July 14, 2015 by Larry Karisny (c) govtech.com
From unlocking cars and opening garages to hacking a satellite, recent breach demonstrations made a clear point about cyberattacks: They are very real and can be very dangerous. And our current method of “fighting” these attacks is not working.
Two of the largest hacking conferences, Black Hat and DEF CON, highlighted some of the scariest vulnerabilities being exploited in cyberattacks today. From hacking a Wi-Fi connected rifle, a Tesla electric car, a Brinks safe and an electric skateboard, there seemed to be no end to the demonstrations of what a hacker can do.
From unlocking cars and opening garages to hacking a satellite, the breach demonstrations made a clear point about cyberattacks: They are very real and can be very dangerous.
Although content database hacking is still a concern, as shown by the recent hacking of the Pentagon’s nonclassified emails, a more dangerous and lethal capability is now being demonstrated in our increasingly device-connected world. Gartner projects 25 billion connected vehicles will be in use by 2020, and a recent HP study shows that more than 70 percent of Internet of Things (IoT) devices have vulnerabilities that can be exploited.
Given these statistics, you’d think there would be an urgency to getting these “things” secured. But that is not so.
WHY DON’T WE SECURE THINGS?
Since we began writing software, we have put productivity and functionality ahead of security. For years, the short-term gain in using software to reduce operating costs (or sometimes just to have that new digital gadget) seemed to trump security.
But now that security breaches are costing billions of dollars — and with billions of new connected things on the horizon that, if breached, could get you killed — there is at last a new focus on cybersecurity. Unfortunately, however, today’s focus is on cybersecurity solutions that find where the attack occurred, not on solutions that proactively stop cyberattacks. There are reasons for this, and we need to take a good look at the limitations of today’s cybersecurity technologies to understand why.
In general, we don’t secure things because we use software technologies and networks that were never designed for security. We write software that connects one thing to the next, and then connects to an open network holding data that is sitting there ready to take action on the software’s command or a digital message. This tiny message event can occur in microseconds, and it can do any of the great things we see today in digital device technology — or any of the shocking security breaches we are beginning to see. Whether this microsecond message event is activating the greatest new app ever seen or hacking an airplane, we use the same software technologies to execute both.
IS WHAT YOU SEE WHAT YOU GET?
Today’s cybersecurity models are caught in the historical aggregation of data: terabytes of system logs that wait to be analyzed when something goes wrong. We have deterrent intrusion prevention technologies and historical detection technologies that use software patches to temporarily stop breaches from recurring. In fact, the main focus of cybersecurity today is how to recover from the damage of a cyberattack by finding and patching the problem — not stopping it from happening in the first place. These cybersecurity models are why things aren’t properly secured today, and they must change.
We have been trusting the actions of software messaging units — and the people who create and analyze them — since the infancy of the digital age. It is these very messaging units that cyberattackers now exploit to trigger the actions they want. We need to deploy technologies that can proactively live-audit these message events and relate them to the workflow processes within a given ecosystem. We are wasting our time and money trying to improve existing cybersecurity technology approaches. These technologies just can’t keep up with the volume of connected applications on the horizon, and they have no way of live-auditing the authenticity of digital events and their workflow processes.
WHAT AND WHERE WE NEED TO SECURE
Almost all systems are interconnected to the Web. However, all systems work autonomously and, in most cases, locally. It is not your responsibility to secure your neighbor’s garage door opener. It is their responsibility. These human-to-machine enhanced digital environments are called digital ecosystems. These ecosystems are defined not only by the person using their digital extension, but also by the interaction of other people’s digital extensions within the same ecosystem workflow. The business enterprise is a good example: a local workflow and all of its digital extensions work locally within a specific ecosystem, with the ability to connect to other, larger remote ecosystems. You need to first define the correct local workflow process and its proper security policies before you can connect to a larger ecosystem. One of the best examples of this is incident response by public safety organizations.
Local public safety procedures and policies are put in place for disaster response to such things as tornadoes, hurricanes and explosions. The local authorities respond to the incident and block and secure the area. Meanwhile, additional agencies come in to reinforce the area and add or collect incident intelligence using a variety of digital technologies. Each department has its own responsibilities and security policies but also takes part in an orchestrated, cohesive response that consists of multiple actions and security policies. This is the basis behind the Department of Homeland Security and how it works — there is secure orchestration and oversight of multiple agency ecosystems and events within a response area. And this is the way cybersecurity works.
Cyberattacks are local in nature, and the needed audits of workflow events also must be local. If the initial local response is audited incorrectly, the orchestration of responses built on it will also be incorrect. As the old computer saying goes, “garbage in, garbage out.”
If you review the list of devices hacked at the recent DEF CON and Black Hat conferences, you realize one thing very quickly: Cybersecurity attacks might be initiated remotely through the Internet, but the target of the attack is very local (your car, garage, house, your business, a hospital, a power grid substation, a naval ship). Local cybersecurity is the point where you define what is yours and what isn’t in your personal ecosystem, how you wish to securely interact, and how other ecosystems wish to securely interact with you.
TODAY’S DATA-DRIVEN MONITORING
Today’s cybersecurity focuses on recognizing and monitoring unauthorized access to, and manipulation of, the utility function of data being transported by a network. A small messaging unit activates a desired digital action, and the event is then stored historically in the system log. When something doesn’t work right, the analysis of sometimes terabytes of system logs offers a possible answer to where the breach occurred. There are encryption and analytic formulas that try to protect and monitor data, but these approaches must make assumptions about the digital messages rather than simply observe and audit what is happening in real time. You cannot do this by historically monitoring data at the utility function of the process. We need a way to live-monitor and live-audit what is really happening — not try to define later what might have happened.
True cybersecurity can only be achieved by live-monitoring and live-auditing what the data does in real time, not how it does it. To understand this better, I will use one of the most concerning examples of what hackers are doing today. If a hacker has placed an encrypted, hidden exploit in your system, readied for activation at any time, how would you stop it? The data-driven security model can’t see it, and can’t even modify or stop the action because it is encrypted. In fact, the only way to monitor the encrypted hidden exploit is by activating it. In current data-driven monitoring, we will find this exploit in the historical logs — which is too late. This is the point where an available live model-driven monitoring approach is needed — and the only way to stop an attack of this nature in microseconds.
Model-driven monitoring has some unique functionality in cybersecurity due to its distinctive attributes. First and foremost, it is done live. From observation to audit to response to mapping the secured orchestration of multiple systems, model-driven monitoring focuses on live actions and interactions within specific and multiple digital ecosystems. To better understand the effectiveness of model-driven monitoring security, let’s look at the hacking examples discussed earlier. Every hacking demonstration was done within the framework of a specific digital ecosystem. The network and data utility function of the targeted ecosystem were then manipulated.
Live model-driven monitoring recognizes the exact real system message policies and events that are occurring and does not rely on human or analytic analysis of aggregated data in historical system logs. Model-driven monitoring can be used in the orchestration of any ecosystem — and even multiple ecosystems — offering the secure orchestrated monitoring of more complex systems. From the enterprise to smartphones, cars, planes, naval ships, atomic power plants and even the human body, model-driven monitoring offers live observation, audit, response and mapping for any process or control system, no matter what hardware, software or network utility it runs on.
Of additional importance in model-driven monitoring is that the live information patterns do not require the retrieval of historical system logs for observation, audit, response and mapping. These features give the monitoring approach not only its live capabilities, but also security and privacy capabilities not found in current data-driven models. Rather than having vulnerable stored data telling the system what to do, model-driven monitoring graphically demonstrates, under the specified system event policies, what the system is actually doing in real time without leaving a digital trail. The stored digital trails left by the data-driven model are not only why people are hacking, but are becoming serious privacy issues as we continue to add more connected devices to personal and business ecosystems. For more information on model-driven monitoring, see: Model-Driven Monitoring: An Application of Graph Transformation for Design by Contract.
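As an added illustration that is not part of the article, the sketch below (my code, with a constructed incident-response workflow and made-up actor names) contrasts the two approaches the text describes: each message event is checked against a declared workflow model before the action it carries is allowed to run, so an out-of-policy event is blocked the moment it arrives instead of being found later in a stored log.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    source: str   # which actor (digital extension) sent the message
    action: str   # what the message would make the ecosystem do

@dataclass
class WorkflowModel:
    # (current_state, source, action) -> next_state; unlisted triples are outside policy
    initial: str
    transitions: dict

# Constructed model of the article's incident-response example: the local
# police must secure the area before any supporting agency may act, and
# only the local police may release the scene.
INCIDENT_MODEL = WorkflowModel(
    initial="reported",
    transitions={
        ("reported", "local_pd", "secure_area"): "secured",
        ("secured", "fire_dept", "collect_intel"): "secured",
        ("secured", "fema", "collect_intel"): "secured",
        ("secured", "local_pd", "release_scene"): "closed",
    },
)

class LiveAuditor:
    """Tracks the live state of one ecosystem and decides on each event before it acts."""
    def __init__(self, model):
        self.model = model
        self.state = model.initial

    def audit(self, ev):
        nxt = self.model.transitions.get((self.state, ev.source, ev.action))
        if nxt is None:
            return False          # block: not a modelled event in this state
        self.state = nxt          # allow and advance the workflow
        return True

def monitor_live(model, events):
    """Model-driven: allow/block decision per event, in order, plus the final state."""
    auditor = LiveAuditor(model)
    return [auditor.audit(e) for e in events], auditor.state

def review_log_afterwards(model, log):
    """Data-driven counterpart: replay a stored log against the same model and report
    the indexes of violating events. Every action in the log has already happened."""
    auditor = LiveAuditor(model)
    return [i for i, e in enumerate(log) if not auditor.audit(e)]
```

The same model answers both questions; the difference the article argues for is only when it is consulted, before the action or after the damage.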
MONITOR IT OR STOP IT
A few concerns with current cybersecurity technologies are that they focus primarily on patching problems and making money, rather than actually securing things. Current cyberattack responses and the cybersecurity technologies offered today are more focused on the whodunnit than on not letting it happen in the first place. Just looking at cyberattack headlines, you’ll find reactionary responses to something that actually happened months ago. These slow-to-react responses are due to data-driven monitoring of utility systems rather than live model-driven monitoring. We currently live in a world of unmonitored microsecond machine messages that can properly activate or even manipulate the actions of virtually any automated ecosystem.
If we are to enjoy the tremendous capabilities that our new digital communities will bring us, we must also offer the most economical and technologically superior technologies for the protection and use of these new digital technologies. If we can’t prove the security and privacy of these upcoming technologies, then we will dangerously play the risk game of productivity and functionality versus security and privacy.
The hacking demonstrations at Black Hat and DEF CON have proven that we are reaching a whole new level of cyberattacks: the deadly ones. We need to fix these cybersecurity issues now or stop the deployment of billions of digital things that clearly can cause us harm.