Solving cybersecurity weaknesses is about fixing bugs, isn't it?
Well, no. Fixing the bug is only one of many 'mitigation' possibilities for a security weakness, and therein lies a powerful lesson for software developers...
I recently attended a talk by Alex Tarter of Thales. He outlined a concept that was not exactly new to me, but what impressed me was his emphasis on the way it revolutionises the way we think about software security and privacy. That concept is cyber resilience.
The idea is simple enough. We are not going to be able to prevent attackers from succeeding sometimes. So we need to construct our systems and processes to deal with successful attacks. To illustrate the idea, here are three examples I know of; you may well be able to think of others.
First, if we are running a security service which relies on a master encryption key, it is conceivable that some attacker might succeed in stealing that key. You might think that would be the end of everything. But no, it does not need to be. Most companies nowadays have 'cyber resilience' plans in place for what to do when such disasters happen. For example, they would immediately replace the key and ensure every legitimate user of the key has their configuration updated accordingly. This happened to RSA, one of the world's leading security companies, in 2011. RSA made, and still make, the hugely-popular SecureId two-factor authentication token. When RSA's master keys ('seeds') were stolen, they immediately notified their customers and replaced all those master keys and tokens. As a result they are now more trusted than ever. They made resilience into a business asset.
Or supposing you were running a service to store credit card details. Much worse than simply losing all those card details would be losing that information and not knowing about it. Credit card companies, after all, expect that cards will be lost and stolen; but until they know about a loss they lose money. So you might choose to have 'honey tokens', in the form of special card numbers that, if they are ever used, immediately raise an alert at the credit card company, who can thus tell that your data has been lost. In that way you are resilient and you have reduced the harm involved from a breach.
And of course, we can simply stop trusting the classic system architecture where there is a firewall, and a demilitarised zone, and then an intranet which is safe from attackers. That architecture is valuable for deterring casual attacks. But if we want to be resilient, we should assume that there will sometimes be attackers there, and craft the software within the intranet with many of the same security controls that we would apply to software running outside. Resilience.
Are you cyber resilient?
– Charles
Image by Christine Schmidt from Pixabay