What We Call Security Isn’t Secure!


You put in your login and your password. Then you do it again but a different way. Maybe this time it sends you an unencrypted SMS. Or maybe you need to look up some numbers on a card you have. Then again, maybe you need to append some numbers that you’ll find on a digital token. Or maybe you give your fingerprint or eye-print or a bit of hair, that’s supposedly more secure.

And we need cybersecurity. It’s important. And what we’re getting isn’t working. Because what we call cybersecurity isn’t security. For example, the concept of multi-factor authentication being more secure comes from it being harder. It’s mathematically harder to guess and it’s physically harder to copy. And because it’s harder it takes more time, which introduces more entropy into the authentication process, which means fewer guesses possible in a given time, generally time enough for security to be alerted and respond.

But is harder more secure, or does harder just limit the number of people willing to try to break it? Harder makes the pool of criminals shallow and small. At least until one of them makes a tool that makes it easier for other criminals and starts growing the pool.

Well, it’s probably no shock to you that the security industry can’t agree on a definition of security. Imagine if the horse industry couldn’t agree on what is a horse. Imagine if all those members of the horse industry from those who race them to those who make Jell-O could alter the definition of a horse for commercial gain. Well, that’s the security industry and unfortunately there’s no genetic map of security we can look at to match the fact of the thing to the definition. So in the end we get many definitions of security. These include risk and how you feel and variations of vulnerability, protection, degrees of harm, and crystal power. Which is probably how something like 2-Factor Authentication has entered the security playbook.

So how should we define cybersecurity? Just give me 5 minutes so I can show you something:

We have a threat and we have an asset. The threat is threatening the asset. We don’t need to mess around with how vulnerable the asset is. We don’t have to wonder what are the chances the threat will harm, steal, hide, or otherwise abuse the asset to figure out its risk. We don’t do those things because 1. It’s not necessary in most cases and 2. There’s no way to do it reliably until we study them and there’s no time.

No, we need to keep the threat away from the asset. How do we do that? Ever work in a factory? Or visit one? I once worked in one of those huge factories where there are parallel yellow lines painted on the floor to show me where to be without my work clothes on, an appropriately OSHA-ly distance away from the machines.

As I walk in and machines are spurting molten lead and grinders are chopping animals into wet regret and arcs of electricity are leaping skyward, I stay inside the yellow lines to be separated from INTERACTING with the machines.
So in its basic definition we can say the separation from the machines made me secure. Did I have risk? Sure, there’s always risk like the toilet seats accidentally sprayed with methyl parathion the month before I started.

But I worked there. I had to interact within reach of the machines. So I cross the yellow lines to get to work massaging the blue stuff that looks like silly string into the bunny’s eyes before using the drill press. To do it safely we were all given protective work-wear. For my area I had to wear steel-toed boots, a leather apron, tinted goggles, a respirator, elbow-length rubber gloves, and an anti-static bracelet on my neck. This protected me, the asset, from the threat of injury that the machines like the sand blaster can cause. Then we can formulate “safety” in fancy, college textbook English as “operational controls, which reduce the interaction with the threat”.

So, the key take-away here in all my fancy operational career talk is about “interaction with the threat.” If you don’t do it then you have security, and if you limit it you have safety.

Dark Matters: http://ow.ly/PYoFi

 
