infoTECH Feature

June 19, 2015

A Security Manifesto: Why Are Breaches Inevitable?

By TMCnet Special Guest
Tom Smith, Market Strategy, SafeNet Labs by Gemalto

Face the facts: at some point, sooner or later, your system will be breached. It's no longer a question of "if", but rather "when". Why? It has to do with the very nature of the Internet itself, the increasing complexity of our connections, and a growing web of software and hardware that daily adds openings into the silos we expect to be interconnected and secured all at once.

In the end, it may take a cooperative movement the likes of which we've never seen in terms of Internet security to once again secure our online data, but first, we need to understand why we are where we are and how Internet security is broken at a foundational level.

The Internet Is Built On Broken Ground

The fundamental challenge we face is that companies and business models formed their security worldviews based on working within private networks. When many companies first became networked, it was locally, and so access was limited to those physically present. Information was passed over a network that was limited to computers given strict access to that network and generally a known user base.

From its very foundation, the Internet has a different set of design criteria from those businesses had for moving information around in a company setting. While private networks were designed to control access to information and resources, the Internet was designed to connect and share, and companies have been dealing with this intrinsic difference in principle and function ever since.

Everything changed when the Internet arrived. Using encryption and passwords on a private network is very different from using them on a wide-area public network: password handling, and even the key management behind encryption, becomes far more complex and must be adapted to the Internet. The Internet was designed with sharing in mind. From IP addressing and TCP/IP to DNS, it was built for connectivity, resilient communication and easy sharing of information among many different devices. By default it errs on the side of publicly exposing such things as header information, content attributes and other metadata, because interoperability was its primary goal.

In many ways, the use of passwords on the Internet parallels another common and insecure practice: the use of Social Security numbers as secure identifiers. SSNs were originally created to track people's incomes, and it wasn't until the '60s, when computers made it practical, that they were used for identification. Now, however, they are used as passwords on public networks to access private information, which creates problems because they cannot easily be changed when they fall into the wrong hands. Passwords have a similar history. They were originally used on private networks, where they didn't have to be complex or long. They were a simple security measure in a closed system. People picked passwords they could easily remember, as they do to this day, but back then exposure was small and limited. Nowadays, with the Internet, exposure is massive, and the computing power behind cracking programs and dictionaries is almost limitless. For passwords to be secure now, they have to be long, high-entropy (chosen at random rather than built from words, dates or keyboard patterns) and ideally machine-generated. While many security professionals understand the risks and the need for strong passwords, not every user fully understands the consequences and risks introduced by their password behavior.
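To put numbers on the claim that passwords must now be long, high-entropy and machine-generated, here is an added example (not code from the article or from SafeNet/Gemalto) that generates a password from the OS random source without modulo bias and compares the search space of a memorable 8-letter password against a 16-character random one. The 1e11 guesses-per-second cracking rate is an assumed figure for an offline attack on a fast unsalted hash, used only for illustration.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
)

// Charset is printable ASCII without the space: 26 + 26 + 10 + 32 = 94 symbols.
const Charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" +
	"!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

// GeneratePassword draws each character uniformly from Charset using the
// OS CSPRNG. rand.Int rejects out-of-range draws internally, so a 94-symbol
// alphabet does not suffer the modulo bias of a naive `byte % 94`.
func GeneratePassword(length int) (string, error) {
	out := make([]byte, length)
	bound := big.NewInt(int64(len(Charset)))
	for i := range out {
		n, err := rand.Int(rand.Reader, bound)
		if err != nil {
			return "", err
		}
		out[i] = Charset[n.Int64()]
	}
	return string(out), nil
}

// EntropyBits is log2(alphabet^length): the size of the search space when every
// character really is chosen at random. A human-chosen password built from words,
// dates and keyboard patterns has far less entropy than this formula suggests.
func EntropyBits(alphabet, length int) float64 {
	return float64(length) * math.Log2(float64(alphabet))
}

// ExpectedCrackYears is the average time to find a password of the given entropy
// at guessesPerSecond: on average the attacker searches half of the space.
func ExpectedCrackYears(bits, guessesPerSecond float64) float64 {
	guesses := math.Pow(2, bits-1)
	return guesses / guessesPerSecond / (365.25 * 24 * 3600)
}

func main() {
	// Assumed offline cracking rate against a fast unsalted hash; illustrative, not measured.
	const rate = 1e11

	// An 8-letter lowercase password, the kind people pick because it is memorable.
	weak := EntropyBits(26, 8)
	fmt.Printf("8 lowercase letters: %.1f bits, about %.0f second(s) to crack\n",
		weak, ExpectedCrackYears(weak, rate)*365.25*24*3600)

	pw, err := GeneratePassword(16)
	if err != nil {
		panic(err)
	}
	strong := EntropyBits(len(Charset), len(pw))
	fmt.Printf("%s: %.1f bits, about %.2g years to crack\n",
		pw, strong, ExpectedCrackYears(strong, rate))
}
```

The entropy figure only holds for the generated password; the 8-letter example is already generous, because real human choices cluster in a dictionary far smaller than 26^8. That asymmetry is the practical reason to let a password manager generate credentials rather than asking people to invent them.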

Passwords, and their current usage and practice on the Internet, bring us well into our next point.

Your own employees are your biggest threat

When companies moved from private to publicly accessible networks, the security focus immediately moved to securing the perimeter. The most obvious attack vector would be an external source, the thinking went, and so they installed firewalls and increased security measures to keep outsiders from getting in. And things have gone on like that for a while now.


Until recently, that is. The latest trends show that insiders, such as your own employees, rather than outsiders are now a primary attack front, whether through deliberate action or by inadvertently leaking or exposing data. Your employees have become the weak link in the chain when it comes to security. While businesses have historically focused on the network and "locking it down", it has become more apparent in recent years, with the cloud, cloud apps and Bring Your Own Device (BYOD), that the human factor is more important and riskier than ever. In fact, according to one recent survey by CloudEntr, more than 70 percent of respondents identified employees as the single greatest vulnerability to their security.

So, why is this? Employees are individuals first and, as such, they are trained on consumer devices and technologies. They have personal lives where they act as consumers, and they bring this behavior into the workplace. This goes for security as well. Ask almost anyone, and they'll admit to reusing a handful of passwords across a number of different services. A 2013 study found that 55 percent of Internet users reuse the same password for most, if not all, websites. As a result, if one service is breached, several others can be as well, since in many cases the username part of the login is an e-mail address, and this can bleed over into the workplace. The method most businesses take to defend against these consumer behaviors is to put complicated security policies in place, such as complex password requirements, which employees end up circumventing for their own convenience. If a company policy makes an employee change a 12-character password, with upper- and lower-case characters, every six weeks, they will inevitably fall back on an insecure practice such as e-mailing each new password to themselves or jotting it down on a post-it note at their desk.

Beyond dealing with antiquated security technologies meant for private networks, modern companies have to deal with a host of other problems when it comes to employees creating security holes in their networks. In the siloed past of private company intranets, employees were locked down. Now, there is no feasible way to "lock down" your employees' access to public networks unless you are in a high-security facility. The difference is the Internet. Proxies and other tools can be used to enforce access and security policies, but personal employee phones and wearable devices, employee-acquired software and SaaS tools can quickly circumvent those policies. The BYOD phenomenon has employees bringing consumer-grade technology into enterprise-grade settings. Employees using their own devices can increase efficiency, but without a proper BYOD policy in place the ways it can introduce security holes are numerous. The same goes for Web-based applications (BYOA). Employees may decide to store sensitive information on personal cloud storage services, potentially exposing confidential information owned by the company.

But this is just the first step in the increasingly complicated security environment businesses operate in these days. When you think of all the complications introduced by employees, just realize what happens when you take into account all of your external business relationships and their employees.

Your business partners are a new attack front

If there's anything that recent attacks on companies like Home Depot, Target and Sony have taught us, it's that your business partners represent a new attack front. The Target breach, for example, began with network credentials stolen from a third-party HVAC contractor. Any business today relies heavily on other vendors, from credit card payment processors to point-of-sale systems, cloud storage, e-mail, or even your Internet service provider itself. Where 15 or 20 years ago we had completely private and internally controlled networking environments, today we have a completely interconnected cloud supply chain, in which various parts of your business are handled by numerous cloud-based services. Even if your networks aren't connected, your data can be compromised when it is stored in a partner's network, as with the Sony hack.

This is where the problem grows exponentially, because we move from securing one perimeter to securing seemingly limitless perimeters. And for each perimeter of each service, you have a plethora of employees and other interconnected businesses to worry about. Businesses today are very interdependent. While you can control your own security environment to some extent through policies for your employees, you have very little control over how the other businesses you work with run their business, how they manage security, or what other partners they have. All businesses now live in a world with a spider web of interconnections and relationships, and every node on that web represents a potential weak link in the chain for your data.

New technologies are new entry points

As we continue to introduce new technologies, we continue to operate on the unstable groundwork of an Internet meant to be open and connected, creating further insecure attack points. As new technologies are introduced, security is not necessarily top-of-mind; instead, new feature innovation becomes the mantra that drives adoption.

A good case in point is the Internet of Things (IoT). Devices are increasingly connected to our networks, but typically do not include the security precautions we've come to expect of other networked devices. These can be entry points for hackers in any number of ways. They may not only give access to other networked devices, but also disclose information that can be used in other ways. For example, now that you have an Internet-connected and remotely programmable home thermostat, does it potentially disclose when you are or are not home? The same applies to software innovations. Location-aware social applications can disclose when you are out of town on vacation. And these same things can happen in a business setting. There is so much data being mined and processed by sophisticated analytics tools that the results could ultimately be used to expose a security weakness, leading to a breach. More importantly, all of these Internet-connected devices create additional entry points into our networks and potential avenues for hackers to reach our devices, our networks and ultimately our data.

In a business setting, one of the biggest threats from new technology innovations again arises from BYOD and BYOA. The Apple Watch, for example, is a new device, with a new interface and features, that communicates with the user's phone. Security teams cannot assess a device's capabilities and attack surface until it is released, so it arrives as an unvetted potential entry point for hackers. While the watches (or any new device, for that matter) are designed with certain intended usages in mind, only when they are released into the wild can we see their actual use and effects.

A Systemic Change

For decades, security dogma has dictated that we secure the perimeter. We wrap the network in firewalls, and protect the information with passwords and even multiple points of authentication, to keep all of the important data at the core secure. And after decades of failing to keep that data secure, the thinking has changed.

No longer can we focus on securing the perimeter alone. Instead, we must secure the breach. We must accept the breach as an inevitability and protect the data at the core in addition to the perimeter, so that when it is accessed, it is unusable: encrypted under keys that are stored and controlled separately from the data they protect, so that a copy of the data alone is worthless to whoever takes it.
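What "unusable when accessed" looks like in code, as an added example that is not part of the article and not SafeNet's or Gemalto's own implementation: each record's field is encrypted under its own data key with AES-GCM, and that data key is in turn wrapped under a key-encryption key (KEK) that never sits in the database. The record ID is bound as associated data so a ciphertext cannot be moved between rows. The KEK here is a random in-memory key standing in for an HSM or key management service; that location is the assumption the example rests on, since an attacker who steals the database dump and the KEK together has defeated the scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is what the database stores for one protected field: the per-record
// data key (DEK) wrapped under a KEK that never touches the database, and the
// AES-GCM ciphertext of the field. Both blobs are nonce || ciphertext || tag.
type Record struct {
	WrappedDEK []byte
	Ciphertext []byte
}

func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per seal
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func openGCM(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Protect encrypts one field under a fresh 256-bit DEK and wraps that DEK under
// the KEK. The record ID is bound as associated data, so a ciphertext copied
// into another row fails to authenticate instead of decrypting there.
func Protect(kek []byte, recordID string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Record{}, err
	}
	ct, err := sealGCM(dek, plaintext, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := sealGCM(kek, dek, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Reveal is the only path back to plaintext, and it needs the KEK: whoever
// walks off with the database but not the key store gets nothing usable.
func Reveal(kek []byte, recordID string, r Record) ([]byte, error) {
	dek, err := openGCM(kek, r.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, r.Ciphertext, []byte(recordID))
}

func main() {
	kek := make([]byte, 32) // assumed to live in an HSM/KMS; random in-memory here
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	rec, err := Protect(kek, "customer-42", []byte("4111 1111 1111 1111")) // constructed sample
	if err != nil {
		panic(err)
	}
	// The breach: the attacker holds the whole record but only a guessed KEK.
	if _, err := Reveal(make([]byte, 32), "customer-42", rec); err != nil {
		fmt.Println("attacker without KEK:", err)
	}
	pt, err := Reveal(kek, "customer-42", rec)
	fmt.Printf("legitimate service: %q (err=%v)\n", pt, err)
}
```

Per-record data keys keep the KEK's exposure to a few bytes per row and make key rotation a matter of re-wrapping DEKs rather than re-encrypting every field; binding the record ID as associated data is what turns a copied ciphertext into an authentication failure rather than a silently swapped value.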

Much like vaccines, however, the practice of securing the breach needs to be systemic in order for it to be truly effective. If one company puts in the effort to secure its data on its own network, but then shares that data with another company that doesn't, it can again be accessed when that inevitable breach occurs. In the meantime, businesses should take it upon themselves to secure their business relationships by building data security into partnerships, even at a contractual level. By securing against the breach, you can not only ensure that your data is safe in the case of that inevitable breach, but the breach itself can be seen as a positive for business in the midst of pervasive news of insecure breaches.

In the end, the path that this adoption takes, whether government regulated or induced by the free market effects of continued breaches, is yet to be determined. At some point, however, we as an international, interconnected community need to admit that we need to work together to secure the breach and protect critical information as well as the integrity of our day-to-day operations.

About the Author: Tom Smith focuses on market strategy at SafeNet Labs by Gemalto. Follow him on Twitter @Gemalto_NA.


Edited by Dominick Sorrentino
