When it comes to internet security, no one is safe, and if we’re going to have any chance at all, the ICT industry – and users – need to get back to the fundamentals of network security, design security natively into everything and embrace new technologies. And governments can help by doing all of that and not requiring device makers and service providers to weaken security in the name of law enforcement.
That in essence sums up a keynote panel on cloud security on the final day of PTC 2017, which explored the security implications of shifting to a world where everything is connected, software-based and hosted in the cloud. As recent headlines have demonstrated, that shift has drastically heightened the importance of security. The problem is that far too many people underestimate the scope of the problem.
“Everyone is at risk,” says John Bandler, founder of Bandler Group and Bandler Law Firm. “If you have a digital presence at all, even if it’s just an email account, then you’re a target. It’s like water trying to get into your boat – if there’s a crack, it’ll get in. If you’re doing any kind of business online, sending payments, or sitting on lots of data, then you’re at risk.”
One reason people don’t take security as seriously as they should is that they think they don’t have anything worth stealing – but they’re wrong, Bandler says. “You may think that your data isn’t that valuable and criminals can’t use it, but they can. Even if they just get your email account, they can make money with that.”
It’s also not whether the data itself is valuable, but what they can do with it, he adds. “They could manipulate your HVAC to turn off the cooling in your data center unless you pay ransom, that kind of thing. Ransomware is a big trend now, where it’s not them stealing your data but denying you access to it.”
Which is why the starting point for dealing with security is to think more about scale, says Jim Reavis, co-founder and CEO of the Cloud Security Alliance. “We’re heading to a point where everything has a chip in it. We’re also looking at a scenario where the bad guys can create and tear down botnets on demand.”
Reavis says the best place to start is with the fundamentals, beginning with prioritizing your assets: understanding which assets are critical and how to protect them.
The second fundamental should be two-factor authentication. “This should be everywhere,” he said.
Encryption should also be used by default, he added. “That will get us through at least the next ten years until quantum computing arrives, after which we’re probably screwed.”
Bandler agrees that two-factor authentication should be standard. “If they have your username and password, they can do so much with just that unless two-factor authentication is in place.”
He adds that a lot of people and businesses fail at the basics, and they need to take security more seriously, if only because no one wants to have to explain to the press or the police that they got hacked because they left their smartphone in a bar at 1am.
Security by design
That said, one upcoming problem is that the rise of M2M takes humans out of the equation – which could eliminate the human error angle, but also brings its own security headaches to the table, says Reavis. “So much fraud is going to be from M2M devices with no human interface – there will be millions of them connected and you won’t have control over all of them.”
Also, as more network functions move to software via SDN and NFV, new attack vectors emerge. Consequently, Reavis says, it’s crucial to build security into virtual networks and cloud networks from the start – to be able to think about how the other side will see them and how they will try to break into them.
“Ideally you want to get to the point where you can create a virtual private cloud so strong that you could place it in the middle of your enemy’s cloud and they still wouldn’t be able to access it,” Reavis says. “That’s where we need to be.”
Bandler concurs that networks and devices should feature security and privacy by design. “If it’s bolted on after the fact, it’s going to be a problem.”
Reavis points to cloud providers like AWS and Azure as role models for this approach. “They do a great job with security because it’s not a value-add, it’s baseline security. But outside of these sophisticated, managed clouds is everything else where security levels can vary greatly.”
Aside from built-in security, the ICT industry can leverage new technologies like artificial intelligence, machine learning and analytics to build good tools for combating things like online fraud.
“If you have enough datasets, you can do a lot to spot fraudulent activity,” Reavis says. “We’ll see more closed loop systems where the computer can decide if a particular activity looks like fraud then take action, like shutting down the account.”
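To make the closed-loop idea concrete, here is an added example (not code from the panel or from any product mentioned on the page) of a minimal detector that scores each account’s recent login activity, queues borderline cases for a human, and automatically suspends accounts that cross a higher threshold. The event schema, the scoring rules, the thresholds and the sample login events are all constructed for illustration.

```python
# Added example: a minimal closed-loop fraud detector over constructed login events.
# Event schema, scoring weights and thresholds are illustrative assumptions, not from the panel.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LoginEvent:
    ts: int          # seconds since epoch (constructed values below)
    account: str
    ip: str
    country: str
    success: bool


WINDOW_SECS = 1800        # look back 30 minutes from an account's latest event
TRAVEL_SECS = 3600        # two countries within an hour is treated as impossible travel
REVIEW_THRESHOLD = 3      # at or above: queue for a human analyst
SUSPEND_THRESHOLD = 6     # at or above: act automatically (the "closed loop")


def score_account(events):
    """Score one account's recent events; returns (score, reasons)."""
    events = sorted(events, key=lambda e: e.ts)
    score, reasons = 0, []
    failures = sum(1 for e in events if not e.success)
    if failures >= 5:
        score += 3
        reasons.append(f"{failures} failed logins")
    ips = {e.ip for e in events}
    if len(ips) >= 4:
        score += 2
        reasons.append(f"{len(ips)} distinct source IPs")
    # A success that follows several failures is the classic credential-stuffing "hit".
    seen_failures = 0
    for e in events:
        if e.success and seen_failures >= 3:
            score += 2
            reasons.append("success after repeated failures")
            break
        seen_failures = seen_failures + 1 if not e.success else 0
    # Impossible travel: consecutive successes from different countries too close together.
    successes = [e for e in events if e.success]
    for prev, cur in zip(successes, successes[1:]):
        if prev.country != cur.country and cur.ts - prev.ts < TRAVEL_SECS:
            score += 4
            reasons.append(f"{prev.country}->{cur.country} in {cur.ts - prev.ts}s")
            break
    return score, reasons


def evaluate(events):
    """Group events per account, keep only the recent window, and decide an action."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)
    decisions = {}
    for account, evs in by_account.items():
        latest = max(e.ts for e in evs)
        recent = [e for e in evs if latest - e.ts <= WINDOW_SECS]
        score, reasons = score_account(recent)
        if score >= SUSPEND_THRESHOLD:
            action = "suspend"
        elif score >= REVIEW_THRESHOLD:
            action = "review"
        else:
            action = "allow"
        decisions[account] = (action, score, reasons)
    return decisions


class AccountStore:
    """Stand-in for the account system the loop acts on (constructed, in-memory)."""

    def __init__(self, accounts):
        self.status = {a: "active" for a in accounts}
        self.review_queue = []

    def apply(self, decisions):
        for account, (action, score, reasons) in decisions.items():
            if action == "suspend":
                self.status[account] = "suspended"
            elif action == "review":
                self.review_queue.append((account, score, reasons))
        return self


T = 1_700_000_000  # constructed base timestamp
SAMPLE_EVENTS = [
    # alice: routine activity from one address, one country
    LoginEvent(T, "alice", "203.0.113.10", "US", True),
    LoginEvent(T + 900, "alice", "203.0.113.10", "US", True),
    # bob: six failures from four addresses, then a success from a fifth
    LoginEvent(T + 0, "bob", "198.51.100.1", "US", False),
    LoginEvent(T + 30, "bob", "198.51.100.2", "US", False),
    LoginEvent(T + 60, "bob", "198.51.100.3", "US", False),
    LoginEvent(T + 90, "bob", "198.51.100.4", "US", False),
    LoginEvent(T + 120, "bob", "198.51.100.1", "US", False),
    LoginEvent(T + 150, "bob", "198.51.100.2", "US", False),
    LoginEvent(T + 200, "bob", "198.51.100.5", "US", True),
    # carol: two successes from two countries twenty minutes apart
    LoginEvent(T, "carol", "192.0.2.7", "US", True),
    LoginEvent(T + 1200, "carol", "192.0.2.99", "DE", True),
]


def run_sample():
    """Run the loop over the constructed events and return the acted-upon store."""
    store = AccountStore({e.account for e in SAMPLE_EVENTS})
    return store.apply(evaluate(SAMPLE_EVENTS))


if __name__ == "__main__":
    result = run_sample()
    for account, status in sorted(result.status.items()):
        print(account, status)
    for item in result.review_queue:
        print("review:", item)
```

The two thresholds are the important design choice: automatic action is reserved for the high-confidence band (bob, who is suspended), while an ambiguous signal such as carol’s two-country login goes to a human review queue rather than locking out a legitimate traveller. In a real deployment the weights would be learned from the datasets Reavis refers to, and every automatic suspension would be logged with its reasons so the action can be audited and reversed.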
The catch, Bandler advises, is that bad guys will be able to use the same tools and technologies.
Reavis agrees, saying this is all the more reason why the good guys should be embracing new technologies more tightly, “because the bad guys will use them anyway.”
No backdoors, please
The other potential weak link in the security chain is government policies that require service providers and device makers to weaken security for law enforcement purposes, whether it’s for the purpose of gathering data evidence from a device or eavesdropping on communications.
“The government is so far behind on this,” Reavis said. “It’s unrealistic to ask Apple to put a backdoor in their OS, because it doesn’t weaken security for just the criminals – it impacts everyone with an Apple device. A backdoor for the government is a front door for the hackers. And it hurts companies who want to sell overseas. Apple might not be allowed to sell handsets in other countries if the US government can access it at any time.”
Reavis stressed that it is important for law enforcement agencies to have the ability to go after online criminals, collect evidence to fight terrorism and so on. “But we need new tools to fight crime that don’t compromise security for everyone.”
Bandler, who also happens to be a former police officer, agrees. “I fully understand the need to get evidence, but I don’t agree with some of the ways [the US government] makes their argument – it oversimplifies the situation. I think of it like the Wild West – if you live out in the wild where there’s no law enforcement and a 911 call won’t bring the police quickly, you kind of want to be able to have a gun to protect yourself from bandits. With cybercrime so rampant, it’s hard for the government to say, ‘We have to weaken your security a little bit.’ And you are weakening security when you do that.”