Claude Shannon, a WWII-era mathematician and cryptographer, is considered by some to be the godfather of modern computing and cybersecurity. Among his many accomplishments, he developed what became known as Shannon's Maxim: the enemy knows the system. (This is a derivation of Kerckhoffs' Principle, "the enemy knows everything," coined by 19th century Dutch cryptographer Auguste Kerckhoffs.)
This position — that the adversary knows your system as well as you do, if not better, as soon as it is stood up — while extreme, led to the creation of large number factorization, the basis for all modern encryption, from PGP to RSA tokens. Under these encryption schemes, as long as the key is kept private, someone can know everything about how the security system works and still not be able to crack it.
To get to a place of true cybersecurity, another stark innovation in thinking is needed. What is needed is an Inverse Shannon's Maxim: the user knows nothing.
"The area where we continue to have to do more work is on the human side, in terms of individuals doing things they should not do or a process failing," Veterans Affairs CIO Stephen Warren said during a discussion on agency security in November.
The agency was able to block or effectively mitigate all cyberattacks; however, lost access cards and misplaced data led to significant leakage.
To create a truly secure network, systems can no longer rely on users to do the right thing at all times. Mistakes and poor behaviors will be made — someone will click when they shouldn't, use "qwerty" as their password, or leave their laptop, unlocked, in a coffee shop.
While agencies and organizations scramble to educate employees on the latest in cyber hygiene, others are working on cybersecurity measures that don't require the user to have any specialized knowledge.
Something-you-know, something-you-have
Jeremy Grant, a senior executive for identity management at NIST, known as an ardent advocate of the "kill the password" movement, has two-factor authentication on his phone without having to remember a thing.
The something-he-knows — the passcode to gain access — is his thumbprint, read through a biometric scanner. The something-he-has — the authentication level, usually covered by a CAC or PIV card — is handled with derived credentials already on his phone.
"This is the most secure solution that's out there that's standards-based that responds to how the market's evolved," Grant said.
"The most secure solution that nobody wants to use doesn't really improve security at all. So focusing on usability is a key guiding principle," he said. "Focus more on how we can get somebody like my dad, who is a 71-year-old retiree in Detroit doing a lot of stuff everyday on an iPad, what's he going to be using? That's where the market needs to go."
Biometrics and one-time passcodes do a good job of managing authentication without relying on the user to remember a password or navigate a labyrinth of checks. However, that method only deals with access.
'A clicker in every crowd'
It is almost impossible to stop malware from infiltrating a network if the adversary is persistent and creative. Modern hacking techniques rely less on direct intrusion and more on retrieving passwords and other key strokes that will allow malicious actors to gain access through accepted avenues, pretending to be an authorized user.
This is often done through spear-phishing — carefully crafted emails or social media that get a user to click through to a malicious site or download malware through a disguised attachment.
Getting a user to click can be as easy as sending a Tweet with a harmless looking link or, as in one instance, an email with a spreadsheet purportedly listing bonus payouts for everyone in a department.
Training employees not to fall for these scams is important but at some point, someone in every organization will get fooled.
"We realized seven years ago that you can't stop spyware from getting on a computer," Waller said. "To protect the user, you need to protect what they enter at the point of contact."
To do this, Strike Force has developed a key stroke encryption system that secures every character as it's typed, pushes it through the application and decrypts it on the screen in real time. Even if spyware is embedded in a device, any exfiltrated data would be encrypted and useless without the key.
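The pipeline described above, as an added illustration that is not Strike Force's code: each character is encrypted at the point of capture, a simulated spyware hook between the driver and the application sees only ciphertext records, and the application decrypts for display. It goes one step beyond the article to show why the per-keystroke counter matters: without it, equal characters produce equal ciphertext and the captured stream degrades into a substitution cipher. The session key is a constructed value, and HMAC-SHA256 is used as a stand-in keystream for the authenticated cipher a real product would use.

```python
import hmac
import hashlib

# Constructed demo key. A real deployment provisions a per-session key into the
# keyboard driver and the application, out of reach of anything hooked in between.
SESSION_KEY = bytes(range(32))


def _keystream(key: bytes, counter: int) -> bytes:
    """PRF (HMAC-SHA256) keyed with the session key; the counter gives every
    keystroke fresh keystream bytes. Stand-in for a real AEAD."""
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()


def encrypt_keystroke(key: bytes, counter: int, ch: str) -> tuple:
    """Encrypt one typed character at the point of capture (driver side)."""
    raw = ch.encode("utf-8")  # 1-4 bytes; the keystream block is 32 bytes
    ct = bytes(b ^ k for b, k in zip(raw, _keystream(key, counter)))
    return (counter, ct)


def decrypt_keystroke(key: bytes, record: tuple) -> str:
    """Decrypt one record at the display side (application)."""
    counter, ct = record
    raw = bytes(b ^ k for b, k in zip(ct, _keystream(key, counter)))
    return raw.decode("utf-8", errors="replace")


def type_text(key: bytes, text: str, spy_buffer: list) -> list:
    """Simulate typing: each keystroke is encrypted before it leaves the driver.
    spy_buffer models spyware hooked between driver and app; it sees only records."""
    records = [encrypt_keystroke(key, i, ch) for i, ch in enumerate(text)]
    spy_buffer.extend(records)
    return records


def render(key: bytes, records: list) -> str:
    """What the application puts on screen after decrypting the stream."""
    return "".join(decrypt_keystroke(key, r) for r in records)


def naive_encrypt(key: bytes, ch: str) -> bytes:
    """Caveat: the same scheme WITHOUT a per-keystroke counter. Equal characters
    give equal ciphertext, so a captured stream is only a substitution cipher."""
    return encrypt_keystroke(key, 0, ch)[1]


def repeat_pattern(items) -> list:
    """Canonical repetition structure: index of the first occurrence of each item.
    Two sequences with the same pattern reveal the same which-chars-repeat information."""
    first = {}
    return [first.setdefault(x, i) for i, x in enumerate(items)]
```

Note that even the counter-based stream still reveals how many keystrokes were typed and when; keystroke encryption protects content, not length or timing.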
"This would have stopped what happened at Home Depot, Target, JP Morgan and every other breach in the last few years," Waller asserted.
Expecting perfect cyber hygiene from everyone on the enterprise at all times is unrealistic.
Strike Force has been working on a mobile solution in the form of a software developer kit, which it expects to roll out in the next few weeks.
The kit will give application designers the tools to build key stroke encryption directly into their apps, shielding data entry from the device's data dictionary.
Unfortunately, key stroke encryption only protects against spyware. More destructive kinds of malware can wreak havoc on systems, wiping databases or blocking access until a ransom is paid.
Distributed defense
Current methods like containerization — in which apps are segregated from an operating system, preventing the spread of infection — and sandboxing — "detonating" potentially malicious code in a safe environment — are making it harder for malware to infiltrate systems, but they're not perfect.
"We're seeing a dramatic uptick in SSL encrypted malware," said John Gordineer, director of Dell's SonicWall security system. "So the attackers are starting to use the same technology that the good guys use to protect things — they're using it to protect their ability to conduct their business, which is stealing our money."
This shift in tactics by the adversary causes a number of new problems for firewalls. An enterprise can no longer trust encrypted traffic coming into the network, so resources have to be allocated to decrypt all of it in a safe environment and analyze it before the data is passed along to the network.
Gordineer likened this to performing a man-in-the-middle attack on your own people.
While this takes a lot of computing power, the system is automated and doesn't rely on the employee to decide whether incoming traffic is suspicious or not.
One way to get around the load problem is to distribute the work across multiple devices, as is done with Dell's Invincea platform.
"Invincea takes that to a micro level," Gordineer said. "Instead of trying to manage it all through one big sandbox, you're distributing that out and each client, each laptop is responsible for doing zero-day prevention."
This solution will work for a time, until the bad actors develop a new way to slip past an organization's firewalls.
"We've got to really be more sophisticated and more literate" about cybersecurity, said Paul Christman, vice president of public sector for Dell Software, noting it's incumbent on the technology suppliers to stay abreast of developments on behalf of the users. "There's nothing that kills a conversation at a cocktail party like encrypted network traffic — nobody cares. They just want [to order] their pizza and have their credit card information stored safely."
The users just want it to work. In an ideal world, the user knows nothing.
Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.