I’ve got a confession to make. I’ve never attended an RSA Conference before last week. For RSAC 2019, however, I had the honor of giving one of my favorite presentations, 12 Ways to Hack 2FA. The crowd filled the presentation room and a spill-over room to hear it. I was a little under the weather, but I think it went well enough.
I was just as delighted to attend the full conference and many sessions. Most of the talks were good. Many were excellent. Two full vendor halls with lots to see, do and learn: book signings, entertainment, fun activities and lots of bar meetups. If you like to collect conference swag, you will find no better conference. I’d go again in a heartbeat.
I met with dozens of companies at the conference, but two stood out.
The Media Trust: An anti-malvertising service for website owners
I have long known that entities that serve banner ads are a huge risk to the websites that profit from them. Bad guys target banner ad companies and their code to inject malicious code into content that a visitor to an otherwise legitimate website consumes—a practice known as malvertising. I wrote about “transitive trust” back in 2008, telling website owners that they must verify (and trust) all code running on their website no matter where it comes from.
Fast forward to today. I interviewed The Media Trust CEO and founder, Chris Dison, who says that the average website he works with has 30 to over 1,000 different code components coming from all over the world. If you track the involved domains for any popular website, you’ll be surprised how many different pieces of code and content make up a single page. Sometimes that nth-party code is malicious, either because a legitimate vendor was compromised or because a content vendor that looks legitimate is itself malicious.
Rule number one about legislation affecting the cybersecurity of industrial control systems (ICS) is that no one talks about legislation affecting the cybersecurity of ICS. At least it seems that way based on a number of attempts to get industry stakeholders to talk on the record about the prospects in the 116th Congress for any legislation that affects critical infrastructure, specifically as it relates to industrial control systems.
Although a number of cybersecurity-related bills have been introduced in the new Congress, only a handful of relatively non-controversial pieces of legislation, most reintroduced from the last Congress, deal primarily with critical infrastructure industrial control systems, a surprise given the stepped-up concerns over threats to the nation’s electric grids, gas and oil pipelines, transportation systems and dams and the rise of industrial supply chain issues that have grabbed headlines over the past few years.
Part of the reason for a hazy legislative outlook regarding industrial control systems is that from most critical infrastructure providers’ perspectives, no legislation is good legislation. Few stakeholders want to give currency to the idea of any form of government regulation or mandates. Neither, apparently, does the Congress, particularly on the Senate side, which is where, in the words of a think tank analyst, “cybersecurity legislation goes to die,” as Politico reports.
Industry resistance to regulation thwarting ICS cybersecurity legislation
“Senator Johnson [Republican head of the Senate Homeland Security and Governmental Affairs Committee] has a reputation for swatting down cybersecurity legislation. He comes from a business background, he doesn’t like regulation,” says Patrick Coyle, publisher of Chemical Security News, which tracks legislation affecting chemical and industrial control security.
Although Johnson has rebuffed cybersecurity legislation over the past four years, that may be changing, Coyle says. Some of Johnson’s actions early in this new Congress, such as mid-February mark-ups of three cybersecurity-related bills, make the point that his committee is going to address cybersecurity this session.
There’s an old expression that says, “when it rains it pours.” This has never been more true than the current impact of digital transformation on security teams charged with protecting IT and OT networks. Today’s CSOs and CISOs find themselves at a crossroads in the transition of their role within an organization. They not only serve as security experts, but also guide business decisions in order to ensure that security is woven into the expanding infrastructure. The challenge is that this has to be accomplished effectively, efficiently, and comprehensively as there are simply not enough skilled cybersecurity professionals to address the expanding, convergence driven security challenges.
At the same time, the unprecedented proliferation of IoT devices challenges security solutions to identify, secure, and monitor more devices and higher volumes of traffic than ever. The challenge is broader still as networks expand into new ecosystems, such as multi-cloud, mobility, and SD-WAN. Further complicating matters, much of the security technology currently in place simply doesn’t scale into these new environments. In spite of these expanded challenges, IT teams are required to extend security into these new domains without leaving gaps in policy implementation or enforcement—while simultaneously not overburdening the limited IT resources that are available.
The rapid expansion of the attack surface exacerbates the demand on security professionals and presents a scenario where dropping the ball on security is most likely to happen. At the same time, the demands of the new and evolving digital economy compound the consequences of a lapse in security. Adversaries and motivated cybercriminals deploy increasingly sophisticated attacks to accomplish extortion, espionage, and even sabotage.
The Security Implications of Converging IT and OT
Nowhere are the implications of these security challenges more apparent than in the convergence of OT and IT networks. For many cyber physical organizations, OT is the fuel that drives the success of the business. Manufacturing floors, assembly lines, inventory management, and production lines provide the goods and services that consumers demand. It is imperative in today’s digital marketplace to be able to respond to consumer demand as quickly as possible, so many organizations are looking to implement IT efficiencies and solutions into a network environment that traditionally runs in isolation.
Convergence is clearly a double-edged sword. Failure to integrate IT and OT environments means that production lags behind demand and market share can be quickly lost to competitors that are simply more nimble. On the other hand, failure to take the wide range of security issues into account when converging these two very different networks and networking philosophies can result in catastrophic network failures that can cost millions in lost productivity and inventory.
Contrasting IT and OT System Values
A significant component of the challenge is that IT and OT networks are founded on very different, and often highly contradictory, priorities. IT networks generally follow the well-established Confidentiality/Integrity/Availability (CIA) model. The emphasis is on ensuring the confidentiality of critical data, transactions, and applications, then maintaining network and data integrity, and only then ensuring the protected availability of networked resources. These priorities tend to be the basic building blocks of any security strategy.
Conversely, OT networks depend upon and operate with an exactly inverted model. The safety and availability of resources is the topmost priority. Assembly lines, furnaces, generators, and other large systems simply should never go offline. Monitoring critical systems, such as pumps, valves, and thermostats, is essential since any system error can translate into huge financial loss and pose catastrophic risk to the life and well-being of workers and communities. The integrity of those systems is the second-highest OT priority. As a result, systems that are functioning as designed are rarely patched, updated, or changed. The operative model is, “if it ain’t broke, don’t fix it.” In most instances, devices such as HMI workstations or controllers may operate without changes for years or even decades because taking them offline impacts availability; a hardware or software change typically requires a full retest of the OT system before it can return to service.
Confidentiality, the third component of the OT value model, receives far less attention. OT networks have historically addressed this element by simply being air-gapped from the IT network and the Internet. Within the network itself, however, most OT environments were designed around implicit trust. It is not unusual for an engineer to be able to control any Programmable Logic Controller (PLC) (the devices that control manufacturing processes such as assembly lines or robotic equipment) anywhere in the OT network from a single laptop. This supports requirements like rapid troubleshooting of issues happening anywhere in the plant or factory, but it also means that whoever reaches the OT network inherits that same reach.
Converging IT and OT environments is essential for many organizations to compete effectively in today’s digital economy. But unless great care is taken and the needs of the OT environment are fully understood, a broadened attack surface will be available to adversaries. Both criminally motivated and nation-state cyber actors can carry out a wide array of attack scenarios with serious consequences, including lost revenue, damaged brand reputation, significant damage to physical plant, and, worst of all, lost lives. The need to protect critical infrastructure, and specifically converged cyber-physical assets, is an absolute imperative on a global scale. Rethinking and implementing a strategy that enforces a designed-in cybersecurity framework will enable OT system owners to move forward confidently in a digitally transformed business while sustaining safe and continuous operations.
Read more about the unique challenges of securing Operational Technology (OT) environments and how Fortinet can help.
Learn more about the threat landscape for OT environments in our latest Threat Landscape Report.
Windows computers and servers update on a monthly basis. Most of these updates are self-installing and need no other interaction. Sometimes, though, you need to add registry keys to enable or disable additional security settings. I discussed the additional registry keys needed for Spectre and Meltdown protection earlier, but other updates often need additional settings.
One way to learn about these needed registry settings is to read the security bulletin. Your vulnerability scanner might indicate missing protections after it scans your network, too. At times the new registry keys are not part of a security bulletin but part of a security advisory. An advisory is sent when there is no patch released. Advisories often give information about additional protections you need or an upcoming change in updates that will impact your systems.
Blocking unsafe ticket-granting tickets in Windows
In the February updates, for example, advisory ADV190006 pointed out an upcoming change that will impact Active Directory implementations. The advisory notes a change outlined in Knowledge Base article KB4490425 in how Microsoft handles ticket-granting tickets (TGTs). Currently the default configuration when you trust identities from another Active Directory forest lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest.
This unsafe condition impacts Server 2019, Server 2016, Server 2012 R2 and Server 2012. In July 2019, Microsoft will release an update to harden Server 2008 R2 and Server 2008. In the meantime, the advisory gives guidance on how to block unsafe TGT delegation across an incoming trust by setting the netdom flag EnableTGTDelegation to “no” using the following command.
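The advisory’s mitigation in practice, as an added example that is not taken from the article or from the text of ADV190006: the netdom form that KB4490425 documents, wrapped with a Get-ADTrust check before and after so the change is auditable. The domain names are placeholders, and which side of the trust you run it from (the KB spells out where the trust object being modified lives) is an assumption you must confirm against the KB for your own topology.

```powershell
# Added example (not the article's or Microsoft's own script): block and verify
# TGT delegation across an incoming trust, per the netdom guidance in KB4490425.
# Placeholders (assumptions): corp.example is the trusting forest whose resources
# accept identities from partner.example, the trusted forest whose users' TGTs
# must not be delegated into corp.example.
# Requires the ActiveDirectory RSAT module and Domain/Enterprise Admin rights.
$trusting = 'corp.example'
$trusted  = 'partner.example'

# 1. Record the current state of the trust object before touching it.
Get-ADTrust -Filter "Name -eq '$trusted'" |
    Select-Object Name, Direction, ForestTransitive, TGTDelegation, TrustAttributes

# 2. Disable TGT delegation on the trust (the setting ADV190006 describes).
#    netdom syntax is: netdom trust <trusting domain> /domain:<trusted domain> ...
netdom trust $trusting /domain:$trusted /EnableTGTDelegation:No

# 3. Confirm the flag took effect: TGTDelegation should now read False.
$trust = Get-ADTrust -Filter "Name -eq '$trusted'"
if ($null -eq $trust) {
    throw "No trust named $trusted found on this domain"
} elseif ($trust.TGTDelegation) {
    Write-Warning "TGT delegation is still enabled on trust $($trust.Name)"
} else {
    Write-Output "TGT delegation disabled on trust $($trust.Name)"
}

# 4. Sweep every trust this domain knows about and report any that still allow it,
#    so the hardening is applied consistently rather than to one trust only.
Get-ADTrust -Filter * |
    Where-Object { $_.TGTDelegation } |
    Select-Object Name, Direction, ForestTransitive, TGTDelegation
```

The before-and-after query matters more than the one-liner: the TGTDelegation property on the trust object is the evidence your vulnerability scanner or auditor will look for, and step 4 catches trusts that were added after the first pass.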
Asking small municipalities to defend themselves against nation-state adversaries is a tall order, but it all begins with the basics of cybersecurity — the “blocking and tackling” — Steve Worley, SCADA security manager for Raleigh, NC, tells CSO. That means network monitoring. Knowing what’s happening on your network is critical to responding to any undesired activity. However, operational technology (OT) network monitoring tools lag far behind traditional IT solutions, which aren’t a good fit for industrial control systems.
In addition to network monitoring, Worley wanted the ability to actively query programmable logic controllers (PLCs) at water treatment plants to discover any changes in programming logic — by an employee, a systems integrator, or a malicious third party.
Rather than develop a solution in-house, he chose to deploy the Indegy network monitoring tool. “We were looking to have more robust network monitoring for our network that spans across a large area of the county,” he tells CSO.
Worley considered developing a solution in-house using open source tools, but concluded that would be too time-consuming. The city published an RFP and considered their options. “We looked at all the major vendors in the realm of network monitoring of SCADA/ICS networks,” he tells CSO by email. “Indegy’s active monitoring of the PLCs and network was a major part of the decision to go with them.”
In this episode we discuss the latest findings on flaw fix rates in enterprises. Chris Eng, Vice President of Research, Veracode, offers perspective on what figures in the State of Software Security report reveal about the troubling amount of time it takes to address the majority of vulnerabilities. Listeners will learn about:
Average enterprise fix rates at one week and one month
Why enterprises still struggle with vulnerable open source components in software
What businesses can do to mitigate risks associated with open source flaws
I recently helped my son build his first pine wood derby car. He took second place out of a field of ~60 cars. The secret to winning with a block of wood, four nails and cheap plastic wheels is reducing every form of friction the car faces and moving the weight to the right parts of the car.
One of the dads realized this fact a bit late in the process and asked a fellow dad if he happened to have any graphite (a carbon-based lubricant) with him. The response was “of course I do, I carry it on me at all times…right next to my Chapstick!”
“Friction” in a human and organizational sense is defined as “conflict or animosity caused by a clash of wills, temperaments or opinions.”
The average employee not working in a security/privacy/legal role may hear the terms “privacy,” “security” and “IP/privacy legal” and think they are variations of the same focus and desired outcomes. For example, defending a company against the theft of intellectual property and confidential information would intuitively have some overlap to protecting personal information. With that shared goal, everyone should work seamlessly well together, right?
The answer, all too often, is a hesitant and unfortunate “no.”
Many companies experience friction, silos and turf wars between security, privacy and legal departments. Friction creates drag. Drag slows progress. Lack of progress reduces a company’s ability to successfully manage collective risks.
Tim Sewell (CTO/Co-founder of Reveal Risk) and I were reflecting on personal experiences and observations of these issues across different companies, and decided to analyze what was going on so we could help colleagues and clients create win:win:win outcomes between these functions. Our usual approaches to further research this seemingly common problem turned up virtually no articles or blog posts on the topic. We suspected the root causes and potential solutions were likely hidden amongst people/politics, culture, fear and legacy thinking.
Not to be deterred and wanting to get to the root of the issue, I went to my network to enlist respected experts and crowdsource contributions to the analysis and solutions. I am grateful to have had over 15 volunteers raise their virtual hands to contribute. In a testament to the complexity of these issues, many asked to remain anonymous because of current situations and relationships but shared their input by role and industry.
Problem 1: Communication/understanding/engagement
Poor communication, understanding and engagement between functions around tools, processes and practices within cyber security can lead to surprises, disagreements, improper evidence handling, broken attorney-client privilege and project delays.
Analysis: Lack of engagement, transparency and partnership were common symptoms shared by almost everyone I talked with. Potential root causes were found to be:
Lack of cross training, education and understanding other perspectives. A chief privacy officer (CPO)/attorney from a large telecom company said, “Information security and privacy functional roles in corporations have evolved separately over the years. The need for symbiosis across these roles is clear, but often these teams at corporations do not place an emphasis on cross-learning to solve these disconnects in goals and perspectives.”
Lack of engagement at the right time or insufficient resources to do so, causing clashes when lack of alignment or direction is discovered. Emotions can get in the way of listening and understanding on both sides when the “wait…what are you doing?” moment hits. Matthew Berger, a privacy and cybersecurity attorney, commented that “Traditionally speaking, privacy is viewed as a roadblock. A hindrance to development, profits and growth and privacy compliance is viewed as a paper exercise. Good privacy professionals get involved at the beginning of the development process and prevent these roadblocks before time is spent designing and building a risk-laden product or process.”
Recommendation: Be a valued and invested partner. Seek to understand the other disciplines (at least enough to speak the same language) and build empathy towards their different perspective. As the large telecom CPO recommends, “Privacy professionals should pursue training and even certification in information security frameworks, and information security professionals should pursue training and even certification in privacy and legal fundamentals.”
A senior security and privacy leader in the automotive industry, shares three of his successful tips on building partnership and trust:
Be the person that reaches out. I am in one of our legal offices almost every day. I stop in for non-immediate chats. Asking how I can help, attempting to make things easier. For instance, any contract review I am asked to do I return within 24 hrs. This way I am viewed as an ally. Particularly, as I see every contract (customer/vendor) to review security/privacy provisions.
Mentor as possible. I have trained legal folks to be Privacy Officers. The more I help them the easier it is when I need something quick.
Bring food. I have brought legal folks cookies/candy on a regular basis (at least 1-2 times a week). Better to see someone that brings food than a problem.
Problem 2: Technology confusion/lack of understanding
Concerns about cybersecurity methods, tools and enabled features/functionality came up as a frequent source of conflict.
Analysis: A relative newcomer to the table, cybersecurity brings with it a host of advanced capabilities with potential privacy and legal concerns. A common example is “full packet capture” technologies that inspect encrypted network traffic. Intended to thwart malicious insiders and malware, these tools carry significant ethical and legal considerations. While the cyber security team’s intent may be to detect malicious code, privacy and legal professionals are concerned about misuse of the technology and its ability to “spy” on employees or inspect their personal files.
Lack of understanding about the details and nuances of a specific technology and its use cases leads to lack of alignment and raising an alarm (sometimes false alarm, sometimes valid concern). Potential root causes were:
Inability to effectively communicate controls, technology and process between security, legal and privacy personnel creates over-inflated concerns and stalemates. Sharing too much or not enough detail can both have negative effects. Additionally, many terms in cyber security stem from military and intelligence usage and sound, well… kind of scary. As an example, terms like “SSL interception” or “breaking encryption” without context sound like “we are going to use evil hacker tools to bust into encrypted documents and have some guys in a room looking at all of the file details to see what the people who work here are doing.” The framing, facts and controls must be surfaced in conversations to avoid confusion and alarm.
Steve Snyder, of Bradley’s Cybersecurity and Privacy Practice Group said, “There is a lack of common vernacular to discuss cyber risk. IT/tech folks have one view of evaluating tech and managing projects; legal has a framework for discussions; business people have a different type of project management, etc. And while there are undoubtedly times when they have to come together on other projects when it comes to highly technical subject matter of cyber risk the differences seem more apparent in terms of how the problem is described, evaluated and how proposed solutions are described. I think one thing that helps is an advisor that has bridged those gaps in the past, which means typically someone external who has helped comparable entities harmonize their various stakeholders to communicate and understand the problem.”
Recommendation: Teams must communicate earlier and in simple terms to ensure they stay aligned. Use precise, controlled language to avoid invoking fears of “big brother” and focus on describing their technology and use cases in the context of controls in place to prevent abuse. The phrases security & privacy by design really ring true. While this seems easy, many never get past this step because they trip up on language trying to talk too quickly.
Problem 3: Documentation/compliance focus vs operational outcomes
Friction can be caused by efforts to get the “documentation right” (both what to, and what NOT to put in writing) vs progressing operational outcomes.
Analysis: There is a healthy balance between “a free-for-all with no documentation or compliance efforts” and “drowning in a sea of bureaucracy and paper pushing and not moving anything forward.” Most companies fall somewhere in the middle of these extremes but skew one direction or another.
An automotive industry security and privacy leader shared “Realistically, some of the biggest issues have to do with operational vs. policy or ‘redline’ focus. The practitioner or operational focus involves getting work completed. Whereas the “redline” focus is driven towards a very narrow reading of the law, policy or standard. The redline focus is to perfect every little detail with limited sense of urgency or care if/ how the actual task needs to be done…Unfortunately, it is difficult to find operational folks with deep policy/ legal expertise and it is difficult to find operationally focused risk/legal resources. So, there is ongoing friction.”
A senior privacy leader in the airline industry shared, “The role of legal is frequently misconstrued as a company’s policing authority rather than being advisory in nature. In-house counsel is often asked for ‘approval’ or ‘blessing’ which is not the role, especially when the rules are not always bright line and guidance shifts based upon different factors. The role of legal is to provide legal analysis, surface the risks and provide recommendations to the business. The risks may often be accepted by the business through a mature risk acceptance process. This misconception is further emphasized when the general counsel role (advisor) is held by the same person as the chief compliance officer (enforcer).”
Recommendation: Beyond active partnering and understanding each other’s perspectives (in solutions 1 and 2), companies need to have clear responsibilities for each group. Compliance related functions need to have a stated and practiced objective to make compliance as easy and natural as possible. Operational functions need to determine how to better leverage their more compliance focused partners to drive process improvement and controls (not paper improvements).
Problem 4: Lack of process fundamentals
Without clearly defined processes (with RACIs) there is confusion about how things work and who should be involved, leading to conflict, misunderstandings and surprises.
Analysis: Having effective and well-defined processes reduces the chaos of unstructured processes and programs. Also, when a company lacks fundamental processes, more advanced efforts are hamstrung and destined to fail. One key component of any good process is decision rights. There will always be situations where there are disagreements or conflict
A senior privacy leader in the airline industry shared that “I’ve often experienced confusion between what security and privacy teams are responsible for (including when dealing with security colleagues). One recent example includes managing and providing direction, standards or policy on IT controls. I’ve frequently seen common controls that are simply missed within the scope of security policies and programs (logging standards, access controls, asset management, audit ready documentation). If basic good IT practices that support privacy and security are not being managed, it makes privacy and security by design impossible. It also makes it interesting to explain to an auditor why data management activities are not demonstrable when foundational asset management and asset controls cannot be confirmed.”
She also shared concerns about resourcing and breadth of ownership/coverage: “Another huge challenge is that most organizations are still relying upon a single privacy role to ‘manage’ an enterprise privacy program. This is not scalable when you have that privacy person supporting a large organization with multiple stakeholder teams (IT, ecommerce team, security, risk, marketing, HR, etc.). This program of one usually lacks sufficient budget to be effective operationally.”
Steve Snyder shared that there can be a “lack of attention to the problem due to lack of resources coupled with clear understanding of the problem. Typically, at small and medium sized businesses, IT is heavily utilized, probably understaffed on just supporting operations. They implement the solutions and practices but have no time to document or communicate them with anyone. The rest of the company is in the dark on the info sec side because it is not an operational issue that is in front of them all the time. I’ve seen this problem solved primarily by having a rigorous review, again, most often by a third party. By forcing an assessment, it forces the business to stop and take stock of what’s going on and gets people to focus on the issue instead of just looking at what directly drives the bottom line.”
Recommendation: Companies must invest in their processes, clarity of ownership (RACIs) and adequate staffing to cover the breadth of responsibility. Cutting corners on any of these three will ultimately result in friction, slowness and worse: increased risk to the company.
Problem 5: Ego
Leaders with too much/unchecked ego tend to make decisions focused on short-term initiatives/gains or self-promotion rather than long-term planning or sustainably reducing risk.
Analysis: Security, privacy and law are all domains that require a significant motivational fit to be successful. Ego can spur motives that do not serve a company well in the long run. Much of my discussion with my contributors circled back to a conflict of personality, largely tied to ego. Ego problems can exist in any function and play out in a number of ways that block progress.
A senior privacy leader in the airline industry shared that leaders with too much ego and the wrong motivations/incentives tend to lack the ability to create and drive enterprise strategy and sustainable operations. Their decision-making process tends to focus on the short-term initiatives/gains rather than long term planning and benefit.
Ego problems are difficult to “cure,” especially when leaders are more senior in the company or have a low EQ (emotional quotient) coupled with a high IQ (intellectual quotient). Big egos tend to lose trust, while personal trust and transparency are critical to a healthy partnership between functions.
Recommendation: Know the players involved and understand their motives. My Six Sigma training and certification included a process called political mapping. It involves diagramming an organization’s key leaders, levels of influence or conflict and dynamics amongst the teams. It enables you to create an informed stakeholder management and communications plan to maximize your chances of successfully moving an initiative forward. I’ve carried this tool (and many others) into my regular toolkit. You may not be able to change leaders, but you can attempt to manage them.
Time is money
No company has time for friction in cybersecurity and privacy. The stakes are too high and customer trust is on the line. The intentions and motivations across cybersecurity, privacy and legal stakeholders are likely coming from a good place. However, communications, understanding, tactics, process and ego can cause significant friction for everyone involved. When this happens, no one wins – especially the company and its customers.
Companies that take a little time upfront to invest in minimizing friction will see their speed increase significantly. If you have experienced challenges and need some “graphite” in your pocket to go faster toward your goal, remember these five things.
Focus on building partnerships
Enhance understanding of technology, use and controls to prevent misuse
Find the right balance between operational goals vs compliance/documentation needs
Drive towards defined, efficient and continuously improving processes
Check egos: manage your stakeholders
Lastly, finding resources that have experience across security, privacy and legal can help you accelerate your efforts to reduce friction. Just like one dad asking another for graphite to reduce friction just before the race, it is never too late!
This article is published as part of the IDG Contributor Network.
As much as tools and technology evolve in the cybersecurity industry, organizations remain reliant on clever, well-trained humans with incisive critical thinking skills to protect themselves from the perilous cyber threat landscape. But just as the threat landscape continues to expand, so, too, does the corresponding skills gap that puts organizations at risk of major financial losses and irreversible damage to their brand reputations.
Finding and retaining a sufficient pool of qualified cybersecurity professionals grows ever more challenging, as reflected in ISACA’s recent State of Cybersecurity 2019 research. The retention piece can be especially problematic, particularly for organizations that face substantial resource limitations. Better financial incentives, such as higher salaries and more lucrative bonuses, overwhelmingly came across as the top reason why cybersecurity professionals change jobs, with other considerations such as career development opportunities and better work culture/environment also factoring in among the leading reasons.
The State of Cybersecurity 2019 report reveals several problematic data points about the current cybersecurity workforce outlook, including:
69 percent of respondents say their cybersecurity teams are understaffed
58 percent indicate their organizations have unfilled cybersecurity positions
32 percent report it takes six months or more to fill cybersecurity jobs at their organization
That last statistic is especially troubling. Think of the enormous damage a cyberattack can inflict upon an organization in six hours, let alone the six-plus months that it takes 1 in 3 organizations to fill an open cybersecurity position. That it takes so many organizations such an extended period to secure the candidates that they are looking for is indicative both of the need to cultivate more people to become interested in the cybersecurity profession and, thinking realistically, of the need for organizations to come to grips with the need to reskill and train candidates who might not check every desired box on the job description. Rather than wait six months or longer in hopes that the ideal person walks through the door, organizations would be well-served to take technologically-savvy candidates with tangential skills and bring them into their cybersecurity teams, realizing that a commitment to training and professional development will be needed.
Looking beyond conventional candidates
Along those lines, organizations should become more receptive to seeking out talent from non-traditional backgrounds. As my ISACA colleagues noted in a panel discussion this month at the RSA conference, veterans and others from non-technical backgrounds who possess skills and interest that align with cybersecurity roles often can rise to the occasion when given the opportunity. Furthermore, the cybersecurity industry must do a much better job attracting and retaining women in the field. The underrepresentation of women in the cybersecurity profession is an important piece of the overall skills gap faced by organizations globally. Taking these factors into consideration, organizations would be well-served to develop a business plan that redefines their protocols for how security talent will be attracted and retained.
Little margin for error
Organizations can build and retain effective cybersecurity teams, but the margin for error is slim. Quality cybersecurity practitioners will have many options, so the onus is on enterprise leaders to give them a compelling reason to want to come – and stay – at their organization. Offering a competitive salary is a natural starting point, as the State of Cyber 2019 report reinforces. When budgeting for the overall scope of their security teams, leaders might need to resist the temptation to purchase the latest intriguing tool or gadget if it comes at the expense of being able to offer key team members competitive salaries. Beyond the pay component, there are other areas in which organizations should take stock of what they are offering to make sure team members feel appropriately valued. To that end, organizations should invest in performance-based training for existing staff to groom more practitioners who are technically proficient – often the most elusive professionals for organizations to find. Instilling an upbeat, team-oriented culture also can go a long way toward preventing employees from looking elsewhere.
With each passing year, the recognition that robust cybersecurity is a central business imperative for all organizations in the digital economy becomes increasingly widespread, but there is a difference between knowing cybersecurity is important and having the vision and commitment to put an effective security program in place. That starts with bringing aboard quality cybersecurity practitioners, and then providing the ongoing training needed to fill in knowledge gaps and keep professionals current on the latest attack methods they will be tasked to combat. While artificial intelligence and automation-driven tools will prove useful for enhancing cybersecurity in the coming years, that doesn’t change the reality that no organization will be on secure footing until it has the right people in place to strategically address cyberattacks that will continue growing in volume and sophistication.
Quantum cryptography, also called quantum encryption, applies principles of quantum mechanics to encrypt messages so that they can be read by no one but the intended recipient. It takes advantage of quantum’s multiple states, coupled with its “no change theory,” which means it cannot be unknowingly interrupted.
Companies and governments around the world are in a quantum arms race, the race to build the first usable quantum computer. The technology promises to make some kinds of computing problems much, much easier to solve than with today’s classical computers.
One of those problems is breaking certain types of encryption, particularly the methods used in today’s public key infrastructure (PKI), which underlies practically all of today’s online communications. “I’m certainly scared of what can be the result of quantum computing,” says Michael Morris, CEO at Topcoder, a global network of 1.4 million developers. Topcoder is part of Wipro, a global consulting organization. It’s also working on finding solutions to quantum computing programming challenges.
“Instead of solving one problem at a time, with quantum computing we can solve thousands of problems at the same processing speed, with the same processing power,” Morris says. “Things that would take hundreds of days today could take just hours on a quantum computer.”
The commercial quantum computers available today are still far from being able to do that. “The theories have advanced farther than the hardware,” says William Hurley, IEEE senior member, founder and CEO of Austin-based quantum computing company Strangeworks. “However, we shouldn’t wait for the hardware to motivate the switch to post-quantum cryptography.”
Who knows what kind of technology isn’t available on the public market, or is operated in secret by foreign governments? “My fear is that we won’t know that the quantum computer capable of doing this even exists until it’s done,” says Topcoder’s Morris. “My fear is that it happens before we know it’s there.”
Asymmetric versus symmetric encryption
Here’s how encryption works on “traditional” computers: Data is sent from one place to another as binary digits (0s and 1s) and is deciphered with either a symmetric (shared, private) key or an asymmetric (public/private) key pair. Symmetric key ciphers like Advanced Encryption Standard (AES) use the same key for encrypting and decrypting a message or file, while asymmetric ciphers like RSA use two linked keys — private and public. The public key is shared, but the private key is kept secret and is what decrypts the information.
The first target of encryption-breaking quantum computers will be the weakest link in the encryption ecosystem: asymmetric encryption. This is PKI, the RSA encryption standard. Emails, websites, financial transactions and pretty much everything is protected with asymmetric encryption.
The reason it’s popular is that anyone can encrypt a message by using the intended recipient’s public key, but only the recipient can decrypt it using the matching private key. The two-key approach relies on the principle that some kinds of mathematical processes are much easier to do than to undo. You can crack an egg, but putting it back together is a lot harder.
With symmetric encryption, messages are encrypted and decrypted using the same key. That makes symmetric encryption less suitable for public communication but significantly harder to break. “Quantum computers are unlikely to crack symmetric methods (AES, 3DES, etc.) but are likely to crack public methods, such as ECC and RSA,” says Bill Buchanan, professor in the School of Computing at Edinburgh Napier University in Scotland. “The Internet has often overcome problems in cracking within an increase in key sizes, so I do expect a ramp up in key sizes to extend the shelf life for RSA and ECC.”
How to defend against quantum computers
Longer keys are the first line of defense against quantum attacks on encryption, and pretty much everybody is on board with that. In fact, the 1024-bit version of the RSA encryption standard is no longer regarded as safe by NIST, which recommends 2048 bits as a minimum. Longer keys make encryption slower and more costly, however, and the key length will have to increase substantially to stay ahead of quantum computers.
Another option is to use symmetric encryption for the messages themselves, then use asymmetric encryption just for the keys. This is the idea behind the Transport Layer Security (TLS) online standard, says Alan Woodward, a professor at the department of computing at the University of Surrey.
Many researchers are also looking at ways to create new kinds of encryption algorithms that would still allow public and private keys but be proof against quantum computers. For example, it’s easy to multiply two prime numbers together but very difficult to break a large number back up into its prime factors. Quantum computers can do it: there are already known quantum algorithms that could solve the factoring problem and many related problems, says Woodward.
However, there’s no known quantum method to crack lattice-based encryption, which uses cryptographic algorithms built around lattices. “Lattice cryptography is the one that looks to be the favorite at the moment, simply because it’s the most practical to implement,” he says.
The best solution could be a combination of post-quantum algorithms like lattice-based encryption for the initial communication to securely exchange keys, then using symmetric encryption for the main messages.
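The trapdoor idea (easy to multiply, hard to factor), the hybrid layout (asymmetric encryption only for the key, symmetric encryption for the message) and the threat (whoever can factor the modulus rebuilds the private key) can all be shown in one small program. The following is an added example, not code from the article or from any of the people quoted in it. It uses textbook RSA with deliberately tiny, hypothetical primes so that the "undo" direction, factoring, finishes in under a second on a laptop, which is exactly what a 2048-bit modulus prevents classically and what a large quantum computer would change. The symmetric cipher is a stand-in built from SHA-256 in counter mode so the example runs with only the Python standard library; it is not AES and is not a recommendation.

```python
import hashlib
import math
import secrets

# Constructed toy parameters (hypothetical): primes this small are useless in
# practice, but they let the factoring "undo" step finish in well under a second.
TOY_P, TOY_Q = 1000003, 1000033
PUBLIC_EXPONENT = 65537


def rsa_keygen(p=TOY_P, q=TOY_Q, e=PUBLIC_EXPONENT):
    """Textbook RSA: the 'easy' direction is one multiplication and one modular inverse."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def private_key_from_factors(pub, p, q):
    """Anyone who can factor n rebuilds d: this is what a large quantum computer threatens."""
    n, e = pub
    if p * q != n:
        raise ValueError("not the factors of n")
    return (n, pow(e, -1, (p - 1) * (q - 1)))


def factor_by_trial_division(n):
    """Classical 'hard' direction: brute force up to sqrt(n). Fine for a 40-bit
    toy modulus, hopeless for 2048-bit RSA, which is the point."""
    if n % 2 == 0:
        return 2, n // 2
    for candidate in range(3, math.isqrt(n) + 1, 2):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("n is prime or 1")


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in symmetric cipher: SHA-256 in counter mode. Not AES; used only so
    the example runs with the standard library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def sym_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def hybrid_encrypt(pub, plaintext: bytes):
    """Wrap a fresh symmetric key with RSA, then encrypt the message symmetrically."""
    n, e = pub
    session_key = secrets.randbelow(n - 2) + 2  # must be < n for textbook RSA
    wrapped_key = pow(session_key, e, n)
    ciphertext = sym_crypt(session_key.to_bytes(8, "big"), plaintext)
    return wrapped_key, ciphertext


def hybrid_decrypt(priv, wrapped_key, ciphertext: bytes) -> bytes:
    """Unwrap the session key with the private key, then undo the symmetric layer."""
    n, d = priv
    session_key = pow(wrapped_key, d, n)
    return sym_crypt(session_key.to_bytes(8, "big"), ciphertext)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    wrapped, ct = hybrid_encrypt(pub, b"constructed sample message")
    print(hybrid_decrypt(priv, wrapped, ct))
    # The same message recovered by someone holding only the public key and a factoring method.
    p, q = factor_by_trial_division(pub[0])
    print(hybrid_decrypt(private_key_from_factors(pub, p, q), wrapped, ct))
```

The second print line is the whole argument of the article in miniature: nothing about the public key changes when factoring becomes cheap, only the cost of the "undo" step, which is why key length alone only buys time and why the symmetric layer (which factoring does not touch) is the part worth keeping.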
Can we really rely on lattice-based encryption or similar algorithms to be safe? “You can’t guarantee that your post-quantum algorithm will be secure against a future quantum computer that uses some unknown quantum algorithm,” says Brian La Cour, professor and research scientist at the University of Texas.
Quantum key distribution is unhackable, in theory
This is where the laws of quantum physics can come to the rescue. Quantum key distribution (QKD) is a method of sending encryption keys using some very peculiar behaviors of subatomic particles that is, in theory at least, completely unhackable. The land-based version of QKD is a system where photons are sent one at a time through a fiberoptic line. If anyone is eavesdropping, then, according to the principles of quantum physics, the polarization of the photons is affected, and the recipient can tell that the message isn’t secure.
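The "the recipient can tell" claim is the part worth seeing concretely. Below is an added example, not code from the article or from any QKD vendor, that simulates the BB84 photon-polarization exchange: Alice prepares photons in random bases, Bob measures in random bases, the two keep only the positions where their bases agree (sifting), then sacrifice a sample of those bits to estimate the error rate. An optional intercept-and-resend eavesdropper measures each photon in a guessed basis and sends a fresh one on; in the simulation, as in the physics, this pushes the error rate to about 25%. The 11% abort threshold and the sample fraction are assumptions chosen for the example.

```python
import random

BASES = ("+", "x")  # rectilinear and diagonal polarization bases


def measure(photon, basis, rng):
    """Measuring in the preparation basis reads the bit; in the wrong basis the
    outcome is a coin flip and the original polarization is gone."""
    bit, prep_basis = photon
    return bit if basis == prep_basis else rng.randrange(2)


def intercept_resend(photons, rng):
    """Simulated eavesdropper: measure each photon in a random basis and send on a
    fresh photon prepared in that basis. This is the disturbance QKD detects."""
    resent = []
    for ph in photons:
        eve_basis = rng.choice(BASES)
        resent.append((measure(ph, eve_basis, rng), eve_basis))
    return resent


def run_bb84(n_photons, eavesdrop=False, seed=0, sample_fraction=0.25):
    """One BB84 session; returns the estimated error rate and both sifted keys."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.choice(BASES) for _ in range(n_photons)]
    photons = list(zip(alice_bits, alice_bases))
    if eavesdrop:
        photons = intercept_resend(photons, rng)
    bob_bases = [rng.choice(BASES) for _ in range(n_photons)]
    bob_bits = [measure(ph, b, rng) for ph, b in zip(photons, bob_bases)]
    # Sifting: bases are compared over a public channel; keep matching positions.
    sifted = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    # Error estimation: a random sample of sifted bits is compared openly and discarded.
    sample = set(rng.sample(sifted, max(1, int(len(sifted) * sample_fraction))))
    mismatches = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = mismatches / len(sample)
    alice_key = [alice_bits[i] for i in sifted if i not in sample]
    bob_key = [bob_bits[i] for i in sifted if i not in sample]
    return {"qber": qber, "alice_key": alice_key, "bob_key": bob_key}


def key_is_safe(qber, threshold=0.11):
    """Abort threshold is an assumption for this example; intercept-resend on
    every photon raises the error rate to about 25%, so the session is rejected."""
    return qber <= threshold


if __name__ == "__main__":
    for tapped in (False, True):
        result = run_bb84(4000, eavesdrop=tapped, seed=7)
        print(f"eavesdropper={tapped}: QBER={result['qber']:.3f}, "
              f"accept={key_is_safe(result['qber'])}, key bits={len(result['alice_key'])}")
```

Note what the simulation does not model: a noisy real fiber also produces errors, so a deployed system has to distinguish "expected loss and noise" from "someone measured our photons", which is why the abort threshold is a tuning decision rather than a law of physics, and why the article's later point about side channels (relays, repeaters, endpoints) matters more than the idealized channel.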
China is furthest ahead with QKD, with dedicated pipes connecting Beijing, Shanghai, and other cities. There are also networks in Europe. In the United States, the first commercial QKD network went live this past fall. The Quantum Xchange, connecting New York City’s financial firms with its data centers in New Jersey, rents space on existing fiberoptic networks, then uses its own QKD senders and receivers to send the secure messages on behalf of clients. The company plans to expand to Boston and Washington, D.C. later in 2019.
However, the technology is extremely slow and requires expensive equipment to send and receive the individual photons. According to John Prisco, CEO and president of Quantum Xchange, a customer would need to buy a transmitter and a receiver, each of which costs in the neighborhood of $100,000. “It’s not too terribly different from other high-speed fiber optics communication equipment,” he says. “And the price will come down over time as more companies provide the hardware.”
The big breakthrough last year was that QKD systems no longer require special pipes, says Woodward. “Now it looks like they’ll be able to use existing fiber networks, so they don’t have to lay new fiber.”
Then there’s the satellite-based approach. This one uses the principle of entanglement, which Einstein called “spooky action at a distance” and refused to believe was real. Turns out, it is real, and China has had a quantum communication satellite up and working for a couple of years now.
Entanglement isn’t about instantaneous communications that break the speed-of-light limit, says Woodward. The way that it works is that two particles become entangled so that they have the same state, and then one of these particles is sent to someone else. When the recipient looks at the particle, it’s guaranteed to be in the same state as its twin.
If one of those particles is changed, it doesn’t mean that the other particle instantly changes to match — it’s not a communication system. Plus, the state of the two entangled particles, while identical, is also random. “So, you can’t send a message,” says Woodward, “but you can send an encryption key, because what you really want in a key is a sequence of random digits.”
Now that the sender and the receiver both have the same random key, they can then use it to send messages using symmetric encryption over traditional channels. “China has leapfrogged everyone with this satellite,” says Woodward. “Everyone said it couldn’t be done, that passing through the atmosphere would drop it out of superposition, but the Chinese have been able to do it.” To receive the signals, companies would need to put something that looks like a telescope on their rooftops, he says, and then install some processing equipment.
Neither ground-based nor satellite-based quantum key distribution is practical for general use since both require very specialized and expensive equipment. It could, however, be useful for securing the most critical and sensitive communications.
The limits of quantum key distribution
If the integrity of the keys can be perfectly guaranteed by QKD, does that mean that unhackable communications are within our reach?
Not so fast.
“Most hackers, when they break into things, they hardly go head-on,” says Woodward. “They go around the side, and I suspect that’s where you’ll find problems with these implementations.” Today’s attackers, while they could, in theory, listen in to traffic over fiberoptic lines, typically don’t do that.
There are far easier ways to read the messages, such as getting to the messages before they are encrypted or after they are decrypted or using man-in-the-middle attacks.
Plus, QKD requires the use of relays. Unless the sender and the recipient build a pipe that goes directly between their two offices, and the distance is short enough that the messages don’t degrade — about 60 miles or less with current technology — there will be plenty of opportunities for hackers. QKD networks will need repeaters when messages travel long distances. “You can imagine that those repeaters are going to become weak points,” says Woodward. “Someone could hack in and get the key.”
In addition, QKD networks will need to be able to route messages, and that means routers and hubs, each of which is also a potential point of vulnerability. “Physicists can say, this is absolutely secure,” says Woodward, “but there’s a danger in that, in thinking that just because you’re using QKD that you’re secure. Sure, the laws of physics apply, but there might be ways around them.”
Besides the security problems, it’s not realistic to expect that every internet user will have access to a QKD endpoint anywhere in the near future. That means, except for the most sensitive, high-value communications, better encryption algorithms are the way to go.
When will quantum cryptography become available?
So how much time do we have to get those algorithms in place? When are the quantum computers getting here? Nobody knows, says Woodward, since very significant engineering challenges still need to be overcome, and that could take years — or decades — to solve. The technology is still in its infancy, he says. “The quantum computer I play with over the Internet via IBM now has 20 qubits,” he says. “Google is talking about 50 qubits.”
Cracking today’s standard RSA encryption would take thousands of qubits. Adding those qubits isn’t easy because they’re so fragile. Plus, quantum computers today have extremely high error rates, requiring even more qubits for error correction. “I teach a class on quantum computing,” says University of Texas’s La Cour. “Last semester, we had access to one of IBM’s 16-qubit machines. I was intending to do some projects with it to show some cool things you could do with a quantum computer.”
That didn’t work out, he says. “The device was so noisy that if you did anything complicated enough to require 16 qubits, the result was pure garbage.”
Once that scalability problem is solved, we’ll be well on our way to having usable quantum computers, he says, but it’s impossible to put a time frame on it. “It’s like saying back in the 70s, if you can solve the magnetic confinement problem, how far away is fusion?”
La Cour guesses that we’re probably decades away from the point at which quantum computers can be used to break today’s RSA encryption. There’s plenty of time to upgrade to newer encryption algorithms, except for one thing.
Like many other cybersecurity professionals, I spent last week at the RSA security conference in rainy San Francisco. Here are a few of my impressions:
Cybersecurity and business leaders are coming together – awkwardly. Remember when we used to wish that business executives would get more involved with cybersecurity? Well, be careful what you wish for. Yup, business leaders understand there is a tight bond between digital transformation and cybersecurity and are now asking CISOs to provide the right data and metrics, so they can measure risk and implement the right controls. Alas, you can’t measure a dynamic environment like cybersecurity with static data, and most CISOs have nothing but static data. Since this situation won’t change, RSA was full of new innovations to quantify risk on a continual basis and help CISOs and business executives make better risk mitigation decisions. This is a big step in the right direction.
Every layer of the security technology stack is in play. Remember a few years ago when we were all shocked by dual exhibition floors in Moscone north and south? Well, the RSA conference addressed this by making one contiguous show floor in and between both buildings. Why so many vendors? Because every individual technology in the security technology stack is in play, driven by things like machine learning algorithms, cloud-based resources, automation, managed services components, etc. All these vendors may be a boon to industry trade shows, but they are confusing the heck out of cybersecurity pros. Instead of buzz words and hyperbole, successful vendors will invest in user education and thought leadership, offering guidance and support for customers and prospects.
The market is absolutely moving toward consolidation, integration, and platforms. CISOs I talked with at RSA have a 2019 goal of eliminating some percentage of vendors and tools from their networks, and many are just getting started. Large cybersecurity vendors are jumping on this trend with integrated cybersecurity technology platforms and moving toward enterprise license agreements and subscription-based pricing. Many of the vendors I met with are now tracking multi-product deals and incenting direct sales and distributors in this direction. To succeed, vendors need best-of-breed products that come together through central management consoles for configuration management, policy management, and reporting. It’s early on in this transition and none of the big vendors have a distinct advantage, but I predict that we’ll see a few break from the pack by 2020. Furthermore, we’ll see at least one $5 billion cybersecurity vendor by 2021.
Cybersecurity analytics meets cloud-scale. Earlier this year, I predicted that 2019 would be the year of cloud-based security analytics. At RSA, Google and Microsoft did what they could to reinforce this prophecy with announcements of Chronicle Backstory and Azure Sentinel. Both are SaaS offerings that capitalize on a cloud “home court advantage” by accommodating massive amounts of data, storage, processing, etc. Both vendors readily admit that these are Rev 1 products, but each has an aggressive roadmap. Will these announcements usurp category leaders? No. Will they disrupt the status quo in terms of architecture and pricing? Heck, yes.
Professional and managed services everywhere – by necessity. Amongst the widget vendors, there were lots of architects, consultants, designers, and managed services offerings for hire at RSA. Everyone equates this upsurge with the cybersecurity skills shortage, which is true but misses an essential point. Cybersecurity is perpetually evolving, with new demands for data analysis, scale, and incident response, risk management decision making, etc. Most organizations don’t have the advanced skills to keep up with all the change. Cybersecurity technology may be sexy, but the future of enterprise security will depend more on third-party brainpower than ever before. This may shift the balance of power (and topics) at RSA from products to services in the near future.
Cloud security immaturity continues. Large organizations are getting their arms around cloud computing technologies, but there is still a large and growing gap between the pace of general cloud innovation and security controls and skills. So, while we may be figuring out container security, we remain behind in areas such as securing microservices and the APIs they depend upon. This gap represents a true opportunity, but only for vendors who understand various cloud technologies, native controls, and what’s needed for central management. In the meantime, services vendors are acting as the tip of the spear yet again.
The network still doesn’t lie. I’m pleased to see a renaissance in network traffic analysis (NTA) tools. Some are based upon open-source technologies such as Bro/Zeek, Snort, and Suricata. Some use machine learning to detect anomalous/malicious traffic. Some are tightly integrated with endpoint detection and response (EDR) tools. Why network security? ESG research indicates that network security monitoring is most often the center of gravity for threat detection. In other words, SOC analysts detect suspicious activity on the network first and then pivot elsewhere for further investigation. This makes the network an important source of security truth, which in truth, it always has been. In my humble opinion, CISOs can get a big bang for their buck by implementing one of the more modern network security monitoring/analytics tools, which may be why they seemed to be ubiquitous at RSA.
One additional note: There was lots of discussion at RSA about the MITRE ATT&CK framework. Bravo! This is one industry effort where everyone seems to agree and crow about its benefits.