How to beat the cy­ber crooks

Belfast Telegraph - Business Telegraph - - Front Page - Byrahimjina, Chief Oper­atin­gof­fi­cer, Edges­can

With less than a week to go un­til dublin info sec, speaker rahim jina talks about preven­tion

IT’S all just soft­ware. Re­ally, it is. Soft­ware runs our ap­pli­ca­tions and soft­ware makes our hard­ware work. Soft­ware has al­ways had bugs, due to the fun­da­men­tal fact that hu­mans, un­like com­put­ers, are not fi­nite state ma­chines which fol­low pre­dictable paths. The hu­man brain is not wired like this, which means that as long as hu­mans write code, code will al­ways con­tain bugs. This raises the ques­tion for the fu­ture of ar­ti­fi­cial in­tel­li­gence, since it is hu­mans that will write the code that cre­ates the in­tel­li­gence, but that is a dis­cus­sion for an­other day.

Where soft­ware runs does make some dif­fer­ence, but not as much as you might think. It’s funny when an in­dus­try can cre­ate new mar­kets for it­self, just by reusing ex­ist­ing con­cepts and repack­ag­ing them. That’s what cloud is. Cloud is the new main­frame, back when the par­a­digm was for com­put­ing to be per­formed cen­trally and then ac­cessed re­motely by a ded­i­cated ter­mi­nal — sound fa­mil­iar? The cloud is sim­ply just an­other bunch of big com­put­ers sit­ting some­where else, where that some­one else is pay­ing the elec­tric­ity bill in­stead of you (di­rectly, any­way).

In fact, cy­ber­se­cu­rity has not changed much in the past 15 to 20 years.

It has been re­branded of­ten but the fun­da­men­tals are still there un­changed. Se­cu­rity vul­ner­a­bil­i­ties which give rise to hack­ing in­ci­dents and breaches can still be largely grouped into three cat­e­gories: bugs in soft­ware (badly writ­ten code), mis­con­fig­ured soft­ware (where pro­tec­tions are there but some­one did not set them up right), and re­source avail­abil­ity (some­one else hogs all the re­sources and the sys­tem goes down).

Vul­ner­a­bil­i­ties still come in three flavours The first cat­e­gory is where real com­plex­ity creeps in. Lots of soft­ware bugs can be lever­aged to trick the soft­ware so that in­stead of re­ceiv­ing ex­pected data, such as a name or phone num­ber, it ac­tu­ally re­ceives new code which ef­fec­tively rewrites the ac­tual soft­ware. While gen­er­ally the most com­plex at­tacks to carry out, the im­pact of these can be dev­as­tat­ing to a sys­tem.

Se­condly, (mis)con­fig­u­ra­tion is­sues are huge and con­trib­ute to about one third of vul­ner­a­bil­i­ties that we see af­fect­ing busi­nesses over a given year. This is like any­thing from leav­ing a win­dow in your house un­locked to leav­ing your front and back doors wide open. Some of the sim­plest at­tacks lever­age these types of vul­ner­a­bil­i­ties and although they are gen­er­ally quick and easy to fix, this as­sumes that you knew about them in the first place.

Fi­nally, a re­source avail­abil­ity breach is akin to us­ing a giant loud­speaker at a con­cert, to over­power and drown out the mu­sic with noise. It’s not that so­phis­ti­cated and is a less-than-el­e­gant at­tack, although the im­pact can be se­vere (un­less you can do with­out on­line bank­ing and stream­ing TV). The other two cat­e­gories, how­ever, are more Hol­ly­wood-hacker and ex­cit­ing.

There are some cloud-spe­cific is­sues but they all fit into the above cat­e­gories. Ever hear of AWS S3 buck­ets? Well, some or­gan­i­sa­tions were not con­fig­ur­ing them cor­rectly and leav­ing them ex­posed to the in­ter­net. An­other com­mon is­sue is to leave ad­min­is­tra­tion ser­vices ex­posed, al­low­ing for easy at­tacks such as pass­word guess­ing, which can lead to full com­pro­mise of a sys­tem. These types of is­sues have re­cently be­come very preva­lent in a num­ber of high-pro­file breaches by hacker groups with steam­punk-sound­ing names. These all gen­er­ally come down to mis­con­fig­u­ra­tion and even though they might present them­selves dif­fer­ently, the is­sue is the same as ex­pos­ing any in­ter­nal sys­tem to the in­ter­net un­in­ten­tion­ally. If only we knew it was there.

Vis­i­bil­ity is ev­ery­thing How can we even start to get a han­dle on things? Vis­i­bil­ity is ev­ery­thing. Vis­i­bil­ity of not only what we have, but where it is, too. Only then can we get into where our vul­ner­a­bil­i­ties lie. We need to be able to map our at­tack­able foot­print in a mean­ing­ful way as vul­ner­a­bil­i­ties arise in both sys­tems which change fre­quently and also those that don’t. No soft­ware runs in iso­la­tion and bugs can be in­tro­duced in your soft­ware or the mul­ti­tude of soft­ware that is not yours but which you need in or­der to make your code work. We can­not test what we can­not see and surely can­not se­cure that which we do not know about. Vis­i­bil­ity is key.

Rahim Jina, chief op­er­at­ing of­fi­cer and co-founder of Edges­can, will dis­cuss cy­ber­se­cu­rity and the cloud at Dublin In­for­ma­tion Sec 2018 — Ire­land’s cy­ber se­cu­rity con­fer­ence — at the RDS on Mon­day, Oc­to­ber 15. There’s 25% off to­day only – for tick­ets and more in­for­ma­tion on Dublin In­for­ma­tion Sec 2018, see in­de­pen­ in­fosec18

Newspapers in English

Newspapers from UK

© PressReader. All rights reserved.