

Fingerprints, face recognition, iris scans and other biometrics have already been shown to be unreliable as a security factor. Yet, to reassure a public afraid of breaches, biometrics are put forth as a solution. The German Defense Minister’s fingerprint was reproduced from a photograph. Worse, a biometric cannot be changed like a password: a breach of a database that authenticates with fingerprints compromises every stored fingerprint permanently.

Credit cards on a cellphone! Really! The credit card industry is finally moving to Chip & PIN to prevent the duplication of credit cards, and then provides a way to duplicate those cards into a cellphone’s “wallet”. This rabbit hole is too ridiculous to go down, and yet the industry is deploying it!

Security is not convenient, but it can be user-friendly. The purpose of security is to prevent unauthorized access. Consumer acceptance is not an excuse for failing to provide proper cyber security! In the end, consumers will do whatever is required to secure their identity.

Understanding the root cause of breaches is a must. That cause is the size of the attack surface and an uncontrolled access model. When any browser user can reach a secure portal, the attack surface is every browser in the world. When we reduce the attack surface, we reduce the number of devices that can ever attempt an attack, and security improves in proportion.

A browser-based secure portal has an attack surface of roughly 6 billion devices with browsers. An organization with 100,000 known users is therefore granting 6 billion devices the ability to reach its secure portal. Restricting access to known users alone cuts that number from 6 billion to 100,000, a factor of 60,000 (or 6,000,000%), blocking 5,999,900,000 devices from ever reaching the portal!

In 2000 the Federal Reserve and the FFIEC recommended that two-factor authentication be required for all online financial transactions, both retail and commercial. It has yet to be required! Instead, later revisions to that guidance lowered the bar. They got it right, and then, for commercial expediency, ignored their own advice.

Two-factor authentication means two distinct kinds of factor: “something you have and something you know”. Stacking two pieces of knowledge, a password plus a security question, say, is not two-factor authentication, however it is marketed, and is not close to the same thing. Chip & PIN credit cards provide genuine two-factor authentication: the chip makes the something you have unique and hard to copy, and the PIN is the something you know. Allowing cellphones to duplicate credit cards nullifies this security improvement.

It is time for a real solution! Cyber Safety Harbor offers an access method that delivers two-factor authentication, controls the attack surface and removes public access. Using a serialized CyberID token as the only way into a secure portal supplies the “something you have” and limits access to known users.

The solution to our cyber crisis is not as difficult to understand as most people think. All we need to do is agree on certain indisputable facts:

  • Every computer must be considered compromised. (a basic security assumption)
  • The term “secure public” server is an oxymoron that can no longer be ignored. If a server is “secure” then it has “Known Users” who have a right to access it. If a server is “public”, everyone has access.
  • Data falls into three major categories: “Open” data, “Protected” data and “Secure” data.
  • “Open” data is any data available without log in access.
  • “Protected” data is data that requires security but does not have a Known User group. “Protected” data would include all data gathered, processed and stored on retail websites.
  • “Secure” data has only Known Users. “Secure” data would include data retained by Insurance and Financial organizations where every client is known.

Understanding these facts is required to address the cyber security issues organizations currently face. Standards must be deployed. Cyber Safety Harbor has done just that. The six standards set for SecureAxcess technology and CyberID communities are:

“Secure data can only be accessed through a non-browser method.” Browsers are installed applications and, based on the first indisputable fact, all computers must be considered compromised; therefore all browsers must be considered compromised. In addition, plugins can further compromise a browser and the computer it runs on.

“Promotional websites and secure data storage must be maintained at unique IP addresses.” Data must be segregated into publicly available “Open” data, “Protected” data and “Secure” data. “Open” and “Protected” data stay in a browser-based environment, giving the hosting organization the widest potential audience. “Secure” data and its access method must be moved to an IP address that has no relation to the public IP address or to browser-based access.

“True two-factor authentication is mandatory when accessing secure data.” This should go without saying. Accessing secure data with knowledge alone has not worked and will not work. “Something you have and something you know.”

“Secure data that has been accessed cannot be written to any permanent storage device, including as temporary data.” This is the most obvious standard of them all. Writing data to a local computer leaves data behind. Deleting a file at the end of a session does not remove the data; it typically removes only the directory entry that points to it, and the content remains on the device until it is overwritten.

“Access to secure data cannot be granted through any installed application.” Any installed software can be compromised and is therefore suspect.

“No data mining can be performed by the application providing the access to secure data.” The access method cannot spy on the user.

The solution is simple, and it must address all of these areas or it will fail! An intern was booking a trip on expedia.com. The purchase was completed and the intern went to Google Maps to look for the location of his hotel. There was a pin on the hotel with the dates of the visit! How did secure data, entered on an https page, end up placing a pin on a map? The truth is, it doesn’t matter! Browser-based access is not secure, period.

Cyber Safety Harbor is deploying a cyber solution that exceeds the six standards above. We believe knowledge is also part of the problem. Decision makers don’t understand the problem, so they hire experts who are selling products, and the new innovations aren’t what they are represented to be.

Cyber Safety Harbor has introduced private CyberID Community solutions to facilitate protection of “Secure” data. The premise of a CyberID Community is that only members of the community have a right to access. An organization deploying a CyberID Community can do so with minimal disruption to existing online services.

The first step to deploying a CyberID Community is analysis to identify deployment specific issues, but after analysis the deployment process is the same for most organizations. The process:

  • Create a mirror of the existing browser-based website containing the secure portal.
  • Deploy a plugin or proxy server that blocks all non-authorized access to the mirrored site and requires a CyberID for access.
  • Modify the existing client database, adding a key field to store each client's CyberID public key.
  • Modify the existing browser code to require an active CyberID session.
  • Ship CyberIDs to clients.
  • Remove the website portal and its data from the browser-based environment.
  • Deployment completed.

The CyberID retains all activity in volatile RAM while in use and monitors its communication links for attack. Every token, regardless of the community it belongs to, is identical except for its encrypted serial number. The CyberID token holds no information about the community owner or the token owner; the only visible difference between any two tokens is the labeling.

How it works:

The client plugs their CyberID into a computer and clicks Start. The software on the CyberID partitions a segment of RAM to create a Virtual Environment (VE) in which to work; a node comes into existence temporarily. SecureAxcess links to an authentication server to validate that the token has not been reported lost or stolen. If it has, the token self-destructs. The authentication server returns the location of the community owner’s portal to SecureAxcess, which then connects to the community.

The community’s proxy server identifies that a CyberID is attempting to access the secure portal. The proxy connects to the authentication server to verify an active session and ID. Assuming the connection is valid, SecureAxcess triangulates between the servers and monitors for man-in-the-middle attacks. If any attack on the communications is detected, SecureAxcess implodes, removing all traces of itself from RAM.

At this point a CyberID session has been initiated and validated, and security monitoring for the environment has been established. The community owner loads its logon and takes control of the client’s experience, while SecureAxcess technology and the CyberID protect the session.

The client inputs credentials; the community owner validates the CyberID and the credentials, then provides access to the services associated with that client. The data link runs from the proxy to the client, and the security session never has visibility into its encrypted communications.

When the CyberID is removed from the computer the session breaks, and communication between the authentication server, the local computer and the proxy is terminated. On the local computer the secured volatile RAM is flushed and released, leaving no footprint behind.

This all sounds great. But what about increasing security for “Protected” data used and retained by retail websites, such as payment data? The truth is that most retail websites have already deployed the “best practices” to secure their data. What they cannot stop is a fraudster using complete, valid, stolen credit card data!

And yet CyberID security can prevent that stolen credit card data from being used. Any organization that issues credit cards and provides account access via SecureAxcess can prevent fraudulent use of its cards, putting a dent in the $190 billion in fraud last year.

The organization issuing the credit card provides two options at logon, “Access Account” and “Shop”. “Access Account” enters the secure portal but “Shop” just informs the company that you are currently online and intend to shop. This simple act renders stolen credit card data useless!

The individual goes to a retail site and makes a purchase. At checkout, the charge is sent to the bank for authorization. With CyberID security at the bank, the bank can verify that the cardholder is online and has signaled the intent to shop. If the cardholder is not logged in, even valid card data is rejected, because the data owner has not authorized online shopping. When stolen credit card data cannot be used, the incentive to steal it is removed.
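The deployment steps, the session flow under “How it works” and the “Shop” check above all rest on a few mechanics that are easy to state as code: the client record holds each token’s public key, the proxy refuses unknown or revoked serials before it does anything else, a session exists only while the token is present, and the issuer approves a charge only against a live session opened with “Shop”. The Go program below is an added illustration written for this article, not Cyber Safety Harbor’s or Vir-Sec’s code. It assumes an Ed25519 challenge-response between token and proxy (the article names no algorithm), a single-use 32-byte nonce, and the hypothetical portal name and serial shown; the token’s RAM handling, the authentication-server round trip and the man-in-the-middle monitoring are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// transcript binds a signature to serial, portal and nonce, so a response
// captured for one portal cannot be replayed against another.
func transcript(serial, portal string, nonce []byte) []byte {
	return append([]byte("cyberid-auth-v1\x00"+serial+"\x00"+portal+"\x00"), nonce...)
}

// Respond runs on the token: it signs the proxy's challenge with the private
// key that never leaves the device, the proof of "something you have".
func Respond(priv ed25519.PrivateKey, serial, portal string, nonce []byte) []byte {
	return ed25519.Sign(priv, transcript(serial, portal, nonce))
}

// Gateway is the proxy in front of the mirrored secure portal; the same session
// state serves the issuer's charge-authorization check below.
type Gateway struct {
	Portal   string
	pubKeys  map[string]ed25519.PublicKey // client DB: serial -> enrolled public key
	revoked  map[string]bool              // lost/stolen list from the authentication server
	pending  map[string][]byte            // outstanding single-use challenges
	sessions map[string]bool              // live sessions; value is the "Shop" choice
}

func NewGateway(portal string) *Gateway {
	return &Gateway{Portal: portal, pubKeys: map[string]ed25519.PublicKey{},
		revoked: map[string]bool{}, pending: map[string][]byte{}, sessions: map[string]bool{}}
}

// Enrol stores the public key in the client record's new key field; Revoke
// marks a token reported lost or stolen.
func (g *Gateway) Enrol(serial string, pub ed25519.PublicKey) { g.pubKeys[serial] = pub }
func (g *Gateway) Revoke(serial string)                      { g.revoked[serial] = true }

// Challenge refuses unknown or revoked serials before anything else, then
// issues a fresh 32-byte nonce for the token to sign.
func (g *Gateway) Challenge(serial string) ([]byte, error) {
	if g.revoked[serial] {
		return nil, fmt.Errorf("token %q reported lost or stolen", serial)
	}
	if _, ok := g.pubKeys[serial]; !ok {
		return nil, fmt.Errorf("unknown token %q: not a community member", serial)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	g.pending[serial] = nonce
	return nonce, nil
}

// Verify checks the signed nonce against the enrolled key and opens a session that
// records the logon choice (Shop or not). The nonce is consumed on any outcome.
func (g *Gateway) Verify(serial string, sig []byte, shop bool) error {
	nonce, ok := g.pending[serial]
	delete(g.pending, serial)
	pub, enrolled := g.pubKeys[serial]
	if !ok || !enrolled || !ed25519.Verify(pub, transcript(serial, g.Portal, nonce), sig) {
		return fmt.Errorf("token %q: no outstanding challenge or signature mismatch", serial)
	}
	g.sessions[serial] = shop
	return nil
}

// EndSession models the token being unplugged: the session breaks at once.
func (g *Gateway) EndSession(serial string) { delete(g.sessions, serial) }

// AuthorizeCharge is the issuer-side check: approve only while the cardholder's
// session is live and was opened with "Shop"; stolen card data alone is declined.
func (g *Gateway) AuthorizeCharge(serial string) (bool, string) {
	shop, ok := g.sessions[serial]
	switch {
	case !ok:
		return false, "declined: cardholder has no active CyberID session"
	case !shop:
		return false, "declined: cardholder logged in with Access Account, not Shop"
	}
	return true, "approved"
}

func main() {
	gw := NewGateway("secure.example-bank.test") // hypothetical portal name
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	gw.Enrol("CID-000123", pub) // hypothetical serial, enrolled before the token ships
	nonce, _ := gw.Challenge("CID-000123")
	fmt.Println(gw.Verify("CID-000123", Respond(priv, "CID-000123", gw.Portal, nonce), true))
	fmt.Println(gw.AuthorizeCharge("CID-000123")) // true approved
	gw.EndSession("CID-000123")
	fmt.Println(gw.AuthorizeCharge("CID-000123")) // false declined: no active session
}
```

Run it with `go run` to see the approve/decline sequence. Two details worth copying into any real implementation are visible here: the pending nonce is deleted before verification, so a captured response cannot be replayed even when verification fails, and the signed transcript includes the portal name, so a response harvested for one community cannot be replayed against another.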

Originally Published April 27, 2016 Cyber Defense Magazine e-zine

Christopher Murphy is Founder of Cyber Safety Harbor and CEO of Vir-Sec, Inc.

Company website: www.cybersafetyharbor.com
