Cybersecurity has been at the forefront of discussion in the news and among those who have been victims of security breaches and identity theft. This month’s issue covered the important role IEEE can play in improving security, which led to a number of questions from readers. To respond, we enlisted three leading experts in the field to weigh in.
They are IEEE Senior Member Greg Shannon, chair of the IEEE Cybersecurity Initiative and chief scientist of the CERT Division in Carnegie Mellon University Software Engineering Institute, in Pittsburgh; IEEE Fellow Michael Waidner, director of the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany, a leading organization for IT security solutions; and Anuja Sonalker, vice president of engineering and operations for TowerSec Automotive Cyber Security, in Columbia, Md.
What are the top three causes of cybersecurity breaches?
SHANNON: Failing to identify key assets, failing to identify threats to those assets, and failing to mindfully optimize investments that protect those assets against the threats.
WAIDNER: Information technology contains vulnerabilities at all levels. Products contain design and implementation bugs, many systems are incorrectly configured, and standards are incomplete or leave too much room for interpretation. All these vulnerabilities can be exploited by attackers.
There is also the human factor. Many breaches involve insiders, and often outside attackers trick them into helping, which is called social engineering. Lastly, many successful attacks could be prevented by deploying existing, well-known security standards and technologies such as encryption. In cybersecurity, adoption rates of these resources are often very low, and it can take a long time before security solutions are put into place.
SONALKER: Not adequately identifying and protecting all entry points to a system, not correctly identifying true assets of a system, and creating security solutions that are sometimes not practical operationally and get bypassed as a result.
Are cybersecurity administrators now under the same risks as, say, a bank vault manager? What potential threats could administrators face?
WAIDNER: Users of IT with high privileges such as administrators are the prime targets of attacks. Such users must be aware of this. They must take special care outside of their work environment as well. Being unaware of social engineering attacks and risky practices, like reusing passwords across different services or using personal devices in a professional context, can cause significant security risks. Organizations must limit the privileges of their administrators to what is needed in a specific context, and should closely monitor administrator activities to detect misuse early on.
SHANNON: Anyone in a position of trust must always deal with risks of varying degrees; an administrator is no different. Savvy organizations recognize this and want to minimize the risk to staff because it is also a risk to the organization. The U.S. National Institute of Standards and Technology’s (NIST) framework provides a way for organizations to identify potential threats for staff and mitigate them.
How many years do you think it will be before the Internet will be secure?
SONALKER: Honestly, never. Unless, of course, we completely discard the current Internet as we know it and rebuild it knowing what we know about the Internet and its usage today. The Internet was built primarily for communicating, yet it has evolved into a medium of commerce, community, data storage, and so much more. Security was never a concern in the original design. It would have to be designed from the start if we were to redo it today.
SHANNON: Fifty years (or 20 to 200). The Internet took 45 years to build. It will take a while to protect the amazing value we all have created and which continues to grow.
WAIDNER: There is no such thing as 100 percent security. The goal is not to have perfect security but rather security that is adequate enough for protecting the values at risk and for diminishing the efforts of adversaries. Threats are constantly developing. Getting ahead of them requires being aware of the risks and moving from a primarily reactive model to a proactive one. The transition to the model of security by design, which is integrating security from the beginning in all steps of the design, implementation, deployment, and management of systems, is already underway. Overall, the situation today is much better than it was 10 years ago, but more education is needed as well as more automation and tools.
Why aren’t databases of major companies like Home Depot and Target encrypted? Are there examples of companies that do encrypt their data, and what are the pros and cons of doing so?
SHANNON: Efficient—or effective and thrifty—pervasive encryption is an active area of research and development in academia and industry. Innovative new products and services are coming online that efficiently address security and privacy concerns, and creating commercial ecosystems for pervasive encryption will take time.
WAIDNER: In general, encryption introduces management and performance overhead, and often requires expert personnel and an upgrade to or deployment of new software or hardware. Encryption is key to protecting data in transit, and there is no real excuse for not using encryption at least point-to-point. For end-to-end, or communications that can be accessed by a larger audience, encryption requires solving the public-key management problem, a technique that enables users to securely communicate on an insecure network and reliably verify the user’s identity. My organization is currently working on developing a new solution for this called Volksverschlüsselung, which will make it easy for ordinary users to make use of cryptography.
SONALKER: Encryption by itself cannot solve the problems commercial enterprises are facing today. Encryption is expensive and needs to be done correctly. Credentials need to be managed properly, principals and their subsystems need to be vetted before handing them credentials to company databases, and so on. This aspect of operational security is often overlooked. Having said that, data, which is a primary currency today, needs to be protected. Data is bought, sold, traded, stolen, mined, and harvested into information. It must be protected and not only encrypted. Adequate encryption and appropriate operational security measures make it a harder and less lucrative target for the average adversary. The con to implementing these measures is there is an additional cost.
How can we address vulnerabilities before a system is even designed, rather than after the fact?
WAIDNER: The key to this is security by design. Many, in particular larger software vendors, are applying this principle already but smaller vendors are just at the beginning. The main challenge is automation, education, and awareness. Simple-to-use tools for design and testing help provide the necessary measures to secure systems, but more computer scientists need to be trained in using them. It is key to demonstrate that security by design pays off in terms of better security and at a lower cost so that others adopt the model.
SONALKER: Several things can be done before a system is even designed: Comprehensive assessment of what the security requirements are, which includes what assets are to be protected, what the system is functionally required to do; the constraints the system needs to adhere to such as regulation and compliance; and what the potential threats to the system, the assets, and the organization itself are. With these steps covered, a large portion of the vulnerabilities can be mapped out. Thus, designing a system that mitigates these weak spots can be built in from the very beginning and can address mitigating vulnerabilities to a large extent.
SHANNON: Long term, we need to get humans out of the loop for verifying the security and privacy properties of software, protocols, systems, networks, and so forth. We humans are too error-prone, and technologies are emerging to handle the tedious and detailed work of auditing code for correct implementation and configuration for security and privacy.