How We Are Doing Everything Wrong In Cybersecurity

Kent Hartland
12 min read, Aug 6, 2019

The strategies, products, technologies and methods we use today to analyze and counter cyber threats are the product of a multi-decade running gun battle with what I will call The Hackers, for lack of a more concise term: the state-sponsored or state-owned cyber attack groups, as well as the corporate and lone-wolf attackers, whose prime directive is to locate, penetrate and exploit whatever cyber treasures they can find, either for the value of the data or to turn the hacked resource into a machine bent to the hacker’s own objectives.

We follow a predictable, clean-cut set of patterns when we build our resources, whether it be a Database, Website or computer Program/App. Let’s use the term DWP. Why? Because that’s the way it’s always been done. It’s what we were taught. It’s what is, presumably, the most maintainable. We take pride in our crisp, clean, textbook-example coding that any other coder can read. No spaghetti code here, nosirree. Nice organized, normalized DWP with logical names for things like tbl_Customers and col_SSN for where we store our clients’ Social Security Numbers. Even though we do try hard to encrypt everything (we do, right?), we still draw illustrated road maps that guide a hacker right to the goodies: a name like col_SSN tells an intruder which column is worth stealing before he has read a single row, and if the application happily decrypts that column for whoever asks, the encryption never slowed him down at all.

Continuing with our example, let’s say a 17-year-old Russian kid wants to get in on the Data Compromise Gold Rush. He wants to lock down some bank with ransomware he found on the so-called Dark Web. So, what does he do? He spends a few nights poking around, for instance at AmericanMegaBank.com. He gets past the silly and barely tested initial lines of defense and into the huge bank’s system. He then manages to locate their AmerMB.db database (it does say “.db”, after all) and the tbl_Customers table with jillions of people’s personally identifiable data, including the col_SSN column with all their Social Security Numbers. Excited as only a 17-year-old can be, he plants his package, which encrypts the entire database with his key. The next morning a senior executive in Manhattan logs in at 5AM only to find a garish message across his screen: “You have been hacked. Your data is now locked and under our control. Go check it out. You will be contacted shortly with directions on how to pay a ransom to get your bank’s data back.” Or whatever.

By 9AM the IT people will have confirmed the attack and the seizure. Preliminary analysis will lead them to believe it is the dreaded WhateverLockerSystem that was used against three hospitals, the City of Gotham and another bank last year. They all had to pay the ransom, because there is no way to break the encryption itself; the only way out that doesn’t involve paying is restoring from backups the attacker couldn’t reach.

We see it almost every month. Billions of dollars are being extorted from America into anonymous foreign bank and cryptocurrency accounts. It is quick, easy and quite effective. We need not ponder what those massive piles of cash are being used for, but it assuredly is not in America’s best interests.

We’re being robbed on a regular basis, all up and down Wall Street, Main Street and across our nation. Something has to be done soon or our economy is essentially destined to become vulture bait. Actually, it already is.

And what if it was you, the CFO or CIO of American Mega Bank, on that morning when you realize you’ve been expertly compromised? Your gut turns into an acid pump as you hear your phone ringing. It’s the CEO. Two of the Board Members have already left messages and reporters are starting to howl for a statement. Suddenly your world turns dark and you have a vision of yourself in a tattered suit, in a breadline. Across the street from the breadline, on a skyscraper’s front door, a sign reads, “No Cybersecurity Executives Need Apply. We’ve Been Put Out Of Business By The WhateverLockerSystem Ransomware Virus.”

It’s the kind of thing that makes people jump out of buildings and it’s happening more and more. And what are we doing about it? The usual. Try slapping on more armor, looking for any chinks, changing passwords, employee Cyber Awareness training. Hire consultants who will spend the next four months asking for records, prowling around your data infrastructure and so forth only to recommend more armor and more training.

Will it help? Well, anything you can do to make it harder for someone to penetrate your systems will help. Will it stop them from trying? Of course not. Especially after you’ve been hacked once.

It’s an arms race. My armor against your bullets. Better armor? Okay, bigger bullets. America spends, depending on who you ask, between $50B and $100B a year doing this stuff. Bank of America alone reportedly spends $14B a year!

Aside from the cost of defending our data, there is the money we flat out lose in data breaches each year. According to various sources it is upwards of $400B in America (1) and $11M per business per year, worldwide (2). That’s more than half of the entire Department of Defense budget and twenty times the NASA budget! (3)

So you won’t get much argument if you say that America is spending half a trillion clams each year in a losing battle against a rather tawdry crew of ne’er-do-wells, mostly in North Korea, Iran, Russia and China. They are making us look silly, frankly.

So, how do we stop it? We have to get the hell outside the box we have put ourselves into and stop being so hacker-friendly, predictable and easy.

Let’s talk again in general terms about our resources, our treasures, our DWP: Databases, Websites and Programs. Each of these breaches is typically a series of failures on the part of our systems. Beginning at the beginning, we need to analyze how the attackers managed to succeed at each step of the way, and how we can take away each of those weaknesses.

We need to move away from a strictly defensive posture to one of Catch And (Maybe) Release. We need to make it Hard to figure out our stuff and difficult to ascertain what’s what in there.

Just like the inflatable rubber “tanks” parked in southern England prior to D-Day, the many false but tantalizing “coded” radio messages we knew the Nazis would intercept, and the corpse set adrift off the Spanish coast with “secret war plan” documents in his pocket, World War Two was won thanks in no small part to our talents at Obfuscation, the act of making something “difficult to understand, usually with confusing and ambiguous language”.

To be clear, I am not proposing that we abandon our hard-won armor and existing encryption and strategies. Everything helps. But we need to pivot to Obfuscation Theory as our new mainline strategy. We have to make our DWP hard to find, hard to identify and confusing to choose between. The innards of our stuff need to be like Alice’s rabbit hole, where things just get curiouser and curiouser. The point is not that a determined hacker can never work it out; it is that working it out takes time and makes noise, and time and noise are exactly what the defender needs.

AmericanMegaBank.com needs to be accompanied by similarly named sites, actual working websites, to confuse and lure someone looking for a target. Each of these we’ll call a honey pot. It looks like honey, tastes like honey, but is not the real honey. So maybe we have AMB.net, MegaBankOfAmerica.com and AmericanMegaBank.com. (Registering the lookalikes yourself has a side benefit: a phisher can’t register them first.) Here’s where the trickery and deceit begin. When a legitimate bank customer accidentally finds and opens one of the honey pot sites, it functions like it always has, up to a point. The “About Us”, “Contacts”, “History” pages and such are all the same. But if you try to log in to your account from a honey pot, you are evaluated by your IP and ISP combination, for instance, along with anything else the request gives away. If you look like a hacker you go down one branch of the rabbit hole, but if you look genuine so far, you go to the actual customer login process (which will be much more secure, but more on that later).

Once a hacker is silently led down a rabbit hole he should be recorded and/or monitored in real time. His identity will need to be gleaned, his actions and movements watched, his attack attempts logged. Alerts and reports will be automatically sent to the responsible IT personnel: a mouse is in the AMB.net trap and here’s what we know about him so far. There is a dummy database there for him to breach and gigabytes of dummy credentials for him to download and maybe even sell on the dark web, much to the degradation of his reputation in the criminal world. Make those dummy credentials canaries, accounts that exist nowhere except in the decoy, so that any attempt to use one, anywhere, tells you exactly which dump it came from. This downloading and other activity will take time, time enough for us to track down who and what he is and where he’s from.

So our honey pot is a smart trap that helps us identify, profile and manipulate our cyber enemies. All through Obfuscation, Trickery and Deceit.
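Here is what that routing decision looks like in code. This is an added example, not anything from the original article or from a product it mentions. The host names are the article’s; the address ranges, probe paths, scanner signatures and scoring weights are constructed stand-ins for the IP/ISP reputation data a real deployment would load from its own feeds, and the per-IP path history is kept in a plain dictionary for the demo.

```python
import ipaddress
from dataclasses import dataclass, field

# The article's hostnames: the real site and two lookalike decoys ("honey pots").
REAL_HOST = "americanmegabank.com"
DECOY_HOSTS = {"amb.net", "megabankofamerica.com"}

# Constructed stand-ins for reputation data a real deployment loads from feeds.
SUSPECT_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # TEST-NET-3, documentation range
# Paths no customer asks for; only scanners, and people with a road map, do.
PROBE_PATHS = {"/.env", "/phpmyadmin/", "/wp-login.php", "/backup/amermb.db"}
SCANNER_UA = ("sqlmap", "nikto", "python-requests", "curl/")
ENUMERATION_THRESHOLD = 20          # distinct paths from one IP before we call it a crawl


@dataclass
class Request:
    host: str
    client_ip: str
    path: str
    user_agent: str = ""


@dataclass
class Decision:
    backend: str                    # "real", "decoy", or "ultra" (real host under attack)
    priority: str                   # alert level: "none", "normal" or "ultra"
    score: int = 0
    reasons: list = field(default_factory=list)


def suspicion(req: Request, per_ip_paths: dict) -> tuple:
    """Score how hostile a request looks; returns (score, reasons)."""
    score, reasons = 0, []
    ip = ipaddress.ip_address(req.client_ip)
    if any(ip in net for net in SUSPECT_NETS):
        score += 3
        reasons.append("source in suspect range")
    if req.path.lower() in PROBE_PATHS:
        score += 4
        reasons.append("probe path " + req.path)
    ua = req.user_agent.lower()
    if not ua or any(tag in ua for tag in SCANNER_UA):
        score += 2
        reasons.append("scanner or empty user-agent")
    seen = per_ip_paths.setdefault(req.client_ip, set())
    seen.add(req.path.lower())
    if len(seen) > ENUMERATION_THRESHOLD:
        score += 2
        reasons.append("path enumeration")
    return score, reasons


def route(req: Request, per_ip_paths: dict) -> Decision:
    """Choose which backend answers the request, and how loudly to alert."""
    score, reasons = suspicion(req, per_ip_paths)
    on_decoy = req.host.lower() in DECOY_HOSTS
    is_login = req.path.lower().startswith("/login")
    if on_decoy:
        if is_login and score == 0:
            # A lost but clean-looking customer: forward to the real login flow.
            return Decision("real", "none", score, reasons + ["clean login on decoy host"])
        # Public pages look identical; logins and anything suspicious go down the rabbit hole.
        level = "normal" if (is_login or score) else "none"
        return Decision("decoy", level, score, reasons + ["decoy host"])
    if score >= 4:
        # Hostile traffic against the real site: serve the facsimile and page a human.
        return Decision("ultra", "ultra", score, reasons)
    return Decision("real", "none", score, reasons)


def alert(req: Request, d: Decision) -> dict:
    """The record that goes to IT: 'a mouse is in the AMB.net trap, here is what we know'."""
    return {"priority": d.priority, "host": req.host, "src": req.client_ip,
            "path": req.path, "ua": req.user_agent, "score": d.score, "why": d.reasons}


if __name__ == "__main__":
    state = {}                                # per-IP path history, in memory for the demo
    for r in (Request("amb.net", "198.51.100.7", "/about", "Mozilla/5.0"),
              Request("amb.net", "203.0.113.9", "/login", "sqlmap/1.3"),
              Request(REAL_HOST, "203.0.113.9", "/backup/amermb.db", "curl/7.64")):
        d = route(r, state)
        print(d.backend, alert(r, d) if d.priority != "none" else "(no alert)")
```

The scoring is deliberately additive and explainable: every alert carries the list of reasons that fired, because the first thing the on-call engineer will ask is why a customer got sent to the decoy. Keep the thresholds conservative on the real host; a false positive there is a locked-out customer, which is exactly the kind of noise that makes people turn the system off.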

If one were somehow able to penetrate the real American Mega Bank website and/or its database, a similar experience takes place, except that a special Ultra Priority alert, intense monitoring, identification and reporting begin. The real data is immediately locked down, encrypted and perhaps even dropped (deleted) while a facsimile of the data, albeit with faux values, remains to take the bullet. Since the real data is constantly being backed up to offline storage, the loss of any unposted transactions is minimal and well worth it. Two cautions before you automate the drop: test that the offline backups actually restore, and remember that a false positive now becomes a self-inflicted outage, so cutting the intruder’s access (revoking the credentials and isolating the host) is usually the better first reflex than deleting the data.

On the website, the pages will have strange, similar and confusing names: xh3–4.html might be the home page, whereas gh_1_e_2004_thru_2009.xml might be the client login page. Be realistic about what this buys you on the public side: the home page is whatever the server returns for “/” and the login page is wherever the login form posts, so anyone who simply uses the site sees the real paths regardless of their names. Odd names earn their keep behind the front door, in the database and the internal interfaces, where the intruder has no form to follow and must work out for himself which of many similar objects matters.

The database table that contains general customer data might be xkf_ArchivedOfficeSupplyReimbursements_2004, with the prefix “xkf_” replacing “tbl_”. In that table the customer name columns might be changed from “col_FName”, “col_MI” and “col_LastName” to “ela_Seg3”, “ela_Part13” and “rft_Recyc”. In other words, nothing makes sense anymore. This, coupled with the data encryption you should already have, is the last line of defense. Obfuscate the structure and purpose of your data. One caveat: a column name can lie, but a column full of nine-digit numbers in the xxx-xx-xxxx pattern cannot, so the renaming only hides what the encryption already hides, and a real table is only camouflaged if it sits among a crowd of equally plausible-looking ones.

The customer login information is kept in a separate table named “rec_UEER_Filings_2017”, and the user IDs and password hashes are stored in columns named “ghp_Location” and “arc_NegativeBalTransNo”, or something like that.

A stored procedure (a small program that lives inside the database itself) that was named “proc_PostYearEndEarnings” might be renamed “dff_EmployeeVacationAccumulated_ytd_2009”.

Once you have your DWP resource rebuilt and tested to follow the principles of Obfuscation, you clone the entire thing and begin altering the second iteration with a slightly different name, slightly different structures, and so on. This is an inexpensive Force Multiplier, as the military says. The hacker will find himself confronted by a covey of confusing, similar websites, databases or programs and has to guess which is the real one. He will spend days, weeks or forever trying to chew his way into and through one, only to find out he’s been outfoxed. The clones do come with an obligation: a decoy is a real server with real software on it, so it must be patched, monitored and isolated from the production network just as carefully as the original, or the decoy with the unpatched bug becomes the beachhead into the real one.

It is like cars. A car thief is less likely to mess with the car that is locked and has the little blinking LED on the dash as a warning. Nope, not when there are so many unlocked cars, some with the keys in them, some with the engine running.

Now, I know what you’re thinking. Once we rename everything, are we going to have to rewrite all our front-end programs to work with the newly named tables, procedures, triggers and resources? Yes and no. You build a translation table that maps each old, logical name to its new, obfuscated name and load it at startup; the code refers to the logical name, and the layer substitutes the physical one. The same translation table, loaded with both the old actual names and the new obfuscated names, is what drives the renaming of everything in the database, with a search-and-replace type function. Later, maybe annually, you generate a fresh set of names, run the same function to rename the prior names to the new ones, and replace the table. Two rules for that layer: generate the obfuscated names randomly rather than by hand, and validate every name against a strict pattern before it goes into a query, because a layer that splices identifiers into SQL is a new place for an injection if the map is ever tampered with.

Of course, much of the information on how this works, the translation tables, etc., will have to be siloed so that if they get one they still won’t get them all. Encrypt the secret how-to information and definitely KEEP IT OFFLINE. Be precise about what “offline” means here: the running application needs the current map, so that copy lives in a tightly controlled secrets store with every access logged, while the master copy, the rotation tooling and the history of past names stay off the network entirely.

It will be a new way to approach building new systems. An Obfuscation Layer will handle the translations, alerts, monitoring and reports. A system built on it should be as easy to maintain as a non-obfuscated one.
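An added example of the translation-table idea (mine, not the article’s own code): a small obfuscation layer over SQLite in which the application only ever speaks logical names (customers, ssn), a map held outside the database resolves them to meaningless random physical names, and a rotate step re-obfuscates everything with ALTER TABLE. The schema, the sample row and the “x” plus hex name format are constructed for the example, and SQLite 3.25 or later is assumed for RENAME COLUMN.

```python
import re
import secrets
import sqlite3

# Logical schema the application knows about (constructed for the example).
SCHEMA = {
    "customers": ["fname", "lname", "ssn"],
    "logins": ["user_id", "pw_hash"],
}
# Physical identifiers must match this before they are spliced into SQL.
IDENT = re.compile(r"^[a-z][a-z0-9_]{2,30}$")


def obscure_name() -> str:
    """A random identifier that says nothing about what it holds."""
    return "x" + secrets.token_hex(6)


class NameMap:
    """Logical name -> physical name. Lives in the secrets store, not in the database."""

    def __init__(self, tables: dict):
        self.tables = tables          # {"customers": {"_table": "x..", "ssn": "x..", ...}}

    @classmethod
    def fresh(cls, schema: dict) -> "NameMap":
        return cls({t: {"_table": obscure_name(), **{c: obscure_name() for c in cols}}
                    for t, cols in schema.items()})

    def table(self, logical: str) -> str:
        return self._quoted(self.tables[logical]["_table"])

    def col(self, table: str, logical: str) -> str:
        return self._quoted(self.tables[table][logical])

    @staticmethod
    def _quoted(name: str) -> str:
        # Names come from the map, not from users, but a corrupted or tampered map
        # must still not be able to inject SQL: validate, then quote.
        if not IDENT.match(name):
            raise ValueError("refusing to use identifier %r" % name)
        return '"%s"' % name


def create_schema(conn: sqlite3.Connection, nm: NameMap) -> None:
    for t, cols in SCHEMA.items():
        cols_sql = ", ".join("%s TEXT" % nm.col(t, c) for c in cols)
        conn.execute("CREATE TABLE %s (%s)" % (nm.table(t), cols_sql))


def add_customer(conn, nm: NameMap, fname: str, lname: str, ssn: str) -> None:
    t = "customers"
    sql = "INSERT INTO %s (%s, %s, %s) VALUES (?, ?, ?)" % (
        nm.table(t), nm.col(t, "fname"), nm.col(t, "lname"), nm.col(t, "ssn"))
    conn.execute(sql, (fname, lname, ssn))      # data is always bound, never spliced


def find_by_ssn(conn, nm: NameMap, ssn: str) -> list:
    t = "customers"
    sql = "SELECT %s, %s FROM %s WHERE %s = ?" % (
        nm.col(t, "fname"), nm.col(t, "lname"), nm.table(t), nm.col(t, "ssn"))
    return conn.execute(sql, (ssn,)).fetchall()


def rotate(conn, nm: NameMap) -> NameMap:
    """The article's annual re-obfuscation: new names, applied as a batch of renames."""
    new = NameMap.fresh(SCHEMA)
    with conn:                                   # one transaction: all renames or none
        for t, cols in SCHEMA.items():
            for c in cols:
                conn.execute("ALTER TABLE %s RENAME COLUMN %s TO %s"
                             % (nm.table(t), nm.col(t, c), new.col(t, c)))
            conn.execute("ALTER TABLE %s RENAME TO %s" % (nm.table(t), new.table(t)))
    return new


def physical_tables(conn) -> list:
    """What an intruder with read access to the catalog would see."""
    return [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]


def build_demo():
    """In-memory database with one constructed customer row; returns (conn, map)."""
    conn = sqlite3.connect(":memory:")
    nm = NameMap.fresh(SCHEMA)
    create_schema(conn, nm)
    add_customer(conn, nm, "Ada", "Lovelace", "123-45-6789")
    return conn, nm


if __name__ == "__main__":
    conn, nm = build_demo()
    print("catalog before rotation:", physical_tables(conn))
    nm = rotate(conn, nm)
    print("catalog after rotation: ", physical_tables(conn))
    print("lookup still works:     ", find_by_ssn(conn, nm, "123-45-6789"))
```

Two things worth noticing. The map is the secret: whoever reads it has the road map back, which is why it belongs in the secrets store and not in a config file next to the database. And the layer changes nothing about the values, so the SSN column still holds strings that look like SSNs; the renaming costs an intruder time, and only the encryption costs him the data.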

And there’s more. We need to go to “keyless” encryption, meaning keyless from the human’s point of view. Key management, and mismanagement, is a big problem with a big human element, and we need to change that. I’m aware of one such system that’s running today. The weak point is rarely the industry-standard algorithm; it is that in most deployments the key is a file or a string that anyone with a computer, anywhere, can copy and use to decode the message. Baloney! We need encryption that is designed to decode only for the intended recipient or recipients, with the key generated and held in hardware and released only to someone who presents the proper set of credentials. There should never be a key passed between humans.

Speaking of credentials, we need the new Life Experience-based Positive Authentication Credential (PACred) technology to validate and authenticate system users and encryption recipients.

You DON’T want to go to so-called biometric access systems like fingerprint matching, retina scans and such as the credential itself. A fingerprint is an identifier, not a secret: you leave it on every glass you touch, and once a template database is breached and sold in bad places, people would spend the rest of their lives having to prove that they didn’t access their bank account and send all the money to a blind account in the Caymans. Employment background checks would become useless, or at least time consuming, when it comes to determining whether Suzy Jones really was fired from Genomex for IP theft.

Once you lose control of your retina, fingerprints or other personal measurements, you lose control of you, and anyone else can become you. Biometrics as a password are a bad idea. If they get hacked you can’t just cancel your fingerprints and get new ones. The only defensible use is a biometric that never leaves your own device and merely unlocks a key stored there, so that no server ever holds the template. NEVER LET SOMEONE GET YOUR BIOMETRICS. Refuse. Walk away.

Long passwords are another proposed solution. The longer the password, the longer it takes a password-cracking program to guess it. That’s true, but it also quickly becomes too long and cumbersome for the legitimate user to remember. So we end up leaving little stickers on our monitors or creating little files called PWDS.doc that we open to cut and paste our long passwords from.

Or we may get a Password Locker app that lets us store all our passwords, all of them, in one box with just a single master password to remember. And since we have to remember it, it surely won’t be a long, secure master password, nope. It will be back to the hackable ones like MyPassword@2019 or something. Then, when a hacker guesses your master password and gets hold of the locker file, he gets ALL OF YOUR PASSWORDS FOR THE ENTIRE WORLD. If you use a locker at all, that one master password has to be the single long, unique secret you actually commit to memory; a locker behind MyPassword@2019 is worse than no locker.

There is a type of password that is strong for its length, ten characters or so. No special characters like @#% are needed, although you can multiply the number of guesses an attacker must make by wrapping it in your choice of brackets: () or {} or [] or <>. It’s also easily remembered by most people, and is based on science relating to how people memorize and recall things. For example, 21MyDuTe88, or the stronger <21MyDuTe88>. And you don’t have to change it all the time. Be honest about its limits, though: ten characters of this shape hold roughly thirty-odd bits of guessing entropy, which is plenty against online guessing with a lockout and not plenty against offline cracking of a leaked database, so it depends on the server storing it properly.

Password systems need to disallow stupid passwords and to suggest unique, easy-to-remember passwords that don’t contain English words longer than two letters, or common patterns of letters or numbers like ABCD or 1234. You need to assist people by letting them choose an approved password immediately. Don’t like 21MyDuTe88 (when I was 21 I did My Duty and I owned a Buick 88)? Click Next and you will be offered another, perhaps 19TuDaOk55 (I’m 19 and Today Is Okay as long as I drive 55) or 22ItWeLk48 (22: It We Like more than 48).

Your brain will slip into easily remembering one of the thousands of possibilities the new Smart Password system can offer you. And the system won’t store your password; it stores a one-way, salted, deliberately slow hash of it, something like “AFJERCDJKFLDMNRMBNAF”, from which the password cannot be recovered (this is hashing, not encryption, so there is no key to steal). When you log in, it hashes whatever you enter with the same salt and compares the result against the stored value in constant time. If they match, you’re in.
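As an added example (mine, not the article’s or any product’s), the three pieces of that Smart Password system in runnable form: a policy check that rejects dictionary words, keyboard and number sequences and repeated characters; a generator that produces suggestions in the article’s shape (two digits, three consonant-vowel syllables, two digits, as in 21MyDuTe88, with optional brackets); and storage as a salted PBKDF2 hash with constant-time verification. The word list is a constructed stub, the iteration count is illustrative, and the entropy function assumes the attacker knows the scheme.

```python
import hashlib
import hmac
import math
import os
import re
import secrets
import string

# Constructed stub of a dictionary; a real check loads a full word list.
ENGLISH = {"pass", "word", "love", "bank", "duty", "today", "like", "admin", "welcome", "buick"}
SEQUENCES = (string.ascii_lowercase, string.digits, "qwertyuiop", "asdfghjkl")
CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"
MIN_LEN = 10
PBKDF2_ITERATIONS = 200_000          # illustrative; tune so one check costs ~100 ms on your hardware


def is_weak(pw: str):
    """Return the reason a password is refused, or None if it passes the policy."""
    low = pw.lower()
    if len(pw) < MIN_LEN:
        return "shorter than %d characters" % MIN_LEN
    for w in ENGLISH:
        if len(w) > 2 and w in low:              # words of one or two letters are allowed
            return "contains the word %r" % w
    for i in range(len(low) - 3):
        chunk = low[i:i + 4]                     # abcd, 1234, dcba, qwer ...
        if any(chunk in s or chunk in s[::-1] for s in SEQUENCES):
            return "contains the sequence %r" % chunk
    if re.search(r"(.)\1\1", pw):
        return "repeats a character three times"
    return None


def suggest(brackets: str = "") -> str:
    """A suggestion in the article's shape: NN + three Consonant-vowel syllables + NN.

    Pass brackets="<>" (or "()", "[]", "{}") to wrap it, as the article proposes.
    """
    while True:
        syllables = "".join(secrets.choice(CONSONANTS).upper() + secrets.choice(VOWELS)
                            for _ in range(3))
        pw = "%02d%s%02d" % (secrets.randbelow(90) + 10, syllables, secrets.randbelow(90) + 10)
        if brackets:
            pw = brackets[0] + pw + brackets[1]
        if is_weak(pw) is None:                  # regenerate if it accidentally spells a word
            return pw


def suggestion_entropy_bits(brackets: bool = False) -> float:
    """How many guesses the scheme really forces, if the attacker knows the scheme."""
    space = 90 * 90 * (len(CONSONANTS) * len(VOWELS)) ** 3
    if brackets:
        space *= 4                               # four bracket pairs to choose from
    return math.log2(space)


def hash_password(pw: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store a salted, slow, one-way hash; the password itself is never kept."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for candidate in ("MyPassword@2019", "abcd123456", "21MyDuTe88", suggest("<>")):
        print("%-20s %s" % (candidate, is_weak(candidate) or "accepted"))
    print("entropy of a suggestion: %.1f bits" % suggestion_entropy_bits())
    record = hash_password("21MyDuTe88")
    print(record)
    print(verify_password("21MyDuTe88", record), verify_password("21MyDuTe89", record))
```

The entropy function is the honest part: about 32 bits without brackets and about 34 with them. That is fine against an attacker who has to go through your login page and its lockout, and it is the slow hash, not the password shape, that keeps an attacker who walked off with the table from trying all of those in an afternoon.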

Back in the 70’s there was a popular comedy act called the Firesign Theatre. They had a hilarious album of radio-theatre like skits called Everything You Know Is Wrong. Well, in this bizarro world we find ourselves in today, that really is becoming true. All the traditional methods we’ve been applying against the hackers are not wrong, really, so much as outdated and grossly inadequate. They are no longer Right. It is time to change our strategy to add the Obfuscation Layer.

This movement will breed a new industry within Cyber and IT. New consultants, developers, programmers and analysts. Yes, substantial sums will be spent designing and tailoring Obfuscation strategies for our companies and government. It will take a while, but we have to get started. As for cost, if the offset is a half trillion dollars a year in lost American dollars, it will be money well spent. More to the point, our American dollars stay in our pocket, paying American people to protect American data and depriving 17-year-old kids and state-sponsored hacking groups of their ill-gotten gains.

Obfuscation. It is the way we find ourselves out of this quagmire so that IT departments, inventors, investors, financiers and workers can get back to doing what we do best, making the best, most innovative products in the world.

Sources:
(1) https://www.inc.com/will-yakowicz/cyberattacks-cost-companies-400-billion-each-year.html
(2) https://www.inc.com/will-yakowicz/cyberattacks-cost-companies-400-billion-each-year.html
(3) https://www.thebalance.com/nasa-budget-current-funding-and-history-3306321


Kent Hartland

Semi-retired software developer, inventor, jeweler, knife maker, writer. I like tools that help me make things and people that listen to ideas.