Cyber Security

Defense In Depth

Security can be an overwhelming topic to get started with, and as a result a concept known as Defense in Depth has been making its way across the industry. Defense in Depth is an organized and systematic way to make your network as unattractive to attackers as is reasonably possible. Keep in mind that there is no such thing as "unhackable": the object of security is to make the cost of attacking your network exceed the benefit of doing so, without spending more on defense than your network's security is worth. Defense in Depth does this by breaking the security process down into eight distinct layers.

  • Security Through Obscurity
  • Establishing Identity
  • Encryption and Hashing
  • Hardening your Devices
  • Preventing Intrusion
  • Adhering to Laws
  • Routine Maintenance
  • User Education

One caveat on the first of these: obscurity (non-default ports, unadvertised hostnames and software versions) only raises an attacker's reconnaissance cost. It is one layer among eight, never a substitute for the other seven.

These sections are only a snippet of the fifteen pages I've dedicated to security and privacy in my 140-page book, Understanding IT: Decoding Business and Technology. I've posted this to introduce the concept of Defense in Depth as it relates to the Malware Business Model and as a precursor to Cutting The Cord, Episode Four: Securing Your Network [Episode One and Two]. The topics covered here are broad strokes, but before a specific technical understanding can be reached, the frameworks have to be established.

The Malware Business Model

We hear a lot about security and privacy problems throughout the world, and we correctly fear for our digital safety, but we seldom stop to consider the intentions of these attackers and why our data is so important to them. As I've mentioned before, the issues surrounding our digital culture are not so much privacy as data ownership, and the first step to ensuring that you own your data is to ensure that you own your computer.

We tend to think of botnets as collections of bots, or infected computers, that are nothing more than zombies. While that may once have been true, it is no longer the case: bots are not zombies. The infection is far more subtle than anything resembling a "zombie," and recognizing that your machine is a bot takes far more effort than most users are willing or able to exert. Simply put: you can be a bot and never know it.

After all, the owner of the botnet is not interested in your computer for its own sake: you are a tool being used to achieve a larger purpose. Keeping you oblivious keeps you from doing pesky things like reinstalling Windows or calling Geek Squad, so an attacker has every reason to be extremely subtle in their use of your machine.

Big Data and Privacy

Earlier this week, the President's Council of Advisors on Science and Technology (PCAST) released a seventy-two-page report on the intersection of Big Data and privacy with the unoriginal title Big Data and Privacy: A Technological Perspective. It starts by establishing the groundwork for the traditional definition of privacy, tracing it to Samuel Warren and Louis Brandeis in 1890 and the four kinds of privacy infraction that American tort law later settled on. Under that view, an invasion of privacy can occur in one of four ways:

  1. Intrusion upon seclusion. If a person intentionally intrudes upon the solitude of another person (or their affairs), and the intrusion is seen as "highly offensive," an invasion of privacy has occurred.
  2. Public disclosure of private facts. If a person publishes private facts about someone's life, even true ones, an invasion of privacy has occurred.
  3. Placing someone in a false light, that is, publishing untrue facts about them (close to, but distinct from, defamation), is an invasion of privacy.
  4. Removing an individual's control over their name and/or likeness for commercial gain is an invasion of privacy.

These infractions basically come down to removing the control that an individual has over various aspects of their life (being left alone, selective disclosure, and reputation), and PCAST tends to agree, stating several times throughout the report the need for selective sharing and anonymity. The report goes on to address a few philosophical changes in our mindset about privacy that are needed to enable the successful implementation of its five policy recommendations:

  • We must first acknowledge that intercepting private communication is easier than it used to be
  • We need to extend "home as one's castle" to become "the castle in the clouds"
  • Inferred private facts are just as much a loss of privacy as directly collected data
  • The misuse of data and the loss of selective anonymity are the key issues

The report goes on to state that the bulk of the concern is with the harm done by the use of personal data, and that the historic way of preventing misuse has been to control access to it, a measure that is no longer workable in today's nebulous world of data ownership:

Personal data may never be, or have been, within one's possession.

From public cameras and sensors to other people's social media posts, we simply have no control over who collects data from whom, and we likely never will again. That raises the question of who owns the data and who controls it.

And while the Electronic Frontier Foundation would complain (again) that the report fails to address metadata (even though it equates metadata with data proper in its first few pages), the report comes on the eve of a unanimous vote in the House to rein in the National Security Agency, making this a big week for big-data privacy advocates.



Why Heartbleed Matters

By now, you most likely have heard about the Heartbleed bug (CVE-2014-0160), which affected over half a million of the world's most popular websites because of a programming error in OpenSSL. You can read more about the bug at the link above, but in essence it let an unauthenticated client read up to 64 KB of the server's memory per request, and that memory can contain the server's private key, session cookies and passwords. With the private key, an attacker can impersonate the server and decrypt traffic to it, past as well as future, wherever the connection did not use a forward-secret key exchange. Whether the private key could really be extracted was hotly debated for a few days after Heartbleed's discovery, but has since been confirmed:

The demonstration by Cloudflare that it's possible to extract private SSL certificates means that out of an abundance of caution, administrators of sites that used vulnerable versions of OpenSSL should revoke and replace old certificates with new ones as soon as possible. Given the huge number of sites affected, the revelation could create problems.

So this is a pretty big deal for sites that rely on OpenSSL to encrypt their traffic. The question users should be asking is which sites are affected. For any given site, two things matter: that the server was patched (OpenSSL 1.0.1g, released 7 April 2014, or later, or a vendor backport of the fix), and that its certificate was reissued with a new key and the old one revoked after patching, because a key read out of memory before the patch stays compromised no matter how current the server is now. Passwords for an affected site are worth changing too, but only after the site has patched and reissued; a password changed on a still-vulnerable server can simply be read out again.

Security Notice: Heartbleed Bug

Yesterday, a security vulnerability was disclosed that has been colloquially called the "Heartbleed Bug." You can read about the vulnerability in more detail, but in layman's terms: it allows attackers to read chunks of a web server's memory, which can include the server's private key, and with that key decrypt communication received by the server, passwords included. Previously recorded traffic is exposed as well wherever the connection did not use forward secrecy.
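The following C program is added here as an illustration of the defect behind the bug, serving both the "Why Heartbleed Matters" post and this notice; it is not OpenSSL's code and not part of either post. It models a heartbeat handler that trusts the peer-supplied payload length and copies that many bytes out of the record buffer, beside the bounds check that the fix added. The record layout, the `memory` array standing in for process memory, the planted secret and the function names (`heartbeat_vulnerable`, `heartbeat_fixed`, `run_heartbeat`) are all constructed and simplified for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified TLS heartbeat record (constructed for this example, not
 * OpenSSL's structures): type(1) | payload_length(2, big-endian) | payload | padding(16). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_HDR      3

/* Stand-in for process memory: the received record sits at the start, and
 * data the peer must never see (constructed) sits right after it. */
static unsigned char memory[256];
static const char *secret = "session=9f3c...; password=hunter2";

/* Write a heartbeat request into `memory` whose length field claims
 * `claimed_len` bytes but which carries only `actual_len` real bytes, then
 * plant the secret immediately after the record. Returns the true record length. */
static size_t build_record(uint16_t claimed_len, const unsigned char *payload, size_t actual_len)
{
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(memory + HB_HDR, payload, actual_len);
    size_t rec_len = HB_HDR + actual_len + HB_PADDING;
    memcpy(memory + rec_len, secret, strlen(secret));
    return rec_len;
}

typedef int (*hb_handler)(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap);

/* Vulnerable pattern (OpenSSL 1.0.1 through 1.0.1f): the peer's length field
 * is trusted and that many bytes are copied from the record buffer, so a
 * small request with a large claimed length echoes back adjacent memory.
 * The response buffer is sized from the claimed length, as OpenSSL's was,
 * so the bug is an over-read of the record, not an over-write. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                   /* never consulted: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);     /* reads past the record */
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return HB_HDR + payload + HB_PADDING;
}

/* Fixed pattern (OpenSSL 1.0.1g): refuse any record whose claimed payload
 * plus header and padding does not fit inside the bytes actually received. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HDR) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;   /* the missing check */
    if ((size_t)HB_HDR + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return HB_HDR + payload + HB_PADDING;
}

/* Does `hay` contain the bytes of `needle`? (portable stand-in for memmem) */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Send a 4-byte "ping" whose length field claims `claimed` bytes to `handler`.
 * Returns the response length (-1 if the record was rejected) and reports
 * through *leaked whether the planted secret came back in the response. */
static int run_heartbeat(hb_handler handler, uint16_t claimed, int *leaked)
{
    unsigned char out[256];
    *leaked = 0;
    if ((size_t)HB_HDR + claimed + HB_PADDING > sizeof memory)  /* keep the demo's own reads in bounds */
        return -1;
    size_t rec_len = build_record(claimed, (const unsigned char *)"ping", 4);
    int n = handler(memory, rec_len, out, sizeof out);
    if (n > 0) *leaked = contains(out, (size_t)n, secret);
    return n;
}

static int response_length(hb_handler h, uint16_t claimed) { int l; return run_heartbeat(h, claimed, &l); }
static int leaks_secret(hb_handler h, uint16_t claimed)    { int l; run_heartbeat(h, claimed, &l); return l; }

int main(void)
{
    printf("vulnerable, claimed 60: %d bytes back, secret leaked: %s\n",
           response_length(heartbeat_vulnerable, 60), leaks_secret(heartbeat_vulnerable, 60) ? "yes" : "no");
    printf("fixed, claimed 60:      %d (rejected),  secret leaked: %s\n",
           response_length(heartbeat_fixed, 60), leaks_secret(heartbeat_fixed, 60) ? "yes" : "no");
    printf("fixed, honest 4:        %d bytes back, secret leaked: %s\n",
           response_length(heartbeat_fixed, 4), leaks_secret(heartbeat_fixed, 4) ? "yes" : "no");
    return 0;
}
```

Build with any C99 compiler and run it: the vulnerable handler answers a four-byte request that claims 60 bytes with 79 bytes, and the planted secret is in them, while the fixed handler rejects that record and still answers an honest four-byte one. The one-line check `1 + 2 + payload + 16 > rec_len` is the whole of the fix; everything else in the handler was already correct.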