What We Call Security Isn’t Secure!


Two factor authentication

You put in your login and your password. Then you do it again but a different way. Maybe this time it sends you an unencrypted SMS. Or maybe you need to look up some numbers on a card you have.
Then again, maybe you need to append some numbers that you’ll find on a digital token. Or maybe you give your fingerprint or eye-print or a bit of hair, which is supposedly more secure. And we need cybersecurity. It’s important. And what we’re getting isn’t working. Because what we call cybersecurity isn’t security. For example, the concept of multi-factor authentication being more secure comes from it being harder. It’s mathematically harder to guess and it’s physically harder to copy. And because it’s harder it takes more time, which introduces more entropy into the authentication process, which means fewer guesses are possible in a given time, generally time enough for security to be alerted and respond.

But is harder more secure, or does harder just limit the number of people willing to try to break it? Harder makes the pool of criminals shallow and small. At least until one of them makes a tool that makes it easier for other criminals and starts growing the pool. Well, it’s probably no shock to you that the security industry can’t agree on a definition of security. Imagine if the horse industry couldn’t agree on what is a horse. Imagine if all those members of the horse industry from those who race them to those who make Jell-O could alter the definition of a horse for commercial gain. 
Well, that’s the security industry and unfortunately there’s no genetic map of security we can look at to match the fact of the thing to the definition. So in the end we get many definitions of security. These include risk and how you feel and variations of vulnerability, protection, degrees of harm, and crystal power. Which is probably how something like 2-Factor Authentication has entered the security playbook.

So how should we define cybersecurity? Just give me 5 minutes so I can show you something:

We have a threat and we have an asset. The threat is threatening the asset. We don’t need to mess around with how vulnerable the asset is. We don’t have to wonder what the chances are that the threat will harm, steal, hide, or otherwise abuse the asset in order to figure out its risk. We don’t do those things because 1. It’s not necessary in most cases and 2. There’s no way to do it reliably until we study them and there’s no time. No, we need to keep the threat away from the asset. How do we do that? Ever work in a factory? Or visit one? I once worked in one of those huge factories where there are parallel yellow lines painted on the floor to show me where I could stand without my work clothes on, an appropriately OSHA-ly distance away from the machines.

As I walk in and machines are spurting molten lead and grinders are chopping animals into wet regret and arcs of electricity are leaping skyward, I stay inside the yellow lines to be separated from INTERACTING with the machines.
So in its basic definition we can say the separation from the machines made me secure. Did I have risk? Sure, there’s always risk like the toilet seats accidentally sprayed with methyl parathion the month before I started.

But I worked there. I had to interact within reach of the machines. So I crossed the yellow lines to get to work massaging the blue stuff that looks like silly string into the bunny’s eyes before using the drill press. To do it safely we were all given protective work-wear. For my area I had to wear steel-toed boots, a leather apron, tinted goggles, a respirator, elbow-length rubber gloves, and an anti-static bracelet on my neck. This protected me, the asset, from the threat of injury that machines like the sand blaster can cause. Then we can formulate “safety” in fancy, college textbook English as “operational controls, which reduce the interaction with the threat”.

So, the key take-away here in all my fancy operational career talk is about “interaction with the threat.” If you don’t do it then you have security, and if you limit it you have safety.

Dark Matters: http://ow.ly/PYoFi
