Perspectives on Cyber Security

by Super Ells

Cyber security has changed a great deal through the digital age, going from simple passwords on S/360s accessed through dumb terminals to multi-factor authentication, routing and firewall security, and even shredding paper to counter dumpster divers and social engineers.  Overall, though, these changes have not really increased security.

The ways that security has been "improved" have done very little to truly improve cyber security.  Over the decades, people from Kevin Mitnick to Edward Snowden have consistently been able to defeat security measures, as have organizations from governments eager to spy on their citizens to hacktivist groups such as Anonymous.  A complete paradigm shift must be made in order to improve cyber security.  The days of making networks a "vault" are numbered; their demise is overdue.

Cyber security has been "improved" in three ways: encryption, layering (multi-factor authentication, complex passwords), and access restrictions (security clearances, physical security, need-to-know, access permissions).  Of those, the only one that has been successful is encryption, enough that the U.S. government freaks out about it - from considering it a munition in the 1980s to the FBI director asking the American people to accept being spied on [2].

Encryption, when properly implemented, has been the most effective tool for security, and with extremely strong tools such as PGP and AES, it is not only extremely difficult to crack but also widely used.

The second way is layering.

Multi-factor authentication, though a good idea, has its weaknesses.  Cell phones can be spoofed to get text message security codes, CACs can be copied, as can other card-based access mechanisms, and users risk losing one of the factors, which hampers productivity.  Also, increasing the complexity of passwords has allowed tools like Apple's Keychain to proliferate, as well as convincing more users to write down their passwords.

However, from many anecdotal stories and security assessments, it is routine for just about any sysadmin, anywhere, to grab 30 to 40 sticky notes a week with user passwords on them.  Some of these passwords gave access to supercomputers, mainframes, and even web-based email accounts.  The sysadmins would then let the affected people know not to leave their passwords out.  Even with utilities like Keychain, you can extract a user's Keychain and grab every password they have saved, further compromising security.

This leads into the human factor, and how it can be exploited - the fine art of social engineering.

The human weakness is always the biggest weakness; even with extensive (and annoyingly repetitive if you work in the U.S. government) training, it is still a large problem.  Even security clearances have issues; they can detect weaknesses and deception, but they cannot detect true human intentions.  Polygraphs are not often effective either; if anything, their use is far from it.

Edward Snowden and Chelsea Manning are the two most recent examples of why simply being cleared doesn't mean that you haven't brought in an insider threat, and people who may be thought of as insider threats because they don't "play the game" or "act normal" due to being eccentric or culturally different may be the best people to have.  Shredding documents has become a deterrent to dumpster divers - until they start looking for old hard drives, CDs, memory cards and USB sticks, or even intercepting Wi-Fi transmissions.

Even more interesting are systems like the Pwn Plug that can be plugged in in a back room and used to extract data without being detected easily [3].

Even VoIP can be compromised and used to listen in on unsuspecting people [1].

The best and most efficient way of extracting information from users and compromising security is still the simple phone call: acting like a colleague or the IT support team and getting the information from the unsuspecting user that way.

Spear phishing is still effective, but it is losing its effectiveness due to counter-spoofing measures.  Government agencies ban the entry of cell phones with cameras into certain facilities, but there is no way to legally trace phones without a StingRay (and even then, it's legally dubious).  Cell phones are so small and easy to hide; the smallest GSM phones are the size of a credit card.  It is a matter of trust, and more often than not, people bring them in.  Many government offices that ban the use of cell phones have found that, because of the inconvenience of trying to enforce the policy, it's easier to simply not say anything about them unless they're blatantly visible out in the open.

The effects of increased cyber security through the above mentioned ways are very profound and simple to express.

It inconveniences the normal working body of people by forcing them to go through one layer of security after another just to be productive, while building a structure that is somewhat difficult to penetrate for people who want to get information or intelligence, but not difficult enough to discourage them from trying.  Also, cyber security is very reactive instead of proactive.

Policies can change drastically because of one incident, and not even in the right way.  Flash drives were banned because of Chelsea Manning.  It does not make any sense, since Chelsea Manning should have never been able to keep a security clearance, much less be deployed, due to a myriad of issues.

Worse yet, and typical of the reactive implementation of cyber security, he burned the leaks on CD-RWs labeled "Lady Gaga," for example.  Does that have anything to do with flash drives?  Absolutely not.  Does it make the "cyber security" professionals look great?  Wonderfully so.  However, they are so wrapped up in arrogance that they cannot shift to another paradigm of security.  That arrogance blinds them to the most crucial element of security: the human element.  You cannot eliminate it, but you must be able to mitigate it.

How to change it?

On private networks, it is best to use a combination of measures to mitigate the human element.  There is no need for two-factor authentication unless it is easily usable, reliable, and most of all, stable.  It's good to have your standard firewalls and IDS, as well as good malware protection.

But the main difference is that instead of locking every single thing down, you only need to lock out what you wish to keep people out of (others' personal folders, for instance), and keep the rest open.  Use port control on your switches, and lock ports to MAC addresses.  The most important change is to implement a file transaction logging system.  This makes it possible to identify and catch a problem in open view, since every file transaction, program accessed, and file location accessed is logged.  With proper user management and port controls, if information leaks out, it is easy to trace who did it and pursue action against the offender.

Vigilance is the most important thing in the endeavor of security.  You need to constantly flag and monitor what is going on in the network.  Tools such as transaction logging will allow security managers to assess in real time what is happening on their networks, and by whom.  Then, when breaches happen (and they will, and it's not worth the effort trying to stop them - it's best to just mitigate the spread), you know who the perpetrator was.
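The file transaction logging and port-to-MAC control described above boil down to one thing: every file operation is recorded together with who did it and from which port, and someone actually reviews those records.  The following is an added example, not code from the article, of what that review can look like.  It parses a handful of constructed audit lines (the `user=... host=... op=... path=...` format, the `/home/<user>/` layout for personal folders, and the `/media/`, `/mnt/` mount points are all assumptions made for the example) and flags three things a security manager would want to see in real time: a user reaching into someone else's personal folder, an unusually dense burst of reads from one user on one switch port, and writes to removable media.  Each finding carries the user and the MAC address it was attributed to, which is what makes tracing the offender easy afterwards.

```python
"""Toy review of a file transaction log (added example, not the article's code).

Each constructed audit line has the form
    <ISO-8601 timestamp> user=<name> host=<mac> op=<read|write|copy> path=<path>
The MAC is the address the switch port is locked to, so every event is tied
to a user *and* a physical port.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: alice works in her own folder, bob reads alice's
# notes and copies them to a USB stick, mallory sweeps a share very quickly.
SAMPLE_LOG = """
2014-03-01T09:00:00 user=alice host=00:11:22:33:44:01 op=read path=/home/alice/report.doc
2014-03-01T09:00:30 user=alice host=00:11:22:33:44:01 op=write path=/home/alice/report.doc
2014-03-01T09:01:00 user=bob host=00:11:22:33:44:02 op=read path=/home/alice/notes.txt
2014-03-01T09:01:10 user=bob host=00:11:22:33:44:02 op=copy path=/media/usb0/notes.txt
2014-03-01T09:02:00 user=mallory host=00:11:22:33:44:03 op=read path=/srv/share/f1
2014-03-01T09:02:05 user=mallory host=00:11:22:33:44:03 op=read path=/srv/share/f2
2014-03-01T09:02:10 user=mallory host=00:11:22:33:44:03 op=read path=/srv/share/f3
2014-03-01T09:02:15 user=mallory host=00:11:22:33:44:03 op=read path=/srv/share/f4
2014-03-01T09:02:20 user=mallory host=00:11:22:33:44:03 op=read path=/srv/share/f5
2014-03-01T09:02:25 user=mallory host=00:11:22:33:44:03 op=read path=/srv/share/f6
2014-03-01T09:02:30 user=mallory host=00:11:22:33:44:03 op=read path=/srv/share/f7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<mac>\S+) op=(?P<op>\S+) path=(?P<path>\S+)$"
)

@dataclass
class Event:
    ts: datetime
    user: str
    mac: str
    op: str
    path: str

def parse_log(text):
    """Turn audit lines into Event objects; malformed lines are skipped, not trusted."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]),
                                m["user"], m["mac"], m["op"], m["path"]))
    return events

def owner_of(path):
    """Owner of a personal folder, assuming the /home/<user>/ layout; None otherwise."""
    m = re.match(r"^/home/([^/]+)/", path)
    return m.group(1) if m else None

def find_cross_user_access(events):
    """Events where a user touched a file inside someone else's personal folder."""
    return [e for e in events if owner_of(e.path) not in (None, e.user)]

def find_removable_media_writes(events, mounts=("/media/", "/mnt/")):
    """Writes or copies onto removable media mount points (assumed paths)."""
    return [e for e in events
            if e.op in ("write", "copy") and e.path.startswith(mounts)]

def find_read_bursts(events, limit=5, window=timedelta(minutes=2)):
    """(user, mac, count) for every user/port whose reads in any sliding
    window of `window` length exceed `limit`."""
    per_key = defaultdict(list)
    for e in events:
        if e.op == "read":
            per_key[(e.user, e.mac)].append(e.ts)
    findings = []
    for (user, mac), times in per_key.items():
        times.sort()
        start, worst = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            worst = max(worst, end - start + 1)
        if worst > limit:
            findings.append((user, mac, worst))
    return findings

def review(text):
    """Run all three checks and return the findings keyed by check name."""
    events = parse_log(text)
    return {
        "cross_user_access": find_cross_user_access(events),
        "removable_media_writes": find_removable_media_writes(events),
        "read_bursts": find_read_bursts(events),
    }

if __name__ == "__main__":
    for name, hits in review(SAMPLE_LOG).items():
        print(name)
        for h in hits:
            print("   ", h)
```

In a real deployment the log lines would come from the file server's audit facility and the MAC-to-port mapping from the switch, but the shape of the review is the same: parse, attribute to user and port, and flag the few events worth a human's attention rather than drowning in the rest.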

Combined with strong encryption for inter-network and off-network communication to remote workstations, while leaving the workstation itself unmonitored (which improves privacy while maintaining the security of on-LAN files), this is the most effective approach to managing network security.

In conclusion, an open and transparent approach to security that does not impede productivity should always be considered, and with this outlook a paradigm shift needs to be made.  The old methods of implementing cyber security are on their way to irrelevance, and recent events have made it necessary to be able to guarantee a level of privacy while maintaining a level of security.

References

  1. Malvineous, "Bugging a Room with an IP Phone."
  2. Lemos, R., "FBI Director to Citizens: Let Us Spy on You."
  3. McMillan, R., "The Little White Box That Can Hack Your Network."