The methods for achieving effective cybersecurity for a large class of applications are simple and obvious, but almost never implemented. If the methods were implemented, they would prevent the kind of massive, high-profile data loss that has been increasingly in the news. The methods make common sense to most normal people – but as we all know, computer “experts” are anything but normal. The industry needs to get it together, stop spending massive amounts of money on futile efforts to secure consumer data, and start implementing common-sense measures that work!
The current approaches to cybersecurity are fundamentally flawed
That’s why they don’t work! It’s like if you’re playing pool, missing a lot of your shots, and spend lots of effort gesturing, jumping and grunting as your shot fails to achieve its objective – do you think your problem is not jumping vigorously enough or grunting loud enough? That’s what most enterprise responses to cyber-insecurity amount to. Increasing the money spent on things that don’t work won’t suddenly make them start working.
The basics
No matter what methods we use, if we continue to deploy large numbers of security guards who are nearing retirement against small, smart, fast-moving ninja bad guys, we’ll lose. If we continue fighting the last war, we’ll lose. If we continue to think that this game is all about how high and thick the walls of the castle are, we’ll lose.
New approaches, new methods
They’re not really new – like most good ideas, they’ve been thoroughly proven in other domains. We know they work. It’s a matter of adapting them so they apply to our computer systems.
A lot of smart computer people have worked on the security problem for a long time. The issue isn’t something abstruse like better encryption algorithms. It’s simple!
First, realize that anybody who walks in the door could be a bad guy.
Second, monitor and track the valuable stuff that you don’t want walking out the door.
Both of which, believe it or not, we fail to do today inside computer systems!
How retailers do it
Retailers with lots of low-value goods like grocery stores have store monitors and checkout areas. Anyone could be a thief, so people are assigned to monitor actions accordingly. Some goods may be valuable and easy to hide, like razor blades. Those are often displayed, but require a store employee with a key to let you get them.
Clothing stores frequently have security tags on every single item. The tags are removed using a special tool during the check-out process. If you try to walk out of the store with an item that is still tagged, alarms ring and security people grab you.
Stores with very high value goods like jewelry stores have locked cases, and a heavily human approach to security. Basically, at least one person watches each customer (and sales person!) with jewels at all times. They are disciplined to manage the number of items that are outside a locked case carefully. While the guards watch the customers (i.e., the potential thieves), what they really do is watch the jewelry. They track each item until it’s been bought or safely returned to its case.
The retail approach to securing valuable items is clear: using whatever combination of automated and human means makes sense, track every valuable item, and assure that when the item goes out the door, it has been cleared to go out with the person it’s going out with.
Applying Cybersecurity methods to retail
What would retail look like if we used the kind of methods used by computer experts?
First, every store would be surrounded by thick, high walls. No display windows! There would be strictly controlled ways of getting in – think TSA security at an airport. Further imagine that the world was awash with fake and stolen IDs, so that while getting into the store legitimately is odious, for a skilled bad guy it’s not too hard.
Now imagine that once you’re in, there is no one watching the goods, there are no security tags on the clothes, no security cameras and no guards. You can grab a string of shopping carts, pile them high with goods, and wind slowly through the aisles. At check-out – well there is no check-out! You’ve been thoroughly vetted on the way in, after all, so you must be OK. When you’re done “shopping,” you can just leave! With your mountains of goods!
Of course, most visitors to this imaginary store are legitimate. They put up with the horrible entrance gauntlet because all stores have something like it. They get what they need and somehow arrange with the store to pay for it. There’s nothing to stop thousands of bad-guy visitors from walking out with thousands or millions of items each, or millions of visitors from walking out with normal-sized shopping carts. Whatever works.
You might think I’m exaggerating. I wish I were.
Applying Retail methods to Cybersecurity
It’s a bit more technical and less visual to see how retail methods can be applied to computer systems, but the basic concepts are clear. While current cybersecurity focuses on perimeter defense (like TSA security for stores), the retail approach would be a bit looser. After all, if the bad guys get in but can’t get away with anything valuable, they haven’t accomplished much, have they? How proud is a bank robber who’s broken into the safe but can’t leave with the dough? How fruitful is his career of crime if, every time he passes the demand note to the teller, she just smiles and says “next customer, please?”
Applying the retail method to computers requires a completely new approach to tracking what visitors do when they’re inside the computer. While tracking their actions is important, what really needs to be done is to track the “goods,” the valuable data items. The retail approach would differ according to the value of the items. If they’re like clothing, each item would be checked on the way out to make sure it’s authorized to leave. If they’re like jewels (for example, personal information), each item is watched like a hawk the moment it’s “picked up” by a “customer” (program). Does the customer have a couple of jewels? That could be OK, but we’re more alert. Does the customer have ten or more? Quietly circle the customer, watch the doors, and make sure there’s no escape.
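A sketch of that scheme in code, added here as an illustration and not taken from the original post or any product: the class, method names and sample record ids are hypothetical, and treating “a couple” as two is an assumption. “Clothing” records are checked at the door for clearance; “jewel” records are counted per session from the moment they are read.

```python
from collections import defaultdict

# Thresholds from the post: "a couple" of jewels raises alertness, "ten or more"
# closes the doors. ALERT_AT = 2 is an assumed reading of "a couple".
ALERT_AT, BLOCK_AT = 2, 10

class GoodsTracker:
    """Tracks valuable records per session (the "customer"), not just logins."""

    def __init__(self, tiers):
        self.tiers = tiers                 # record id -> "jewel" or "clothing"
        self.held = defaultdict(set)       # session -> jewel ids picked up
        self.cleared = defaultdict(set)    # session -> ids cleared at checkout

    def status(self, session):
        n = len(self.held[session])
        return "block" if n >= BLOCK_AT else "alert" if n >= ALERT_AT else "ok"

    def pick_up(self, session, record_id):
        """Call on every read: jewels are watched from the moment of pickup."""
        if self.tiers.get(record_id) == "jewel":
            self.held[session].add(record_id)
        return self.status(session)

    def clear(self, session, record_id):
        """Checkout: some business rule authorized this item to leave."""
        self.cleared[session].add(record_id)

    def check_exit(self, session, outgoing_ids):
        """Door check on a response or export: returns (allowed, offending ids)."""
        if self.status(session) == "block":
            return False, sorted(outgoing_ids)
        tagged = [r for r in outgoing_ids
                  if r in self.tiers and r not in self.cleared[session]]
        return not tagged, sorted(tagged)

# Constructed sample inventory: twelve personal-data records and two order rows.
SAMPLE_TIERS = {f"pii-{i}": "jewel" for i in range(12)}
SAMPLE_TIERS.update({"order-1": "clothing", "order-2": "clothing"})

def demo():
    t = GoodsTracker(SAMPLE_TIERS)
    t.clear("shopper", "order-1")
    normal = t.check_exit("shopper", ["order-1"])          # cleared item leaves
    untagged = t.check_exit("shopper", ["order-2"])        # tag still attached
    levels = [t.pick_up("bulk", f"pii-{i}") for i in range(10)]
    return normal, untagged, levels[0], levels[1], levels[-1], t.check_exit("bulk", [])
```

The point of the design is that the decision to block depends on what a session is holding, not on how it authenticated at the entrance.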
The method needs to be extended to apply to the unique circumstances of the computer. Computer bad guys can easily assemble thousands of confederates to do their bidding. The bad guys can dress and act however the boss wants them to. However, they are unlikely to act just like normal shoppers. But I don’t want to take this too far in a blog post – we’re coming up to the edge of methods I’d rather not disclose.
Conclusion
Computer systems, corporate and government, will continue to be breached at an alarming rate, which is of course much higher than is publicly disclosed. More money will be spent and people hired. More standards will be set, regulations promulgated and enforced. As should be obvious by now, most of the money will be wasted, most of the people will accomplish nothing, and the regulations will increase costs while making things worse. Unless something changes.
The problem of cybersecurity can be solved. But it can only be solved if: we acknowledge we’re at war and act accordingly; we apply within the guts of our systems common-sense methods whose principles are clear, obvious and proven in other domains; and we start acting as though we actually want to solve the problem, as opposed to the current strategy of denial, cover-up and blame-shifting.