What We Call Security Isn’t Secure!

Uploaded on 2015-07-21 in NEWS-Cybersecurity News, FREE TO VIEW

two-factor-authentication.gif

Two factor authentication

You put in your login and your password. Then you do it again but a different way. Maybe this time it sends you an unencrypted SMS. Or maybe you need to look up some numbers on a card you have.
Then again, maybe you need to append some numbers that you’ll find on a digital token. Or maybe you give your fingerprint or eye-print or a bit of hair, that’s supposedly more secure. And we need cybersecurity. It’s important. And what we’re getting isn’t working. Because what we call cybersecurity isn’t security. For example, the concept of multi-factor authentication being more secure comes from it being harder. It’s mathematically harder to guess and it’s physically harder to copy. And because it’s harder it takes more time, which introduces more entropy into the authentication process, which means less guesses possible in a given time, generally time enough for security to be alerted and respond.

But is harder more secure, or does harder just limit the number of people willing to try to break it? Harder makes the pool of criminals shallow and small. At least until one of them makes a tool that makes it easier for other criminals and starts growing the pool. Well, it’s probably no shock to you that the security industry can’t agree on a definition of security. Imagine if the horse industry couldn’t agree on what is a horse. Imagine if all those members of the horse industry from those who race them to those who make Jell-O could alter the definition of a horse for commercial gain. 
Well, that’s the security industry and unfortunately there’s no genetic map of security we can look at to match the fact of the thing to the definition. So in the end we get many definitions of security. These include risk and how you feel and variations of vulnerability, protection, degrees of harm, and crystal power. Which is probably how something like 2-Factor Authentication has entered the security playbook.

So how should we define cybersecurity? Just give me 5 minutes so I can show you something:

We have a threat and we have an asset. The threat is threatening the asset. We don’t need to mess around with how vulnerable the asset is. We don’t have to wonder what are the chances the threat will harm, steal, hide, or otherwise abuse the asset to figure out its risk. We don’t do those things because 1. It’s not necessary in most cases and 2. There’s no way to do it reliably until we study them and there’s no time. No, we need to keep the threat away from the asset. How do we do that? Ever work in a factory? Or visit one? I once worked in one of those huge factories where there are parallel yellow lines painted on the floor to show me where to be without my work clothes on that’s an appropriately OSHA-ly distance away from the machines.

As I walk in and machines are spurting molten lead and grinders are chopping animals into wet regret and arcs of electricity are leaping skyward, I stay inside the yellow lines to be separated from INTERACTING with the machines.
So in its basic definition we can say the separation from the machines made me secure. Did I have risk? Sure, there’s always risk like the toilet seats accidentally sprayed with methyl parathion the month before I started.

But I worked there. I had to interact within reach of the machines. So I cross the yellow lines to get to work massaging the blue stuff that looks like silly string into the bunny’s eyes before using the drill press. To do it safely we were all given protective work-wear. For my area I had to wear steel-toed boots, a leather apron, tinted goggles, a respirator, elbow-length, rubber gloves, and an anti-static bracelet on my neck. This protected me, the asset, from the threat of injury that the machines like the sand blaster can cause. Then we can formulate “safety” in fancy, college textbook English as “operational controls, which reduce the interaction with the threat”.

So, the key take-away here in all my fancy operational career talk is about “interaction with the threat.” If you don’t do it then you have security, and if you limit it you have safety.

Dark Matters: http://ow.ly/PYoFi

 

« EU Cyber Police Take on Islamic State Propaganda
Combat the Insider Cyber Threat »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Fortify Experts

Fortify Experts

Fortify Experts is a search and recruitment firm specializing in Cyber Security.

Averon

Averon

Averon's technology is the new gold standard for digital identity - the easiest, fastest and most secure verification solution for users on both WiFi and LTE.

Wallarm

Wallarm

Wallarm is the only unified, best-in-class API Security and WAAP (Web App and API Protection) platform to protect your entire API and web application portfolio.

Platin Bilişim

Platin Bilişim

Platin Bilisim is an IT Security company providing consultancy, solutions and operational support services.

Nexis

Nexis

Nexis GmbH is a German IT security company specializing in IAM, access control, and risk management.

Kuratorium Sicheres Österreich (KSO)

Kuratorium Sicheres Österreich (KSO)

KSO is an independent non-profit association that has set itself the goal of making Austria safer as a national networking and information platform for topics of internal security.

AppGuard

AppGuard

AppGuard prevents breaches by blocking applications from performing inappropriate processes using our patented dynamic isolation and inheritance technologies.

Cloudsine

Cloudsine

Cloudsine (formerly Banff Cyber Technologies) is a cloud technology company specializing in cloud adoption, security and innovation.

Findcourses.co.uk

Findcourses.co.uk

Findcourses is a dedicated education search engine designed to make it easy for our learners to search and find exactly what they need from our community of trusted training providers.

Software Diversified Services (SDS)

Software Diversified Services (SDS)

SDS provides the highest quality mainframe software and award-winning, expert service with an emphasis on security, encryption, monitoring, and data compression.

Gunnison Consulting Group

Gunnison Consulting Group

Gunnison Consulting Group serves the Federal Government with high quality IT consulting services.

Arcanna.ai

Arcanna.ai

Using a wide range of out-of-the box integrations, Arcanna.ai continuously learns from existing enterprise cybersecurity experts and scales your team’s capacity to deal with threats.

Riot Security

Riot Security

In today's world, most successful cyberattacks start by a human failure. Riot have developed a platform that makes it easy to prepare your employees for cyberattacks, in a way they love.

Technoware Solutions

Technoware Solutions

Technoware Solutions is a global company committed to helping entities navigate the digital waters of modernizing their system processes in an ever changing cybersecurity landscape.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

SpoofGuard

SpoofGuard

Spoofguard shields organizations from online scams, automating the entire process from domain monitoring to takedown enforcement.