Without Maturity, there’s no Cybersecurity
Date: 13 October 2020
There is no such thing as an "unhackable" system. In general, cybersecurity can be described as ensuring that there is no unauthorised access to an enterprise’s network, to applications, to databases and finally to all the data we want to keep safe and secure.
Perhaps the most “secure” system would be one which does not have any network connection whatsoever. Even then, this system is still vulnerable to physical attacks, theft, or, in some cases, radio-frequency emissions being used to spy on the computer system remotely, and even to influence its behaviour.
The limited knowledge computer users and system administrators have about computer network infrastructure and the working of its protocols does not help advance network security. In fact, it increases the dangers. In a mechanical world where users understand the systems, things work differently. For example, in a mechanical system like a car, if there is a fundamental mechanical weakness, the driver usually finds the weak point and repairs it.
This, however, is not the case with computer networks. As we have seen, the network infrastructure has weaknesses, and this situation is complicated when both system administrators and users have limited knowledge of how the system works, what its weaknesses are and where those weaknesses lie in the network.
This lack of knowledge leads to other problems that further complicate network security:
- Network administrators do not use effective encryption schemes and do not use or enforce a sound security policy.
- Administrators and users who are less knowledgeable quite often use blank or useless passwords, and they rarely care to change even the good ones.
- Users carelessly give away information to criminals without being aware of the security implications.
- Network administrators fail to use system security filters. According to security experts, network servers without firewalls “are the rule rather than the exception.”
Core Concepts of Cybersecurity
Cybersecurity is not about creating an “unhackable” system. Cybersecurity is about reducing the risk of a system being breached (confidentiality), modified (integrity), or disrupted (availability) without authorisation. These three concepts - confidentiality, integrity, and availability - make up the core foundations of any cybersecurity programme. Here then are the key questions to ask to ensure that the three concepts have been paid heed to:
- Confidentiality - Is the data protected from disclosure to unauthorised users?
- Integrity - Is the data protected from modification by unauthorised users?
- Availability - Is the data accessible to authorised users for review or modification?
Too often, the third concept (availability) is overlooked or ignored when planning a secure system. While confidentiality and integrity of data are important, that data is useless if it is not available to authorised users. As stated above, security means no unauthorised access, which in practice means no broken authentication: no SQL injection (crafted SQL queries), brute force (dictionary attacks, common credentials), buffer overflows (unexpected input data), social engineering (obtaining the exact credentials), man-in-the-middle (stealing credentials in transit) or weak session management (stolen cookies or session IDs), any of which can lead to (sensitive) data exposure.
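Several of the attack classes named above (SQL injection, brute force and dictionary guessing, stolen credential tables) are addressed by how the login check itself is written. The following is an added example, not code from the original post, showing one defensive login routine: the query is parameterised so the username is bound as data, passwords are stored as salted PBKDF2 hashes, comparison is constant-time, an unknown username costs the same hashing time as a real one, and a per-account lockout caps guessing. The in-memory SQLite table, the iteration count and the five-failure lockout policy are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory user store for this example (not a real application's schema).
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")

ITERATIONS = 100_000      # assumed PBKDF2 work factor
MAX_FAILURES = 5          # assumed lockout policy: failures allowed before the account locks
_failures: dict[str, int] = {}

# Dummy credential used when the username does not exist, so the hashing cost
# (and therefore the response time) is the same for real and unknown accounts.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", _DUMMY_SALT, ITERATIONS)


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: a stolen table does not hand out reusable credentials."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    # Parameterised statement: the username is bound as data, never spliced into SQL.
    DB.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, _hash(password, salt)),
    )


def authenticate(username: str, password: str) -> str:
    """Returns 'ok', 'denied' or 'locked'."""
    if _failures.get(username, 0) >= MAX_FAILURES:
        return "locked"  # brute-force and dictionary guessing stop here

    row = DB.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    salt, expected = row if row else (_DUMMY_SALT, _DUMMY_HASH)

    # Always do the hashing work, then compare in constant time; the caller is not
    # told which half of the credential was wrong.
    candidate = _hash(password, salt)
    if row is not None and hmac.compare_digest(candidate, expected):
        _failures.pop(username, None)
        return "ok"

    _failures[username] = _failures.get(username, 0) + 1
    return "denied"


def failures_for(username: str) -> int:
    """Current failed-attempt count for an account (for monitoring or tests)."""
    return _failures.get(username, 0)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(authenticate("alice", "correct horse battery staple"))
    print(authenticate("alice", "password"))
    # A classic injection payload arrives as a plain string and simply matches no user.
    print(authenticate("' OR '1'='1", "anything"))
```

The lockout counter lives in process memory here; a real deployment would keep it in shared storage and pair it with logging of repeated failures so the brute-force attempts the post mentions are visible to the operations team rather than silently absorbed.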
Tenets for Success of Security Measures
- Vulnerability: A flaw in a design, a possible means of compromising confidentiality, integrity, or availability.
- Threat: An external or internal force, either man-made or natural.
- Risk: The probability of a threat successfully attacking a vulnerability.
For security measures to be successful, they must cost less than the predicted loss should confidentiality, integrity, or availability be compromised, while making an attacker’s opportunity cost of defeating those measures higher than the value of a successful compromise.
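The two conditions above, together with the risk definition (probability of a threat successfully attacking a vulnerability), can be applied as a concrete decision rule. The following is an added example, not from the original post: it computes the annual expected loss of a scenario as likelihood times loss, estimates how much of that loss each candidate control avoids, and checks both tenets (the control costs less than the loss it avoids; defeating it costs the attacker more than the compromise is worth). The scenario, the controls and every figure in them are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A threat acting on a vulnerability. All figures are constructed for illustration."""
    name: str
    likelihood: float       # risk: probability per year that the threat succeeds
    loss: float             # predicted loss if confidentiality, integrity or availability is hit


@dataclass(frozen=True)
class Control:
    """A candidate security measure and its assumed effect (constructed values)."""
    name: str
    annual_cost: float
    reduction: float        # fraction of the likelihood the control removes, 0.0 .. 1.0
    attacker_cost: float    # assumed effort an attacker must spend to defeat the control
    attacker_gain: float    # assumed value of a successful compromise to the attacker


def expected_loss(s: Scenario, reduction: float = 0.0) -> float:
    """Annual expected loss = likelihood x loss, after any reduction a control provides."""
    if not 0.0 <= reduction <= 1.0:
        raise ValueError("reduction must be a fraction between 0 and 1")
    return s.likelihood * (1.0 - reduction) * s.loss


def evaluate(s: Scenario, c: Control) -> dict:
    """Apply both tenets to one control for one scenario."""
    loss_avoided = expected_loss(s) - expected_loss(s, c.reduction)
    return {
        "control": c.name,
        "loss_avoided": round(loss_avoided, 2),
        "net_benefit": round(loss_avoided - c.annual_cost, 2),
        # Tenet 1: the measure must cost less than the loss it prevents.
        "cost_below_loss": c.annual_cost < loss_avoided,
        # Tenet 2: defeating it must cost the attacker more than the compromise is worth.
        "deters_attacker": c.attacker_cost > c.attacker_gain,
    }


def rank_controls(s: Scenario, controls: list[Control]) -> list[dict]:
    """Controls satisfying both tenets come first, best net benefit first; the rest follow."""
    results = [evaluate(s, c) for c in controls]
    return sorted(
        results,
        key=lambda r: (not (r["cost_below_loss"] and r["deters_attacker"]), -r["net_benefit"]),
    )


# Constructed scenario and candidate controls (not real figures).
PORTAL = Scenario("credential stuffing against the customer portal", likelihood=0.4, loss=250_000)
MFA = Control("MFA", annual_cost=30_000, reduction=0.9, attacker_cost=50_000, attacker_gain=20_000)
ROTATION = Control("rotation", annual_cost=6_000, reduction=0.05, attacker_cost=500, attacker_gain=20_000)
TOKENS = Control("tokens", annual_cost=150_000, reduction=0.95, attacker_cost=200_000, attacker_gain=20_000)

if __name__ == "__main__":
    for r in rank_controls(PORTAL, [TOKENS, ROTATION, MFA]):
        print(r)
```

In the constructed figures, the hardware-token control removes almost all of the risk and clearly deters the attacker, yet it fails the first tenet because it costs more than the loss it avoids; the rotation reminder fails both. Only the MFA control passes both checks, which is the kind of comparison the tenets are meant to force before a control is bought.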
Although the network infrastructure weaknesses seem simple, finding solutions will not be easy, and it is an ongoing exercise of interest to lawmakers, law enforcement agencies and the network community. The ‘Holy Grail’ is to find a final solution to the complex computer network security problems. Even if such a solution were found, it would not last long, for the following reasons:
- The cyberspace infrastructure technology is constantly changing, adding new technologies along the way and as new technologies are added, new loopholes crop up, therefore, new opportunities are created for cyber-criminals.
- Solutions to social and ethical problems require a corresponding change in the legal structures, enforcement mechanisms and human moral systems. None of these can change at the speed with which technology is changing. Soon, any solution will be useless, and we will be back to square one.
- Yet, there is no fully functional national or international plan or policy that can withstand the rapid changes in technology and remain enforceable.
- Most importantly, solutions that do not consider and are not part of a general public education plan, do not stand a chance of lasting for any extended period. For any solution to the computer network security problem to last, public education and awareness are critical.
Possible Solutions to the Computer Network Security problem
As a personal opinion, a workable and durable solution (if found), must include the following:
- Public awareness and understanding of the computer network infrastructure threats, its potential consequences and its vulnerabilities. We cannot rely on education acquired from science-fiction novels. Otherwise, when such attacks really occur, the public may take them to be science-fiction events.
- A well-developed plan based on a good policy for deterrence.
- A clear plan, again based on good and sound policy, for rapid and timely response to cyber-attacks.
However, we should not ignore the inconveniences, or the social and ethical disruptions that are perpetuated by technology. Our duty is to find ways to prevent future computer attacks. And our focus is to understand what they are, who generates them and, especially, why.
Author: Oana Buzianu
A passionate information security professional who has made cybersecurity a priority in her career. With 15+ years of experience as a cybersecurity specialist and a deep understanding of intelligence processes, Oana is focussed on shifting the focus away from rules and policies to values and ethics & doing the right thing even if no one is looking.