Cyber security: the magic box myth
Cyber security: the magic box myth
The increasingly shrill headlines on security breaches have made cyber security a top priority among policy makers and in boardrooms.
Despite spending an estimated $60 billion in 2012 on IT security products and services, we regularly see breaches where hackers have successfully penetrated defences. Yet the problem is most likely worse than we know; hackers are getting better than ever at not being detected.
A great deal of that spend is geared toward protecting our networks. It's tempting to think that we can secure our infrastructure by securing our networks. After all, networks are the conduits for attacks.
There has been a long history of vendors selling magic boxes that, if you only bought them and plugged them into your network, it would make your network secure and bad stuff would be filtered out with sensitive data kept in. Of course, you will need enough of these boxes to keep up with the network load generated, and that always goes up over time.
A similar approach also dominates for securing PCs and is now emerging for mobile devices. Every system gets a sentry that attempts to guard the machine from being tricked into doing something it shouldn't, keeps sensitive data protected, and gives control to a central IT organisation.
Yet over time, people have found problems in these approaches and attackers get smarter. It's expensive to build mitigations and once an exploit approach is discovered that can circumvent the latest variant of a smart sentry, suddenly that kind of sentry becomes much less effective. Hence the cat and mouse game continues.
A network-centric approach to security makes sense, especially for administrators of networks. More generally, IT security is what you get when you focus on what can be done by IT organisations. But if we're ever going to get a real handle on cyber security as a society, we can't limit our view to users of software. We need to go way back to when that software was made in the first place.
The problem of cyber security is that it has its roots in defective and badly designed software code. At least, that's the vast majority of the problem. If buggy software were factored out, we could drown the rest of the cyber security problem in a bathtub.
Let's take a look at an example. Recently, major financial institutions have come under denial-of-service attacks. On the surface, this seems to be a pure networking and capacity problem, but the reason the attackers were able to create the botnet in the first place was because they exploited a known vulnerability and used it to take over unsuspecting machines on the internet.
The machine you're using right now might be part of a botnet, acting like a zombie, sending requests on behalf of a shadowy attacker. How did it become the slave of some hacker? Maybe one day you visited a website that had malicious content.
That malicious code leveraged a defect in the machine's software infrastructure, such as your web browser or your word processing program. This defect essentially tricked your machine into following instructions from the hacker and from there, it silently installed itself and awaited instructions from its master.
Maybe you didn't keep your software up-to-date. Maybe you opened an email attachment you shouldn't have trusted. Maybe you just got unlucky (there are some vulnerabilities that don't require you to do anything other than be connected).
Then again, why would you expect that clicking on a document or web page, or just being connected to the internet, could result in your machine being taken over?
In a better world, you shouldn't. If we're ever going to solve the cyber security challenge, we need to strengthen the world's software infrastructure from within.
It won't be easy - there are billions and billions of lines of code out there. Yet until we are mature enough to realise that the security and reliability of our infrastructure is only as good as the code that makes it up, we will continue to stumble from patch to patch, weakness to weakness.
Andy Chou is co-founder and chief technology officer of Coverity