18 May
This is 100% Secure – Information Security Myths
This blog is a step away from our usual Identity and Access Management topics and covers a few things people should know, or do, to be better equipped in this modern world of 1s and 0s.
In recent weeks we’ve seen plenty of headlines about vulnerabilities. Today it takes a bit more to cross the threshold into the news, as there is plenty to choose from. The Intel AMT flaw opened up complete access to (some) Intel servers, and an old (as in undisclosed, now fixed in the latest updates) vulnerability, MS17-010, resulted in the WannaCry epidemic. These two high-profile vulnerabilities prompted me to write a few lines about the basics of information security.
This is 100% Secure
A couple of years back, when I was working for the EU Commission Research Centre, I was invited to a presentation by a company that delivers quantum cryptography solutions. At one point the presenter told us that in the 90s, when fibre optics were introduced, the companies selling fibre solutions claimed it was impossible to physically hack – and now you can buy a simple repeater to tap it. But now… their solution was impossible to hack. Right. Have you ever bought a used car? Listening to the presentation, I got the same kind of feeling I might get from the semi-bald, sweaty, 70s-shirt-wearing, XL dad-bod-carrying used car dealer. “So this car was driven by a single mother, only to commute the kids to school?”
Needless to say, a vulnerability was discovered in a quantum crypto system a few months after the presentation (disclosure: I can’t remember if it was the same vendor, probably not). It was not related to the quantum portion of the solution, but to another component. To my knowledge QKD (Quantum Key Distribution), the quantum part of existing solutions, still remains untouchable.
An information security system is a collection of components that form a complex whole. You only need to find the weakest link to breach the system. Nothing is 100% secure.
This is tamper proof
“And you say that this car has only 23,000 km on it?” [as you look at the worn steering wheel and frayed seats]. Tamper-proof is a term used widely on the hardware side of information security. In short it means that there is absolutely no way to retrieve the secret information from the device. Another myth. Tamper-resistant is the correct term to use here, when a manufacturer has used technologies to make it extremely difficult or, using current technology, impossible to retrieve the information from within. The keyword here is “current”. The technique might not exist yet, but it might be discovered a week from now, or 10 years from now. Nothing is tamper-proof.
This is fully XYZ Compliant
Right now there are a ton of marketing messages whizzing around social media sites like LinkedIn, company pages and e-mails about companies producing technology solutions that are e.g. fully GDPR compliant. “And this car has never seen an accident?” [looking at the poor paint-over job and the clearly filled-up dents on the wings]. In most cases compliance requirements apply to the companies utilising a certain technology, not to the technology itself. The technical solution is a tool, or a collection of tools, to help the (end user) organisation move towards a situation where it is compliant.
Every organisation is different. What applies to one will not work for another in a 1:1 fashion. Companies facing regulatory requirements need to do their own homework first, then evaluate what kind of technology will help them reach compliance. There is no silver bullet for compliance.
You Don’t Need Information Security Here
The new dishwasher you just bought has a fancy feature that allows you to control it over the Internet. Information security is one of the last things that comes to mind when you buy it, but your new appliance might already be open to attack. More and more of these connected (Internet of Things) devices have very serious problems with even the most basic aspects of information security. “So you say I really don’t need the brake pedals… That the car has tremendous wind resistance and stops all by itself. And that it will also give me the best fuel economy there is on the market right now, better than a Tesla.” [huh???]
Connected devices at home pose a personal security or privacy risk, or they can be used as bots in a distributed denial-of-service attack. This will not be a top concern in the consumer’s mind until the home videos from unauthorised smart TV recordings start to spread. The situation changes drastically if the connected device performs a vital function. And by vital, I mean vital. A good example would be hospital devices, like infusion pumps that control e.g. drug administration to patients. If such a device is hacked, the results can be fatal.
Another example is a control system. Control systems are found in industry (SCADA), but healthcare also has its own type of control systems. One of the most (in)famous attacks against an industrial control system is naturally the Stuxnet worm that found its way into the facilities in Iran. The above-mentioned infusion pumps don’t usually operate standalone anymore. They are connected to a central system for information retrieval and input. Lapses in information security can result in the systems not working properly or being shut down, as the WannaCry outbreak at the NHS demonstrated. If it’s connected – it needs up-to-date security. And extrapolating from the previous statement: if you can’t have up-to-date security on the device – try to isolate it from open networks.
Now this blog may seem like a FUD (fear, uncertainty, doubt) article, but the meaning is quite the opposite. If you are more knowledgeable about the current state of affairs, you can make a more educated decision, or investigate further, and see through some of the reality distortion field created by crafty marketing departments promising you a 100% secure, tamper proof and fully compliant solution.
Just remember some basic precautions that will very quickly turn into reflexes – this applies both to your professional work and to your personal life:
- Make sure your computers, phones, tablets, devices are up to date
- Use threat protection software such as antivirus, even if you are on a Mac
- Do not use public WiFi without a VPN
- Backup, backup, backup!!! And detach the backup device once all your holiday snaps or corporate docs are safely tucked away on the backup device
- Do not click on any links you receive via e-mail if you can avoid it. Always go to the site by typing the address yourself. If you feel you absolutely must click the link – hover your mouse over the link text and check the real address (e.g. in Chrome it will appear in the lower left corner, and in the OSX Outlook client right next to the hand). A link to an internal memo should not point to Internal Memo <– Go ahead and try (points to www dot ishallstealallyoursecrets dot com).
- When possible, use e-mail signing
- If it’s too good to be true – it will be a scam. The ex-wife of an African dictator who is looking to transfer the 20 million US dollars to another bank, but requires your help, just might not be real
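A small checker for the link-text-versus-real-address point above, added here as an example and not code from the original post: it parses the anchors in a message body and flags links whose visible text names one host while the href points at another, or whose target is outside a trusted-host list. The message HTML, the host names in it and the trusted-host set are all constructed for the demo.

```python
"""Compare the visible text of e-mail links with where they really point."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not real mail). Link 1 hides a foreign host behind
# friendly text, link 2 shows one domain but points at another, link 3 is honest.
SAMPLE_HTML = """
<p>Please read the <a href="http://ishallstealallyoursecrets.example/memo">Internal Memo</a>.</p>
<p>Login at <a href="https://intranet-login.example.net/auth">https://intranet.example.com</a></p>
<p>Docs: <a href="https://intranet.example.com/docs">https://intranet.example.com/docs</a></p>
"""

# Something that looks like a host name inside the visible link text.
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def check_links(html, trusted_hosts):
    """Return (text, href, verdict) per anchor; verdicts start with MISMATCH, UNTRUSTED or ok."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for text, href in parser.links:
        target = host_of(href)
        shown = DOMAIN_RE.search(text)
        if shown and host_of("http://" + shown.group(0)) != target:
            verdict = "MISMATCH: text shows %s but points to %s" % (shown.group(0), target)
        elif target not in trusted_hosts:
            verdict = "UNTRUSTED: points to %s" % target
        else:
            verdict = "ok"
        results.append((text, href, verdict))
    return results
```

Run `check_links(SAMPLE_HTML, {"intranet.example.com"})` to see the three verdicts; the same function can be pointed at a saved .eml body to triage every link before anyone clicks.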
As always – should you need assistance in knowing your customers better, securing your new digital services, increasing revenue or improving the customer experience and journey, contact us now and hear how Customer Identity and Access Management can help.