<?xml version="1.0" encoding="UTF-8" standalone="no"?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><rss xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" version="2.0"><channel><title>SmarTown™</title><description>SmarTown™ independently researches information on cyber breaches and advances in cyber security technologies designed to protect critical infrastructure. Topics focus on solutions for securing utility, power grid, transportation, gas and oil applications. This blog features articles from cyber security expert Larry Karisny with reports from top security specialists around the world. To continue the quality of this unbiased and thoroughly researched information please  donate and comment.</description><managingEditor>noreply@blogger.com (Anonymous)</managingEditor><pubDate>Wed, 28 Aug 2024 06:13:12 -0400</pubDate><generator>Blogger http://www.blogger.com</generator><openSearch:totalResults xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">55</openSearch:totalResults><openSearch:startIndex xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">1</openSearch:startIndex><openSearch:itemsPerPage xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">25</openSearch:itemsPerPage><link>http://stpete-smartown.blogspot.com/</link><language>en-us</language><itunes:explicit>no</itunes:explicit><itunes:summary>SmarTown™ independently researches information on cyber breaches and advances in cyber security technologies designed to protect critical infrastructure. Topics focus on solutions for securing utility, power grid, transportation, gas and oil applications. This blog features articles from cyber security expert Larry Karisny with reports from top security specialists around the world. 
To continue the quality of this unbiased and thoroughly researched information please donate and comment.</itunes:summary><itunes:subtitle>SmarTown™ independently researches information on cyber breaches and advances in cyber security technologies designed to protect critical infrastructure. Topics focus on solutions for securing utility, power grid, transportation, gas and oil applications.</itunes:subtitle><itunes:owner><itunes:email>noreply@blogger.com</itunes:email></itunes:owner><item><title>Are We Looking at Our Last Chance to Get IoT Security Right?</title><link>http://stpete-smartown.blogspot.com/2018/05/are-we-looking-at-our-last-chance-to.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Tue, 15 May 2018 13:49:00 -0400</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-4514469082439042250</guid><description>&lt;div id="article_header" style="background-color: white; box-sizing: border-box; color: #333333; font-family: &amp;quot;Helvetica Neue&amp;quot;, Helvetica, Arial, sans-serif; margin-bottom: 30px;"&gt;
&lt;h1 style="box-sizing: border-box; color: inherit; font-family: ProximaNovaBold; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: normal; line-height: 36px; margin: 5px 0px 10px;"&gt;
&lt;span style="font-size: large;"&gt;&lt;i&gt;The Internet of Things is growing and so is the risk of exploitation.&lt;/i&gt;&lt;/span&gt;&lt;/h1&gt;
&lt;/div&gt;
&lt;div class="row" id="article_body" style="background-color: white; box-sizing: border-box; color: #333333; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: 1.55em; margin-left: -15px; margin-right: -15px;"&gt;
&lt;div class="col-md-10" style="box-sizing: border-box; float: left; min-height: 1px; padding-left: 15px; padding-right: 15px; position: relative; width: 650px;"&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;Time is running out on setting security standards for the Internet of Things. The President’s National Security Telecommunications Advisory Committee (NSTAC) has examined the cybersecurity implications of IoT and has determined that there is a small — and rapidly closing — window to ensure that IoT is adopted in a way that maximizes security and minimizes risk&lt;span style="font-size: large;"&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;While the adoption of IoT is increasing in both speed and scope, and will impact virtually all sectors of our society, NSTAC warns that if the country fails to develop and use security standards, “it will be coping with the consequences for generations.”&lt;/span&gt;&lt;/div&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;The President’s Commission on Enhancing National Cybersecurity reached a similar conclusion: “The IoT facilitates linking an incredible range of devices and products to each other and the world. Although this connectivity has the potential to revolutionize most industries and many facets of everyday life, the possible harm that malicious actors could cause by exploiting these technologies to gain access to parts of our critical infrastructure, given the current state of cybersecurity, is immense.”&lt;/span&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;&lt;span style="color: inherit; font-family: proximanovabold; text-transform: uppercase;"&gt;&lt;br /&gt;IOT SECURITY IS A PUBLIC, PRIVATE AND INTERNATIONAL CONCERN&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;To reduce such risks, the National Institute of Standards and Technology (NIST) Draft&amp;nbsp;&lt;a href="https://csrc.nist.gov/publications/detail/nistir/8200/draft" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;"&gt;&lt;span style="-webkit-text-stroke-color: rgb(5, 99, 193); box-sizing: border-box; color: #0563c1;"&gt;NISTIR 8200 Report&lt;/span&gt;&lt;/a&gt;&amp;nbsp;has kept the door wide open for private-sector comments for developing much needed global IoT security standards. With IoT breaches increasing constantly, this comment request may have been just in time.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;IoT is everywhere and, if exploited by hackers or terrorists, could cause physical damage, including critical infrastructure devastation, human harm or even death.&amp;nbsp;This puts standards groups in the precarious position of requiring international agreements on how to address IoT security on a global basis.&lt;/span&gt;&lt;/div&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;There is an added concern with the interaction of IoT processes and unseen machine actions. For example, Intrusion Prevention System (IPS) security requires specialized authentication, validation, encryption and process management capabilities that are not necessarily possible under current cybersecurity standards.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;In encryption alone, two issues repeatedly come up, according to NIST. First, IoT has limited processor and memory space that restricts high-end encryption hardening while extending connectivity to millions of new system process endpoints. Second, current authentication and encryption technologies were not designed to be implemented under these criteria.&lt;/span&gt;&lt;/div&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;IoT offers deeper learning, systems actions and connectivity, which in turn requires security methodologies that can interoperate across all systems.&amp;nbsp;These needed capabilities require security methodologies that can operate effectively across all hardware, network, protocol and software platforms with the added processor limitations and multi-protocol requirements of IoT.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;Securing IoT is a tall order. The&amp;nbsp;&lt;a href="https://www.nist.gov/itl/comments-draft-nistir-8200" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;"&gt;&lt;span style="-webkit-text-stroke-color: rgb(5, 99, 193); box-sizing: border-box; color: #0563c1;"&gt;comments on the NIST Draft&lt;/span&gt;&lt;/a&gt;&amp;nbsp;show changes need to be made in existing standards with the potential of deploying completely disruptive cybersecurity technologies to achieve IoT security. &amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;h3 style="box-sizing: border-box; color: inherit; font-family: proximanovabold; font-weight: 500; line-height: 1.1; margin-bottom: 10px; margin-top: 20px; padding-top: 20px; text-transform: uppercase;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;&lt;span style="font-size: small;"&gt;CAN IOT SECURITY FIX ALL CYBERSECURITY?&lt;/span&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;IoT security is not typical security. It sometimes adds an entire layer of process events to an already complex operating system.&amp;nbsp;Many processing systems already have security issues.&amp;nbsp;Adding IoT to them could open additional weaknesses.&amp;nbsp;This is the “weakest link” scenario, in which the smallest IoT device could cause catastrophic consequences.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;There is an advantage to learning how to secure IoT. If a small IoT action can be secured at the processor level of an operating system, then the same techniques that require low overhead millisecond security can be used in a variety of system process applications. IoT security could be the learning process needed in achieving complete system process security.&amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;Finding the answer to IoT security requirements isn’t easy.&amp;nbsp;The physical application of IoT requires many different human and machine security authentications while extending process intelligence and events throughout the system. This extension is often connected to system processes that already have security concerns, such as cloud applications and even locally isolated IoT ecosystems used in DDoS attacks. Obtaining a solid IoT security platform could be a road map in addressing all forms of cybersecurity. From encryption hardening to deep process learning, if you can secure IoT you can secure anything.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;h3 style="box-sizing: border-box; color: inherit; font-family: proximanovabold; font-weight: 500; line-height: 1.1; margin-bottom: 10px; margin-top: 20px; padding-top: 20px; text-transform: uppercase;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;&lt;span style="font-size: small;"&gt;NOW IS THE TIME TO GET IOT SECURITY RIGHT&lt;/span&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;The&amp;nbsp;&lt;a href="https://csrc.nist.gov/publications/detail/nistir/8200/draft" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;"&gt;&lt;span style="-webkit-text-stroke-color: rgb(5, 99, 193); box-sizing: border-box; color: #0563c1;"&gt;Interagency International Cybersecurity Standardization Working Group&lt;/span&gt;&lt;/a&gt;&amp;nbsp;offers an interesting direction for national and international standards evaluation of IoT.&amp;nbsp;Global public- and private-sector IoT applications could be greatly affected in IoT cyber-attacks. This presents NIST with the daunting task of addressing the best technological solution for IoT security while still addressing the political and corporate influence already in existing cybersecurity standards.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;With the private sector pointing to&amp;nbsp;&lt;a href="https://blogs.gartner.com/earl-perkins/2017/12/07/the-death-of-iot-security-as-you-know-it/" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;"&gt;&lt;span style="-webkit-text-stroke-color: rgb(5, 99, 193); box-sizing: border-box; color: #0563c1;"&gt;big problems with IoT security&lt;/span&gt;&lt;/a&gt;&amp;nbsp;and&amp;nbsp;&lt;a href="https://www.schneier.com/blog/archives/2018/04/two_nsa_algorit.html" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;"&gt;&lt;span style="-webkit-text-stroke-color: rgb(5, 99, 193); box-sizing: border-box; color: #0563c1;"&gt;the International Organization for Standardization (ISO) rejecting NSA IoT encryption algorithms&lt;/span&gt;&lt;/a&gt;, this could be the time for getting IoT security right.&lt;span style="box-sizing: border-box; font-weight: 700;"&gt;&lt;i style="box-sizing: border-box;"&gt;&amp;nbsp;&lt;/i&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="box-sizing: border-box;"&gt;It could happen through government guidelines and regulations involving global standards bodies, such as&amp;nbsp;&lt;a href="https://www.odva.org/About-ODVA" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;"&gt;&lt;span style="-webkit-text-stroke-color: rgb(102, 94, 208); box-sizing: border-box; color: #665ed0;"&gt;ODVA&lt;/span&gt;&lt;/a&gt;,&amp;nbsp;&lt;a href="https://opcfoundation.org/about/what-is-opc/" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;"&gt;&lt;span style="-webkit-text-stroke-color: rgb(102, 94, 208); box-sizing: border-box; color: 
#665ed0;"&gt;OPC&lt;/span&gt;&lt;/a&gt;&amp;nbsp;and&amp;nbsp;&lt;a href="https://www.isa.org/" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;"&gt;&lt;span style="-webkit-text-stroke-color: rgb(102, 94, 208); box-sizing: border-box; color: #665ed0;"&gt;ISA&lt;/span&gt;&lt;/a&gt;; or it could happen through industry groups, such as&amp;nbsp;&lt;a href="https://www.ietf.org/" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;"&gt;&lt;span style="-webkit-text-stroke-color: rgb(102, 94, 208); box-sizing: border-box; color: #665ed0;"&gt;the Internet Engineering Task Force&lt;/span&gt;&lt;/a&gt;&amp;nbsp;(IETF), the&amp;nbsp;&lt;a href="http://www.iiconsortium.org/" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;"&gt;&lt;span style="-webkit-text-stroke-color: rgb(102, 94, 208); box-sizing: border-box; color: #665ed0;"&gt;Industrial Internet Consortium&lt;/span&gt;&lt;/a&gt;&amp;nbsp;(IIC) security working group, or&amp;nbsp;&lt;a href="https://www.ieee.org/about/index.html" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;"&gt;&lt;span style="-webkit-text-stroke-color: rgb(102, 94, 208); box-sizing: border-box; color: #665ed0;"&gt;IEEE&lt;/span&gt;&lt;/a&gt;. The world understands the importance of securing IoT devices and systems, and NIST is in the forefront of this need.&lt;/span&gt;&lt;/div&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;Now starts the hard work. We need to get these standards right, and fast. IoT security answers many of the existing problems that multiple cyberdefense systems can’t answer on their own. Data at rest, motion signature and key algorithms are all vulnerable to attack. So, too, is key and signature theft under current security technologies. These same signatures and keys multiplied by billions of IoT devices cannot be managed. Viewing and validating the smallest digital event must be addressed with a speed and accuracy that’s never been available in current cyberdefense technologies.&lt;/span&gt;&lt;/div&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;Security environments already have scalability, monitoring, management and cost issues. IoT offers a whole new extended endpoint in processes that will require deeper and more easily managed monitoring and security methodologies. IoT security experts must find a way that allows this to be done in the deepest, most complex systems while adding needed process security simplicity.&lt;/span&gt;&lt;/div&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;This may require a different way of thinking in an industry that is reaching a level of complexity and employment it can no longer sustain.&amp;nbsp;The&amp;nbsp;&lt;a href="https://www.nist.gov/itl/comments-draft-nistir-8200" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;"&gt;&lt;span style="-webkit-text-stroke-color: rgb(5, 99, 193); box-sizing: border-box; color: #0563c1;"&gt;comments section of the NIST Draft&lt;/span&gt;&lt;/a&gt;&amp;nbsp;offers an opportunity to respond to these IoT security needs in a public- and private-sector forum. Both sectors need to participate and collaborate in addressing the global requirements of IoT security. &amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;h3 style="box-sizing: border-box; color: inherit; font-family: proximanovabold; font-weight: 500; line-height: 1.1; margin-bottom: 10px; margin-top: 20px; padding-top: 20px; text-transform: uppercase;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;&lt;span style="font-size: small;"&gt;STANDARDS ON STEROIDS&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/h3&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;Public- and private-sector participation in cybersecurity needs to continue.&amp;nbsp;We all will gain by working together on this issue. There is no better picture of this than securing IoT. In fact, it requires international cooperation in many applications while still offering unique or even proprietary requirements for national defense and critical infrastructure.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;There must be a balance of authentication, privacy and security on both the human and machine level. We no longer can afford to use Band-Aids on legacy security standards. We must search for and deploy security designs that don’t delay but fix the problem. By choosing the right capability, we can address this.&lt;/span&gt;&lt;/div&gt;
&lt;div style="box-sizing: border-box; margin-bottom: 18px;"&gt;
&lt;span style="box-sizing: border-box; font-kerning: none;"&gt;IoT&amp;nbsp;&lt;a href="https://www.zdnet.com/article/most-it-professionals-fear-iot-cyber-attacks-new-research-suggests-few-are-doing-anything-about/" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;"&gt;&lt;span style="-webkit-text-stroke-color: rgb(5, 99, 193); box-sizing: border-box; color: #0563c1;"&gt;has the worst security record in the industry&lt;/span&gt;&lt;/a&gt;&amp;nbsp;and little has been done about it. We need to find a different way of getting the job done if we are to catch up in the race to cyberdefense. IoT’s vulnerabilities have forced standards groups like NIST to think outside the box of tweaking old standards and move into a whole new proof-of-concept era. We need to catch up in cyberdefense technologies, and a public-private collaborative approach just may be the answer. We have been given the opportunity. We must now turn the opportunity into action.&lt;/span&gt;&lt;span style="box-sizing: border-box; font-kerning: none; font-size: 1.3em;"&gt;&lt;br style="box-sizing: border-box;" /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="after-author-bar" style="box-sizing: border-box; font-family: proximanovaregular; font-size: 0.8em; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: 1.3em; margin-top: 30px;"&gt;
&lt;div class="author-meta" style="box-sizing: border-box;"&gt;
&lt;a class="author-name" href="http://www.govtech.com/authors/Larry-Karisny.html" style="background-color: transparent; box-sizing: border-box; color: #f47421; font-size: 1.2em; text-decoration-line: none; transition: color 0.25s ease;"&gt;Larry Karisny&lt;/a&gt;&amp;nbsp;&lt;span class="author-title" style="box-sizing: border-box; font-size: 1.2em;"&gt;&lt;/span&gt;&lt;hr style="border-bottom-color: initial; border-bottom-style: initial; border-image: initial; border-left-color: initial; border-left-style: initial; border-right-color: initial; border-right-style: initial; border-top-color: rgb(191, 191, 191); border-top-style: solid; border-width: 2px 0px 0px; box-sizing: content-box; height: 0px; margin: 5px 0px;" /&gt;
&lt;div style="border-bottom: 1px solid rgb(191, 191, 191); box-sizing: border-box; margin-bottom: 10px; padding-bottom: 5px;"&gt;
Larry Karisny is the director of&amp;nbsp;&lt;a href="http://project%20safety.org/" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;"&gt;Project Safety.org&lt;/a&gt;, an advisor, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors.&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>IoT Is Changing the Cybersecurity Industry</title><link>http://stpete-smartown.blogspot.com/2018/01/iot-is-changing-cybersecurity-industry.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Fri, 19 Jan 2018 10:53:00 -0500</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-8629629723942735119</guid><description>&lt;div id="article_header" style="background-color: white; box-sizing: border-box; color: #333333; font-family: &amp;quot;Helvetica Neue&amp;quot;, Helvetica, Arial, sans-serif; font-size: 14px; margin-bottom: 30px;"&gt;
&lt;h3 style="box-sizing: border-box; color: inherit; font-family: georgia, serif; font-size: 1.2em; font-stretch: normal; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: normal; line-height: 24px; margin-bottom: 10px; margin-top: 5px;"&gt;
Despite a less-than-stellar record to this point, the Internet of Things space is forcing companies to think holistically about the security behind their devices.&lt;/h3&gt;
&lt;h5 class="author-detail" style="background-color: #ebedef; box-sizing: border-box; color: inherit; font-family: arial; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: normal; line-height: 14px; margin-bottom: 10px; margin-top: 10px; padding: 6px 10px; text-transform: uppercase;"&gt;
&lt;span class="author" style="box-sizing: border-box; font-weight: 600; line-height: 18px;"&gt;BY&amp;nbsp;&lt;a href="http://www.govtech.com/authors/Larry-Karisny.html" rel="author" style="background-color: transparent; box-sizing: border-box; color: #1d1d1d; text-decoration-line: none; transition: color 0.25s ease;"&gt;LARRY KARISNY&lt;/a&gt;&amp;nbsp;&lt;/span&gt;&lt;span class="orange-highlight" style="box-sizing: border-box; color: #f47421;"&gt;/&amp;nbsp;&lt;/span&gt;&lt;span class="date" style="box-sizing: border-box;"&gt;JANUARY 16, 2018&lt;/span&gt;&lt;div class="clearfix" style="box-sizing: border-box;"&gt;
&lt;/div&gt;
&lt;/h5&gt;
&lt;div id="feature_image" style="box-sizing: border-box;"&gt;
&lt;span style="font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 1.3em;"&gt;It’s odd that the Internet of Things (IoT) industry — an industry with a dismal record of cyberbreaches — would be the one moving cybersecurity forward, but that is exactly what is happening. With regulation looming and the bad press from recent breaches, there is no longer a choice: Better IoT security is a must. I will be speaking at the&amp;nbsp;&lt;/span&gt;&lt;a href="http://www.iotevolutionexpo.com/east/" style="background-color: transparent; box-sizing: border-box; color: #f47421; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 1.3em; text-decoration-line: none; transition: color 0.25s ease;"&gt;IoT Evolution Expo&lt;/a&gt;&lt;span style="font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 1.3em;"&gt;&amp;nbsp;&lt;/span&gt;&lt;span style="font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 1.3em;"&gt;in Orlando this month on this very subject, and thought I'd give you a sneak peek.&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div id="feature_image" style="box-sizing: border-box;"&gt;
&lt;span style="color: inherit; font-family: inherit; font-size: 24px;"&gt;IoT Security Gets a Failing Grade&lt;/span&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="row" id="article_body" style="background-color: white; box-sizing: border-box; color: #333333; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 1.3em; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: 1.55em; margin-left: -15px; margin-right: -15px;"&gt;
&lt;div class="col-md-10" style="box-sizing: border-box; float: left; min-height: 1px; padding-left: 15px; padding-right: 15px; position: relative; width: 650px;"&gt;
&lt;div style="box-sizing: border-box;"&gt;
&lt;div style="box-sizing: border-box;"&gt;
If I remember correctly, 50 percent is a failing grade and yet,&amp;nbsp;&lt;a href="http://www.iotevolutionworld.com/iot/articles/432498-new-survey-says-half-us-companies-using-iot.htm" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;"&gt;nearly 50 percent&lt;/a&gt;&amp;nbsp;of IoT companies reported some type of security breach in recent memory. This shocking reality confirms that something needs to be done to improve IoT cyberdefense — and quickly. I cover a lot of areas in cybersecurity and know of no other industry with such a bad track record of breaches. Though these hacks expose data, not all of it has value. Sometimes an IoT hack garners useless data and offers no intelligence to use in an exploit, denial of service or machine control attack. The better news is that there are, at last, cyberdefenses coming to market that can address the need for solid IoT security.&lt;/div&gt;
&lt;h3 style="box-sizing: border-box; color: inherit; font-family: inherit; font-size: 24px; font-weight: 500; line-height: 1.1; margin-bottom: 10px; margin-top: 20px;"&gt;
New Cyberdefense Technologies Needed for IoT&lt;/h3&gt;
&lt;div style="box-sizing: border-box;"&gt;
IoT is different and has the potential to change everything. It is the new extended edge that allows unprecedented applications and intelligence with tremendous economics and accuracy. These tiny devices are the next step in physical artificial intelligence (AI). I stress “physical.” They are out in the real world telling both people and machines what they need to know and need to do. If hacked, they can manipulate or destroy physical things with impacts that can extend to entire economies or, worse, cause loss of life. IoT is not just a database. IoT is an actuator in the physical world that must be authenticated, validated and secured or risk the potential for very real danger.&lt;/div&gt;
&lt;h3 style="box-sizing: border-box; color: inherit; font-family: inherit; font-size: 24px; font-weight: 500; line-height: 1.1; margin-bottom: 10px; margin-top: 20px;"&gt;
Deep IoT Needs Deep Security&amp;nbsp;&lt;/h3&gt;
&lt;div style="box-sizing: border-box;"&gt;
There’s no room for standard encryption file sizes or even simple processor update patches in IoT. These tiny devices were built around minimal battery life that required tiny low-powered processors with minimal flash memory. This limitation has pushed the entire cybersecurity industry to rethink how we currently secure all digital technologies. We are beginning to see the successful deployment of these new security technologies today. If we are going to have deep learning in artificial intelligence and IoT we need to have deep security as well. IoT is pushing new security technologies toward achieving this goal.&lt;/div&gt;
&lt;h3 style="box-sizing: border-box; color: inherit; font-family: inherit; font-size: 24px; font-weight: 500; line-height: 1.1; margin-bottom: 10px; margin-top: 20px;"&gt;
The Enhanced Blockchain IoT Security Fit&lt;/h3&gt;
&lt;div style="box-sizing: border-box;"&gt;
Today’s centralized security models require high infrastructure and maintenance costs associated with centralized clouds, large server farms and networking equipment. The sheer amount of communications that will have to be handled when IoT devices grow into the tens of billions will create bottlenecks and points of failure that can disrupt the entire network. Decentralized blockchain technologies could address these limitations, though blockchain alone is not a complete solution. As a principal in a company offering enhanced blockchain security, I am aware that blockchain alone is promising, but it is not the total answer. Just like current layered security architectures today, what we need in blockchain is a secure and safe IoT where privacy is protected. Enhanced blockchain-layered security technologies can offer this.&lt;/div&gt;
&lt;h3 style="box-sizing: border-box; color: inherit; font-family: inherit; font-size: 24px; font-weight: 500; line-height: 1.1; margin-bottom: 10px; margin-top: 20px;"&gt;
Revolutionize or Regulate&lt;/h3&gt;
&lt;div style="box-sizing: border-box;"&gt;
It is always better to self-regulate, and I hope the IoT industry gets that opportunity to find security solutions on its own. In working with cybersecurity entrepreneurs, I find that compliance and regulation seem to never catch up to the pace required by cyberdefense technologies. Billions were spent in security compliance of the smart grid. And while these security guidelines have value, at the end of the day, compliance does not mean you are secure. Hackers change things daily while compliance recommendations can take years. Cyberdefense needs to be more proactive, as do the mature, working technologies that need to be used.&lt;/div&gt;
&lt;h3 style="box-sizing: border-box; color: inherit; font-family: inherit; font-size: 24px; font-weight: 500; line-height: 1.1; margin-bottom: 10px; margin-top: 20px;"&gt;
Preparing for Post-Quantum&lt;/h3&gt;
&lt;div style="box-sizing: border-box;"&gt;
Quantum computing and IoT have a very bright future. I stress “future” because there are a lot of issues that need to be addressed prior to quantum computing and IoT working together. Quantum computing in the short term, though, will have the processing power to crack any static encryption algorithm. Solutions of more complex encryption algorithms with larger file sizes will work for IoT or really any other industry. In my last article,&amp;nbsp;&lt;em style="box-sizing: border-box;"&gt;&lt;a href="http://www.govtech.com/security/Is-Cybersecurity-Encryption-Ready-to-Break.html" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;"&gt;Is Cybersecurity Encryption Ready to Break?&lt;/a&gt;&lt;/em&gt;, I discussed the importance of looking for new low-overhead encryption technologies.&lt;/div&gt;
&lt;h3 style="box-sizing: border-box; color: inherit; font-family: inherit; font-size: 24px; font-weight: 500; line-height: 1.1; margin-bottom: 10px; margin-top: 20px;"&gt;
The IoT Security Opportunity&lt;/h3&gt;
&lt;div style="box-sizing: border-box;"&gt;
IoT suppliers that have a future will be the ones that invest in the security of their products. Even venture capital startups are clearly aware that they need to secure their IoT applications. If they do not, they could lose customers, spend money on regulatory issues or, worse yet, be involved in legal action against them. The smart IoT suppliers are embracing security and advertising it, even if it involves a premium price. They are beginning to find that customers will pay the premium. There are even IoT enterprise, managed services and cloud computing companies getting into the game offering their own solutions. IoT security is not a matter of choice anymore, it is a requirement.&lt;/div&gt;
&lt;div style="box-sizing: border-box;"&gt;
&lt;em style="box-sizing: border-box;"&gt;Larry Karisny is the director of&amp;nbsp;&lt;a href="https://www.projectsafety.org/" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;"&gt;ProjectSafety.org&lt;/a&gt;, an adviser, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors.&lt;/em&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title/><link>http://stpete-smartown.blogspot.com/2017/10/is-cybersecurity-encryption-ready-to.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Tue, 17 Oct 2017 15:17:00 -0400</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-229248537647155681</guid><description>&lt;h1 style="background-color: white; box-sizing: border-box; color: #333333; font-family: ProximaNovaBold; font-size: 32px; font-stretch: normal; font-weight: normal; line-height: 36px; margin: 5px 0px 10px;"&gt;
Is Cybersecurity Encryption Ready to Break?&lt;/h1&gt;
&lt;h3 style="background-color: white; box-sizing: border-box; color: #333333; font-family: georgia, serif; font-size: 1.2em; font-stretch: normal; font-style: italic; font-weight: normal; line-height: 24px; margin-bottom: 10px; margin-top: 5px;"&gt;
Cyberattacks are already bad today. But what if all encryption didn’t work? We are reaching a point now where global adversaries can crack encryption, and will be able to crack all encryption in the near future.&lt;/h3&gt;
&lt;h5 class="author-detail" style="background-color: #ebedef; box-sizing: border-box; color: #333333; font-family: arial; font-size: 12px; font-stretch: normal; font-weight: normal; line-height: 14px; margin-bottom: 10px; margin-top: 10px; padding: 6px 10px; text-transform: uppercase;"&gt;
&lt;span class="author" style="box-sizing: border-box; font-weight: 600; line-height: 18px;"&gt;BY&amp;nbsp;&lt;a href="http://www.govtech.com/authors/Larry-Karisny.html" rel="author" style="background-color: transparent; box-sizing: border-box; color: #1d1d1d; text-decoration-line: none; transition: color 0.25s ease;"&gt;LARRY KARISNY&lt;/a&gt;&amp;nbsp;&lt;/span&gt;&lt;span class="orange-highlight" style="box-sizing: border-box; color: #f47421;"&gt;/&amp;nbsp;&lt;/span&gt;&lt;span class="date" style="box-sizing: border-box;"&gt;OCTOBER 6, 2017&lt;/span&gt;&lt;div class="clearfix" style="box-sizing: border-box;"&gt;
&lt;/div&gt;
&lt;/h5&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZjKhOg4Mi7qDjG1jpGjdLdzx35pG3XJgJ1XmIrrwxsFIevv67Ps-GwEdYqOYXtRjyNDniA9fwFFEkUo7l-1tnliUKyNa-7Lw4tFyJ5tQWG8X-7J17L4PFUHQQsbqPYLStUFXj/s1600/SHUTTERSTOCK_CRYPTOGRAPHER_CODE_BREAKER.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="627" data-original-width="940" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZjKhOg4Mi7qDjG1jpGjdLdzx35pG3XJgJ1XmIrrwxsFIevv67Ps-GwEdYqOYXtRjyNDniA9fwFFEkUo7l-1tnliUKyNa-7Lw4tFyJ5tQWG8X-7J17L4PFUHQQsbqPYLStUFXj/s320/SHUTTERSTOCK_CRYPTOGRAPHER_CODE_BREAKER.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;h1 style="background-color: white; box-sizing: border-box; color: #333333; font-family: ProximaNovaBold; font-size: 32px; font-stretch: normal; font-weight: normal; line-height: 36px; margin: 5px 0px 10px;"&gt;
&lt;div id="feature_image" style="box-sizing: border-box; font-family: &amp;quot;Helvetica Neue&amp;quot;, Helvetica, Arial, sans-serif; font-size: 14px;"&gt;
&lt;span class="caption" style="box-sizing: border-box; font-family: &amp;quot;georgia&amp;quot; , &amp;quot;times new roman&amp;quot; , &amp;quot;times&amp;quot; , serif; font-size: 1em; font-stretch: normal; font-style: italic; line-height: 1.1em;"&gt;&lt;/span&gt;&lt;span class="credit" style="box-sizing: border-box; color: #737373; float: right; font-family: &amp;quot;proximanovaregular&amp;quot;; font-size: 0.9em; font-stretch: normal; line-height: 20px; text-transform: uppercase;"&gt;&lt;a href="https://www.shutterstock.com/image-photo/rotor-machine-enigma-encrypting-decrypting-secret-585312218" style="background-color: transparent; box-sizing: border-box; color: #1d1d1d; text-decoration-line: none; transition: color 0.25s ease;" target="_blank"&gt;SHUTTERSTOCK/CREATIVE-MATERIAL&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;
&lt;/h1&gt;
&lt;div&gt;
&lt;h3 style="background-color: white; box-sizing: border-box; color: #333333; font-family: proximanovabold; font-size: 24px; font-weight: 500; line-height: 1.1; margin-bottom: 10px; margin-top: 20px; padding-top: 20px; text-transform: uppercase;"&gt;
TODAY'S CRYPTO DILEMMA&lt;/h3&gt;
&lt;div style="background-color: white; box-sizing: border-box; color: #333333; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 18.2px; margin-bottom: 18px;"&gt;
From mismanaged encryption keys and system errors to eventual crypto cracking, Public Key Infrastructure (PKI) encryption has become increasingly difficult to maintain as the need for these encryption services increases exponentially.&lt;/div&gt;
&lt;div style="background-color: white; box-sizing: border-box; color: #333333; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 18.2px; margin-bottom: 18px;"&gt;
Security adviser&amp;nbsp;&lt;a href="https://www.csoonline.com/author/Roger-A.-Grimes/" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;" target="_blank"&gt;Roger A. Grimes&lt;/a&gt;&amp;nbsp;has been installing PKIs for private and public companies for more than two decades. In a 2015&amp;nbsp;&lt;em style="box-sizing: border-box;"&gt;CSO&amp;nbsp;&lt;/em&gt;article,&amp;nbsp;&lt;a href="https://www.csoonline.com/article/2942072/security/4-fatal-problems-with-pki.html" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;" target="_blank"&gt;&lt;em style="box-sizing: border-box;"&gt;4 Fatal Problems with PKI&lt;/em&gt;&lt;/a&gt;&lt;em style="box-sizing: border-box;"&gt;,&lt;/em&gt;&amp;nbsp;he discussed why PKI has too many moving parts. Even when it works perfectly, it doesn't solve the biggest security problems. Eventually it will stop working forever.&lt;/div&gt;
&lt;div style="background-color: white; box-sizing: border-box; color: #333333; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 18.2px; margin-bottom: 18px;"&gt;
The complexities of these systems require the deployment and management of certificates, registration authority, directory management, digital signatures, key protocols and key validation. These systems are so complex that they are seldom installed properly and have so many errors that system operators often ignore them.&amp;nbsp;&amp;nbsp;&lt;/div&gt;
&lt;div style="background-color: white; box-sizing: border-box; color: #333333; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 18.2px; margin-bottom: 18px;"&gt;
In addition, Internet of Things (IoT) security providers are finding that PKI may work in Web applications but clearly was not designed for IoT devices. IoT processors are often so small that they don’t have the ability to update key certificates or embed any type of encryption at all. With encryption file sizes constantly increasing and the number of IoT connections reaching the billions, PKI encryption is effectively dead for IoT.&lt;/div&gt;
&lt;h3 style="background-color: white; box-sizing: border-box; color: #333333; font-family: proximanovabold; font-size: 24px; font-weight: 500; line-height: 1.1; margin-bottom: 10px; margin-top: 20px; padding-top: 20px; text-transform: uppercase;"&gt;
POST-QUANTUM ENCRYPTION&lt;/h3&gt;
&lt;div style="background-color: white; box-sizing: border-box; color: #333333; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 18.2px; margin-bottom: 18px;"&gt;
With recent advances in quantum computing, there needs to be a focus on developing encryption that will not have its algorithms cracked, opening up a Pandora’s box of hacking.&amp;nbsp;&lt;/div&gt;
&lt;div style="background-color: white; box-sizing: border-box; color: #333333; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 18.2px; margin-bottom: 18px;"&gt;
The National Institute of Standards and Technology (NIST) has been studying this problem and is focusing on post-quantum encryption solution proposals still open in its&amp;nbsp;&lt;a href="http://csrc.nist.gov/groups/ST/post-quantum-crypto/" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;" target="_blank"&gt;Post-Quantum Cryptography project&lt;/a&gt;. Although it is great to see NIST understanding the urgency of this potential crypto-cracking dilemma, there are industry experts that disagree with their approach.&amp;nbsp;&lt;/div&gt;
&lt;div style="background-color: white; box-sizing: border-box; color: #333333; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 18.2px; margin-bottom: 18px;"&gt;
Recently there was an interesting debate among security industry professionals on the respected blog&amp;nbsp;&lt;a href="https://www.schneier.com/blog/about/" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;" target="_blank"&gt;Schneier on Security&lt;/a&gt;. It was in response to a&amp;nbsp;&lt;a href="https://www.schneier.com/blog/archives/2017/05/post-quantum_rs.html" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;" target="_blank"&gt;post&lt;/a&gt;&amp;nbsp;about a&amp;nbsp;&lt;a href="https://eprint.iacr.org/2017/351.pdf" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;" target="_blank"&gt;research paper&lt;/a&gt;&amp;nbsp;on&amp;nbsp;&lt;a href="http://searchsecurity.techtarget.com/definition/RSA" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;" target="_blank"&gt;RSA cryptography&lt;/a&gt;&amp;nbsp;after quantum computing.&lt;/div&gt;
&lt;div style="background-color: white; box-sizing: border-box; color: #333333; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 18.2px; margin-bottom: 18px;"&gt;
The researchers’ answer: Just make the encryption key algorithms bigger, more complex and more costly. How big? Using the calculations of the readers, a one-terabyte public key. Since IoT hardly has space for kilobytes, this is just not the direction to go. Not only will these resource-hogging crypto-algorithms take valuable processing space, they will also use network resources and take longer.&lt;/div&gt;
&lt;h3 style="background-color: white; box-sizing: border-box; color: #333333; font-family: proximanovabold; font-size: 24px; font-weight: 500; line-height: 1.1; margin-bottom: 10px; margin-top: 20px; padding-top: 20px; text-transform: uppercase;"&gt;
HACKING STATIC ENCRYPTION AND PATTERNS&lt;/h3&gt;
&lt;div style="background-color: white; box-sizing: border-box; color: #333333; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 18.2px; margin-bottom: 18px;"&gt;
Over the years I have reviewed hundreds of cybersecurity companies. The people that normally have the best solutions are the ones that already know the problems coming from current technologies. Sadly, they often need to wait until the problems come before they can get people’s attention and offer different solutions.&amp;nbsp;&lt;/div&gt;
&lt;div style="background-color: white; box-sizing: border-box; color: #333333; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 18.2px; margin-bottom: 18px;"&gt;
The real problem in current cryptography is the very thing that makes the technology work. A hacker can identify and exploit the encryption’s repeating processes to crack the system and take control. Today’s encryption algorithms are static in nature, repeating processes over and over. Their behaviors are expected. Patterns are anticipated. In fact, hackers today are using artificial intelligence to quickly define these patterns. This is why quantum and super-computing can hack current cryptology.&lt;/div&gt;
&lt;h3 style="background-color: white; box-sizing: border-box; color: #333333; font-family: proximanovabold; font-size: 24px; font-weight: 500; line-height: 1.1; margin-bottom: 10px; margin-top: 20px; padding-top: 20px; text-transform: uppercase;"&gt;
THE FIX?&lt;/h3&gt;
&lt;div style="background-color: white; box-sizing: border-box; color: #333333; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 18.2px; margin-bottom: 18px;"&gt;
There is a solution to this problem. Successfully accomplished, patented and deployed by a company called MerlinCryption, the Anti-Statistical Block Encryption (ASBE) leverages dynamic algorithmic complexity and employs stochastic randomization in many aspects of its encryption process. Because all output is variable, there is no static behavior to monitor.&amp;nbsp;&lt;/div&gt;
&lt;div style="background-color: white; box-sizing: border-box; color: #333333; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 18.2px; margin-bottom: 18px;"&gt;
The key word is variable. Even a quantum computer cannot crack this encryption that protects data as it is created, viewed, edited, shared, stored and moved across any communications channel or in the cloud. The key then vanishes after use, leaving no trace of the encryption process.&lt;/div&gt;
&lt;div style="background-color: white; box-sizing: border-box; color: #333333; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 18.2px; margin-bottom: 18px;"&gt;
Authentication is also an important part of security. Most authentication factors are based on something you know, something you have or something you are. Attackers can imitate the authentication rights of employees or systems to gain access and control. MerlinCryption has innovated a new fourth category of authentication factors using information that is temporary and always unique. These factors are not deterministic, but stochastic in nature.&amp;nbsp;&lt;/div&gt;
&lt;div style="background-color: white; box-sizing: border-box; color: #333333; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 18.2px; margin-bottom: 18px;"&gt;
Finally, MerlinCryption offers true end-to-end, person-to-processor and processor-to-processor encryption and authentication. Its smallest key is more than 10&lt;span style="box-sizing: border-box; font-size: 13.65px; line-height: 0; position: relative; top: -0.5em; vertical-align: baseline;"&gt;522&lt;/span&gt;&amp;nbsp;times stronger than&amp;nbsp;&lt;a href="https://en.wikipedia.org/wiki/Advanced_Encryption_Standard" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;" target="_blank"&gt;AES&lt;/a&gt;’s 256-bit key. There’s good news for IoT providers too. It offers a 58 KB Low Overhead Platform with a 284 KB Embedded Encryption Platform that can fit in the smallest microprocessors. Oh, it’s cheaper too. Not bad.&lt;/div&gt;
&lt;h3 style="background-color: white; box-sizing: border-box; color: #333333; font-family: proximanovabold; font-size: 24px; font-weight: 500; line-height: 1.1; margin-bottom: 10px; margin-top: 20px; padding-top: 20px; text-transform: uppercase;"&gt;
THE CLOCK IS TICKING&lt;/h3&gt;
&lt;div style="background-color: white; box-sizing: border-box; color: #333333; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 18.2px; margin-bottom: 18px;"&gt;
I seldom focus on encryption solutions because, as we are aware in the cybersecurity business, it addresses only a part of the problem. The potential of breaking all authentication and encryption is serious though. Allowing cyberattackers a wide-open cyberdefense without minimally hardening our systems would be catastrophic. It would allow cyberattackers to strike at will.&amp;nbsp;&lt;/div&gt;
&lt;div style="background-color: white; box-sizing: border-box; color: #333333; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 18.2px; margin-bottom: 18px;"&gt;
It’s nice to end an article discussing all the problems in a specific area of cybersecurity and then detailing immediate solutions available. The warnings we are getting from both the&amp;nbsp;&lt;a href="https://www.networkworld.com/article/3202767/internet-of-things/the-fight-to-defend-the-internet-of-things.html" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;" target="_blank"&gt;private&lt;/a&gt;&amp;nbsp;and&amp;nbsp;&lt;a href="https://www.govtechworks.com/iot-security-risks-begin-with-supply-chains/#gs.7GawG6w" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;" target="_blank"&gt;public&lt;/a&gt;&amp;nbsp;sector on IoT security issues are chilling. I will be&amp;nbsp;&lt;a href="http://www.iotevolutionexpo.com/east/" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;" target="_blank"&gt;speaking at a major IoT convention&lt;/a&gt;&amp;nbsp;about this very issue. The question is: Are we going to talk about it, or do it?&lt;/div&gt;
&lt;div style="background-color: white; box-sizing: border-box; color: #333333; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 18.2px; margin-bottom: 18px;"&gt;
&lt;em style="box-sizing: border-box;"&gt;Larry Karisny is the director of&amp;nbsp;&lt;a href="https://www.projectsafety.org/" style="background-color: transparent; box-sizing: border-box; color: #f47421; text-decoration-line: none; transition: color 0.25s ease;"&gt;ProjectSafety.org&lt;/a&gt;, an adviser, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors. He will be speaking at the IoT Evolution Expo in Orlando, Fla. on Thursday, Jan. 25, 2018 from 10-10:55 a.m. discussing IoT security strategies.&lt;/em&gt;&lt;/div&gt;
&lt;/div&gt;
</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZjKhOg4Mi7qDjG1jpGjdLdzx35pG3XJgJ1XmIrrwxsFIevv67Ps-GwEdYqOYXtRjyNDniA9fwFFEkUo7l-1tnliUKyNa-7Lw4tFyJ5tQWG8X-7J17L4PFUHQQsbqPYLStUFXj/s72-c/SHUTTERSTOCK_CRYPTOGRAPHER_CODE_BREAKER.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><enclosure length="363674" type="application/pdf" url="https://eprint.iacr.org/2017/351.pdf"/><itunes:explicit/><itunes:subtitle>Is Cybersecurity Encryption Ready to Break? Cyberattacks are already bad today. But what if all encryption didn’t work? We are reaching a point now where global adversaries can crack encryption, and will be able to crack all encryption in the near future. BY&amp;nbsp;LARRY KARISNY&amp;nbsp;/&amp;nbsp;OCTOBER 6, 2017 SHUTTERSTOCK/CREATIVE-MATERIAL TODAY'S CRYPTO DILEMMA From mismanaged encryptions keys and system errors to eventual crypto cracking, Public Key Infrastructure (PKI) encryption has increasingly become more difficult to maintain as the needs for these encryption services exponentially increase. Security adviser&amp;nbsp;Roger A. Grimes&amp;nbsp;has been installing PKIs for private and public companies for more than two decades. In a 2015&amp;nbsp;CSO&amp;nbsp;article,&amp;nbsp;4 Fatal Problems with PKI,&amp;nbsp;he discussed why PKI has too many moving parts. Even when it works perfectly, it doesn't solve the biggest security problems. Eventually it will stop working forever. The complexities of these systems require the deployment and management of certificates, registration authority, directory management, digital signatures, key protocols and key validation. 
These systems are so complex that they are seldom installed properly and have so many errors that system operators often ignore them.&amp;nbsp;&amp;nbsp; RELATED Industrial Control System Security: a Reliability Issue?Securing the Intellectual Property of Smart Grid SecuritySmart Grid Security: Generally Speaking, the World Doesn't End In addition, Internet of Things (IoT) security providers are finding that PKI may work in Web applications but clearly were not designed for IoT devices. IoT processors are often so small that they don’t have the ability to update key certificates or embed any type of encryption at all. With encryption file sizes constantly increasing and the number of IoT connections reaching the billions, PKI encryption is effectively dead for IoT.&amp;nbsp; POST-QUANTUM ENCRYPTION With recent advances in quantum computing, there needs to be a focus on developing encryption that will not have its algorithms cracked, opening up a Pandora’s box of hacking.&amp;nbsp; The National Institute of Standards and Technology (NIST) has been studying this problem and is focusing on post-quantum encryption solution proposals still open in its&amp;nbsp;Post-Quantum Cryptography project. Although it is great to see NIST understanding the urgency of this potential crypto-cracking dilemma, there are industry experts that disagree with their approach.&amp;nbsp; Recently there was an interesting debate among security industry professionals on the respected blog&amp;nbsp;Schneier on Security. It was in response to a&amp;nbsp;post&amp;nbsp;about a&amp;nbsp;research paper&amp;nbsp;on&amp;nbsp;RSA cryptography&amp;nbsp;after quantum computing. The researchers’ answer: Just make the encryption key algorithms bigger, more complex and more costly. How big? Using the calculations of the readers, a one-terabyte public key. Since IoT hardly has space for kilobytes, this is just not the direction to go. 
Not only will these resources hogging crypto-algorithms take valuable processing space, they will also use network resources and take longer. HACKING STATIC ENCRYPTION AND PATTERNS Over the years I have reviewed hundreds of cybersecurity companies. The people that normally have the best solutions are the ones that already know the problems coming from current technologies. Sadly, they often need to wait until the problems come before they can get people’s attention and offer different solutions.&amp;nbsp; The real problem in current cryptography is the very thing that makes the technology work. A hacker can identify and exploit the encryption repeating processes to crack the system and take control. Today’s encryption algorithms are static in nature, repeating processes over and over. Their behaviors are expected. Patterns are anticipated. In fact, hackers today are using artificial intelligence to quickly define these patterns. This is why quantum and super-computing can hack current cryptology. THE FIX? There is a solution to this problem. Successfully accomplished, patented and deployed by a company called MerlinCryption, the Anti-Statistical Block Encryption (ASBE) leverages dynamic algorithmic complexity and employs stochastic randomization in many aspects of its encryption process. Because all output is variable, there is no static behavior to monitor.&amp;nbsp; The key word is variable. Even a quantum computer cannot crack this encryption that protects data as it is created, viewed, edited, shared, stored and moved across any communications channel or in the cloud. The key then vanishes after use, leaving no trace of the encryption process. Authentication is also an important part of security. Most authentication factors are based on something you know, something you have or something you are. Attackers can imitate the authentication rights of employees or systems to gain access and control. 
MerlinCryption has innovated a new fourth category of authentication factors using information that is temporary and always unique. These factors are not deterministic, but stochastic in nature.&amp;nbsp; Finally, MerlinCryption offers true end-to-end, person-to-processor and processor-to-processor encryption and authentication. Its smallest key is more than 10522&amp;nbsp;stronger than&amp;nbsp;AES’s 256 bit key. There’s good news for IoT providers too. It offers a 58 KB Low Overhead Platform with a 284 KB Embedded Encryption Platform that can fit in the smallest microprocessors. Oh, it’s cheaper too. Not bad.&amp;nbsp; &amp;nbsp; THE CLOCK IS TICKING I seldom focus on encryption solutions because, as we are aware in the cybersecurity business, it addresses only a part of the problem. The potential of breaking all authentication and encryption is serious though. Allowing cyberattackers a wide-open cyberdefense without minimally hardening our systems would be catastrophic. It would allow cyberattackers to strike at will.&amp;nbsp; It’s nice to end an article discussing all the problems in a specific area of cybersecurity and then detailing immediate solutions available. The warnings we are getting from both the&amp;nbsp;private&amp;nbsp;and&amp;nbsp;public&amp;nbsp;sector in IoT security issues are chilling. I will be&amp;nbsp;speaking at a major IoT convention&amp;nbsp;about this very issue. The question is: Are we going to talk about it, or do it? Larry Karisny is the director of&amp;nbsp;ProjectSafety.org, an adviser, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors. He will be speaking at the IoT Evolution Expo in Orlando, Fla. on Thursday, Jan. 25, 2018 from 10-10:55 a.m. discussing IoT security strategies.</itunes:subtitle><itunes:author>noreply@blogger.com (Anonymous)</itunes:author><itunes:summary>Is Cybersecurity Encryption Ready to Break? Cyberattacks are already bad today.
But what if all encryption didn’t work? We are reaching a point now where global adversaries can crack encryption, and will be able to crack all encryption in the near future. BY&amp;nbsp;LARRY KARISNY&amp;nbsp;/&amp;nbsp;OCTOBER 6, 2017 SHUTTERSTOCK/CREATIVE-MATERIAL TODAY'S CRYPTO DILEMMA From mismanaged encryption keys and system errors to eventual crypto cracking, Public Key Infrastructure (PKI) encryption has increasingly become more difficult to maintain as the needs for these encryption services exponentially increase. Security adviser&amp;nbsp;Roger A. Grimes&amp;nbsp;has been installing PKIs for private and public companies for more than two decades. In a 2015&amp;nbsp;CSO&amp;nbsp;article,&amp;nbsp;4 Fatal Problems with PKI,&amp;nbsp;he discussed why PKI has too many moving parts. Even when it works perfectly, it doesn't solve the biggest security problems. Eventually it will stop working forever. The complexities of these systems require the deployment and management of certificates, registration authority, directory management, digital signatures, key protocols and key validation. These systems are so complex that they are seldom installed properly and have so many errors that system operators often ignore them.&amp;nbsp;&amp;nbsp; In addition, Internet of Things (IoT) security providers are finding that PKI may work in Web applications but clearly was not designed for IoT devices. IoT processors are often so small that they don’t have the ability to update key certificates or embed any type of encryption at all.
With encryption file sizes constantly increasing and the number of IoT connections reaching the billions, PKI encryption is effectively dead for IoT.&amp;nbsp; POST-QUANTUM ENCRYPTION With recent advances in quantum computing, there needs to be a focus on developing encryption that will not have its algorithms cracked, opening up a Pandora’s box of hacking.&amp;nbsp; The National Institute of Standards and Technology (NIST) has been studying this problem and is focusing on post-quantum encryption solution proposals still open in its&amp;nbsp;Post-Quantum Cryptography project. Although it is great to see NIST understanding the urgency of this potential crypto-cracking dilemma, there are industry experts that disagree with their approach.&amp;nbsp; Recently there was an interesting debate among security industry professionals on the respected blog&amp;nbsp;Schneier on Security. It was in response to a&amp;nbsp;post&amp;nbsp;about a&amp;nbsp;research paper&amp;nbsp;on&amp;nbsp;RSA cryptography&amp;nbsp;after quantum computing. The researchers’ answer: Just make the encryption key algorithms bigger, more complex and more costly. How big? Using the calculations of the readers, a one-terabyte public key. Since IoT hardly has space for kilobytes, this is just not the direction to go. Not only will these resource-hogging crypto-algorithms take valuable processing space, they will also use network resources and take longer. HACKING STATIC ENCRYPTION AND PATTERNS Over the years I have reviewed hundreds of cybersecurity companies. The people that normally have the best solutions are the ones that already know the problems coming from current technologies. Sadly, they often need to wait until the problems come before they can get people’s attention and offer different solutions.&amp;nbsp; The real problem in current cryptography is the very thing that makes the technology work.
A hacker can identify and exploit the encryption’s repeating processes to crack the system and take control. Today’s encryption algorithms are static in nature, repeating processes over and over. Their behaviors are expected. Patterns are anticipated. In fact, hackers today are using artificial intelligence to quickly define these patterns. This is why quantum and super-computing can hack current cryptology. THE FIX? There is a solution to this problem. Successfully accomplished, patented and deployed by a company called MerlinCryption, the Anti-Statistical Block Encryption (ASBE) leverages dynamic algorithmic complexity and employs stochastic randomization in many aspects of its encryption process. Because all output is variable, there is no static behavior to monitor.&amp;nbsp; The key word is variable. Even a quantum computer cannot crack this encryption that protects data as it is created, viewed, edited, shared, stored and moved across any communications channel or in the cloud. The key then vanishes after use, leaving no trace of the encryption process. Authentication is also an important part of security. Most authentication factors are based on something you know, something you have or something you are. Attackers can imitate the authentication rights of employees or systems to gain access and control. MerlinCryption has innovated a new fourth category of authentication factors using information that is temporary and always unique. These factors are not deterministic, but stochastic in nature.&amp;nbsp; Finally, MerlinCryption offers true end-to-end, person-to-processor and processor-to-processor encryption and authentication. Its smallest key is more than 10522&amp;nbsp;stronger than&amp;nbsp;AES’s 256 bit key. There’s good news for IoT providers too. It offers a 58 KB Low Overhead Platform with a 284 KB Embedded Encryption Platform that can fit in the smallest microprocessors. Oh, it’s cheaper too.
Not bad.&amp;nbsp; &amp;nbsp; THE CLOCK IS TICKING I seldom focus on encryption solutions because, as we are aware in the cybersecurity business, it addresses only a part of the problem. The potential of breaking all authentication and encryption is serious though. Allowing cyberattackers a wide-open cyberdefense without minimally hardening our systems would be catastrophic. It would allow cyberattackers to strike at will.&amp;nbsp; It’s nice to end an article discussing all the problems in a specific area of cybersecurity and then detailing immediate solutions available. The warnings we are getting from both the&amp;nbsp;private&amp;nbsp;and&amp;nbsp;public&amp;nbsp;sector in IoT security issues are chilling. I will be&amp;nbsp;speaking at a major IoT convention&amp;nbsp;about this very issue. The question is: Are we going to talk about it, or do it? Larry Karisny is the director of&amp;nbsp;ProjectSafety.org, an adviser, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors. He will be speaking at the IoT Evolution Expo in Orlando, Fla. on Thursday, Jan. 25, 2018 from 10-10:55 a.m. discussing IoT security strategies.</itunes:summary></item><item><title>The Race to Cyberdefense, Artificial Intelligence and the Quantum Computer</title><link>http://stpete-smartown.blogspot.com/2017/08/the-race-to-cyberdefense-artificial.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Wed, 9 Aug 2017 11:31:00 -0400</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-3066165131018592465</guid><description>&lt;div id="article_header" style="background-color: white; box-sizing: border-box; color: #333333; font-family: &amp;quot;helvetica neue&amp;quot;, helvetica, arial, sans-serif; margin-bottom: 30px;"&gt;
&lt;h3 style="box-sizing: border-box; color: inherit; font-family: georgia, serif; font-size: 1.2em; font-stretch: normal; font-style: italic; font-weight: normal; line-height: 24px; margin-bottom: 10px; margin-top: 5px;"&gt;
The power grid, oil and gas, and even existing telecoms are perfect targets for funding and development of these technologies.&lt;/h3&gt;
&lt;h3 style="box-sizing: border-box; color: inherit; font-family: georgia, serif; font-size: 1.2em; font-stretch: normal; font-style: italic; font-weight: normal; line-height: 24px; margin-bottom: 10px; margin-top: 5px;"&gt;
&lt;div id="article_header" style="box-sizing: border-box; font-family: &amp;quot;helvetica neue&amp;quot;, helvetica, arial, sans-serif; font-size: 14px; font-style: normal; margin-bottom: 30px;"&gt;
&lt;div&gt;
By Larry Karisny August 8, 2017&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI2aQI7WpGMwjPMULZqicxAqW-2oxzppjluxMTwcECJeUZRtXs7ZpdFd5v7oY4KiuAXqNrM0qH-8B0Uf11szBaOfQTiRGTKWmkn-yAbzKYh0y42-enlGw1CBrobFcocz9ApozJ/s1600/shutterstock-AI-Quantum-Cybersecurity.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="705" data-original-width="940" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI2aQI7WpGMwjPMULZqicxAqW-2oxzppjluxMTwcECJeUZRtXs7ZpdFd5v7oY4KiuAXqNrM0qH-8B0Uf11szBaOfQTiRGTKWmkn-yAbzKYh0y42-enlGw1CBrobFcocz9ApozJ/s400/shutterstock-AI-Quantum-Cybersecurity.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div id="feature_image" style="box-sizing: border-box;"&gt;
&lt;amp-img alt="Quantum, AI" class="-amp-element -amp-layout-responsive -amp-layout-size-defined -amp-layout" height="705" id="AMP_1" layout="responsive" src="http://media2.govtech.com/images/940*705/shutterstock-AI-Quantum-Cybersecurity.jpg" style="box-sizing: border-box; display: block; margin-bottom: 5px; overflow: hidden !important; position: relative;" width="940"&gt;&lt;img alt="Quantum, AI" amp-img-id="AMP_1" class="-amp-fill-content -amp-replaced-content" height="705" src="https://media2.govtech.com/images/940*705/shutterstock-AI-Quantum-Cybersecurity.jpg" style="border: none !important; bottom: 0px; box-sizing: border-box; display: block; height: 562.5px; left: 0px; margin: auto; max-width: 100%; min-width: 100%; padding: 0px !important; position: absolute; right: 0px; top: 0px; vertical-align: middle;" width="940" /&gt;&lt;/amp-img&gt;&lt;span class="caption" style="box-sizing: border-box; font-family: &amp;quot;georgia&amp;quot; , &amp;quot;times new roman&amp;quot; , &amp;quot;times&amp;quot; , serif; font-size: 1em; font-stretch: normal; font-style: italic; line-height: 1.1em;"&gt;&lt;/span&gt;&lt;span class="credit" style="box-sizing: border-box; color: #737373; float: right; font-family: &amp;quot;proximanovaregular&amp;quot;; font-size: 0.9em; font-stretch: normal; line-height: 20px; text-transform: uppercase;"&gt;&lt;a href="http://www.shutterstock.com/" style="background-color: transparent; box-sizing: border-box; color: #1d1d1d; transition: 0.25s ease;" target="_blank"&gt;SHUTTERSTOCK&lt;/a&gt;&lt;/span&gt;&lt;span class="credit" style="box-sizing: border-box; color: #737373; float: right; font-family: &amp;quot;proximanovaregular&amp;quot;; font-size: 0.9em; font-stretch: normal; line-height: 20px; text-transform: uppercase;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span class="credit" style="box-sizing: border-box; color: #737373; float: right; font-family: &amp;quot;proximanovaregular&amp;quot;; font-size: 0.9em; font-stretch: normal; line-height: 
20px; text-transform: uppercase;"&gt;&lt;span style="color: #333333; font-family: &amp;quot;georgia&amp;quot; , &amp;quot;times new roman&amp;quot; , serif; font-size: 1.3em;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="credit" style="box-sizing: border-box; color: #737373; float: right; font-family: &amp;quot;proximanovaregular&amp;quot;; font-size: 0.9em; font-stretch: normal; line-height: 20px; text-transform: uppercase;"&gt;&lt;span style="color: #333333; font-family: &amp;quot;georgia&amp;quot; , &amp;quot;times new roman&amp;quot; , serif; font-size: 1.3em;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;/h3&gt;
&lt;h3 style="box-sizing: border-box; color: inherit; font-family: georgia, serif; font-stretch: normal; font-weight: normal; line-height: 24px; margin-bottom: 10px; margin-top: 5px;"&gt;
&lt;div style="box-sizing: border-box; font-style: italic; margin-bottom: 18px;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="box-sizing: border-box; font-style: italic; margin-bottom: 18px;"&gt;
&lt;div style="box-sizing: border-box; font-family: Georgia, &amp;quot;Times New Roman&amp;quot;, serif; font-size: 18.2px; font-style: normal; margin-bottom: 18px;"&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin-bottom: 13.5pt;"&gt;
&lt;span style="font-family: Georgia, serif; font-size: 13.5pt;"&gt;I've
been following cybersecurity startups and hackers for years, and I suddenly
discovered how hackers are always ahead of the rest of us — they have a better
business model funding them in their proof of concept (POC) stage of
development.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin-bottom: 13.5pt;"&gt;
&lt;span style="font-family: Georgia, serif; font-size: 13.5pt;"&gt;To even
begin protecting ourselves from their well-funded advances and attacks,
cyberdefense and artificial intelligence (AI)&amp;nbsp;technologies must be funded
at the same level in the POC stage.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin-bottom: 13.5pt;"&gt;
&lt;span style="font-family: Georgia, serif; font-size: 13.5pt;"&gt;Today,
however, traditional investors not only want your technology running, they also
need assurances that you already have a revenue stream — which stifles
potential new technology discovery at the POC level. And in some industries,
this is dangerous.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin-bottom: 13.5pt;"&gt;
&lt;span style="font-family: Georgia, serif; font-size: 13.5pt;"&gt;Consider
the fast-paced world of cybersecurity, in which companies are offered
traditional funding avenues as they promote their product's tech capabilities
so people will invest. This promotion and disclosure of their technology,
however, gives hackers a road map to the new cyberdefense technologies and a
window of time to gain knowledge on how to exploit them.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin-bottom: 13.5pt;"&gt;
&lt;span style="font-family: Georgia, serif; font-size: 13.5pt;"&gt;This
same road map exists for technologies covered in detail when standards groups,
universities, governments and private labs publish white papers — documents
that essentially assist hackers by giving them advance notice of cyberdefense
techniques.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin-bottom: 13.5pt;"&gt;
&lt;span style="font-family: Georgia, serif; font-size: 13.5pt;"&gt;In
addition to this, some hackers receive immediate funding through nation states
that are coordinating cyberwarfare like the traditional military, and others are
involved in organized secret groups that fund the use of ransomware and DDoS
attacks. These hackers get immediate funding and then throw their technology on
the Internet for POC discovery.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin: 15pt 0in 7.5pt;"&gt;
&lt;span style="font-family: proximanovabold, serif; font-size: 18pt; text-transform: uppercase;"&gt;HOW&amp;nbsp;&lt;i&gt;NOT&lt;/i&gt;&amp;nbsp;TO DO CYBERDEFENSE&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin-bottom: 13.5pt;"&gt;
&lt;span style="font-family: Georgia, serif; font-size: 13.5pt;"&gt;One
project that strongly makes a case for rapidly funding cyberdefense
technologies in an effort to keep up with hackers is the $5.7 billion U.S.
Department of Homeland Security's (DHS) EINSTEIN cyberdefense system,
which&amp;nbsp;&lt;a href="http://www.csoonline.com/article/3030028/security/dhs-einstein-firewall-fails-to-detect-94-of-threats-doesnt-monitor-web-traffic.html" target="_blank"&gt;&lt;span style="color: #f47421;"&gt;was deemed obsolete upon its
deployment for failing to detect 94 percent of security vulnerabilities&lt;/span&gt;&lt;/a&gt;.
As this situation illustrates, the traditional methods of funding cyberdefense
— taking years of bureaucratic analysis and vendor contracts — do not work in
the fast technology discovery world of cyberdefense. After the EINSTEIN project
failure, DHS decided to conduct an assessment — it's currently working to
understand if it's making the right investments in dealing with the
ever-changing cyberenvironment.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin-bottom: 13.5pt;"&gt;
&lt;span style="font-family: Georgia, serif; font-size: 13.5pt;"&gt;But it
also has other roadblocks, as even large technology companies and contractors
with which DHS does business have their own bureaucracies and investments that
ultimately deter the department from getting the best in cyberdefense
technologies. And once universities, standards groups, regulation and funding
approvals are added to these processes, you're pretty much assured to be headed
for another disaster.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin-bottom: 13.5pt;"&gt;
&lt;span style="font-family: Georgia, serif; font-size: 13.5pt;"&gt;But DHS
doesn’t need to develop these technologies itself. The department needs to
support public- and private-sector POCs to rapidly mature and deploy new
cyberdefense technologies. This suggestion is supported by what other countries
are successfully doing — including our adversaries.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin: 15pt 0in 7.5pt;"&gt;
&lt;span style="font-family: proximanovabold, serif; font-size: 18pt; text-transform: uppercase;"&gt;MAKING THE CASE FOR POC FUNDING&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin-bottom: 13.5pt;"&gt;
&lt;span style="font-family: Georgia, serif; font-size: 13.5pt;"&gt;The
same two things that have motivated mankind all through history — immediate
power and money — are now motivating hackers, and cyberdefense technologies are
taking years to be deployed. So I'll say it again: The motivational and funding
model of cyberdefense technologies must change. The key to successful
cyberdefense technology development is making it as aggressive as the hackers
that attack it. And this needs to be done at the conceptual POC level.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin-bottom: 13.5pt;"&gt;
&lt;span style="font-family: Georgia, serif; font-size: 13.5pt;"&gt;The
concern in cyberdefense (and really all AI) is the race to the quantum
computer.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin-bottom: 13.5pt;"&gt;
&lt;span style="font-family: Georgia, serif; font-size: 13.5pt;"&gt;Quantum
computer technologies can’t be hacked, and in theory, their processing power can
break all encryption. The computational physics behind quantum computing also offers
remarkable capabilities that will drastically change all current AI and
cyberdefense technologies. This is a winner-takes-all technology that offers
absolute security capabilities — capabilities that we can now
only imagine.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin: 15pt 0in 7.5pt;"&gt;
&lt;span style="font-family: proximanovabold, serif; font-size: 18pt; text-transform: uppercase;"&gt;BARRIERS TO CYBERDEFENSE POC FUNDING IN THE U.S.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin-bottom: 13.5pt;"&gt;
&lt;span style="font-family: Georgia, serif; font-size: 13.5pt;"&gt;The
most recent funding source for hackers is Bitcoin, which uses the decentralized
and secure&amp;nbsp;&lt;a href="http://www.govtech.com/budget-finance/Demystifying-the-Blockchain-A-Basic-User-Guide.html" target="_blank"&gt;&lt;span style="color: #f47421;"&gt;blockchain&lt;/span&gt;&lt;/a&gt;&amp;nbsp;technology.
It has even been used to support POC funding in what is called an Initial Coin
Offering (ICO), the intent of which is to crowdfund early startup companies at
the development or POC level by bypassing traditional and lengthy funding
avenues. Because this type of startup seed offering has been clouded with
scams, it is now in regulatory limbo.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin-bottom: 13.5pt;"&gt;
&lt;span style="font-family: Georgia, serif; font-size: 13.5pt;"&gt;Some
states have passed laws that make it difficult to legally present and offer an
ICO. While the&amp;nbsp;&lt;a href="https://bitcoinmagazine.com/articles/op-ed-launching-ico-follow-advice-sec/" target="_blank"&gt;&lt;span style="color: #f47421;"&gt;U.S. seems to be pushing
ICO&amp;nbsp;regulation&lt;/span&gt;&lt;/a&gt;, other countries are still deciding what to do.
But like ICOs or not, they offer first-time startups an avenue of fast-track
funding at the concept level — where engineers and scientists can jump on newer
technologies by focusing seed money on testing their concepts. Bogging ICOs
down with regulatory laws will both slow down legitimate POC innovation in the
U.S. and give other countries a competitive edge.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin-bottom: 13.5pt;"&gt;
&lt;span style="font-family: Georgia, serif; font-size: 13.5pt;"&gt;Another
barrier to cyberdefense POC funding is the size and technological control of a
handful of tech companies. Google, Facebook, Amazon, Microsoft and Apple have
become enormous concentrations of wealth and data, drawing the attention of&lt;a href="https://www.axios.com/the-growing-antitrust-concerns-about-u-s-tech-giants-2433870013.html" target="_blank"&gt;&lt;span style="color: #f47421;"&gt;&amp;nbsp;economists and academics who
warn they're growing too powerful&lt;/span&gt;&lt;/a&gt;. Now as big as major American
cities, these companies are mega centers of both money and technology. They are
so large and control so much of the market that many are beginning to view them
as in violation of the&amp;nbsp;&lt;a href="https://en.wikipedia.org/wiki/Sherman_Antitrust_Act" target="_blank"&gt;&lt;span style="color: #f47421;"&gt;Sherman Antitrust Act&lt;/span&gt;&lt;/a&gt;. So how can small
startups compete with these tech giants and potentially fund POCs in areas such
as cyberdefense and AI? By aligning with giant companies in industries that
have the most need for cyberdefense and AI technologies: critical
infrastructure.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin: 15pt 0in 7.5pt;"&gt;
&lt;span style="font-family: proximanovabold, serif; font-size: 18pt; text-transform: uppercase;"&gt;BIG COMPETITION FROM BIG PLAYERS&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin-bottom: 13.5pt;"&gt;
&lt;span style="font-family: Georgia, serif; font-size: 13.5pt;"&gt;The
industries that are most vulnerable and could cause the most devastation if
hacked are those involved in&amp;nbsp;&lt;a href="https://en.wikipedia.org/wiki/Critical_infrastructure" target="_blank"&gt;&lt;span style="color: #f47421;"&gt;critical infrastructure&lt;/span&gt;&lt;/a&gt;. These large
industries have the resources to fund cyberdefense technologies at the concept
level — and they would obtain superior cyberdefense technologies in doing so.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin-bottom: 13.5pt;"&gt;
&lt;span style="font-family: Georgia, serif; font-size: 13.5pt;"&gt;Cyberattacks
on critical infrastructure could devastate entire national economies, and that infrastructure must be
protected by the most advanced cyberdefense. Quantum computing and artificial
intelligence will initiate game-changing technology in both cyberdefense and
the new intellectual property deriving from quantum sciences. Entering these
new technologies at the POC level is like being a Microsoft or Google years
ago. Funding the development of these new technologies in cyberdefense and AI
is needed soon — but what about today?&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin-bottom: 13.5pt;"&gt;
&lt;span style="font-family: Georgia, serif; font-size: 13.5pt;"&gt;Future
quantum computer capabilities will also demand immediate short-term fixes in
current cyberdefense and AI. New quantum-ready compressed encryption and
cyberdefense deep learning AI must be funded and tested now at the concept
level. The power grid, oil and gas, and even existing telecoms are perfect
targets for this funding and development. Investing today would offer current
cyberdefense and business intelligence protection while creating new profit
centers in the licensing and sale of these leading-edge technologies. This is
true for many other industries, all differing in their approach and requiring
specialized cyberdefense capabilities and new intelligence gathering that will
shape their future.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;div class="MsoNormal" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; line-height: normal; margin-bottom: 13.5pt;"&gt;
&lt;span style="font-family: Georgia, serif; font-size: 13.5pt;"&gt;So we
must find creative ways of rapidly funding cyberdefense technologies at the
conceptual level. If this is what hackers do and it's why they're always one
step ahead, shouldn't we work to surpass them?&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/h3&gt;
&lt;h3 style="box-sizing: border-box; color: inherit; font-family: georgia, serif; font-stretch: normal; font-weight: normal; line-height: 24px; margin-bottom: 10px; margin-top: 5px;"&gt;
&lt;/h3&gt;
&lt;h3 style="box-sizing: border-box; color: inherit; font-family: georgia, serif; font-size: 1.2em; font-stretch: normal; font-style: italic; font-weight: normal; line-height: 24px; margin-bottom: 10px; margin-top: 5px;"&gt;
&lt;/h3&gt;
&lt;/div&gt;
</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI2aQI7WpGMwjPMULZqicxAqW-2oxzppjluxMTwcECJeUZRtXs7ZpdFd5v7oY4KiuAXqNrM0qH-8B0Uf11szBaOfQTiRGTKWmkn-yAbzKYh0y42-enlGw1CBrobFcocz9ApozJ/s72-c/shutterstock-AI-Quantum-Cybersecurity.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Cybersecurity Industry Must Adopt Cyberdefense Tech that Utilizes Analytics, Artificial Intelligence</title><link>http://stpete-smartown.blogspot.com/2017/04/cybersecurity-industry-must-adopt.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Sat, 1 Apr 2017 12:20:00 -0400</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-726244967800205622</guid><description>&lt;header id="article-header" role="banner" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.701961); font-family: &amp;quot;Source Sans Pro&amp;quot;, Helvetica, Arial, sans-serif; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;&lt;h3 style="background-color: white; box-sizing: border-box; color: #333333; font-family: georgia, serif; font-size: 1.2em; font-stretch: normal; font-style: italic; font-weight: normal; line-height: 24px; margin-bottom: 10px; margin-top: 5px;"&gt;
The cyberdefense industry needs to quit playing catch-up and taking a reactive approach to cybersecurity. So what is this industry doing wrong, and how can we change it?&lt;/h3&gt;
&lt;div&gt;
&lt;h5 class="author-detail" style="background-color: #ebedef; box-sizing: border-box; color: #333333; font-family: arial; font-size: 12px; font-stretch: normal; font-weight: normal; line-height: 14px; margin-bottom: 10px; margin-top: 10px; padding: 6px 10px; text-transform: uppercase;"&gt;
&lt;span class="author" style="box-sizing: border-box; font-weight: 600; line-height: 18px;"&gt;BY&amp;nbsp;&lt;a href="http://www.govtech.com/authors/Larry-Karisny.html" rel="author" style="background-color: transparent; box-sizing: border-box; color: #f47421; outline-offset: -2px; outline: -webkit-focus-ring-color auto 5px; text-decoration: none; transition: color 0.25s ease;"&gt;LARRY KARISNY&lt;/a&gt;&amp;nbsp;&lt;/span&gt;&lt;span class="orange-highlight" style="box-sizing: border-box; color: #f47421;"&gt;/&amp;nbsp;&lt;/span&gt;&lt;span class="date" style="box-sizing: border-box;"&gt;MARCH 30, 2017&lt;/span&gt;&lt;/h5&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;img src="https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAAnkAAAAJDVkZmZiYzQzLTZhYWEtNDQ2ZC1hMmQ4LWFlMzZjOTU1M2NhOQ.jpg" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: inherit; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; height: auto; line-height: inherit; margin: 0px; max-width: 100%; outline: 0px; padding: 0px; vertical-align: baseline; width: 744px;" /&gt;&lt;/div&gt;
&lt;/header&gt;&lt;div class="prose" itemprop="articleBody" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.701961); font-family: &amp;quot;Source Sans Pro&amp;quot;, Helvetica, Arial, sans-serif; font-size: 17px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
&lt;a href="https://www.shutterstock.com/image-vector/dark-blue-light-abstract-technology-background-304056263" rel="nofollow noopener" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: #8c68cb; cursor: pointer; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline; word-wrap: break-word;" target="_blank"&gt;SHUTTERSTOCK/TITIMA ONGKANTONG&lt;/a&gt;&lt;/div&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
We must recognize that our cyberdefense technologies are not working and will not work. Cases in point: Our most&amp;nbsp;&lt;a href="https://www.wired.com/2017/03/wikileaks-cia-hacks-dump/" rel="nofollow noopener" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: #8c68cb; cursor: pointer; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline; word-wrap: break-word;" target="_blank"&gt;sensitive cyberoffense technologies have been hacked&lt;/a&gt;;&amp;nbsp;&lt;a href="http://www.washingtonexaminer.com/senators-want-to-go-low-tech-to-improve-electrical-grid-security/article/2613743" rel="nofollow noopener" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: #8c68cb; cursor: pointer; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline; word-wrap: break-word;" target="_blank"&gt;power companies admit they would have great difficulty stopping a cyberattack&lt;/a&gt;&amp;nbsp;and are being asked to be prepared to operate at much less than full capacity under a cyberattack; 70 percent of oil and gas companies have been attacked — and the threat is growing.&lt;/div&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
The cybersecurity industry is in chaos and needs to move toward new technologies — cyberdefense technologies that are beginning to leverage analytics, machine learning and artificial intelligence (AI). Hackers are taking advantage of the same technologies, so the cyberdefense industry needs to jump on board.&amp;nbsp;Let's quit playing catch-up and instead take a proactive approach to cybersecurity.&lt;/div&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
So what is this industry doing wrong, and how can we change it?&lt;/div&gt;
&lt;h3 style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.85098); font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 28px; margin: 2.4rem 0px; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
CYBERSECURITY 101&lt;/h3&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
One of the core principles in cybersecurity is to establish a baseline of what the operational and industrial system is doing. Once this is done, you can:&lt;/div&gt;
&lt;ul style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; list-style-image: initial; list-style-position: initial; margin: 3.2rem 0px; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
&lt;li style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 2.4rem 0px 2.4rem 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;define your security policies;&lt;/li&gt;
&lt;li style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 2.4rem 0px 2.4rem 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;evaluate the risk;&lt;/li&gt;
&lt;li style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 2.4rem 0px 2.4rem 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;look at security technologies that could reduce the risk;&lt;/li&gt;
&lt;li style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 2.4rem 0px 2.4rem 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;evaluate the potential threat impact cost verses the cost of the security technology;&lt;/li&gt;
&lt;li style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 2.4rem 0px 2.4rem 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;get management approval; and then&lt;/li&gt;
&lt;li style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 2.4rem 0px 2.4rem 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;deploy the security technology.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
Sounds simple, right? Not so.&amp;nbsp;&lt;/div&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
We have layered so much hardware, network and software on top of each other that we truly can't see what our systems are doing. And if we can't see what our systems are doing, how can we establish a system baseline of what is normal in daily system operations? The fact is that we can't see it, which is not a good start to one of the most basic principles of security. This must change.&lt;/div&gt;
&lt;h3 style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.85098); font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 28px; margin: 2.4rem 0px; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
DEHUMANIZING OUR MACHINE SYSTEMS&lt;/h3&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
Conventional cybersecurity generally points everything to the human first while the system's machine actions are doing most of the operational and industrial processes. As metadata grows, it becomes increasingly difficult to manage and understand.&amp;nbsp;Even the best analytic algorithms can't keep up and are themselves subject to error.&amp;nbsp;&lt;/div&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
Human error is the major reason for cyberbreaches, and we are pointing increasingly complex systems toward people who can neither see nor understand what the systems are doing; it is a dangerous scenario to continually disconnect the human from massively automated systems that run without audit. Hackers know this, and they will continually exploit these systems until new technologies can deeply and consistently view and audit our operational baseline.&lt;/div&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
People need to be able to see with deep inspection the structured and unstructured data that run the systems. Without this being done first, a true operations and security baseline cannot be established, leaving the system exposed to cyberattacks. AI, machine learning and analytics can assist in the viewing of this data, but they exponentially increase the amount of structured and unstructured data that must be secured. These approaches also create vulnerabilities because they layer additional algorithms and software over critical data and systems actuaries.&amp;nbsp;This gives hackers a targeted system exploit capability that could allow a complete hijacking of system processes. This is being done while humans are continually being removed from our system processes.&lt;/div&gt;
&lt;h3 style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.85098); font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 28px; margin: 2.4rem 0px; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
CYBERDEFENSE GOING IN THE WRONG DIRECTION&lt;/h3&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
Industry experts are warning about the use and abuse of AI in both cyberdefense and hacking.&amp;nbsp;&lt;/div&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
As Sean Carroll, a cosmology and physics professor at the California Institute of Technology, told&amp;nbsp;&lt;a href="http://www.vox.com/conversations/2017/3/8/14712286/artificial-intelligence-science-technology-robots-singularity-automation" rel="nofollow noopener" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: #8c68cb; cursor: pointer; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline; word-wrap: break-word;" target="_blank"&gt;Vox.com&lt;/a&gt;,&amp;nbsp;"It is absolutely right to think very carefully and thoroughly about what those consequences might be, and how we might guard against them, without preventing real progress on improved artificial intelligence.&lt;em style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: Georgia, &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 0.975em; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;"&lt;/em&gt;&lt;/div&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
And Nick Bostrom, director of the Future of Humanity Institute at Oxford University, also told Vox.com that&amp;nbsp;“the transition to machine superintelligence is a very grave matter, and we should take seriously the possibility that things could go radically wrong. This should motivate having some top talent in mathematics and computer science research the problems of AI safety and AI control.”&lt;/div&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
Even the newest&amp;nbsp;&lt;a href="https://www.theguardian.com/global/2017/mar/14/googles-deepmind-makes-ai-program-that-can-learn-like-a-human" rel="nofollow noopener" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: #8c68cb; cursor: pointer; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline; word-wrap: break-word;" target="_blank"&gt;neural network technologies&lt;/a&gt;&amp;nbsp;that Google is using — the basis of its DeepMind Artificial Intelligence technologies —&amp;nbsp;&lt;a href="https://www.google.com/url?sa=t&amp;amp;rct=j&amp;amp;q=&amp;amp;esrc=s&amp;amp;source=web&amp;amp;cd=1&amp;amp;cad=rja&amp;amp;uact=8&amp;amp;ved=0ahUKEwjum6Dw893SAhUJVyYKHcuhAUIQFggcMAA&amp;amp;url=http%3A%2F%2Fwww.zdnet.com%2Farticle%2Fhacking-neural-networks%2F&amp;amp;usg=AFQjCNEeF3kMwXliQh4OJcgTKG1Iziiu6g&amp;amp;sig2=1Ha6J-DVqcijLvcJ1Dw-lA" rel="nofollow noopener" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: #8c68cb; cursor: pointer; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline; word-wrap: break-word;" target="_blank"&gt;can be hacked&lt;/a&gt;. The reason is that we're using existing technologies to learn what our systems are doing, so we are essentially adding points of offensive exploit to cyberdefense technologies that are supposed to reduce the attack vector. 
The cybersecurity industry is, in essence, going in the wrong direction.&amp;nbsp;&lt;/div&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
A good example of this is&amp;nbsp;&lt;a href="https://www.cbinsights.com/blog/cybersecurity-ai-acquisitions/" rel="nofollow noopener" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: #8c68cb; cursor: pointer; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline; word-wrap: break-word;" target="_blank"&gt;tech giants buying up AI cybersecurity startups&lt;/a&gt;. This is being done while the&amp;nbsp;&lt;a href="https://thenextweb.com/insider/2016/08/04/watch-ai-hack-darpa-cyber/" rel="nofollow noopener" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: #8c68cb; cursor: pointer; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline; word-wrap: break-word;" target="_blank"&gt;DARPA Cyber Grand Challenge demonstrated how AI could hack into AI&lt;/a&gt;. Machine learning and AI connect to a very sensitive part of operational and industrial control systems. That’s how it learns. Hackers can use AI to watch what AI is doing, which in turn can offer total control of the machine systems. All third- and fourth-generation programming language (code) can be hacked, period. We must find a migration path to codeless fifth-generation programming language (5GL) that uses codeless signature patterns.&lt;/div&gt;
&lt;h3 style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.85098); font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 28px; margin: 2.4rem 0px; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
THE DEMAND FOR NEW CYBERDEFENSE TECHNOLOGIES THAT WORK&lt;/h3&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
I have discussed the use of&amp;nbsp;&lt;a href="http://www.govtech.com/dc/articles/Will-DPM-5GL-save-cybersecurity.html" rel="nofollow noopener" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: #8c68cb; cursor: pointer; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; outline: none; padding: 0px; text-decoration: none; vertical-align: baseline; word-wrap: break-word;" target="_blank"&gt;5GL in previous articles&lt;/a&gt;&amp;nbsp;and spoke about the technology at Oak Ridge National Laboratory. I clearly discussed how we need to use 5GL codeless patterns in parallel with existing operational and industrial system technologies. This use of 5GL in cybersecurity as a system auditing tool could be the much-needed answer to new cyberdefense technologies.&lt;/div&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
A company called On Point Cyber has been watching the development of these 5GL technologies for years, and CEO Tom Boyle said he thinks the timing is right for 5GL.&lt;/div&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
"Disruptive technologies must have a migration path back to existing technologies and forward to newer technologies. To achieve this, we first index all the current structured and unstructured data, then run them in parallel to the new 5GL codeless signature pattern technologies," he said. "This offers a real-time deep inspection of the operational system security baseline and the immediate detection of anything not part of that baseline."&lt;/div&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
Boyle also noted that what's great about 5GL&amp;nbsp;technology is that it can be used without changing any of the current operational and industrial system technologies.&lt;/div&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
"These newer technologies can then offer older technologies a migration path to code vs. codeless signature pattern technologies that could even be used in the Quantum computer," he added. "The use of 5GL in cyberdefense could prove the most important use of this technology today. Clearly, we need to do something different."&lt;/div&gt;
&lt;h3 style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; color: rgba(0, 0, 0, 0.85098); font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 28px; margin: 2.4rem 0px; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
CYBERDEFENSE PUBLIC-PRIVATE PARTNERSHIPS&lt;/h3&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
We are entering dangerous times in cybersecurity, and both the public and private sectors must recognize the urgency in finding an industry correction. Immediately invest in cybersecurity technologies that offer more than calculated risk remediation. We are throwing things on the wall that could potentially put our cyberdefense technologies in greater danger. We need to find solutions that stop cyberattacks.&amp;nbsp;&lt;/div&gt;
&lt;div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; font-family: &amp;quot;Source Serif Pro&amp;quot;, serif; font-size: 21px; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: 32px; margin-bottom: 3.2rem; margin-top: 3.2rem; outline: 0px; padding: 0px; vertical-align: baseline;"&gt;
In the confusion of pretty words and explanations of cyberdefense technologies, government officials and CEOs are asking the simple question, "Can I invest in cyberdefense technologies that work?" It is time to answer that question with the recognition that we need to move on to entirely new technologies that can secure us today and prepare us for the future.&amp;nbsp;&lt;/div&gt;
&lt;/div&gt;
</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Chuck Brooks on Cybersecurity: The Weakest Link Will Always Be the Human Element</title><link>http://stpete-smartown.blogspot.com/2016/03/chuck-brooks-on-cybersecurity-weakest.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Fri, 4 Mar 2016 00:28:00 -0500</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-8625294761533377036</guid><description>&lt;h3 class="subhead" style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-style: italic; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-bottom: 20px; text-rendering: optimizeLegibility;"&gt;
Cybersecurity expert Chuck Brooks talks about where we stand in what many people call the "wild, wild west" of cybersecurity.&lt;/h3&gt;
&lt;h5 class="author-detail" style="background-color: #ebedef; color: #333333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; font-weight: normal; line-height: 20px; margin: 10px 0px; padding: 4px 8px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
&lt;span class="author" style="font-weight: bold;"&gt;BY&amp;nbsp;&lt;a href="http://www.govtech.com/authors/Larry-Karisny.html" rel="author" style="color: #1d1d1d; text-decoration: none; transition: all 0.25s ease;"&gt;LARRY KARISNY&lt;/a&gt;&amp;nbsp;&lt;/span&gt;&lt;span class="orange-highlight" style="color: #f47421;"&gt;/&amp;nbsp;&lt;/span&gt;&lt;span class="date"&gt;MARCH 2, 2016&lt;/span&gt;&lt;/h5&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
If you're in the cybersecurity business, you know the name Chuck Brooks.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
He is an advisor to the Bill and Melinda Gates Foundation Technology Partner Network, chairman of CompTIA's New and Emerging Tech Committee, subject matter expert to the Homeland Defense and Security Information Analysis Center, “passcode influencer” for&amp;nbsp;&lt;em&gt;The Christian Science Monitor&lt;/em&gt;, on the Board of Advisors for CyberTech, and on the Board of Directors at Bravatek and the Cyber Resilience Institute.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Brooks also has authored numerous articles focusing on cybersecurity, homeland security and technology innovation for such publications as&amp;nbsp;&lt;em&gt;Forbes&lt;/em&gt;,&amp;nbsp;&lt;em&gt;Huffington Post&lt;/em&gt;,&amp;nbsp;&lt;em&gt;InformationWeek&lt;/em&gt;, MIT Sloan Blog,&amp;nbsp;&lt;em&gt;Computerworld&lt;/em&gt;,&amp;nbsp;&lt;em&gt;Federal Times&lt;/em&gt;,&amp;nbsp;&lt;em&gt;NextGov&lt;/em&gt;,&amp;nbsp;&lt;em&gt;Government Security News&lt;/em&gt;, Cygnus Security Media,&amp;nbsp;&lt;em&gt;Homeland Security Today&lt;/em&gt;,&amp;nbsp;&lt;em&gt;The Hill&lt;/em&gt;&amp;nbsp;and&amp;nbsp;&lt;em&gt;Government Executive&lt;/em&gt;.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
I recently got a chance to get Brooks' take on where we are today in what many people call the "wild, wild west" of cybersecurity. Here are his thoughts.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;strong&gt;Q. You wear many hats and certainly have been focused on cybersecurity for some time now. So tell me, who is Chuck Brooks and what is he trying to accomplish in this space?&lt;/strong&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;img align="left" alt="Chuck+Brooks" data-pin-no-hover="true" src="http://media.navigatored.com/images/Chuck+Brooks+1.jpg" style="border: 0px; height: auto; max-width: 100%; padding: 0px 20px 5px 0px; vertical-align: middle;" width="35%" /&gt;A. You are right, over my career in government, corporate and academia, I have worn many hats. There have been some strong common threads [of] science, technology, national security, and legislative and executive policy in all my various roles. Thankfully, I selected a professional vocation of government relations and marketing that encompasses all those threads.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
My passion for cybersecurity issues was first established over a decade ago during the time I spent at the Department of Homeland Security’s Science and Technology Directorate. Back then, the threats to our critical infrastructure were not as pronounced as they are today. Of course we were just beginning to experience the smartphone era. The field of cybersecurity has evolved exponentially along with the technologies, networks and connectivity that make up the cyberecosystem. And the ecosystem is quite diverse and expansive, comprising software, hardware, monitoring, forensics, governance and more. All these elements make it an exciting area to explore since there is always more to learn from strategy and technology perspectives. Also, it certainly blends my common career threads.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
For anyone’s career focus, studying cybersecurity makes [sense] since it touches everything work- or personal-related. In both the public and private sectors — just about every CIO survey — cybersecurity is the top concern. And of course, along with data analytics, cybersecurity is annually a budget priority of federal spending. DHS Secretary Jeh Johnson recently described cybersecurity and counterterrorism as the two top priorities for protecting the homeland.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
What I want to accomplish in this space is to continue being a subject matter expert in cybersecurity; I enjoy writing and speaking about the varied aspects of the topic and especially in educating others on how it can impact their lives. My advisory and board director roles with organizations are a reflection of that interest. When I retire (which is a long way off), I hope to join academia again in a part-time role. I spent two years at Johns Hopkins University SAIS [School of Advanced International Studies] teaching graduate students homeland security and found it very fulfilling.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;strong&gt;Q. You have one of the most active groups in LinkedIn under the heading of the Department of Homeland Security. How has this helped both yourself and DHS in feeling the pulse of the cybersecurity industry?&lt;/strong&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
A. I do operate a half dozen groups that focus on homeland security and information security on LinkedIn, including a few of the largest groups: “&lt;a href="https://www.linkedin.com/groups/1227907/profile" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;U.S. Department of Homeland Security, DHS&lt;/a&gt;,” “&lt;a href="https://www.linkedin.com/groups/3045583/profile" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Information Technology (Homeland &amp;amp; National Security)&lt;/a&gt;” and “&lt;a href="https://www.linkedin.com/groups/55857/profile" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Homeland Security&lt;/a&gt;.”&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
In all, these groups include about 60,000 people. Among the members are a host of well-known cybersecurity professionals who often post and comment on issues of the day. Also, as any news on data breaches or cyberincidents occurs, it is often posted in the LinkedIn groups.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Moderating these groups certainly keeps me updated and in tune with the pulse of policy. It has also served as a great networking venue to share ideas and information with some of the best security minds around in both the private and federal sectors. Many senior-level executives in the federal government are on social sites such as LinkedIn, GovLoop, Facebook and Twitter. There are an estimated 1.5 million federal government employees who regularly use LinkedIn, including over 65,000 from DHS. Because of the growing need for public/private-sector collaboration and interface, being actively involved in social media makes a lot of sense.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;strong&gt;Q. What is Sutherland Government Relations and what do you do for the company?&lt;/strong&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
A. Sutherland Global Services is a global provider of business processing services, contact centers, IT service desks and management consulting serving government and U.S. leading corporations across multiple industries, including health care and insurance, technology, mortgage and loan services, finance and banking, retail, and travel. Sutherland has 36,000 employees and annual revenues of over $1.2 billion, [and] was listed in 2015 as one of the fastest growing private companies in America by&amp;nbsp;&lt;em&gt;Inc&lt;/em&gt;.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
I work for the recently created Sutherland Government Solutions as VP of Government Relations and Marketing, where we are at several agencies and are known for integrated services for citizen service needs and digital government. Our cybersecurity operations at Sutherland Government Services are internal, but we do have a practice in customer relations management after a company or agency has been breached. Our cybersecurity practice is led by Glenn Schoonover who has a deep technical background. He is a former chief information security officer for the Army and was responsible for providing network security to the Department of the Army headquarters. He is also a former senior technology strategist for Worldwide National Security and Public Safety at Microsoft.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;strong&gt;Q. I see you are active in both the public and private sectors when it comes to cybersecurity. What are the similarities and differences between these two sectors?&lt;/strong&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
A. The biggest difference is that government is motivated by mission, and the private sector (for the most part) is driven by profit and loss. The R&amp;amp;D efforts, innovation sector and skilled technical expertise in the private sector have been more robust than in government. Industry is more agile and able to react to threat trends.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
On the federal side, the landscape has really changed over the past few years. [The U.S. Department of Defense], of course, has had the cybersecurity war-fighting mission and continues to build upon new requirements for operations and for systems. On the civilian side, DHS takes an increasingly larger role in cybersecurity. Presidential and congressional directives have mandated that DHS play a growing and more primary role, especially with protecting critical infrastructure (transportation, health, energy, finance) that is mostly owned by the private sector. DHS has to step up its activities in assessing situational awareness, information sharing, and resilience research and development plans with stakeholders. This has led to a trend in public-private partnering for sharing threat information and in creating standards and protocols. In both the public and private sectors, training of the next-generation cybersecurity technical and policy [subject matter experts] is a major priority.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;strong&gt;Q. To date, there seems to be a stand-off between Apple and the federal government when it comes to iPhone security. What are your thoughts on this, and can this bring about some lessons learned for the cybersecurity industry?&lt;/strong&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
A. This is the topic of the day, and it is a complicated issue relating to government requesting a corporation to provide software to allow access to data. My thoughts may be a bit different from some of the others in the industry. While I recognize the importance of privacy and the dire risk of an Orwellian surveillance state, I consider protecting innocent lives as a mitigating circumstance. What if that data that the FBI is seeking on the terrorist's encrypted phone uncovers a deeper terrorist network planning more horrific acts? In my opinion, this is a mitigating circumstance.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
What should be done is to establish protocols between industry and law enforcement to cooperate in these types of instances (with proper warrants and assurances) so that company Internet protocol can be isolated and privacy issues for the company’s customers can be best addressed. I am quite sure Congress will be looking closely at this case to establish legislation to create a working formula. The lesson for cybersecurity is that there is a balance between privacy and security that has to be constantly reviewed in accordance with the threats at hand.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;strong&gt;Q. With billions of Internet of Things devices on the near horizon and zettabytes of data projected by 2020, can we secure and control our digital processes, or are we headed for a digital train wreck?&lt;/strong&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
A. According to Gartner, there will be nearly 26 billion networked devices on the Internet of Things (IoT) by 2020. Moreover, it will keep expanding as the cost of sensors decreases and processing power and bandwidth continue to increase. The fact is that most of these IT networks will have some sort of an IoT-based security breach. We could be headed for a digital train wreck if IoT security standards are not adopted. We may have a digital train wreck even if they are adopted. Standards will have to be developed industry by industry. Protecting a network of medical devices in a hospital will require different sets of standards than protecting utilities with SCADA [supervisory control and data acquisition] systems that make up the electric grid. There are a lot of questions, including who enforces compliance? And what are the liabilities of an IoT breach?&lt;/div&gt;
&lt;table align="left" bgcolor="#C0C0C0" border="0" cellpadding="1" cellspacing="1" style="background-color: #e8e8e8; border-collapse: collapse; border-spacing: 0px; border: none !important; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 15.4px; line-height: 20.02px; margin-right: 15px; max-width: 100%; width: 45%px;"&gt;&lt;tbody style="border: none;"&gt;
&lt;tr&gt;&lt;td&gt;&lt;h3 style="background-color: #f47421; color: white; font-family: ProximaNovaThin !important; font-size: 18px !important; font-weight: normal; line-height: 24px; margin: 0px 0px 15px; padding: 8px 24px; position: relative; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
CYBERSECURITY EXPERT CHUCK BROOKS' MASTER LIST OF CYBERSECURITY TECH AREAS, PRIORITIES AND EMERGING TRENDS&lt;/h3&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
&lt;strong&gt;Emerging Technology Areas:&lt;/strong&gt;&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Internet of Things&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Wearables&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Drones and robots&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Artificial intelligence&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Smart cities&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Connected transportation&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Quantum computing&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
&lt;strong&gt;Priorities:&amp;nbsp;&lt;/strong&gt;&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Protecting critical infrastructure through technologies and Public/Private cooperation&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Better encryption and biometrics (quantum encryption, keyless authentication)&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Automated network-security correcting systems (self-encrypting drives)&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Technologies for “real-time” horizon scanning and monitoring of networks&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Diagnostics and forensics (network traffic analysis, payload analysis and endpoint behavior analysis)&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Advanced defense for framework layers (network, payload, endpoint, firewalls and antivirus)&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Mobility and BYOD security&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Big data&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Predictive analytics&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Interoperability&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
&lt;strong&gt;Trends:&lt;/strong&gt;&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Informed risk management&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Emergence of public/private sector partnerships&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// More information sharing and collaboration between the public and private sectors&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Shared R &amp;amp; D spending&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Increased spending for cloud computing&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Consolidation of data centers&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Expansion of hiring and training of cybersecurity workforce&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
&lt;/div&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
// Tech foraging&lt;/div&gt;
&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Bringing Innovation into Cyberdefense Technologies</title><link>http://stpete-smartown.blogspot.com/2016/02/bringing-innovation-into-cyberdefense_18.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Thu, 18 Feb 2016 11:25:00 -0500</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-3240294562903285465</guid><description>&lt;h1 style="background-color: white; font-family: proximanovabold; font-weight: normal; line-height: 1em; margin: 10px 0px;"&gt;
&lt;span style="font-family: &amp;quot;georgia&amp;quot; , serif; font-style: italic; line-height: 24px;"&gt;&lt;span style="font-size: small;"&gt;Hackers use innovative thinking when breaching systems, why can't government?&lt;/span&gt;&lt;/span&gt;&lt;/h1&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikkclDr5Ywr7bZr92dj__X5sshN3buOtDpQEdVMgjRteGnUqGsad-_UqfxtKFY4l7cOwLh9KW5WxJ5Vbsmz14AXs-CDf-XP0VGNNhhn4Db1-jMNzemtvcmYB56WkliVKXcAMsQ/s1600/shutterstock-U.S.-Office-of-Personnel-Management.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikkclDr5Ywr7bZr92dj__X5sshN3buOtDpQEdVMgjRteGnUqGsad-_UqfxtKFY4l7cOwLh9KW5WxJ5Vbsmz14AXs-CDf-XP0VGNNhhn4Db1-jMNzemtvcmYB56WkliVKXcAMsQ/s320/shutterstock-U.S.-Office-of-Personnel-Management.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div class="article-img-caption" style="background-color: white; color: #333333; font-family: georgia, 'times new roman', times, serif; font-size: 14px; font-style: italic; line-height: 20px; padding-top: 5px;"&gt;
&lt;div style="text-align: center;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;div class="article-img-caption" style="background-color: white; color: #333333; font-family: georgia, 'times new roman', times, serif; font-size: 14px; font-style: italic; line-height: 20px; padding-top: 5px;"&gt;
&lt;div class="separator" style="clear: both; font-size: 15.4px; font-style: normal; line-height: 20.02px;"&gt;
&lt;span style="font-family: Georgia, 'Times New Roman', Times, serif; font-size: 14px; font-style: italic; line-height: 20px;"&gt;The U.S. Office of Personnel data breach and its solution -- that is plagued with problems -- are a perfect example of inferior technologies that hackers are aware of and can penetrate.&lt;/span&gt;&lt;/div&gt;
&lt;span class="pull-right article-img-author" style="color: #737373; float: right; font-family: proximanovaregular; font-size: 0.9em; font-style: normal; text-align: center; text-transform: uppercase;"&gt;&lt;a href="http://www.shutterstock.com/gallery-566488p1.html?cr=00&amp;amp;pl=edit-00" style="color: #1d1d1d; text-decoration: none; transition: all 0.25s ease;"&gt;MARK VAN SCYOC&lt;/a&gt;&amp;nbsp;/&amp;nbsp;&lt;a href="http://www.shutterstock.com/editorial?cr=00&amp;amp;pl=edit-00" style="color: #1d1d1d; text-decoration: none; transition: all 0.25s ease;"&gt;SHUTTERSTOCK.COM&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
When I spoke on the need for cybersecurity innovation at the January ITEXPO conference in Fort Lauderdale, Fla., I sensed something interesting about my cybersecurity colleagues: They don't seem to care about innovation; they care about having a job in cybersecurity.&lt;/div&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
Unfortunately, this is a normal reaction, and has plagued both government and industry, leading to inferior cybersecurity products and deployments that may never catch up with the hacker -- unless we change our thinking.&lt;/div&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
The difference between a hacker and cybersecurity companies is that a hacker has no brand, no national loyalty, no secure employment. Hackers immediately use or develop for their purposes the best hacking technology out there. It is this same innovative thinking we must use in approaching our cyber defense technologies.&lt;/div&gt;
&lt;h3 style="color: black; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-transform: uppercase;"&gt;
HOW BIG GOVERNMENT, BIG BUSINESS STIFLE CYBERDEFENSE INNOVATION&lt;/h3&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;br /&gt;
One of the most difficult challenges in offering superior technologies to big government and big business is the massive amount of bureaucracy you must penetrate. As a cyberdefense expert and adviser, I know how to choose the best technologies while addressing the hurdles of bureaucracy. Like the hacker, I have no brands, bosses or bureaucrats influencing my objective selection (though I do admit to national loyalty as an American). I can focus on correcting cybersecurity problems and find the best in defense technologies to address them.&lt;/div&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
I have discovered that government and business are sometimes their own worst enemies. While government decisions are sometimes based on confusing politics, industry makes decisions based on a technology's return on investment or a corporate purchase that has now made a technology part of their company. This type of thinking not only delays needed new cyberdefense technologies from getting in, but can cause old technologies to be used due to political and business decisions. These inferior technologies are known and hackers can already penetrate them. A perfect example of this was the U.S. Office of Personnel (&lt;a href="https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;OPM) data breach&lt;/a&gt;&amp;nbsp;and the solution of the problem (&lt;a href="http://www.networkworld.com/article/3030028/security/dhs-einstein-firewall-fails-to-detect-94-of-threats-doesnt-monitor-web-traffic.html" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;EINSTEIN&lt;/a&gt;) that is itself plagued with problems. We need to find better ways of offering quicker technical responses to cyberdefense technologies or hackers will always be one step ahead.&lt;/div&gt;
&lt;h3 style="color: black; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-transform: uppercase;"&gt;
THINK LIKE A HACKER&lt;/h3&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
Today, if you are offering even an urgently needed technology, there are two main factors that will give you road blocks. Government is making political decisions and industry is making monetary decisions. This is the worst place to be when offering a disruptive technology but is exactly where I have been in the last few years. I use a simple formula in addressing these road blocks. One is to know your problem and predict how big it will become.&lt;a href="http://www.govtech.com/authors/Larry-Karisny.html" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;&amp;nbsp;My past articles written over a period of five years&lt;/a&gt; have given me a discipline of putting my name on not only disclosing the problem but offering some suggested solutions to the massive weaknesses we are facing in cyber defense. With limited resources this is difficult, but I have had the luxury of standing back from politics and business and staying focused on the problem and the fix, just like a hacker focuses on getting in.&lt;/div&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
Now, you can't disregard the reality of politics and business, but you must surround yourself with people who excel at such things so you can maintain your focus on correcting problems. This approach has allowed me to surround myself with the best in both technology and business.&lt;/div&gt;
&lt;h3 style="color: black; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-transform: uppercase;"&gt;
PROTECTING INNOVATION WITH INNOVATION&lt;/h3&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
In an article in&amp;nbsp;&lt;em&gt;The Wall Street Journal&lt;/em&gt;&amp;nbsp;by President Barack Obama titled, "&lt;a href="http://www.wsj.com/articles/protecting-u-s-innovation-from-cyberthreats-1455012003" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Protecting U.S. Innovation From Cyberthreats&lt;/a&gt;," both the cyber attack threats and the immediacy in addressing these threats was clear. The president’s analogy that, “government IT is like an Atari game in an Xbox world," was a perfect example of how much catch-up is required by the federal government when it comes to cyberdefense systems.&lt;/div&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
In fact, the president is pushing a new&amp;nbsp;&lt;a href="http://www.govtech.com/security/White-House-Announces-National-Cybersecurity-Action-Plan-Chief-Information-Security-Officer-Position.html" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Cybersecurity National Action Plan&lt;/a&gt;&amp;nbsp;that includes $3 billion to kick-start an overhaul of federal computer systems. This is the right move to stop the bleeding. But let's go back to the hacker: All the employment and training in the world cannot stop a hacker's millisecond attack. People don't think in milliseconds; technology does. We need to find technologies that can proactively defend in milliseconds, or we will lose our defense capabilities to the first strike capabilities of hackers. This can be done, but will require big changes in our current cyberdefense technologies; we cannot continue using the patch and pray cyberdefense systems we employ today.&lt;/div&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
The reason hackers can hack in the first place is that the&amp;nbsp;&lt;a href="https://en.wikipedia.org/wiki/Fourth-generation_programming_language" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;3rd- and 4th-generation software&lt;/a&gt;&amp;nbsp;used today can be exploited because it was made to connect and automate things -- not view or secure digital processes. The code and algorithms are, by nature, vulnerable to attacks. And new cyberdefense techniques such as analytics and business intelligence software may actually be adding to the prevalence of cyberattacks as they also run on 3rd- and 4th-generation software. In fact, my colleagues and I&amp;nbsp;have been warning that security software's use of analytics and business intelligence software will be the next attack targets. Why steal a database when you just hack the analytics and business intelligence software to see what a company is doing? We can't continue this way. We need a true paradigm shift in cyberdefense technologies.&lt;/div&gt;
&lt;h3 style="color: black; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-transform: uppercase;"&gt;
WHERE THE CYBERSECURITY INDUSTRY WENT WRONG&lt;/h3&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
There is a great article in the&amp;nbsp;&lt;em&gt;Washington Post&lt;/em&gt;&amp;nbsp;called,&amp;nbsp;&lt;a href="https://www.washingtonpost.com/graphics/national/security-of-the-internet/history/" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;"A History Internet Security&lt;/a&gt;." It gives a great snapshot of where we started with Internet security and why we have the problems we do. The lack of security was intentional. No one thought the Internet would get so big or be used in so many ways. Interestingly enough, the reason the Internet was first developed was to create a survivable network even if an atomic war occurred. The survivable network was a great idea. Offering little to no security was not.&lt;/div&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
As an independent adviser I have worked with some of the best in both technology and business. Together we have seen the problems and have again and again come back with confidence to the same solution. First and foremost, we need to understand that cyberdefense is just the viewing and auditing of selected security policies in milliseconds for a specific process. It is validating what we want to happen, not what we don't want to happen. This is how we can protect critical systems and intellectual property residing on the Internet.&lt;/div&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
The entire cybersecurity industry has been looking at cyberdefense in the wrong way and frankly has used the wrong technologies in the wrong place when addressing it. To clarify the needed changes we must make in cyberdefense technologies, my colleague&amp;nbsp;&lt;a href="http://www.opcyber.com/#!team/cjg9" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Tom Boyle, CEO of On Point Cyber, Inc.&lt;/a&gt;, commented on what the problems are, what changes must be made and how they should be implemented.&lt;/div&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;strong&gt;Q: Can you explain the problems we face when it comes to cyberdefense technologies?&lt;/strong&gt;&lt;/div&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
The proliferation of big data, the Internet of Things, cloud computing and mobile devices has created an intrusion detection environment that challenges current information security practices, if for no other reason than sheer volume of data. Detecting intrusion is akin to finding a needle in a haystack. Government and corporate leaders echo the need for a fundamentally different approach to cybersecurity, capable of sustaining the pace of cyber threats, while detecting intrusions at machine speed.&lt;/div&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;strong&gt;Q: What changes need to be made to address these weaknesses?&lt;/strong&gt;&lt;/div&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
We see an information security transformation to the process side of information technologies, and work with companies who develop these capabilities, 5GL visual languages of logic with autonomic modeling of system operations for immediate reactive cyber security. Through these technologies, the cybersecurity playing field is leveled, so defenders can stop attackers within milliseconds, at the point of attack.&lt;/div&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;strong&gt;Q: How do we get this done and done quickly?&lt;/strong&gt;&lt;/div&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
Fortunately for the United States, the Department of Homeland Security and other agencies have spearheaded cooperative research and development between private and government sectors, to readily identify and adopt new and emerging tools to secure our most critical cyber infrastructures. Now it is time to get it done.&lt;/div&gt;
&lt;h3 style="color: black; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-transform: uppercase;"&gt;
WHAT A CYBERATTACK LOOKS LIKE&lt;/h3&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
The trouble with hacking is twofold: We don’t see it, and we don’t understand how damaging it is. So first and foremost, we need to find a different word for "hacking." It is too nice a term given the devastation it causes.&lt;/div&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
I grew up in Harper Woods, Mich., and lived one block away from Detroit and one block away from Grosse Pointe Farms -- my small city sat between these two vastly different communities. The satellite photo below shows these two communities: The left depicts the complete demolition of entire neighborhoods that were knocked down for the copper in the walls. Those living on the right side -- with which my small community aligned -- didn’t steal, nor would we let people who stole into our neighborhood. We had a good police force, but frankly, the old ladies were the enforcers:&amp;nbsp;By the ear, they would walk the intruder right back to his house. Basic defense, but quite effective.&lt;/div&gt;
&lt;div class="separator" style="clear: both; font-size: 15.4px; font-style: normal; line-height: 20.02px; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh465ltqP1a68QCd-QJmMjBdlsqY50HQe9DvRew_dsBsWxo7SQSCyCGNln-9lU4mP8llASlGQ8jCzIMKiSgQpFLDY_Jw9I2Un0a4jbj5rAHL5-5SZNUlJlm89geSXtZ8t_bc2Uk/s1600/detroit%252Bborder.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="377" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh465ltqP1a68QCd-QJmMjBdlsqY50HQe9DvRew_dsBsWxo7SQSCyCGNln-9lU4mP8llASlGQ8jCzIMKiSgQpFLDY_Jw9I2Un0a4jbj5rAHL5-5SZNUlJlm89geSXtZ8t_bc2Uk/s400/detroit%252Bborder.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div class="separator" style="clear: both; font-size: 15.4px; font-style: normal; line-height: 20.02px; text-align: left;"&gt;
&lt;span style="font-size: 1.1em; line-height: 1.3em;"&gt;Cyberdefense is the right side of the picture. Cyber war or cyber offense is stealing back and forth, which in the end offers no gross national product until there is nothing left to steal. That is the left side of the picture. This is a picture of just millions lost over many years. Last year, in the private sector alone, British insurance company Lloyd's&amp;nbsp;&lt;/span&gt;&lt;a href="http://fortune.com/2015/01/23/cyber-attack-insurance-lloyds/" style="color: #f47421; font-size: 1.1em; line-height: 1.3em; text-decoration: none; transition: all 0.25s ease;"&gt;projected that more than $400 billion was lost due to cyber attacks&lt;/a&gt;&lt;span style="font-size: 1.1em; line-height: 1.3em;"&gt;.&lt;/span&gt;&lt;/div&gt;
&lt;div style="font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
Anybody got a picture for that?&lt;/div&gt;
&lt;div class="after-author-bar" style="font-family: 'arial, sans-serif'; font-size: 0.8em; font-style: normal; line-height: 20.02px; margin-top: 30px;"&gt;
&lt;div class="author-meta"&gt;
&lt;div style="font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Larry Karisny is the director of&amp;nbsp;&lt;a href="http://project%20safety.org/" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Project Safety.org&lt;/a&gt;, an advisor, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sector.&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikkclDr5Ywr7bZr92dj__X5sshN3buOtDpQEdVMgjRteGnUqGsad-_UqfxtKFY4l7cOwLh9KW5WxJ5Vbsmz14AXs-CDf-XP0VGNNhhn4Db1-jMNzemtvcmYB56WkliVKXcAMsQ/s72-c/shutterstock-U.S.-Office-of-Personnel-Management.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Cybersecurity 2016: Out with the Old, in with the New</title><link>http://stpete-smartown.blogspot.com/2016/01/cybersecurity-2016-out-with-old-in-with.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Wed, 13 Jan 2016 15:10:00 -0500</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-837356135707576988</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFaX9acAynHJo7K8kwYoaxOY7oVKv3wFKjqcX9gdVmo91YwtlV0Nbwi6hWo3c7lLNSh-SDsMAvFOuWPCPLwgF9vSZVv21zG6sqKxsy5chSZfjtMeOc8Jo9UTevtltII-Czx2SZ/s1600/shutterstock-cybersecurity-2016.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFaX9acAynHJo7K8kwYoaxOY7oVKv3wFKjqcX9gdVmo91YwtlV0Nbwi6hWo3c7lLNSh-SDsMAvFOuWPCPLwgF9vSZVv21zG6sqKxsy5chSZfjtMeOc8Jo9UTevtltII-Czx2SZ/s320/shutterstock-cybersecurity-2016.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;h3 class="subhead" style="background-color: white; font-family: georgia, serif; font-style: italic; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-bottom: 20px; text-rendering: optimizeLegibility;"&gt;
&lt;span style="font-size: small;"&gt;The costs of cyberattacks have significantly affected corporate bottom lines, and nation-state attacks have threatened the security of entire countries, renewing the focus on and demand for cyberdefense.&lt;/span&gt;&lt;/h3&gt;
&lt;h5 class="author-detail" style="background-color: #ebedef; color: #333333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; font-weight: normal; line-height: 20px; margin: 10px 0px; padding: 4px 8px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
&lt;span class="author" style="font-weight: bold;"&gt;BY&amp;nbsp;&lt;a href="http://www.govtech.com/authors/Larry-Karisny.html" rel="author" style="color: #1d1d1d; text-decoration: none; transition: all 0.25s ease;"&gt;LARRY KARISNY&lt;/a&gt;&amp;nbsp;&lt;/span&gt;&lt;span class="orange-highlight" style="color: #f47421;"&gt;/&amp;nbsp;&lt;/span&gt;&lt;span class="date"&gt;JANUARY 13, 2016&lt;/span&gt;&lt;/h5&gt;
&lt;h3 class="subhead" style="background-color: white; font-family: georgia, serif; font-style: italic; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-bottom: 20px; text-rendering: optimizeLegibility;"&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small;"&gt;In 2015, we determined that the important criteria of cybersecurity include the need for proactive defensive approaches, what weaknesses exist in current cybersecurity technologies, how even billion-dollar systems are being hacked, the current and future dangers if we don't fix these problems, and the need to do this all in milliseconds.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small;"&gt;To tackle all of this is a tall order, but as I will discuss in my opening session on Jan. 26 during the four-day ITEXPO in Fort Lauderdale, Fla., we&amp;nbsp;&lt;em&gt;can&amp;nbsp;&lt;/em&gt;do this. And here's a sneak preview.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-family: georgia, serif; font-size: small; line-height: 24px; text-transform: uppercase;"&gt;DATA TRANSMISSION HISTORY: WE STARTED OFF GREAT&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small; line-height: 1.3em;"&gt;When data communications started, the&lt;/span&gt;&lt;span style="font-size: small; line-height: 1.3em;"&gt;&amp;nbsp;&lt;/span&gt;&lt;a href="https://en.wikipedia.org/wiki/X.25" style="color: #f47421; font-size: medium; line-height: 1.3em; text-decoration: none; transition: all 0.25s ease;"&gt;X.25&lt;/a&gt;&lt;span style="font-size: small; line-height: 1.3em;"&gt;&amp;nbsp;&lt;/span&gt;&lt;span style="font-size: small; line-height: 1.3em;"&gt;protocol — one of the first packet-switching data transmission services ever used — was transmitted over plain old telephone system (POTS) lines or private point-to-point lines. At the time, analog phone lines were prone to interference that often would drop data before being received at the transmission endpoint. To eliminate this possibility, an auditing system validated 8-bit packets that were placed in the data transmission's footer and header. This packet would then be audited and confirmed at both ends of the transmission.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small; line-height: 1.3em;"&gt;Believe it or not, this was one of the most secure data communication systems ever developed. So what happened?&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small; line-height: 1.3em;"&gt;The 8-bit packets transmitted in the X.25 protocol, however, pale in comparison to the terabytes of information that pass through our information networks today. Though this ultimately is a problem, it remains one of the principles behind today's deep packet inspection. When I talked to X.25 engineers back then, they knew that the desire for more connectivity and data on networks overcame the need for security. This is what really led to the Internet. We needed to find a way to rapidly and economically move all this data over a shared network. The need to distribute information quickly and economically on a network was the first priority, as security and auditing the information became an afterthought. Understanding this, we can realize why we are using network connection mediums that had known security issues, as did the software that these networks and applications ran on. These vulnerabilities led to a lot of work done on the network layer of cybersecurity with some success. The real danger in cyberattacks, though, lies not in the network but the software, and more importantly in the processes used in our day-to-day information technologies. This is where the hackers are getting in and can be viewed. This is where we must focus if we are to defend and future-proof information security processes.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-family: georgia, serif; font-size: small; line-height: 24px; text-transform: uppercase;"&gt;THE INSATIABLE DESIRE FOR MORE SOFTWARE, DATA&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small; line-height: 1.3em;"&gt;Though the term "big data" was a tad overused in recent years, I love it. And when it comes to data, the priority has always been connecting and using data efficiencies — which is why security was pushed to the back burner. The cybersecurity risk analysis dilemma continues to be this: We can make this much this quarter if we use this software, and we can use the efficiency of the Internet to distribute it globally.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small; line-height: 1.3em;"&gt;From corporations that can add millions to their bottom line to government's struggle with security versus wanting a backdoor in, the insecurity of cybersecurity in the past may have held more value than actually having security.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small; line-height: 1.3em;"&gt;Things have changed, though.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small; line-height: 1.3em;"&gt;The costs of cyberattacks have significantly affected corporate bottom lines, and nation-state attacks have threatened the security of entire countries, renewing the focus on and demand for cyberdefense.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small; line-height: 1.3em;"&gt;In today's IT utility processes, the third- and fourth-generation language software we use links to other software and data to achieve the desired digital processes. These actions are then historically saved in a data log. Current cybersecurity technologies have historically viewed these logs to determine if the system is running properly or if there has been a potential exploit. But finding potential flaws can take days, months, even years of manual subjective analysis. If a system breach is found, a software patch is typically put in the system utility — and this is the window of opportunity a hacker leverages, and will continue to leverage, unless targeted security process policies can be audited in front of the utility system processes.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small; line-height: 1.3em;"&gt;We need to move beyond the utility approach of connecting and moving data from one place to another toward viewing and auditing actual systems process events in real time. We cannot audit algorithms or software in milliseconds, as there is too much data that is ever-increasing in complexity. Auditing software and data at the utility level is too complicated and slow, so to achieve real-time cyberdefense, we must change the way we view and audit targeted system security policies in specific digital process ecosystems proactively.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small; line-height: 1.3em;"&gt;New approaches are now being hailed by research organizations and standards groups in both the public and private sectors, which also are promoting and investing in this needed cybersecurity paradigm shift. We must move quickly in deploying these new technologies because as cyberattack predictions go, the worst seems yet to come.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-family: georgia, serif; font-size: small; line-height: 24px; text-transform: uppercase;"&gt;WHY OUR CYBERDEFENSE APPROACH MUST CHANGE NOW&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small; line-height: 1.3em;"&gt;When it comes to cyberattacks, we are faced with two simple facts: Current cyberattacks are increasing, and we are going to connect many more things to the Internet. In fact, research firm Gartner predicts that in 2016,&lt;/span&gt;&lt;span style="font-size: small; line-height: 1.3em;"&gt;&amp;nbsp;&lt;/span&gt;&lt;a href="http://www.gartner.com/newsroom/id/3165317" style="color: #f47421; font-size: medium; line-height: 1.3em; text-decoration: none; transition: all 0.25s ease;"&gt;there will be 6.8 billion connected devices&lt;/a&gt;&lt;span style="font-size: small; line-height: 1.3em;"&gt;&amp;nbsp;&lt;/span&gt;&lt;span style="font-size: small; line-height: 1.3em;"&gt;in use — a 30 percent increase over 2015. By 2020, that number will jump to more than 20 billion.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small; line-height: 1.3em;"&gt;Cybersecurity experts cite attempted&lt;/span&gt;&lt;span style="font-size: small; line-height: 1.3em;"&gt;&amp;nbsp;&lt;/span&gt;&lt;a href="http://www.cnbc.com/2015/12/28/biggest-cybersecurity-threats-in-2016.html" style="color: #f47421; font-size: medium; line-height: 1.3em; text-decoration: none; transition: all 0.25s ease;"&gt;cyberattacks at about 500,000 attacks per minute&lt;/a&gt;&lt;span style="font-size: small; line-height: 1.3em;"&gt;, and the number of connected devices presents an even greater opportunity for hackers. Trying to defend from cyberattacks using current cybersecurity technologies is no longer feasible. We have neither the people nor the time to defend ourselves against the onslaught. We must drastically automate our cyberdefense approaches or hackers will have too many opportunities to strike — and at best, we will always be caught in patch-and-pray cybersecurity catch-up.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small; line-height: 1.3em;"&gt;We need to understand software processing languages and business processes if we are really to understand the issues with cybersecurity today. Hackers manipulate software and can change the desired digital process action to their benefit — and can activate these changes in milliseconds.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small; line-height: 1.3em;"&gt;Whether a network or specific data process application is in use, it all basically runs on software that activates specifically designed processes. From flooding attack points with terabytes of data creating denial of service to tricking employees to accessing centralized data at rest databases, hackers use software as their real-time attack tool — while current cyberdefense solutions often are blind to what is occurring. Thus, the hacking must be addressed by viewing and auditing the critically targeted security policies the event caused by taking action — action that occurs through the use of software, not software or IT utility itself. To do this, our focus must shift from viewing and auditing the IT&amp;nbsp;utility function run today to a more process-focused approach. We must shift our focus from technical assets to critical business processes.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-family: georgia, serif; font-size: small; line-height: 24px; text-transform: uppercase;"&gt;CALLING FOR CHANGE IN CYBERDEFENSE&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small; line-height: 1.3em;"&gt;In 2015, some very promising things occurred as far as addressing the known and future problems with our cyberdefense strategies. Many organizations — including the Defense Advanced Research Projects Agency (DARPA), the National Institute of Standards and Technology (NIST), the Institute of Electrical and Electronics Engineers (IEEE), and RSA Security — have been looking at technologies that offer microsecond viewing and auditing intelligence outside of utility function of today's IT processes. These new approaches are more focused on&lt;/span&gt;&lt;span style="font-size: small; line-height: 1.3em;"&gt;&amp;nbsp;&lt;/span&gt;&lt;em style="font-size: medium; line-height: 1.3em;"&gt;what&amp;nbsp;&lt;/em&gt;&lt;span style="font-size: small; line-height: 1.3em;"&gt;is happening in workflow security policies rather than&lt;/span&gt;&lt;span style="font-size: small; line-height: 1.3em;"&gt;&amp;nbsp;&lt;/span&gt;&lt;em style="font-size: medium; line-height: 1.3em;"&gt;how&amp;nbsp;&lt;/em&gt;&lt;span style="font-size: small; line-height: 1.3em;"&gt;the utility system processes happen.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small; line-height: 1.3em;"&gt;To understand the importance of this new cyberdefense paradigm, I pose this question: How do you stop a hidden encrypted cyberattack exploit already in your system?&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small; line-height: 1.3em;"&gt;The answer to this shows us why we are always trying to put the wrong cyberdefense technologies at the wrong place at the wrong time. The only way you can stop this attack is by allowing the hacker to activate the exploit and stop it in milliseconds before it disrupts system security policies. This requires a new way of looking at information processes security — and major organizations are beginning to understand the need for these changes.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small; line-height: 1.3em;"&gt;NIST has done a good job of getting organizations, specifically in critical infrastructure,&lt;/span&gt;&lt;span style="font-size: small; line-height: 1.3em;"&gt;&amp;nbsp;&lt;/span&gt;&lt;a href="http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf" style="color: #f47421; font-size: medium; line-height: 1.3em; text-decoration: none; transition: all 0.25s ease;"&gt;to find and define both their cyberdefense vulnerability and to establish specific security policies&lt;/a&gt;&lt;span style="font-size: small; line-height: 1.3em;"&gt;&amp;nbsp;&lt;/span&gt;&lt;span style="font-size: small; line-height: 1.3em;"&gt;in addressing these potential points of breach.&lt;/span&gt;&lt;/div&gt;
&lt;/h3&gt;
&lt;h3 class="subhead" style="background-color: white; font-family: georgia, serif; font-style: italic; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-bottom: 20px; text-rendering: optimizeLegibility;"&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small;"&gt;DARPA has done a good job in calling attention to these security policies in which events may be the function of a microsecond machine actions and, in turn,&amp;nbsp;&lt;a href="http://www.govtech.com/dc/articles/DARPA-Director-Calls-for-Cybersecurity-Change.html" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;must be defended in microseconds&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small;"&gt;RSA is convinced we need to move from technical utility assets to a critical process approach by establishing&amp;nbsp;&lt;a href="https://www.emc.com/collateral/white-papers/h12622-rsa-future-proofing-processes.pdf" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;business-centric risk assessment processes to transform information security&lt;/a&gt;, while the IEEE is focused on a similar approach it calls&amp;nbsp;&lt;a href="http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=1625287&amp;amp;queryText=Model-Driven&amp;amp;newsearch=true" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;model-driven security&lt;/a&gt;. Even the recently passed Cybersecurity Information Sharing Act of 2015 has emphasized the need for DHS to establish a&amp;nbsp;&lt;a href="https://www.congress.gov/bill/114th-congress/senate-bill/754" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;pilot to test and deploy advanced technologies&lt;/a&gt;&amp;nbsp;to improve detection and prevention.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small;"&gt;This is a good start to finding new approaches to cybersecurity — approaches that must be put in place if we are to deploy the effective cyberdefense capabilities we so desperately need today.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: small;"&gt;I will be discussing these new approaches in more detail in my&amp;nbsp;&lt;a href="http://itexpo.tmcnet.com/east/conference-program.aspx" style="color: #f47421; text-decoration: none;"&gt;ITEXPO security session opening later this month&lt;/a&gt;. Hope to see you there.&lt;/span&gt;&lt;/div&gt;
&lt;/h3&gt;
</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFaX9acAynHJo7K8kwYoaxOY7oVKv3wFKjqcX9gdVmo91YwtlV0Nbwi6hWo3c7lLNSh-SDsMAvFOuWPCPLwgF9vSZVv21zG6sqKxsy5chSZfjtMeOc8Jo9UTevtltII-Czx2SZ/s72-c/shutterstock-cybersecurity-2016.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Cybersecurity: A Millisecond Defense</title><link>http://stpete-smartown.blogspot.com/2015/11/cybersecurity-millisecond-defense.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Wed, 18 Nov 2015 11:41:00 -0500</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-4428095618217415548</guid><description>&lt;h5 class="author-detail" style="background-color: #ebedef; color: #333333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; font-weight: normal; line-height: 20px; margin: 10px 0px; padding: 4px 8px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
&lt;span class="author" style="font-weight: bold;"&gt;BY&amp;nbsp;&lt;a href="http://www.govtech.com/authors/Larry-Karisny.html" rel="author" style="color: #1d1d1d; text-decoration: none; transition: all 0.25s ease;"&gt;LARRY KARISNY&lt;/a&gt;&amp;nbsp;&lt;/span&gt;&lt;span class="orange-highlight" style="color: #f47421;"&gt;/&amp;nbsp;&lt;/span&gt;&lt;span class="date"&gt;NOVEMBER 12, 2015&lt;/span&gt;&lt;/h5&gt;
&lt;h3 class="subhead" style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-style: italic; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-bottom: 20px; text-rendering: optimizeLegibility;"&gt;
From access to activation, we pass through multiple digital ecosystems with devices that can be used to hack unrelated digital system processes in a millisecond.&lt;/h3&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlh3QGktqXl0yYeAsjNVwtGPgw2EJgZvkM5ntJla48hughYbCTnUb23gRaq_3e2jBKm2830zyv1pVcrmcXkCIOCQi1BxDhhFLHW0BScVCBXi46smjoK0N72IdmwSVAima8TI_E/s1600/shutterstock-cyberspace-technology-abstract+%25281%2529.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlh3QGktqXl0yYeAsjNVwtGPgw2EJgZvkM5ntJla48hughYbCTnUb23gRaq_3e2jBKm2830zyv1pVcrmcXkCIOCQi1BxDhhFLHW0BScVCBXi46smjoK0N72IdmwSVAima8TI_E/s400/shutterstock-cyberspace-technology-abstract+%25281%2529.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
When it comes to recent cybersecurity talks, the prevalent theme seemed to be, “We know we need to do something, but what?”&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
The recurring questions are: Where do we start, and how fast do we need to react to stop cyberattacks? What's become quite clear is that if we are to secure our digital world, we need to do it with technologies that run as fast as the networks and applications in which they operate — in milliseconds.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;/div&gt;
&lt;div class="embed-related grey-text-block hidden-phone" style="background-color: #d9d9d9; color: #333333; float: right; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 15.4px; line-height: 20.02px; margin: 0px 0px 15px 15px; width: 220px;"&gt;
&lt;h2 style="background: none; border-bottom-color: rgb(244, 116, 33); border-bottom-style: solid; border-bottom-width: 5px; font-family: ProximaNovaRegular; font-size: 1.4em; font-weight: normal; line-height: 1em; margin: 0px 0px 15px; padding: 8px 15px; position: relative; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
RELATED&lt;/h2&gt;
&lt;ul style="font-size: 1.1em; line-height: 1.3em; list-style-type: none; margin: 0px 5px 10px 15px; padding: 0px;"&gt;
&lt;li style="line-height: 20px; padding-bottom: 15px;"&gt;&lt;a data-item-id="351178971" href="http://www.govtech.com/public-safety/Britain-Boosts-Cybersecurity-Drone-Program-as-ISIS-Debate-Swells-Worldwide.html?utm_source=related&amp;amp;utm_medium=direct&amp;amp;utm_campaign=Britain-Boosts-Cybersecurity-Drone-Program-as-ISIS-Debate-Swells-Worldwide" style="color: black; font-family: proximanovabold; text-decoration: none; transition: all 0.25s ease;"&gt;Britain Boosts Cybersecurity, Drone Program as ISIS Debate Swells Worldwide&lt;/a&gt;&lt;/li&gt;
&lt;li style="line-height: 20px; padding-bottom: 15px;"&gt;&lt;a data-item-id="350680491" href="http://www.govtech.com/security/Simulated-Cyberattack-Trains-State-City-Employees-to-Protect-Bostons-Networks.html?utm_source=related&amp;amp;utm_medium=direct&amp;amp;utm_campaign=Simulated-Cyberattack-Trains-State-City-Employees-to-Protect-Bostons-Networks" style="color: black; font-family: proximanovabold; text-decoration: none; transition: all 0.25s ease;"&gt;Simulated Cyberattack Trains State, City Employees to Protect Boston’s Networks&lt;/a&gt;&lt;/li&gt;
&lt;li style="line-height: 20px; padding-bottom: 15px;"&gt;&lt;a data-item-id="338552922" href="http://www.govtech.com/security/Controversial-Cybersecurity-Bill-Moves-Forward.html?utm_source=related&amp;amp;utm_medium=direct&amp;amp;utm_campaign=Controversial-Cybersecurity-Bill-Moves-Forward" style="color: black; font-family: proximanovabold; text-decoration: none; transition: all 0.25s ease;"&gt;Controversial Cybersecurity Bill Moves Forward&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Repeated time and again in recent discussions is the need for proactive defensive measures in cybersecurity — and how quickly they must react to stop today's hacker. Even the language in the new&amp;nbsp;&lt;a href="http://www.govtech.com/security/Controversial-Cybersecurity-Bill-Moves-Forward.html" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;cybersecurity bill&lt;/a&gt; seems to fall short of true cybersecurity protection, as it is based more on the sharing of information to assist in the detection and recovery of a cyberattack than on a proactive cybersecurity solution that would stop the attack.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
And this leads to a few important questions: Is there a big disconnect between the public and the private sectors when it comes to what cybersecurity is supposed to achieve? If so, what is that disconnect, and how can we move forward?&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-family: georgia, serif; font-size: 1.2em; line-height: 24px; text-align: center; text-transform: uppercase;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-family: georgia, serif; font-size: 1.2em; line-height: 24px; text-align: center; text-transform: uppercase;"&gt;THE SECTOR MISSIONS OF CYBERSECURITY ARE DIFFERENT&lt;/span&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
The way the public sector reacts to a cyberattack is much different from how the private sector reacts. When the public sector responds to an attack, officials immediately disclose the attack in order to obtain additional funds to fix it. In the private sector, however, officials don't want to disclose the attack because the company will take a stock hit — which would reduce revenue sources that could be used to fix the problem.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
The public sector typically looks at problems after they've occurred and then tries to get funding to analyze the size of the problem and how to control it. The private sector tries to immediately address the problem, running it through a risk management process to evaluate how expensive it is and how much it will cost to fix.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Even private-sector technology providers' loyalties differ compared to their counterparts in the public sector. This was clear when 22 of the largest tech companies were&amp;nbsp;&lt;a href="http://www.theguardian.com/technology/2015/oct/21/apple-google-and-twitter-among-22-tech-companies-opposing-cisa-bill" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;firmly against the controversial Cybersecurity Information Sharing Act&lt;/a&gt;&amp;nbsp;(CISA) due to their customers' privacy concerns. Knowing this, the passing of the recent cybersecurity bill by the U.S. Senate explains clearly why there is so much opposition between the two sectors: They haven't been on the same page from the start, because they serve different customers and operate their organizations very differently. We spend a lot of time and money in cybersecurity only to be left with technologies that potentially deter attacks or historically define when and how the attack occurred.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Keith Alexander, a retired U.S. Army general and founder and CEO of IronNet Cybersecurity, made two straightforward comments about cybersecurity in a keynote address at the University of South Florida Cybersecurity Center Annual Conference earlier this year: “Our current cybersecurity technologies don't work," he said, and, "we need to focus on proactive defensive cybersecurity technologies."&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Although Alexander called CISA “a good start,” the bill is now reaching its fifth year trying to get approval. It will then take years of public/private breach information-sharing before cyberattack improvements would be realized. Many are saying that passing this cybersecurity bill has taken so long that the&amp;nbsp;&lt;a href="http://www.nytimes.com/2015/10/28/us/politics/senate-approves-cybersecurity-bill-despite-flaws.html?_r=0" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;solutions suggested in the bill for addressing cyberattacks are now obsolete&lt;/a&gt;.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
In an&amp;nbsp;&lt;a href="http://www.businessinsurance.com/article/20151108/NEWS06/311089983" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;article focusing on cybersecurity insurance&lt;/a&gt;, Scott L. Vernick, a partner at Fox Rothschild LLP in Philadelphia, called cyberlegislation a good first step, but “we shouldn't get carried away” about what it can and cannot accomplish given that cyberattackers “are changing what they're doing in milliseconds.”&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
The private sector's response to leading-edge cybersecurity technologies is not much better. Combine private-sector technology purchases with product lifecycle time frames, and it's nearly a guarantee that the "security" in cybersecurity will always be behind the curve. Both the public and private sectors are at fault here; they are more the reason for a lack of cybersecurity defensive technologies than part of the solution.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
So where is the disconnect in truly understanding how to achieve superior cybersecurity solutions and rapidly offer leading-edge services that work?&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
HACKERS ARE NOT OBSOLETE&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
When a large technology company or government research group evaluates a proof of concept for a fix to cyberattacks, that fix is immediately met with resistance, even if the technology works. From the government side, the question is how that technology could work with technologies in already-funded programs — technologies that may be inferior, or even obsolete. These technologies are funded by big research grant monies that take so much time to get approved that the money and studies continue flowing even if the technology is going in the wrong direction.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Those in the corporate world may be caught between having a superior technology and needing to recoup the investment in an inferior technology before that superior tech can be allowed in. And because years pass between these decisions being made, hackers have plenty of time to change their game plans. As these delays continue, hackers have time to obtain information from government entities, standards groups and corporate product releases that disclose what they're doing. So as big government and big business stifle new ideas in defense cybersecurity technologies, hackers can continually place themselves ahead of the obsolescence curve — always putting themselves in the position of cyberattack innovator.&amp;nbsp;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Large organizations also have a need to centralize cybersecurity technologies for control and profit. This is the main reason for standards groups and open architectures that can put a thousand eyes on a particular cybersecurity architecture. There is value in these standards, but cybersecurity works at a very granular level — right down to individual, location and processes of the digital technology used. Essentially, use of the same cybersecurity solution may greatly differ depending on who, where, what and why it is used.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Most cybersecurity technologies are focused on protection and prevention by analyzing historically logged digital analysis techniques while adding access and encryption techniques for intrusion prevention. In reality, what's needed are technologies that audit in real time the uniquely targeted security policies and events of a particular process or ecosystem that often occur in milliseconds. This millisecond requirement has been echoed by both&amp;nbsp;&lt;a href="http://www.govtech.com/dc/articles/DARPA-Director-Calls-for-Cybersecurity-Change.html" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Arati Prabhakar&lt;/a&gt;, director of the Defense Advanced Research Projects Agency (DARPA), and an IEEE citation by the Department of Homeland Security's Peter Fonash and Phyllis Schneck in &lt;a href="http://www.computer.org/csdl/mags/co/2015/01/mco2015010042-abs.html" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;&lt;em&gt;Cybersecurity: From Months to Milliseconds&lt;/em&gt;&lt;/a&gt;. This need is now being demanded as a proactive cybersecurity requirement echoed by many industry and government leaders.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
As a cybersecurity advisor, I have proposed the need for this millisecond cyberdefense capability — and I've found working and patented technologies available and ready for use to address this requirement. These technologies were already lab tested and are well beyond proof of concept; they are ready for targeted deployment. What my associates and I struggle with, as do many innovative idea companies, is how to get this information out and technologies deployed within the established bureaucracies in both the public and private sectors.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
If even working solutions can't find a rapid process of evaluation, hackers will always maintain the technological advantage. Do you think hackers submit proof of concept to bureaucratic oversight groups to see if their stuff works? Of course not. They just do it and see if it works; they aren't waiting for someone’s permission. And if we are to close the innovation window between needed cyberdefense technologies and advanced cyberattack technologies, we must find avenues of testing and deploying cyberdefense technologies in the same manner.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
CYBERSECURITY BILLS VS. REAL-TIME CYBERSECURITY&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
The process of evaluating hackers by determining how they hacked somebody is flawed. For starters, it takes too long to share the data without potentially disclosing personal information not related to the breach, as the scrubbing of non-pertinent private information could take months. By that time, the hacker has already morphed a new version of its cyberbreach exploit, which means those trying to protect against these attacks will just be playing catch-up.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
We must focus on cybertechnologies that define the correct digital actions taking place and audit these events as they are used — which means tackling them in the millisecond windows in which our digital systems operate.&amp;nbsp;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
When it comes to cybersecurity, many recurring facts are oddly misunderstood. For starters, cybersecurity is local and it is often human-initiated, but then it operates as a microsecond machine-to-machine action that often cannot be traced.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
From access to activation, we pass through multiple digital ecosystems with devices that can be leveraged to hack unrelated digital system processes in a millisecond. With millions more digitally enhanced devices projected in the near future, we need to effectively focus on authenticating, viewing, auditing or blocking these millisecond machine actions as they relate to the security policies of our accepted processes and digital ecosystems.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
This is the reality of the millisecond machine action cyberworld we live in today — it's one that is rapidly growing, adding the potential of many more system breaches. If we are to enjoy the amazing digital technologies of today and the many more on our doorstep, we must find and deploy millisecond technologies that can defend against cyberattacks ahead of the hacker.&lt;/div&gt;
</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlh3QGktqXl0yYeAsjNVwtGPgw2EJgZvkM5ntJla48hughYbCTnUb23gRaq_3e2jBKm2830zyv1pVcrmcXkCIOCQi1BxDhhFLHW0BScVCBXi46smjoK0N72IdmwSVAima8TI_E/s72-c/shutterstock-cyberspace-technology-abstract+%25281%2529.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>We Need a Cybersecurity Approach That Is Proactive, Agile, Adaptive</title><link>http://stpete-smartown.blogspot.com/2015/10/we-need-cybersecurity-approach-that-is.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Thu, 15 Oct 2015 01:11:00 -0400</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-8619554628413313786</guid><description>&lt;div class="separator" style="clear: both; text-align: left;"&gt;
&lt;span style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-style: italic; line-height: 24px;"&gt;Before delivering a keynote at the Florida Center for Cybersecurity 2015 Annual Conference, former NSA Director Keith Alexander spoke about his new startup and the direction cybersecurity must take to be successful.&lt;/span&gt;&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: left;"&gt;
&lt;span style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-style: italic; line-height: 24px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_0LTpBk9R7lcSpQJ9RZrKNGAe9zczsUu8lfCzJ-m5mxHkENwdj7JR1FvX96MynNQHiSSD3X4XSy6bWleduNfXajqerI0o__kXVRfR-qqJyagc1RfkXam00-rupWH8St-7Fjcb/s1600/Gen-Keith-Alexander-lkarisny.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_0LTpBk9R7lcSpQJ9RZrKNGAe9zczsUu8lfCzJ-m5mxHkENwdj7JR1FvX96MynNQHiSSD3X4XSy6bWleduNfXajqerI0o__kXVRfR-qqJyagc1RfkXam00-rupWH8St-7Fjcb/s400/Gen-Keith-Alexander-lkarisny.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
In June of 2013, privacy advocate Edward Snowden&amp;nbsp;&lt;a href="http://www.govtech.com/videos/252334451.html" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;exposed&lt;/a&gt;&amp;nbsp;the National Security Agency's mass surveillance efforts — and it was during this time that&amp;nbsp;Keith Alexander, a retired four-star general of the United States Army, served as the NSA's director. On March 28, 2014, after leading the agency through one of the toughest periods in its history, Alexander retired from his post.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
During this time, Alexander also served as commander of United States Cyber Command. And when he spoke at the 2013 Black Hat USA conference, he spoke about how as our dependence on information networks increases, it will take a team to eliminate vulnerabilities and counter the ever-growing threats to the network.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
"We can succeed in securing it by building strong partnerships between and within the private and public sectors, encouraging information sharing and collaboration, and creating and leveraging the technology that affords us the opportunity to secure cyberspace,"&amp;nbsp;he said.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Now, as CEO of IronNet Cybersecurity, which offers an integrated, end-to-end approach to cybersecurity, Alexander is working to fill in a critical gap between cyberthreats and available security technology. Before delivering his keynote speech at the&amp;nbsp;&lt;a href="http://www.usf.edu/cybersecurity/outreach/events-new.aspx" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Florida Center for Cybersecurity 2015 Annual Conference&lt;/a&gt;, he sat down with me to answer a few questions.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;strong&gt;Q: &amp;nbsp;In the cybersecurity industry, we call it the Wild Wild West. Did you ever think it was going to get this wild?&lt;/strong&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
A: In 2007, after the distributed denial-of-service attack by Russian “hackers,” we predicted that the numbers of exploits and attacks would increase significantly, and we have seen just that. It is my personal assessment that these attacks will gain momentum as crises throughout the world evolve, especially in the Ukraine and Middle East.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;strong&gt;Q. &amp;nbsp;Recent attacks by China caused tense discussions in a recent U.S. visit by Chinese President Xi Jinping. You had warned of these state-sponsored attacks for years. Will the resulting U.S.-China cybersecurity agreement have an impact in cyberattacks or is there more needed&lt;em&gt;?&lt;/em&gt;&lt;/strong&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
A: Clearly there will be a significant need for more discussion and talks at every level — political, military and commercial. President Obama and President Xi Jinping have taken an important first step. We must now all help push this forward. In addition, we should concurrently work to improve our own defenses.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;strong&gt;Q. &amp;nbsp;You are now CEO of a startup cybersecurity company, IronNet. How do your responsibilities differ from the past and what similarities are you seeing?&lt;/strong&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
A: As commander of U.S. Cyber Command, my most important mission was to defend our nation from cyberattacks from our adversaries. I no longer have that responsibility. As the director of the National Security Agency, I was responsible for providing information on those attacking and exploiting our nation in cyberspace, providing intelligence to our national leaders and the Armed Forces, especially those in combat. &amp;nbsp;And I was responsible, along with a great government team, in keeping our nation safe from terrorist attacks. The greatest privilege and honor I have had in my lifetime was leading the great military and civilian personnel at USCYBERCOM and NSA.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
As the CEO of a cybersecurity company, we can continue the mission in cyberspace by providing key capabilities to the commercial sector and to the government to help them defend their networks. Cybersecurity requires a team effort — between government and industry, and with our allies. &amp;nbsp;It is an honor to continue to serve and support this national effort in this new capacity.&lt;strong&gt;&lt;/strong&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;strong&gt;Q: You have led some of the largest agencies in the federal government. As a startup, how difficult is it to get through these bureaucracies, and should industries like the ever-changing cybersecurity industry be addressed differently?&lt;em&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
A: I have focused on working with the commercial sector as my top priority for a host of reasons. &amp;nbsp;I think we can help provide a more defensible architecture and prepare the commercial sector for the time when cyberlegislation is approved and the sharing of cyberinformation can really flow.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;strong&gt;Q. Cybersecurity software-as-a-service (CSaaS) is a new approach that is just beginning to catch on. This is a major focus of your new company. Can you tell us some of the advantages of CSaaS over typical cybersecurity offerings?&amp;nbsp;&lt;/strong&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
A. IronNet deploys a minimal set of hardware at customer locations. Software and services are provided out of our Security Operations Center (SOC), where we efficiently manage resources and capacity. Similar to the neighborhood watch concept, the SOC detects and mitigates threats within and across business sectors using a suite of technologies we call IronDome.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;strong&gt;Q. We seem to be stuck with some older cybersecurity technologies that just can’t support us now or into the future. We are constantly playing catch-up with what the industry calls “patch and pray” reactionary cybersecurity rather than deploying needed real-time proactive cybersecurity. Are there any new technologies or approaches you see that will support these needed proactive cybersecurity services?&lt;/strong&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
A: We need to move now to a new approach to cybersecurity — an approach that is proactive, agile and adaptive. The old reactive methods, which are based on static perimeter defenses, are not sufficient. Innovative approaches begin with the capability to have visibility across a company’s network, and this visibility needs to be in real time. Then, with this visibility, we can see how machines and people behave on the network, and we can identify changes in behavior. It is these changes in behavior that allow us to identify malicious activity and cyberattacks — and then to take steps necessary to protect a company’s network and data.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;strong&gt;Q. What will be the focus of your Keynote Address in Tampa at the Florida Center for Cybersecurity 2015 Annual Conference this month?&amp;nbsp;&lt;/strong&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
A: Three key areas — the rapid evolution of technology, the evolution of threats in cyberspace and a roadmap to the future.&lt;/div&gt;
</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_0LTpBk9R7lcSpQJ9RZrKNGAe9zczsUu8lfCzJ-m5mxHkENwdj7JR1FvX96MynNQHiSSD3X4XSy6bWleduNfXajqerI0o__kXVRfR-qqJyagc1RfkXam00-rupWH8St-7Fjcb/s72-c/Gen-Keith-Alexander-lkarisny.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Cyberattacks: The Danger, the Cost, the Retaliation</title><link>http://stpete-smartown.blogspot.com/2015/09/cyberattacks-danger-cost-retaliation.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Sat, 12 Sep 2015 02:54:00 -0400</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-838181359456387101</guid><description>&lt;div class="pull-right" style="background-color: white; color: #333333; float: right; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 15.4px; line-height: 20.02px; padding: 0px 0px 5px 15px; width: 323.328px;"&gt;
&lt;img alt="cyberattacks, IT security" border="0" class="article-thumbnail img-responsive" src="http://media2.govtech.com/images/319*800/shutterstock-cyberattacks-IT-security-.jpg" data-pin-no-hover="true" height="800" style="border: 0px; height: auto; max-width: 100%; vertical-align: middle; width: 323.328px;" title="cyberattacks, IT security" width="319" /&gt;&lt;span class="article-thumb-caption" style="font-style: italic; padding-top: 5px;"&gt;&lt;/span&gt;&lt;span class="pull-right article-thumb-credit" style="color: #737373; float: right; font-family: proximanovaregular; font-size: 0.9em; text-transform: uppercase;"&gt;&lt;a href="http://www.shutterstock.com/" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;" target="_blank"&gt;SHUTTERSTOCK&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
From hacking cars to stealing state secrets and instances of retaliation, there is a real-world awakening to just how expensive and dangerous it is to recover from a cyberattack.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Cybersecurity companies make billions of dollars in patching and reacting to the problem, but customers want proactive cybersecurity — not reactive analysis and temporary repairs. There are reasons this is not happening, and we must redirect both money and thinking in order to put the cybersecurity industry on the right track.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
TODAY'S CYBERSECURITY BUSINESS: BAD START AND NEEDED CHANGE&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
When cybersecurity becomes a business rather than true protection, we have a problem. Unfortunately this is what it's become, and though some are calling it a&amp;nbsp;&lt;a href="http://thenextweb.com/insider/2015/07/02/the-cybersecurity-industrys-billion-dollar-scam/" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;flat-out scam&lt;/a&gt;, I&amp;nbsp;wouldn't necessarily go that far.&lt;br /&gt;
&lt;span style="background-color: transparent; color: #333333; font-size: 1.1em; line-height: 1.3em;"&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style="background-color: transparent; color: #333333; font-size: 1.1em; line-height: 1.3em;"&gt;There is so much vulnerability in networks and application software that even good cybersecurity developers are working with one hand tied behind their back. This has led to a hack-and-patch cybersecurity business that is a reactionary temporary repair — not an upfront cyberdefense. It takes months to even detect a breach and many more months to temporarily fix it. Companies are making billions in historically patching cyberattacks when customers want to spend their money to stop them from happening in the first place.&lt;/span&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Case in point: The Sony attack was disclosed on Nov. 24, 2014, and discussed in a&lt;a href="http://www.cbsnews.com/videos/the-attack-on-sony-2/" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;&amp;nbsp;recent&amp;nbsp;&lt;em&gt;60 Minutes&lt;/em&gt;&amp;nbsp;broadcast&lt;/a&gt;: Today there are still hundreds of technicians working to correct the problem. Since this attack, other companies and government agencies&amp;nbsp;&lt;a href="http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;have been hacked, involving millions of people&lt;/a&gt;. This continues while the cybersecurity industry admits to limited cyberdefensive capabilities. In fact, the cybersecurity defensive positions are so weak that&amp;nbsp;&lt;a href="http://www.pcworld.com/article/2980788/security/as-the-u-s-government-faces-cyber-attack-theres-no-playbook-for-fighting-back.html" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;retaliatory offensive positions are being considered&lt;/a&gt;. What we have learned from earlier attacks is now being used to develop strategies to stop future attacks.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
THE OPM BREACH AND LESSONS LEARNED&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Nothing was more telling than the information disclosed in a report from the largest federal government breach ever on the&amp;nbsp;&lt;a href="https://www.opm.gov/cybersecurity" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;U.S. Office of Personnel Management (OPM)&lt;/a&gt;, which shows both desperation and hope as far as cybersecurity is concerned. The rapid disclosure of the attack may be easier for a government than a corporation that may take a stock hit, but the needed quick response is the same. The quicker the reaction to the breach, the less damage is likely to occur.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
One of the most impressive things that resulted from the OPM breach was the creation of a&amp;nbsp;&lt;a href="https://www.whitehouse.gov/blog/2015/06/17/fact-sheet-enhancing-and-strengthening-federal-government-s-cybersecurity" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Cybersecurity Sprint Team&lt;/a&gt;&amp;nbsp;that includes members from OMB's E-Gov Cyber Unit, DHS, the National Security Council Cybersecurity Directorate and the Defense Department. The team was charged with leading a 30-day review of "cybersecurity policies, procedures and practices," and issuing a Federal Civilian Cybersecurity Strategy based on its findings.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
The sprint team will focus on eight priority areas:&lt;/div&gt;
&lt;ul style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin: 0px 0px 10px 25px; padding: 0px;"&gt;
&lt;li style="line-height: 20px; padding-bottom: 20px;"&gt;Protecting Data: Better protect data at rest and in transit&lt;/li&gt;
&lt;li style="line-height: 20px; padding-bottom: 20px;"&gt;Improving Situational Awareness: Improve indication and warning&lt;/li&gt;
&lt;li style="line-height: 20px; padding-bottom: 20px;"&gt;Increasing Cybersecurity Proficiency: Ensure a robust capacity to recruit and retain cybersecurity personnel&lt;/li&gt;
&lt;li style="line-height: 20px; padding-bottom: 20px;"&gt;Increase Awareness: Improve overall risk awareness by all users&lt;/li&gt;
&lt;li style="line-height: 20px; padding-bottom: 20px;"&gt;Standardizing and Automating Processes: Decrease time needed to manage configurations and patch vulnerabilities&lt;/li&gt;
&lt;li style="line-height: 20px; padding-bottom: 20px;"&gt;Controlling, Containing and Recovering from Incidents: Contain malware proliferation, privilege escalation and lateral movement; quickly identify and resolve events and incidents&lt;/li&gt;
&lt;li style="line-height: 20px; padding-bottom: 20px;"&gt;Strengthening Systems Lifecycle Security: Increase inherent security of platforms by buying more secure systems and retiring legacy systems in a timely manner&lt;/li&gt;
&lt;li style="line-height: 20px; padding-bottom: 20px;"&gt;Reducing Attack Surfaces: Decrease complexity and number of things defenders need to protect&lt;/li&gt;
&lt;/ul&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
The creation of the Cybersecurity Sprint Team and the unprecedented 30-day review that issued a Federal Civilian Cybersecurity Strategy based on its findings is a good sign of present and future responses to cyberbreaches. The key now is whether the recommendations from the Cybersecurity Sprint Team produce results.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
STILL PLAYING CATCH-UP&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Current cybersecurity technologies — that were designed years ago — are behind the curve. In a recent&amp;nbsp;&lt;a href="http://www.federaltimes.com/story/government/cybersecurity/2015/06/15/30-day-cybersecurity-sprint/71250654/" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;&lt;em&gt;Federal Times&lt;/em&gt;&amp;nbsp;article&lt;/a&gt;, Federal CIO Tony Scott explained that most of the systems — most of the technology we use every day — were designed and architected in the 1970s or 1990s, and even newer systems are built on that same framework. Scott said that future systems need to be designed with cybersecurity at the center, and agencies must also work to secure existing systems.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
These needed changes in technology are often delayed by industry standards groups, government regulation, compliance and red tape, all of which&amp;nbsp;&lt;a href="http://www.usnews.com/news/articles/2015/08/17/defense-spending-red-tape-endangers-cybersecurity" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;create process delays and even danger&lt;/a&gt;&amp;nbsp;when trying to get needed technological change in and operating. Hackers know this and target these weaknesses while being very agile and always changing. Both industry and government are recognizing they must offer avenues of responding to these changes, and are finding ways to cut all the red tape and get these needed changes evaluated and deployed.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
CYBERSECURITY: PICK UP THE PACE&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;a href="http://www.usnews.com/news/articles/2015/08/17/defense-spending-red-tape-endangers-cybersecurity" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;A Brookings Institution think tank suggested&lt;/a&gt;&amp;nbsp;that government needs to pick up the pace of funding research and acquiring the latest technology in the quickly changing software and electronics sectors. Even day-to-day operations are affected. When you have software upgrades happening every six months, on average, systems must be in place to accept these frequent upgrades. The bureaucracies of both government and business must change their procedures if they are ever to stay ahead in an industry in which change is the new normal.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
The last RSA conference also warned of an even bigger problem. Are there enough people to deploy and operate these needed cybersecurity systems? Two studies validated these concerns in the conference and discussed what steps can be taken in correcting the problem. So how do we get better cybersecurity technologies out quickly while having enough personnel to rapidly respond to the ever-changing exploits? By using something called cybersecurity software as a service (CSaaS).&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
CSAAS: AN EMERGING TREND&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
CSaaS may not only address how to get advanced cybersecurity services in and updated, but also the industry's known personnel shortage. These system capabilities offer customers advanced cybersecurity services without the worries of complex design builds and necessary staffing to run these often complex services.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
When former NSA Director Keith Alexander entered the private sector, he built a company with a goal of offering CSaaS. His company, IronNet, touts top personnel with more than 100 years of combined experience in top posts at the NSA, U.S. Cyber Command, National Counterterrorism Center and Army Intelligence. An initial version of IronNet’s CSaaS will be generally available later this year.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
This CSaaS trend seems to be continuing with&amp;nbsp;&lt;a href="https://www.cloudlock.com/" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;CloudLock&lt;/a&gt;&amp;nbsp;— the industry's first CSaaS for the cloud. CloudLock was launched in 2011 with one simple goal in mind: to transform cloud security into a business enabler. Delivered as a service, CloudLock’s unified Cloud Security Fabric connects and secures any app natively from the cloud in the cloud through a series of CloudLock Cybersecurity APIs.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
While most CSaaS services are focusing on the use of existing cybersecurity and software technologies, a company called&amp;nbsp;&lt;a href="http://www.decision-zone.com/" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Decision Zone&lt;/a&gt;&amp;nbsp;is offering a completely new cybersecurity platform that is capable of&amp;nbsp;&lt;a href="http://www.projectsafety.org/#!mode-driven-monitoring/c1swn" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;securing multiple industries&lt;/a&gt;. Its CSaaS platform focuses on the use of non-algorithmic&lt;a href="https://en.wikipedia.org/wiki/Fifth-generation_programming_language" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;&amp;nbsp;fifth generation programming language&lt;/a&gt;&amp;nbsp;(5GL) technologies. This patented technology runs in parallel to any existing network, hardware or software process platform and can detect cyberattack event anomalies in microseconds.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
MOVING FORWARD&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Our current cybersecurity technologies are still stuck in after-attack mode, while bureaucracies delay needed change. We must be able to rapidly deploy proactive systems or we will remain stuck in the dangerous game of cybersecurity catch-up or offensive cyberretaliation. Recent cyberattacks have already disclosed how costly and dangerous reactive cybersecurity approaches can be, offering tremendous lessons learned. It is now a matter of how we move forward.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
It is refreshing to see the unprecedented responses by the Federal Government Cybersecurity Sprint Team in not only rapidly responding to attacks, but also offering avenues for both existing and new technologies to address these attacks. We must continue to find ways to move and change quickly in addressing cybersecurity. It is a good sign that both government and industry are realizing this. They must now find procedures and avenues for funding and rapidly deploying these needed cybersecurity technology advances.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Like the saying goes, “Pay me now or pay me later.” But in cybersecurity, “later” can be too much and too late.&lt;/div&gt;
</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Cybersecurity: Fix It or Die?</title><link>http://stpete-smartown.blogspot.com/2015/08/cybersecurity-fix-it-or-die.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Fri, 14 Aug 2015 15:39:00 -0400</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-6112333104950864462</guid><description>&lt;h3 class="subhead" style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-style: italic; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-bottom: 20px; text-rendering: optimizeLegibility;"&gt;
From unlocking cars and opening garages to hacking a satellite, recent breach demonstrations made a clear point about cyberattacks: They are very real and can be very dangerous. And our current method of "fighting" these attacks is not working.&lt;/h3&gt;
&lt;img alt="cyber war" src="http://media2.govtech.com/images/770*1000/shutterstock-cyberwar.jpg" height="230" width="320" /&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Two of the largest hacking conferences,&amp;nbsp;&lt;a href="https://www.blackhat.com/" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Black Hat&lt;/a&gt;&amp;nbsp;and&amp;nbsp;&lt;a href="https://www.defcon.org/" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;DEF CON&lt;/a&gt;, highlighted some of the scariest vulnerabilities in cyberattacks today. From hacking a&amp;nbsp;&lt;a href="http://www.wired.com/2015/07/hackers-can-disable-sniper-rifleor-change-target/" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Wi-Fi connected rifle&lt;/a&gt;, a Tesla electric car, a Brinks safe and an electric skateboard, there seemed no end to the demonstrations of what a hacker can do.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
From unlocking cars and opening garages to hacking a satellite, the breach demonstrations made a clear point about cyberattacks: They are very real and can be very dangerous.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Although content database hacking is still of concern, as shown by the &lt;a href="http://www.upi.com/Top_News/US/2015/08/06/Russian-hack-cracked-non-classified-Pentagon-email-system-US-officials-say/1681438906452/" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Pentagon's recent hacking of nonclassified emails&lt;/a&gt;, there seems to be a more dangerous and lethal capability now being demonstrated in our increasingly device-connected world.&amp;nbsp;&lt;a href="http://www.gartner.com/newsroom/id/2970017" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Gartner projects 25 billion connected vehicles will be in use by 2020&lt;/a&gt;, and a recent&amp;nbsp;&lt;a href="http://www8.hp.com/us/en/hp-news/press-release.html?id=1744676#.VctCEflViko" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;HP study&lt;/a&gt;&amp;nbsp;shows that more than 70 percent of Internet of Things (IoT) devices have vulnerabilities that can be exploited.&lt;/div&gt;
&lt;div class="embed-related grey-text-block hidden-phone" style="background-color: #d9d9d9; color: #333333; float: right; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 15.3999996185303px; line-height: 20.0200004577637px; margin: 0px 0px 15px 15px; width: 220px;"&gt;
&lt;h2 style="background: none; border-bottom-color: rgb(244, 116, 33); border-bottom-style: solid; border-bottom-width: 5px; font-size: 1.4em; font-style: italic; font-weight: normal; line-height: 1em; margin: 0px 0px 15px; padding: 8px 15px; position: relative; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
RELATED&lt;/h2&gt;
&lt;ul style="font-size: 1.1em; line-height: 1.3em; list-style-type: none; margin: 0px 5px 10px 15px; padding: 0px;"&gt;
&lt;li style="line-height: 20px; padding-bottom: 15px;"&gt;&lt;a data-item-id="289074781" href="http://www.govtech.com/dc/articles/Will-DPM-5GL-save-cybersecurity.html?utm_source=related&amp;amp;utm_medium=direct&amp;amp;utm_campaign=Will-DPM-5GL-save-cybersecurity" style="color: black; font-family: proximanovabold; text-decoration: none; transition: all 0.25s ease;"&gt;Will DPM 5GL Save Cybersecurity?&lt;/a&gt;&lt;/li&gt;
&lt;li style="line-height: 20px; padding-bottom: 15px;"&gt;&lt;a data-item-id="240909911" href="http://www.govtech.com/dc/articles/Time-for-a-Cybersecurity-Overhaul.html?utm_source=related&amp;amp;utm_medium=direct&amp;amp;utm_campaign=Time-for-a-Cybersecurity-Overhaul" style="color: black; font-family: proximanovabold; text-decoration: none; transition: all 0.25s ease;"&gt;Time for a Cybersecurity Overhaul&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Given these statistics, you'd think there would be an urgency to getting these “things” secured. But that is not so.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
WHY DON’T WE SECURE THINGS?&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Since we began writing software, we have put productivity and functionality ahead of security. For years, the short-term gain in using software to reduce operating costs (or sometimes just to have that new digital gadget) seemed to trump security.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
But now that security breaches are costing billions of dollars -- and with billions of new connected things on the horizon that, if breached, could get you killed -- there at last has been new focus on cybersecurity. Unfortunately, however, today’s focus is on cybersecurity solutions that find where the attack occurred, not on solutions that actually proactively stop cyberattacks. There are reasons for this, and we need to take a good look at the limitations of today’s cybersecurity technologies to understand why.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
In general, we don't secure things because we use software technologies and networks that were never designed for security. We write software that connects one thing to the next, and then connects to an open network with a bunch of data that is sitting there ready to take action via the software's command or a digital message. This tiny message event can occur in microseconds, and can do any of the great things we see today in digital device technology -- or any of the shocking security breaches we are beginning to see. Whether this microsecond message event could be activating the greatest new app ever seen or hacking an airplane, we are using the same software technologies to execute them.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
IS WHAT YOU SEE WHAT YOU GET?&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Today's cybersecurity models are caught in the historical aggregation of data consisting of terabytes of system logs that are waiting to be analyzed when something goes wrong. We have deterrent intrusion prevention technologies and historical detection technologies that use software patches to temporarily stop the breaches from recurring. In fact, the main focus of cybersecurity today is how to recover from the damage of a cyberattack by finding and patching the problem -- not actually stopping it from happening in the first place. These cybersecurity models are why things aren't properly secured today, and they must change.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
We have been trusting the actions of software messaging units -- and the people who create and analyze them -- since the infancy of the digital age. It is these very messaging units that cyberattackers now exploit to produce the actions they want. We need to deploy technologies that can proactively live-audit these message events and relate them to the workflow processes within a given ecosystem. We are wasting our time and money in trying to improve existing cybersecurity technology approaches. These technologies just can’t keep up with the volume of connected applications on the horizon, and they have no way of live-auditing the authenticity of digital events and their workflow processes.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
WHAT AND WHERE WE NEED TO SECURE&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Almost all systems are interconnected to the Web. However, all systems work autonomously and, in most cases, locally. It is not your responsibility to secure your neighbor's garage door opener. It is their responsibility. These human-to-machine enhanced digital environments are called digital ecosystems. These ecosystems are defined not only by the person using their digital extension, but also by the interaction of other digital extensions used by other people within the same ecosystem workflow. The business enterprise is a good example of local workflow and all of its digital extensions working locally within a specific ecosystem, and having the ability to connect to other larger remote ecosystems. You need to first define the correct local workflow process and its proper security policies before you can connect to a larger ecosystem. One of the best examples of this is incident response by public safety organizations.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Local public safety procedures and policies are put in place for disaster response to such things as tornadoes, hurricanes and explosions. The local authorities respond to the incident and block and secure the area. Meanwhile, additional agencies come in to reinforce the area and add or collect incident intelligence using a variety of digital technologies. Each department has its own responsibilities and security policies but also takes part in an orchestrated cohesive response that consists of multiple actions and security policies. This is the basis behind the Department of Homeland Security and how it works -- there is secure orchestration and oversight of multiple agency ecosystems and events within a response area. And this is the way cybersecurity works.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Cyberattacks are local in nature, and the needed audits of workflow events also must be local.&amp;nbsp; If the initial local response was audited as being incorrect, the orchestration of responses would also not be correct. Like the old computer saying goes, “garbage in, garbage out.”&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
If you review the list of devices hacked at the recent DEF CON and Black Hat conventions, you realize one thing very quickly: Cybersecurity attacks might be initiated remotely through the Internet, but the target of attack is very local (your car, garage, house, your business, a hospital, a power grid substation, a naval ship). Local cybersecurity is the point where you define what is yours and what isn't in your personal ecosystem and how you wish to securely interact, and how other ecosystems wish to securely interact with you.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
TODAY’S DATA-DRIVEN MONITORING&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Today's cybersecurity focuses on recognizing and monitoring unauthorized access to, and manipulation of, the utility functionality of data being transported by a network. A small messaging unit activates a desired digital action, which is then historically stored in the system log. When something doesn't work right, the analysis of sometimes terabytes of system logs offers the possible answer to where the breach occurred. There are encryption and analytic formulas that try to protect and monitor data, but these approaches must make assumptions about the digital messages rather than just observe and audit what is happening in real time. You cannot do this by historically monitoring data at the utility function of the process. We need a way to live-monitor and live-audit what is really happening -- not try to later define what might have happened.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
True cybersecurity can only be achieved by live-monitoring and live-auditing&amp;nbsp;&lt;em&gt;what&lt;/em&gt;&amp;nbsp;the data does in real time, not&amp;nbsp;&lt;em&gt;how&lt;/em&gt;&amp;nbsp;it does it. To understand this better, I will use one of the most concerning examples of what hackers are doing today. If a hacker has encrypted a hidden exploit that is in your system readied for activation at any time, how would you stop it? The data-driven security model can't see it, and can't even modify or stop the action because it is encrypted. In fact, the only way to monitor the encrypted hidden exploit is by activating it. In the current data-driven monitoring, we will find this exploit in the historical logs -- which is too late. This is the point where an available live model-driven monitoring approach is needed -- and the only way to stop an attack of this nature in microseconds.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
MODEL-DRIVEN MONITORING&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Model-driven monitoring has some unique functionality in cybersecurity due to some of its distinctive attributes. First and foremost, it is done live. From observation to audit to response to mapping the secured orchestration of multiple systems, model-driven monitoring focuses on live actions and interactions within specific and multiple digital ecosystems. To better understand the effectiveness of model-driven monitoring security, let's look at the hacking examples discussed earlier. Every hacking demonstration was done within the framework of a specific digital ecosystem. The network and data utility function of the targeted ecosystem were then manipulated.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Live model-driven monitoring recognizes the exact real system message policies and events that are occurring and does not use human or analytic analysis of aggregated data in historical system logs. Model-driven monitoring can be used in the orchestration of any ecosystem -- and even multiple ecosystems -- offering the secure orchestrated monitoring of more complex systems. From&amp;nbsp;&lt;a href="http://www.projectsafety.org/#!mode-driven-monitoring/c1swn" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;enterprise, to smartphones to cars to planes to naval ships to atomic power plants to even the human body&lt;/a&gt;, model-driven monitoring offers live observation, audit, response and mapping for any process or control system, no matter what hardware, software or network utility it runs on.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Of additional importance in model-driven monitoring is that the live information patterns do not require the retrieval of historical system logs for observation, audit, response and mapping. These features are what give the monitoring approach not only its live capabilities, but additional security and privacy capabilities not found in current data-driven models. Rather than having vulnerable stored data telling the system what to do, model-driven monitoring graphically demonstrates under the specified system event policies what the system is actually doing in real time without leaving a digital trail. These stored digital trails left by the data-driven model are not only why people are hacking, but are becoming serious privacy issues as we continue to add more connected devices to personal and business ecosystems. For more information on model-driven monitoring, see:&amp;nbsp;&lt;em&gt;Model-Driven Monitoring:&amp;nbsp;&lt;/em&gt;&lt;a href="http://s-lab.uni-paderborn.de/fileadmin/Informatik/slab/veroeffentlichungen/2006_Model_Driven_Monitoring-Assertions_From_Visual_Contracts.pdf" style="color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;&lt;em&gt;An Application of Graph Transformation for Design by Contract&lt;/em&gt;&lt;/a&gt;&lt;em&gt;.&amp;nbsp;&lt;/em&gt;&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
MONITOR IT OR STOP IT&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
One concern with current cybersecurity technologies is that they focus primarily on patching problems and making money, rather than actually securing things. Current cyberattack responses and the current cybersecurity technologies offered are more focused on the whodunnit than on not letting it happen in the first place. Just looking at cyberattack headlines, you'll find the reactionary response to something that actually happened months ago. These slow-to-react responses are due to the utility systems' data-driven monitoring cybersecurity approaches rather than live model-driven monitoring. We currently live in a world of unmonitored microsecond machine messages that can properly activate or even manipulate the actions of virtually any automated ecosystem.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
If we are to enjoy the tremendous capabilities that our new digital communities will bring us, we must then also offer the most economical and technologically superior technologies in the protection and use of these new digital technologies. If we can't prove the security and privacy of these upcoming technologies, then we will dangerously play the risk game of productivity and functionality versus security and privacy.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
The hacking demonstrations at Black Hat and DEF CON have proven that we are reaching a whole new level of cyberattacks: the deadly ones. We need to fix these cybersecurity issues now or stop the deployment of billions of digital things that clearly can cause us harm.&lt;/div&gt;
</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><enclosure length="74201" type="application/pdf" url="http://s-lab.uni-paderborn.de/fileadmin/Informatik/slab/veroeffentlichungen/2006_Model_Driven_Monitoring-Assertions_From_Visual_Contracts.pdf"/><itunes:explicit/><itunes:subtitle>From unlocking cars and opening garages to hacking a satellite, recent breach demonstrations made a clear point about cyberattacks: They are very real and can be very dangerous. And our current method of "fighting" these attacks is not working. Two of the largest hacking conferences,&amp;nbsp;Black Hat&amp;nbsp;and&amp;nbsp;DEF CON, highlighted some of the scariest vulnerabilities in cyberattacks today. From hacking a&amp;nbsp;Wi-Fi connected rifle, a Tesla electric car, a Brinks safe and an electric skateboard, there seemed no end to the demonstrations of what a hacker can do. From unlocking cars and opening garages to hacking a satellite, the breach demonstrations made a clear point about cyberattacks: They are very real and can be very dangerous. Although content database hacking is still of concern, as seen shown by thePentagon's recent hacking of nonclassified emails, there seems to be a more dangerous and lethal capability now being demonstrated in our increasingly device-connected world.&amp;nbsp;Gartner projects 25 billion connected vehicles will be in use by 2020, and a recent&amp;nbsp;HP study&amp;nbsp;shows that more than 70 percent of Internet of Things (IoT) devices have vulnerabilities that can be exploited. RELATED Will DPM 5GL Save Cybersecurity? Time for a Cybersecurity Overhaul Given these statistics, you'd think there would be an urgency to getting these “things” secured. But that is not so. WHY DON’T WE SECURE THINGS? Since we began writing software, we have put productivity and functionality ahead of security. 
For years, the short-term gain in using software to reduce operating costs (or sometimes just to have that new digital gadget) seemed to trump security. But now that security breaches are costing billions of dollars -- and with billions of new connected things on the horizon that, if breached, could get you killed -- there at last has been new focus on cybersecurity. Unfortunately, however, today’s focus is on cybersecurity solutions that find where the attack occurred, not on solutions that actually proactively stop cyberattacks. There are reasons for this, and we need to take a good look at today’s cybersecurity technologies limitations to understand why.&amp;nbsp; In general, we don't secure things because we use software technologies and networks that were never designed for security. We write software that connects one thing to the next, and then connects to an open network with a bunch of data that is sitting there ready to take action via the software's command or a digital message. This tiny message event can occur in microseconds, and can do any of the great things we see today in digital device technology -- or any of the shocking security breaches we are beginning to see. Whether this microsecond message event could be activating the greatest new app ever seen or hacking an airplane, we are using the same software technologies to execute them. IS WHAT YOU SEE WHAT YOU GET? Today's cybersecurity models are caught in the historical aggregation of data consisting of terabytes of system logs that are waiting to be analyzed when something goes wrong.&amp;nbsp; We have deterrent intrusion prevention technologies and historical detection technologies that use software patches to temporarily stop the breaches from reoccuring. In fact, the main focus of cybersecurity today is how to recover from the damage of a cyberattack by finding and patching the problem -- not actually stopping it from happening in the first place. 
These cybersecurity models are why things aren't properly secured today, and they must change.&amp;nbsp;&amp;nbsp; We have been trusting the actions of software messaging units -- and the people who create and analyze them -- since the infancy of the digital age. It is these very messaging units that cyberattackers now exploit into actions they want. We need to deploy technologies that can proactively live-audit these message events and relate them to the workflow processes within a given ecosystem. We are wasting our time and money in trying to improve existing cybersecurity technology approaches. These technologies just can’t keep up with the volume of connected applications on the horizon, and they have no way of live-auditing the authenticity digital events and their workflow processes.&amp;nbsp;&amp;nbsp; WHAT AND WHERE WE NEED TO SECURE Almost all systems are interconnected to the Web. However, all systems work autonomously and, in most cases, locally. It is not your responsibility to secure your neighbor's garage door opener.&amp;nbsp; It is their responsibility. These human-to-machine enhanced digital environments are called digital ecosystems. These ecosystems are defined not only by the person using their digital extension, but also by the interacting of other digital extensions by other people within the same ecosystem workflow. The business enterprise is a good example of local workflow and all of its digital extensions working locally within a specific ecosystem, and having the ability to connect to other larger remote ecosystems. You need to first define the correct local workflow process and its proper security policies before you can connect to a larger ecosystem. One of the best examples of this is incident response by public safety organizations.&amp;nbsp; Local public safety procedures and policies are put in place for disaster response to such things as tornadoes, hurricanes and explosions. 
The local authorities respond to the incident, they block and secure the area. Meanwhile, additional agencies come in to reinforce the area and add or collect incident intelligence using a variety of digital technologies. Each department has its own responsibilities and security policies but also takes part in an orchestrated cohesive response that consists of multiple actions and security policies. This is the basis behind the Department of Homeland Security and how it works -- there is secure orchestration and oversight of multiple agency ecosystems and events within a response area. And this is the way cybersecurity works. Cyberattacks are local in nature, and the needed audits of workflow events also must be local.&amp;nbsp; If the initial local response was audited as being incorrect, the orchestration of responses would also not be correct. Like the old computer saying goes, “garbage in, garbage out.” If you review the list of devices hacked in the recent DECON and Black Hat conventions, you realize one thing very quickly: Cybersecurity attacks might be initiated remotely through the Internet, but the target of attack is very local (your car, garage, house, your business, a hospital, a power grid substation, a naval ship). Local cybersecurity is the point where you define what is yours and what isn't in your personal ecosystem and how you wish to securely interact, and how other ecosystems wish to securely interact with you. TODAY’S DATA-DRIVEN MONITORING Today's cybersecurity has approached a focus on recognizing and monitoring unauthorized access and manipulation of the utility functionality of data being transported by a network. 
A small messaging unit that activates a desired digital action, which is then historically stored in the system log.&amp;nbsp; When something doesn't work right, the analysis of sometimes terabytes of system logs offers the possible answer to where the breach occurred.&amp;nbsp;There are encryption and analytic formulas that try to protect and monitor data, but these approaches must make assumptions on the digital messages rather than just observe and audit what is happening in real time.&amp;nbsp;You cannot do this by historically monitoring data at the utility function of the process. We need a way to live-monitor and live-audit what is really happening -- not try to later define what might have happened.&amp;nbsp; True cybersecurity can only be achieved by live-monitoring and live-auditing&amp;nbsp;whatthe data does in real time not&amp;nbsp;how&amp;nbsp;it does it. To understand this better, I will use one of the most concerning examples of what hackers are doing today. If a hacker has encrypted a hidden exploit that is in your system readied for activation at any time, how would you stop it? The data-driven security model can't see it, and can't even modify or stop the action because it is encrypted. In fact, the only way to monitor the encrypted hidden exploit is by activating it. In the current data-driven monitoring, we will find this exploit in the historical logs -- which is too late. This is the point where an available live model-driven monitoring approach is needed -- and the only way to stop an attack of this nature in microseconds. MODEL-DRIVEN MONITORING Model-driven monitoring has some unique functionality in cybersecurity due to some of its distinctive attributes. First and foremost, it is done live. From observation to audit to response to mapping the secured orchestration of multiple systems, model-driven monitoring focuses on live actions and interactions within specific and multiple digital ecosystems. 
To better understand the effectiveness of model-driven monitoring security, let's look at the hacking examples discussed earlier. Every hacking demonstration was done within the framework of a specific digital ecosystem. The network and data utility function of the targeted ecosystem were then manipulated. Live model-driven monitoring recognizes the exact real system message policies and events that are occurring and does not use human or analytic analysis of aggregated data in historical system logs. Model-driven monitoring can be used in the orchestration of any ecosystem -- and even multiple ecosystems -- offering the secure orchestrated monitoring of more complex systems. From enterprise, to smartphones to cars to planes to naval ships to atomic power plants to even the human body, model-driven monitoring offers live observation, audit, response and mapping for any process or control system, no matter what hardware, software or network utility it runs on. Of additional importance in model-driven monitoring is that the live information patterns do not require the retrieval of historical system logs for observation, audit, response and mapping. These features are what give the monitoring approach not only its live capabilities, but additional security and privacy capabilities not found in current data-driven models. Rather than having vulnerable stored data telling the system what to do, model-driven monitoring graphically demonstrates under the specified system event policies what the system is actually doing in real time without leaving a digital trail. These stored digital trails left by the data-driven model are not only why people are hacking, but are becoming serious privacy issues as we continue to add more connected devices to personal and business ecosystems. 
For more information on model-driven modeling, see: Model-Driven Monitoring: An Application of Graph Transformation for Design by Contract. MONITOR IT OR STOP IT A few concerns with current cybersecurity technologies are that they focus primarily on patching problems and making money, rather than actually securing things. Current cyberattack responses and the current cybersecurity technologies offered are more focused on the whodunnit than not letting it happen in the first place. Just looking at cyberattack headlines, you'll find the reactionary response of something that actually happened months ago. These slow-to-react responses are due to the utility systems' data-driven monitoring cybersecurity approaches rather than live model-driven monitoring. We currently live in a world of unmonitored microsecond machine messages that can properly activate or even manipulate the actions of virtually any automated ecosystem. If we are to enjoy the tremendous capabilities that our new digital communities will bring us, we must then also offer the most economical and technologically superior technologies in the protection and use of these new digital technologies. If we can't prove the security and privacy of these upcoming technologies, then we will dangerously play the risk game of productivity and functionality versus security and privacy. The hacking demonstrations at Black Hat and DEFCON have proven that we are reaching a whole new level of cyberattacks: the deadly ones. We need to fix these cybersecurity issues now or stop the deployment of billions of digital things that clearly can cause us harm.</itunes:subtitle><itunes:author>noreply@blogger.com (Anonymous)</itunes:author><itunes:summary>From unlocking cars and opening garages to hacking a satellite, recent breach demonstrations made a clear point about cyberattacks: They are very real and can be very dangerous. And our current method of "fighting" these attacks is not working. 
Two of the largest hacking conferences, Black Hat and DEF CON, highlighted some of the scariest vulnerabilities in cyberattacks today. From hacking a Wi-Fi connected rifle to a Tesla electric car, a Brinks safe and an electric skateboard, there seemed no end to the demonstrations of what a hacker can do. From unlocking cars and opening garages to hacking a satellite, the breach demonstrations made a clear point about cyberattacks: They are very real and can be very dangerous. Although content database hacking is still of concern, as shown by the Pentagon's recent hacking of nonclassified emails, there seems to be a more dangerous and lethal capability now being demonstrated in our increasingly device-connected world. Gartner projects 25 billion connected vehicles will be in use by 2020, and a recent HP study shows that more than 70 percent of Internet of Things (IoT) devices have vulnerabilities that can be exploited. Given these statistics, you'd think there would be an urgency to getting these “things” secured. But that is not so. WHY DON’T WE SECURE THINGS? Since we began writing software, we have put productivity and functionality ahead of security. For years, the short-term gain in using software to reduce operating costs (or sometimes just to have that new digital gadget) seemed to trump security. But now that security breaches are costing billions of dollars -- and with billions of new connected things on the horizon that, if breached, could get you killed -- there at last has been new focus on cybersecurity. Unfortunately, however, today’s focus is on cybersecurity solutions that find where the attack occurred, not on solutions that actually proactively stop cyberattacks. 
There are reasons for this, and we need to take a good look at today’s cybersecurity technologies' limitations to understand why. In general, we don't secure things because we use software technologies and networks that were never designed for security. We write software that connects one thing to the next, and then connects to an open network with a bunch of data that is sitting there ready to take action via the software's command or a digital message. This tiny message event can occur in microseconds, and can do any of the great things we see today in digital device technology -- or any of the shocking security breaches we are beginning to see. Whether this microsecond message event could be activating the greatest new app ever seen or hacking an airplane, we are using the same software technologies to execute them. IS WHAT YOU SEE WHAT YOU GET? Today's cybersecurity models are caught in the historical aggregation of data consisting of terabytes of system logs that are waiting to be analyzed when something goes wrong. We have deterrent intrusion prevention technologies and historical detection technologies that use software patches to temporarily stop the breaches from recurring. In fact, the main focus of cybersecurity today is how to recover from the damage of a cyberattack by finding and patching the problem -- not actually stopping it from happening in the first place. These cybersecurity models are why things aren't properly secured today, and they must change. We have been trusting the actions of software messaging units -- and the people who create and analyze them -- since the infancy of the digital age. It is these very messaging units that cyberattackers now exploit into actions they want. We need to deploy technologies that can proactively live-audit these message events and relate them to the workflow processes within a given ecosystem. 
We are wasting our time and money in trying to improve existing cybersecurity technology approaches. These technologies just can’t keep up with the volume of connected applications on the horizon, and they have no way of live-auditing the authenticity of digital events and their workflow processes. WHAT AND WHERE WE NEED TO SECURE Almost all systems are interconnected to the Web. However, all systems work autonomously and, in most cases, locally. It is not your responsibility to secure your neighbor's garage door opener. It is their responsibility. These human-to-machine enhanced digital environments are called digital ecosystems. These ecosystems are defined not only by the person using their digital extension, but also by the interacting of other digital extensions by other people within the same ecosystem workflow. The business enterprise is a good example of local workflow and all of its digital extensions working locally within a specific ecosystem, and having the ability to connect to other larger remote ecosystems. You need to first define the correct local workflow process and its proper security policies before you can connect to a larger ecosystem. One of the best examples of this is incident response by public safety organizations. Local public safety procedures and policies are put in place for disaster response to such things as tornadoes, hurricanes and explosions. The local authorities respond to the incident, then block and secure the area. Meanwhile, additional agencies come in to reinforce the area and add or collect incident intelligence using a variety of digital technologies. Each department has its own responsibilities and security policies but also takes part in an orchestrated cohesive response that consists of multiple actions and security policies. 
This is the basis behind the Department of Homeland Security and how it works -- there is secure orchestration and oversight of multiple agency ecosystems and events within a response area. And this is the way cybersecurity works. Cyberattacks are local in nature, and the needed audits of workflow events also must be local. If the initial local response was audited as being incorrect, the orchestration of responses would also not be correct. As the old computer saying goes, “garbage in, garbage out.” If you review the list of devices hacked in the recent DEF CON and Black Hat conventions, you realize one thing very quickly: Cybersecurity attacks might be initiated remotely through the Internet, but the target of attack is very local (your car, garage, house, your business, a hospital, a power grid substation, a naval ship). Local cybersecurity is the point where you define what is yours and what isn't in your personal ecosystem and how you wish to securely interact, and how other ecosystems wish to securely interact with you. TODAY’S DATA-DRIVEN MONITORING Today's cybersecurity focuses on recognizing and monitoring unauthorized access and manipulation of the utility functionality of data being transported by a network. A small messaging unit activates a desired digital action, which is then historically stored in the system log. When something doesn't work right, the analysis of sometimes terabytes of system logs offers the possible answer to where the breach occurred. There are encryption and analytic formulas that try to protect and monitor data, but these approaches must make assumptions on the digital messages rather than just observe and audit what is happening in real time. You cannot do this by historically monitoring data at the utility function of the process. 
We need a way to live-monitor and live-audit what is really happening -- not try to later define what might have happened. True cybersecurity can only be achieved by live-monitoring and live-auditing what the data does in real time, not how it does it. To understand this better, I will use one of the most concerning examples of what hackers are doing today. If a hacker has encrypted a hidden exploit that is in your system readied for activation at any time, how would you stop it? The data-driven security model can't see it, and can't even modify or stop the action because it is encrypted. In fact, the only way to monitor the encrypted hidden exploit is by activating it. In the current data-driven monitoring, we will find this exploit in the historical logs -- which is too late. This is the point where an available live model-driven monitoring approach is needed -- and the only way to stop an attack of this nature in microseconds. MODEL-DRIVEN MONITORING Model-driven monitoring has some unique functionality in cybersecurity due to some of its distinctive attributes. First and foremost, it is done live. From observation to audit to response to mapping the secured orchestration of multiple systems, model-driven monitoring focuses on live actions and interactions within specific and multiple digital ecosystems. To better understand the effectiveness of model-driven monitoring security, let's look at the hacking examples discussed earlier. Every hacking demonstration was done within the framework of a specific digital ecosystem. The network and data utility function of the targeted ecosystem were then manipulated. Live model-driven monitoring recognizes the exact real system message policies and events that are occurring and does not use human or analytic analysis of aggregated data in historical system logs. 
Model-driven monitoring can be used in the orchestration of any ecosystem -- and even multiple ecosystems -- offering the secure orchestrated monitoring of more complex systems. From enterprise, to smartphones to cars to planes to naval ships to atomic power plants to even the human body, model-driven monitoring offers live observation, audit, response and mapping for any process or control system, no matter what hardware, software or network utility it runs on. Of additional importance in model-driven monitoring is that the live information patterns do not require the retrieval of historical system logs for observation, audit, response and mapping. These features are what give the monitoring approach not only its live capabilities, but additional security and privacy capabilities not found in current data-driven models. Rather than having vulnerable stored data telling the system what to do, model-driven monitoring graphically demonstrates under the specified system event policies what the system is actually doing in real time without leaving a digital trail. These stored digital trails left by the data-driven model are not only why people are hacking, but are becoming serious privacy issues as we continue to add more connected devices to personal and business ecosystems. For more information on model-driven modeling, see: Model-Driven Monitoring: An Application of Graph Transformation for Design by Contract. MONITOR IT OR STOP IT A few concerns with current cybersecurity technologies are that they focus primarily on patching problems and making money, rather than actually securing things. Current cyberattack responses and the current cybersecurity technologies offered are more focused on the whodunnit than not letting it happen in the first place. 
Just looking at cyberattack headlines, you'll find the reactionary response of something that actually happened months ago. These slow-to-react responses are due to the utility systems data-driven monitoring cybersecurity approaches rather than live model-driven monitoring. We currently live in a world of unmonitored microsecond machine messages that can properly activate or even manipulate the actions of virtually any automated ecosystem.&amp;nbsp; If we are to enjoy the tremendous capabilities that our new digital communities will bring us, we must then also offer the most economical and technologically superior technologies in the protection and use of these new digital technologies. If we can't prove the security and privacy of these upcoming technologies, then we will dangerously play the risk game of productivity and functionality versus security and privacy. The hacking demonstrations at Black Hat and DEFCON have proven that we are reaching a whole new level of cyberattacks: the deadly ones. We need to fix these cybersecurity issues now or stop the deployment of billions of digital things that clearly can cause us harm.</itunes:summary></item><item><title>Even Einstein Couldn't Fix Cybersecurity</title><link>http://stpete-smartown.blogspot.com/2015/07/even-einstein-couldnt-fix-cybersecurity.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Fri, 3 Jul 2015 12:46:00 -0400</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-5806520997004395894</guid><description>&lt;h3 class="subhead" style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-style: italic; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-bottom: 20px; text-rendering: optimizeLegibility;"&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;/div&gt;
&lt;/h3&gt;
&lt;h5 class="author-detail" style="background-color: #ebedef; color: #333333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; font-weight: normal; line-height: 20px; margin: 10px 0px; padding: 4px 8px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
&lt;span class="author" style="font-weight: bold;"&gt;BY&amp;nbsp;&lt;a href="http://www.govtech.com/authors/Larry-Karisny.html" rel="author" style="-webkit-transition: all 0.25s ease; color: #1d1d1d; text-decoration: none; transition: all 0.25s ease;"&gt;LARRY KARISNY&lt;/a&gt;&amp;nbsp;&lt;/span&gt;&lt;span class="orange-highlight" style="color: #f47421;"&gt;/&amp;nbsp;&lt;/span&gt;&lt;span class="date"&gt;JULY 2, 2015&lt;/span&gt;&lt;/h5&gt;
&lt;h3 class="subhead" style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-style: italic; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-bottom: 20px; text-rendering: optimizeLegibility;"&gt;
The Einstein and Continuous Diagnostics and Mitigation cybersecurity programs have been hailed as the cornerstone of repelling cyberthreats in real-time -- but it turns out this is not actually the case.&lt;/h3&gt;
&lt;h3 class="subhead" style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-style: italic; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-bottom: 20px; text-rendering: optimizeLegibility;"&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;span style="font-size: 1.1em; line-height: 1.3em;"&gt;A massive cyberattack at the U.S. Office of Personnel Management (OPM) exposed the personal information of as many as 4 million federal employees. Though this type of news is not unusual, this particular case is different given that a multi-billion-dollar federal civilian cyberdefense system was hacked. The cyberdefense systems supposedly protecting the OPM&amp;nbsp;are Department of Homeland Security programs known as Einstein and Continuous Diagnostics and Mitigation (CDM) -- and were hailed as the cornerstone of repelling cyberthreats in real time.&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
Unfortunately this is not actually the case, as it took five months to discover the intrusion -- hackers hit the OPM in December, and the agency did not detect the intrusion until April. How bad the attack really was is still being analyzed.&lt;/div&gt;
&lt;/h3&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
WHAT ARE EINSTEIN AND CDM?&lt;/h3&gt;
&lt;h3 class="subhead" style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-style: italic; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-bottom: 20px; text-rendering: optimizeLegibility;"&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
Einstein (also known as the EINSTEIN Program) is an&amp;nbsp;&lt;a href="http://en.wikipedia.org/wiki/Intrusion_detection_system" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;intrusion detection system&lt;/a&gt;&amp;nbsp;that monitors the network gateways of&amp;nbsp;&lt;a href="http://en.wikipedia.org/wiki/Federal_government_of_the_United_States" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;government departments and agencies&lt;/a&gt;&amp;nbsp;in the United States for unauthorized traffic. The software was developed by the&amp;nbsp;&lt;a href="https://en.wikipedia.org/wiki/United_States_Computer_Emergency_Readiness_Team" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;United States Computer Emergency Readiness Team&lt;/a&gt;&amp;nbsp;(US-CERT), which is the operational arm of the&amp;nbsp;&lt;a href="https://en.wikipedia.org/wiki/National_Cyber_Security_Division" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;National Cyber Security Division&lt;/a&gt;&amp;nbsp;(NCSD) of the U.S.&amp;nbsp;&lt;a href="http://en.wikipedia.org/wiki/United_States_Department_of_Homeland_Security" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Department of Homeland Security&lt;/a&gt;&amp;nbsp;(DHS). The program was originally developed to provide "&lt;a href="https://en.wikipedia.org/wiki/Situation_awareness" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;situational awareness&lt;/a&gt;" for the civilian agencies. The first version examined network traffic while the expansion in development could look at content.&lt;/div&gt;
&lt;/h3&gt;
&lt;h3 class="subhead" style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-style: italic; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-bottom: 20px; text-rendering: optimizeLegibility;"&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
The CDM program provides IT security software and hardware tools and services for continuous protection of civilian agency networks and systems from cyberattack. This program is a dynamic approach to fortifying cybersecurity of government networks and systems. CDM provides federal departments and agencies with capabilities and tools that identify cybersecurity risks on an ongoing basis, prioritize these risks based on potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first. Congress established the CDM program to provide adequate, risk-based and cost-effective cybersecurity, and more efficiently allocate cybersecurity resources. The CDM program lets government entities expand their continuous diagnostic capabilities by increasing their network sensor capacity, automating sensor collections and prioritizing risk alerts.&lt;/div&gt;
&lt;/h3&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
WHY EINSTEIN AND CDM FAILED&lt;/h3&gt;
&lt;h3 class="subhead" style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-style: italic; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-bottom: 20px; text-rendering: optimizeLegibility;"&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
One of the biggest problems with federal system security is the magnitude of connected and interconnected information systems, databases and agencies. These are often some of the largest systems in the world, with security upgrades often at different points of deployment in different locations and departments. Unfortunately this widespread approach allows for breach points within the centralized system security, offering weakest link vulnerability that is capable of breaching the entire system.&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
The more the federal government attempts to centralize these information services, the greater the attack vector. This is a problem seen in many government entities, as in large companies that have used the efficiencies of centralized digital information for years while continually playing catch-up in securing the system digital processes.&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;iframe align="left" allowfullscreen="" border="0" cellpadding="1" cellspacing="1" frameborder="0" height="250" src="https://www.youtube.com/embed/zXBbAiLl7Lg" style="margin-right: 15px;" width="65%"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
Another big issue that I have previously covered (see video at left) is that today we are securing enterprise service applications at the utility service level by analyzing historical trace logs. This is why it took the OPM months to detect the breach of 4 million employees’ clearance records and related files. Our current Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) are focused on securing the information utility transport services. This massive aggregation of data in motion, data at rest and intermittent active data is a sitting duck for hackers. Larger information systems are then connected to additional utility transport services offering the potential of multiple points of breach. The bigger the system, the more complex the data repositories -- and the more difficult it is to find what data has been compromised.&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
After a cyberattack, a cybersecurity analyst is then faced with the unenviable task of finding the needle in the haystack and sorting through sometimes terabytes of system logs to discover the point of cyberbreach. This is why it takes so long to find the source of the cyberattack. In general, this is why large databases both in government and big corporations are being hacked: They react to system breaches rather than proactively stop cyberattacks. Until we change the way we view our information services in our current cybersecurity systems, we will not effectively stop cyberattacks.&lt;/div&gt;
&lt;/h3&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
NIST RESPONDS TO THE OPM ATTACKS&lt;/h3&gt;
&lt;h3 class="subhead" style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-style: italic; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-bottom: 20px; text-rendering: optimizeLegibility;"&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
The National Institute of Standards and Technology (NIST)&amp;nbsp;&lt;a href="http://www.nist.gov/manuscript-publication-search.cfm?pub_id=918804" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;released guidelines for better security from government contractors, covering 14 areas&lt;/a&gt;: access control, awareness and training, audit and accountability, configuration management, ID and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
The heart of all recommendations lies with the security system's audit and accountability and the time period it takes to complete this audit. If you cannot be reassured of what your workflow services are in real time, then none of the other recommendations really matter and your systems are susceptible to breach. Case in point: If a hacker has put a hidden exploit in a system and has encrypted it, how would you stop this on-demand, real-time cyberattack? The only way an attack of this nature can be stopped is by knowing what the process workflow was supposed to do. Anything else -- even an authenticated encrypted hidden exploit -- could be considered an event anomaly and would be blocked. If utility machine events can occur in microseconds, then the cybersecurity solutions offered must be able to audit and block system exploit anomalies ahead of these microsecond workflow process and machine actions. If this cannot be done, then the hacker will always have the first-to-strike advantage.&lt;/div&gt;
&lt;/h3&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
MOVING FROM ALGORITHMIC TO NON-ALGORITHMIC APPROACHES&lt;/h3&gt;
&lt;h3 class="subhead" style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-style: italic; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-bottom: 20px; text-rendering: optimizeLegibility;"&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
Both software code and the algorithmic analytic approaches have the same problem. They are susceptible to code and algorithm exploits that can take control of the system process services. Our systems today are at best auditing historical actions of system utility events, not the actual workflow process services. When you are talking about microsecond events that can turn on or off critical digital services, algorithmic formulas and code take too long to audit. Both are also susceptible to exploit manipulation through reverse engineering or code and algorithm manipulation.&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
In cybersecurity, an audit should tell what is accepted as a proper workflow event or security policy -- not that something unusual has occurred and was found by historically viewing system logs.&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
Getting back to the question of how to stop a hacker that has hidden the exploit and encrypted it for activation at any time, if you know the correct workflow services and correct system security policies, then an exploit that isn't part of the workflow event services can be alarmed or blocked ahead of the activated exploit. Doing this in microseconds requires the recognition of these correct workflow services in codeless fifth-generation programming language (5GL) patterns, not code or algorithms. Code and algorithmic formulas are too slow and can only offer code patching cybersecurity technologies. These cyberbreach corrections are made after historically viewing system logs, not by real-time pre-emptive methods of blocking cyberattacks.&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
When you have data in motion, data at rest and data in use available for access without real-time audits of the access and use of the data, then why shouldn't this data be hacked? When you have code written on top of code, cloud computing connecting to enterprise computing, and the Internet of Things (IoT) without any security standards (and a projection of billions of connected devices), why would you expect cyberattacks to be stopped? We can't keep doing the same things and expect different results. It is only when you can proactively audit your real-time workflow events in microseconds ahead of a potential cyberattack that you can stop exploits and achieve true cybersecurity.&lt;/div&gt;
&lt;/h3&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
ADDRESSING HUMAN NATURE&lt;/h3&gt;
&lt;h3 class="subhead" style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-style: italic; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-bottom: 20px; text-rendering: optimizeLegibility;"&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
People find change difficult even when it is greatly needed and can improve their lives. Technological change is even more difficult because people neither understand it nor have a vested interest in it, because they are employed in the use of inferior older technologies. A hacker makes new cyberattack technology every day and can activate these digital exploit breaching capabilities in microseconds. We are currently combating these attacks with published standards and guidelines that take years to develop, and are known to be ineffective in stopping a cyberattack after their release.&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
As the saying goes, necessity is the mother of invention. We are faced with an expanding use of connected services that, if not secured, will stop the massive progress we have achieved in our current digital information systems while simultaneously halting technological innovations. When these information system technologies are continually breached and become too expensive and dangerous to operate, they will have to be stopped. This will put us back to the pre-digital age, which for most of us is incomprehensible.&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
We have not even touched the service capabilities that cloud computing and IoT services can offer us now and in the future. We can't depend on current IPS and IDS technologies in securing the billions of connected applications operating today and in the future. We can't keep thinking we can patch things, control cyberattacks or even win a cyberwar. Even power and money have shown their weaknesses in stopping the independent hacker (now groups of hackers) who are simply saying, "If you do this, then I can do that," while we slowly react to their daily ingenuity.&lt;/div&gt;
&lt;/h3&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
BECOME PART OF THE CYBERSECURITY CHANGE&lt;/h3&gt;
&lt;h3 class="subhead" style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-style: italic; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-bottom: 20px; text-rendering: optimizeLegibility;"&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
Before there was software, people did things manually while watching and auditing their progress -- which is still a big part of today’s business processes. This means of oversight is not perfect and is sometimes subjective, leaving much room for error. Today's information system technologies and the workflow they automate are no different. We need to find ways of auditing these digitally assisted processes to assure that the workflow services and security policies they run on are correct. We have greatly increased our automation through digital workflows, but have not put the proper auditing services in to assure that these microsecond workflow event services are actually correct.&lt;/div&gt;
&lt;div style="color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; font-style: normal; line-height: 1.3em; margin-bottom: 18px;"&gt;
Cybersecurity is about the audit of how we use information technologies (digital workflow) and doing things correctly, not the historical analysis of what went wrong. If we do not implement the correct auditing technologies within the digital workflow services, then connecting our ever-expanding information system services to the workflow processes means they will surely be breached. To do this, we must do things differently -- we must not depend on current cybersecurity technologies that continue to show fault. Please take a look at&amp;nbsp;&lt;a href="https://www.youtube.com/watch?v=zXBbAiLl7Lg" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;this YouTube presentation&lt;/a&gt;&amp;nbsp;(also embedded above) and become part of this needed change that will secure our current digital technologies while simultaneously securing the exciting future connected digital capabilities we can now only dream of.&lt;/div&gt;
&lt;div class="after-author-bar" style="color: #333333; font-family: 'Arial, sans-serif'; font-size: 0.8em; font-style: normal; line-height: 20.0200004577637px; margin-top: 30px;"&gt;
&lt;div class="author-meta"&gt;
&lt;a class="author-name" href="http://www.govtech.com/authors/Larry-Karisny.html" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Larry Karisny&amp;nbsp;&lt;/a&gt;&amp;nbsp;|&amp;nbsp;&lt;/div&gt;
&lt;/div&gt;
&lt;/h3&gt;
</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://img.youtube.com/vi/zXBbAiLl7Lg/default.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Cybersecurity: When “Good Enough” Isn’t Enough</title><link>http://stpete-smartown.blogspot.com/2015/05/cybersecurity-when-good-enough-isnt_11.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Mon, 11 May 2015 12:20:00 -0400</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-3421996156025257679</guid><description>&lt;h5 class="author-detail" style="background-color: #ebedef; color: #333333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; font-weight: normal; line-height: 20px; margin: 10px 0px; padding: 4px 8px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
&lt;span class="author" style="font-weight: bold;"&gt;BY&amp;nbsp;&lt;a href="http://www.govtech.com/authors/Larry-Karisny.html" rel="author" style="-webkit-transition: all 0.25s ease; color: #1d1d1d; text-decoration: none; transition: all 0.25s ease;"&gt;LARRY KARISNY&lt;/a&gt;&amp;nbsp;&lt;/span&gt;&lt;span class="orange-highlight" style="color: #f47421;"&gt;/&amp;nbsp;&lt;/span&gt;&lt;span class="date"&gt;APRIL 15, 2015&lt;/span&gt;&lt;/h5&gt;
&lt;h3 class="subhead" style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-style: italic; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-bottom: 20px; text-rendering: optimizeLegibility;"&gt;
If superior cybersecurity technologies exist, there is a responsibility beyond corporate profits or government compliance standards that must expedite their use.&lt;/h3&gt;
&lt;div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;img alt="CSI: Cyber" border="0" data-pin-hover="true" height="1000" src="http://media2.govtech.com/images/770*1000/CSI-Cyber-CBS.jpg" style="border: 0px; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; height: auto; line-height: 20px; max-width: 100%; vertical-align: middle;" title="CSI: Cyber" width="770" /&gt;&lt;span style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 20px;"&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div class="article-img-caption" style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 14px; font-style: italic; line-height: 20px; padding-top: 5px;"&gt;
The new TV show&amp;nbsp;&lt;i&gt;CSI: Cyber&lt;/i&gt;&amp;nbsp;offers a view of the complexities of cyber attack investigations, offering a glimpse into today's approach to cybersecurity, which is more of a whodunnit than a technological detection.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
From the new TV&amp;nbsp;show&amp;nbsp;&lt;a href="http://www.cbs.com/shows/csi-cyber/?ftag=ACQ8aea2af&amp;amp;vndid=csi%20cyber&amp;amp;ef_id=VFPj0QAAAOoo3t70:20150331141732:s" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;&lt;em&gt;CSI: Cyber&lt;/em&gt;&lt;/a&gt;, which offers a view of the complexities of cyber attack investigations, to the seeming insanity of a&amp;nbsp;&lt;a href="http://blog.norsecorp.com/2015/03/01/when-the-security-community-eats-its-own/" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;CEO talking to a CISO about a potential cyber breach&lt;/a&gt;, it seems today's cybersecurity approaches are more of a whodunit than a technological detection. Even the whodunit approaches are, at best, time-consuming manual assumptions rather than technological real-time security detection of what has really happened.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Although this makes for a highly-viewed TV show, in reality, the current approaches of how we address cybersecurity are more a part of the problem than of the solution. Today we are throwing known ineffective technologies, lots of money and people at reactionary cyberattack approaches that are almost shameful in an information technology industry that created the term, "&lt;a href="http://en.wikipedia.org/wiki/Principle_of_good_enough" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;good enough&lt;/a&gt;."&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
By definition, the "good enough" principle is a rule for software and systems design. It indicates that consumers will use products that are good enough for their requirements, despite the availability of more advanced technology.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Though this definition may technically work for the latest new gadget, perhaps we shouldn't be settling -- we don't want this "good enough" security technology in our cars, homes, banks, businesses, critical infrastructures or national defense systems. If superior cybersecurity technologies that greatly exceed current solutions exist, there is a responsibility beyond corporate profits or government compliance standards that must expedite their use.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
THE CYBERSECURITY INDUSTRY: IS IT MOVING IN THE RIGHT DIRECTION?&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
A review of the&amp;nbsp;&lt;a href="http://www.networkworld.com/article/2894440/security0/10-young-security-companies-to-watch-in-2015.html" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;top 10 young security companies to watch&lt;/a&gt;&amp;nbsp;by&amp;nbsp;&lt;em&gt;Network World&lt;/em&gt;&amp;nbsp;shares both intriguing and disturbing directions in which cybersecurity solutions could go.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
The intriguing part: There's a general focus on technologies that detect cyberbreaches more quickly and accurately, which confirms the focus of both my&amp;nbsp;&lt;a href="http://www.govtech.com/dc/articles/Cybersecurity-Taking-a-Proactive-Approach-is-Key.html" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;previous article&lt;/a&gt; and a recent&amp;nbsp;&lt;a href="http://fortune.com/2015/04/13/intel-security-hackers/" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;article in&amp;nbsp;&lt;em&gt;Fortune&lt;/em&gt;&lt;/a&gt;. It's comforting to see that security companies are realizing their solutions must detect breaches more quickly, and that where detection should occur is in the processes and application workflow events. Sadly, however, intended cybersecurity spending is going&amp;nbsp;&lt;a href="http://www.businesswire.com/news/home/20150311005119/en/Cyberattacks-Rise-Confidence-Sinks-Finds-%E2%80%982015-Cyberthreat#.VQefk454rea" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;toward security networks&lt;/a&gt;&amp;nbsp;rather than securing application level events, which is where hackers are clearly focusing.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
The disturbing part: Some of these new start-up cyber companies are using high-end encryption, but as explained in my&amp;nbsp;&lt;a href="http://www.govtech.com/authors/Larry-Karisny.html" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;previous articles&lt;/a&gt;, criminals are actually using encryption to hide their activities and protect their on-demand exploit hacking capabilities. This is such a concern that separately, the&amp;nbsp;&lt;a href="http://www.scmagazineuk.com/fbi-europol-and-mi6-gang-up-on-tech-firms-over-encryption/article/406427/" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;FBI, Europol and Britain's MI6 expressed misgivings&lt;/a&gt;&amp;nbsp;about technology companies using this method. Encryption has been under the microscope since Prime Minister David Cameron inferred that encryption should be banned. Encryption used properly is a good first line of network defense. The problem, however, is that the majority of cyberexploits are now focused at the application level -- and few IT people secure or monitor activity at this level.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
At the second annual Cybersecurity Workforce Summit in Arlington, Va., FCC&amp;nbsp;CIO&amp;nbsp;David Bray was&amp;nbsp;&lt;a href="http://www.federalnewsradio.com/436/3827121/New-cybersecurity-models-driven-by-tsunami-of-data-devices" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;quoted as saying&lt;/a&gt;, "We do a lot on signature detection, how can we also move to be much more about behavior, so we can deal with unknowns?" &amp;nbsp;A good example of signature detection is the new collaboration between&amp;nbsp;&lt;a href="http://m2mworldnews.com/2015/04/13/39567-ibm-promotes-open-collaboration-to-help-secure-the-iot-and-announces-new-collaboration-with-texas-instruments/" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;IBM and TI on an embedded secure device identity&lt;/a&gt;. The problem is that we continue trying to secure things at the centralized hardware and software integration layers when we are operating in a distributed network-computing environment where the applications rule.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Current enterprise security architecture serially analyzes historical output system data log traces to discover if the organization's policies and procedures are in compliance. This enterprise security architecture was designed for centralized computing and is vulnerable to cyberintrusion attacks in the distributed network-computing environment in which we mainly operate today. Hackers know this, and that's why&amp;nbsp;&lt;a href="http://www.forbes.com/sites/sap/2015/03/10/most-cyber-attacks-occur-from-this-common-vulnerability/" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;84 percent of all cyber attacks occur on the distributed network computing application layer&lt;/a&gt;. Unfortunately, we do little in securing or managing these critical application events -- events that are the heart of today’s distributed network-computing processes. We must be at the right place at the right time if we are to achieve true cybersecurity. Though today we are not doing this, there are ways to achieve it.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
MONEY CAN NO LONGER TRUMP SECURITY&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
As an adviser to startups with often superior cybersecurity technologies, I have pushed through layers of lab tests and standards groups only to find that status quo big businesses and big government are still playing catch-up when it comes to cybersecurity. There are good reasons for this, and we can't just throw technologies out there without some form of investment coordination or technology oversight.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
We must keep in mind, however, that we are embarking on a new industry called the Internet of Things (IoT) that has multiple standards and seemingly a disregard for cybersecurity. In the past, cybersecurity has taken a back seat to the next big thing. But with the potential of a billion devices and seemingly endless amounts of big and small data, the fix-it-later approach in cybersecurity must change. This time around, I don't think even first-to-market money will trump security, and there is good reason.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
The CEO of Kaspersky Lab is warning about the upcoming dangers, calling the Internet of Things the "&lt;a href="https://securityledger.com/2015/03/symantec-common-security-ailments-in-smart-home-technology/" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Internet of Threats&lt;/a&gt;." Symantec also warns of&amp;nbsp;&lt;a href="https://securityledger.com/2015/03/symantec-common-security-ailments-in-smart-home-technology/" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;known IoT security issues&lt;/a&gt;.&amp;nbsp; And&amp;nbsp;&lt;a href="https://www.idc.com/getdoc.jsp?containerId=prUS25291514" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;IDC noted&lt;/a&gt;&amp;nbsp;that within two years, 90 percent of all IT networks will have an IoT-based security breach, although many will be considered "inconveniences."&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
If IoT wants to be the trillion dollar industry that is projected, it must now be forced to address cybersecurity or people will not trust the products in their cars, homes, workplaces or critical infrastructures. When breaches start getting personal, people will stop using the products that caused or were the source of the breach. Cybersecurity technologies must address today’s security needs; we must find new approaches to secure the billions of devices headed our way in the near future. We know the problems, so now is the time to define true solutions rather than use temporary patch-and-pray bandages.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
WALKING SECURELY THROUGH MULTIPLE DIGITAL ECOSYSTEMS&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
In today's world, we secure cyberecosystems by giving employees authenticated access to the often-encrypted enterprise system. But most cyberbreaches are inside jobs. So an employee with authenticated access to the enterprise who walks into his or her place of business with a smartphone filled with thousands of apps that can, together or independently, connect to hundreds of other IoT devices is a danger. Some of the apps could be exploit tools he or she will use to breach the network.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Although these methods of cybersecurity are at times a deterrent to cyberbreaches, experienced hackers can use them to their advantage. There are many breach opportunities from this point thanks to the introduction of utility-integrated centralized networks and distributed network-computing environments. They, by design, offer hackers almost endless opportunities to initiate a breach. This is where today's cybersecurity technologies fail (and fail miserably), and where they will continue to fail by design. So where are we going wrong?&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
The point where security lies is where an organization's policy and procedure applications reside. Knowing this, all we must do is design and build cybersecurity applications that detect, manage and secure the events taking place in the distributed network-computing environment ecosystem.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Every ecosystem is different, as are the security policies and procedural applications that an ecosystem uses. We may have an IoT that does exactly the same thing from a software or hardware perspective, but will work or not work based on the ecosystem's policies and procedure workflows. By converting these workflow policies into an automated intrusion detection application, we can accept or reject event procedural workflow security policies as part (or not part) of the ecosystem. This must be done in microseconds if we are to beat the hacker while allowing billions of software, hardware and IoT devices to securely move seamlessly through multiple ecosystems. So how can we do this?&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
FOCUS ON POLICY-CENTRIC NOT DATA-CENTRIC&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Most organizations already have defined their expected security policies and procedures on how, when and what data/information can be exchanged by people, systems, devices or applications in their business environment. In fact, organizations such as the National Institute of Standards and Technology (NIST) have mandated compliance of these policies and procedures in areas such as critical infrastructure. Organizations have done a good job of targeting security policies and procedures in their workplaces and digital control systems; they just haven't deployed the right technologies to audit, manage and secure these process events in real time.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Today’s cybersecurity crisis stems from the fact that current data-centric 3rd- and 4th-generation programming language-based security products cannot detect real-time cyberintrusions in distributed network-computing applications, security policies and workflows. When it comes to security, current software products only accumulate logs into databases to perform data analytics, discovering wrong policy patterns. The wrong data patterns are added to a knowledge base to implement system patches in an&amp;nbsp;attempt to detect future offences.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;a href="http://www.govtech.com/dc/articles/Will-DPM-5GL-save-cybersecurity.html" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Digital Process Management 5th Generation Programming Language&lt;/a&gt;&amp;nbsp;(5GL) uses your policies to define the&amp;nbsp;right event patterns (methods and constraints) for&amp;nbsp;conducting business according to policy, accurately determining the relationship between a condition or variable and a particular consequence with one event leading to another. 5GL displays anomalies and normal event transactions at machine speeds, with consolidated&amp;nbsp;audit trails providing deep insights into business transactions. This cybersecurity paradigm shift instantly identifies events that do not&amp;nbsp;follow the right pattern&amp;nbsp;so you can respond immediately to&amp;nbsp;proactively prevent/mitigate the cause and effect of business impacts in real time.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Fifth-generation code-free software allows organizations to rapidly customize their cybersecurity applications to automatically detect and manage intrusions or flawed operations in security policies, workflows, applications and mobile apps in real time in today’s distributed computing environment. To solve the cybersecurity crisis, organizations must deploy 5GL security applications that are policy-centric not data-centric to prevent cyberintrusions. This is how we can be at the right place at the right time with cybersecurity technologies that will be, at the very least, “good enough” to stop a hacker before the damage is done -- not after.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
EXCEEDING 'GOOD ENOUGH'&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
How to achieve cybersecurity is baffling some of the world's most brilliant minds. Though there is much investment in cybersecurity, it's questionable whether it's for improvements to current methods or for solid cybersolutions that will protect us today and prepare us for a much bigger digital connected future.&lt;/div&gt;
&lt;table align="left" bgcolor="#C0C0C0" border="0" cellpadding="1" cellspacing="1" style="background-color: #e8e8e8; border-collapse: collapse; border-spacing: 0px; border: none !important; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 15.3999996185303px; line-height: 20.0200004577637px; margin-right: 15px; max-width: 100%; width: 55%px;"&gt;&lt;tbody style="border: none;"&gt;
&lt;tr&gt;&lt;td&gt;&lt;h3 style="background-color: #f47421; color: white; font-family: ProximaNovaThin !important; font-size: 18px !important; font-weight: normal; line-height: 24px; margin: 0px 0px 15px; padding: 8px 24px; position: relative; text-align: center; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
ADDITIONAL CYBERSECURITY RESOURCES&lt;/h3&gt;
&lt;div style="font-family: proximanovaregular; font-size: 1.1em; line-height: 1.3em; margin-bottom: 10px; padding: 10px 10px 0px;"&gt;
Visit an&amp;nbsp;&lt;a href="http://www.projectsafety.org/f/Automated_Cyber_Intrusion_Detection_Application_(1).pdf" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;automated cyber intrusion detection application&lt;/a&gt;&amp;nbsp;to read more about a solution that can achieve more effective cybersecurity solutions, and go to&amp;nbsp;&lt;a href="http://www.projectsafety.org/" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;ProjectSafety.org&lt;/a&gt;&amp;nbsp;to register for&amp;nbsp;&lt;a href="http://www.projectsafety.org/webinars.html" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;free webinars&lt;/a&gt;&amp;nbsp;that discuss with top industry experts this needed paradigm shift.&lt;/div&gt;
&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
With cloud and IoT applications increasing by the billions, we must ready ourselves for all these applications while simultaneously playing catch-up with the current (and increasing) cyberattacks.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
We have reached the point where current cybersecurity technologies can neither effectively nor rapidly address our increasingly connected world. The projected use of cloud and IoT applications exceeds all current Internet usage -- so we must build a security platform that can seamlessly allow the use of these technologies while protecting each and every other ecosystem within our digital communities.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Bottom line: We must exceed “good enough” security technologies and create completely new technologies -- that are ready and available today.&lt;/div&gt;
&lt;div class="after-author-bar" style="background-color: white; color: #333333; font-family: 'Arial, sans-serif'; font-size: 0.8em; line-height: 20.0200004577637px; margin-top: 30px;"&gt;
&lt;div class="author-meta"&gt;
&lt;a class="author-name" href="http://www.govtech.com/authors/Larry-Karisny.html" style="-webkit-transition: all 0.25s ease; color: #1d1d1d; text-decoration: none; transition: all 0.25s ease;"&gt;Larry Karisny&amp;nbsp;&lt;/a&gt;&amp;nbsp;|&amp;nbsp;&lt;span class="author-title"&gt;&lt;/span&gt;&lt;hr style="border-bottom-color: rgb(255, 255, 255); border-bottom-style: solid; border-left-width: 0px; border-right-width: 0px; border-top-color: rgb(238, 238, 238); border-top-style: solid; margin: 0px;" /&gt;
&lt;div style="font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Larry Karisny is the director of&amp;nbsp;&lt;a href="http://project%20safety.org/" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Project Safety.org&lt;/a&gt;, an advisor, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors.&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Cybersecurity: Taking a Proactive Approach is Key</title><link>http://stpete-smartown.blogspot.com/2015/05/by-larry-karisny-march-4-2015-if-we-are.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Mon, 11 May 2015 12:12:00 -0400</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-7559052895877401066</guid><description>&lt;h5 class="author-detail" style="background-color: #ebedef; color: #333333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; font-weight: normal; line-height: 20px; margin: 10px 0px; padding: 4px 8px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
&lt;span class="author" style="font-weight: bold;"&gt;BY&amp;nbsp;&lt;a href="http://www.govtech.com/authors/Larry-Karisny.html" rel="author" style="-webkit-transition: all 0.25s ease; color: #1d1d1d; text-decoration: none; transition: all 0.25s ease;"&gt;LARRY KARISNY&lt;/a&gt;&amp;nbsp;&lt;/span&gt;&lt;span class="orange-highlight" style="color: #f47421;"&gt;/&amp;nbsp;&lt;/span&gt;&lt;span class="date"&gt;MARCH 4, 2015&lt;/span&gt;&lt;/h5&gt;
&lt;h3 class="subhead" style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-style: italic; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-bottom: 20px; text-rendering: optimizeLegibility;"&gt;
If we are to proactively defend our cybersecurity, we must move away from historical algorithm audit and analysis to real-time pattern recognition audit and analysis.&lt;/h3&gt;
&lt;div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Given the&amp;nbsp;&lt;a href="http://www.wsj.com/articles/health-insurer-anthem-hit-by-hackers-1423103720" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Anthem data breach&lt;/a&gt;, which could rank among the largest identity theft breaches ever, and the&amp;nbsp;&lt;a href="http://www.securityweek.com/hackers-hit-100-banks-unprecedented-1-billion-cyber-attack-kaspersky-lab" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;100-bank, $1 billion cyber heist&lt;/a&gt;, it's clear we're off to a bad start in 2015 when it comes to cybersecurity.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
In fact, Inga Beale, the CEO&amp;nbsp;of British insurance company Lloyd's,&amp;nbsp;&lt;a href="http://fortune.com/2015/01/23/cyber-attack-insurance-lloyds/" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;estimates that cyber attacks&lt;/a&gt;&amp;nbsp;will cost businesses as much as $400 billion a year, including the damage itself and subsequent disruption to the normal course of business. Beale also noted that the firms best prepared for cyberattacks buy insurance -- and 90 percent of cyberinsurance is purchased by U.S. firms, leaving other companies around the world exposed.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
So why would companies best prepared for cyber attacks buy insurance? Perhaps it's because they've realized that their current cybersecurity technologies are focused primarily on reacting to security breaches rather than proactively stopping cyberattacks.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
PATCH-AND-PRAY CYBERSECURITY&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Information sharing on cyber attacks is an insufficient method for fighting cybersecurity. As Arati Prabhakar, director of the Defense Advanced Research Projects Agency (DARPA) stated, "The attacks are happening in microseconds, so today all we can do is patch and pray, and keep throwing human beings at the problem. We are looking for a fundamentally different way to get faster than the pace of the growth of the threat." In November 2014, Prabhakar&amp;nbsp;&lt;a href="http://www.govtech.com/dc/articles/DARPA-Director-Calls-for-Cybersecurity-Change.html" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;called for a change in how cybersecurity is approached.&lt;/a&gt;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
CEOs, CIOs and CISOs pay billions for cybersecurity solutions only to discover that, at best, these technologies solely help in gathering information after an attack rather than stopping the attack from occurring. These C-level officials are now demanding proactive cybersecurity solutions that will give them upfront protection -- not just historical evidence of the breach. They know that most breaches are inside jobs, that people are part of the problem and can, with authorization, attack in real time. To defend against this, cybersecurity professionals are looking for new real-time technologies that can audit people-to-machine and machine-to-machine digital actions and proactively protect their pre-designed security policies.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Yes, people are a big part&lt;strong&gt;&amp;nbsp;&lt;/strong&gt;of cybersecurity breaches. But it's the digital extension of what people do that must be technically audited -- and if we are truly going to proactively address cybersecurity, this must be done during data in motion. You can't beat cyberbreaches by simply offering manual human log audits and sharing historical breach information. If we are to defend ourselves, to offer true cybersecurity defense capabilities, we must be in front of these microsecond attacks -- not just historically analyzing and sharing the information post-attack. We must move from reactionary cybersecurity methodologies to real-time proactive technologies.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
WILL THE CYBERSECURITY BILL HELP?&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Information sharing when it comes to cyberattacks -- which is the brunt of the&amp;nbsp;&lt;a href="http://www.govtech.com/security/Cybersecurity-Bill-Clears-US-House-of-Representatives.html" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;new cybersecurity bill&lt;/a&gt;&amp;nbsp;-- will at least expose and share the vulnerabilities that will establish better security policies.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
But as previously stated, this is not enough. It will help expose vulnerabilities, but it won't offer immediate technical correction to cyberattacks. To get a clear picture of where security policies should be put in place, take a look at this&amp;nbsp;&lt;a href="http://www.projectsafety.org/f/NERC_CIP_Compliance_Whitepaper_US.pdf" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;white paper&lt;/a&gt;&amp;nbsp;that details the critical infrastructure protection (CIP) compliance for the North American Electric Reliability Corp. (NERC), a nonprofit designed to “ensure that the bulk electric system in North America is reliable, adequate and secure." This document gives industries a clear view of their business and control system processes and events.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
The problem with the compliance process is that it is audited by the historical collection of data logs that are then evaluated by people using a software-assisted program like analytics. This is the very same problem that we have with current cybersecurity technologies. We are analyzing historical logs in a historical static environment when we need to be proactively authenticating, viewing, auditing and analyzing the security policy logs in real time during data in motion. Even analytic algorithm technologies cannot offer these real-time capabilities. In order to do this, we must change the location and methodologies of how we view security policies. &amp;nbsp;&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
UNDERSTANDING THE HOW AND WHERE OF DATA IN MOTION&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Data-in-motion is this: You have a database waiting to do something and an application that can activate an event process when needed or in microseconds with human- or machine-to-machine activation. We currently secure these processes using antivirus software or firewalls that weed out basic known threats. Now, as hackers routinely overwhelm such defenses, cybersecurity experts say that&amp;nbsp;&lt;a href="http://www.washingtonpost.com/business/technology/let-hackers-in-experts-say-traps-might-be-better-than-walls/2015/02/10/1cca1ba2-b0f6-11e4-bf39-5560f3918d4b_story.html" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;cybersecurity is overdue for an overhaul&lt;/a&gt;. (See also my January 2014 article&amp;nbsp;&lt;a href="http://www.govtech.com/dc/articles/Time-for-a-Cybersecurity-Overhaul.html" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;&lt;em&gt;Time for a Cybersecurity Overhaul&lt;/em&gt;&lt;/a&gt;.)&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
These same experts now realize the knowledge and logging of application activity is where new cybersecurity techniques must focus, and that attempts to protect networks and data perimeters are no longer effective. What they have not yet realized is that the where and how of these event activities are the key to true cybersecurity. Even these new techniques are focused on the historical review of event logs and not the real-time dynamic work activities. We are always behind the hack. We should not be searching for the problem behind the historical event log; we should be recognizing the anomaly before it occurs. This is our problem; this is what we need to correct.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
When the application in a digital process does something, it creates a log. This log is where cyberattacks are being detected hours, months, sometimes even years later -- or not detected at all. If we are to proactively address cybersecurity, we must apply our technologies during data in motion -- prior to the historical log. A data-in-motion application used to be a simple message sent for a specific action or event, occurring from one end point to another. Today, data in motion carries multiple application event actions that, if exploited, can greatly affect the security policies of a specific process if they are not audited. This point of audit must be done during data in motion, where a causal real-time event can be recognized prior to process logging. This is where and how true proactive cyberdefense is achieved.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
My article&amp;nbsp;&lt;a href="http://www.govtech.com/dc/articles/Will-DPM-5GL-save-cybersecurity.html" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;&lt;em&gt;Will DPM 5GL Save Cybersecurity?&lt;/em&gt;&lt;/a&gt;&amp;nbsp;focused on these needed corrections. Policies and business processes define the right set of dynamic work activities, which can be described in causal event patterns. DPM&amp;nbsp;5GL -- Digital Process Management 5th Generation Programming Language -- monitors the critical causal patterns, and every other activity/event is an anomaly. It is used to monitor the correct activities, not characteristics. Even today’s data analytics examines the frequency of data record attributes to discover a characteristic pattern or algorithm that is manually or machine-generated for profiling purposes. We must move forward from historical analysis to real-time 5GL event patterns if we are to successfully monitor data-in-motion activities. This is where and how we must deploy new cybersecurity technologies to truly defend ourselves against cyberattacks.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
MOVING FROM HISTORICAL LOG ANALYSIS TO REAL-TIME 5GL PATTERNS&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
If you look at a hack's anatomy, you can see that the hacker not only has the real-time first strike advantage, but he can also manipulate the security policy to make the exploit look like a normal part of the process. Knowing these two critical attributes of a breach -- location and policy exploit -- defines where proactive defense mechanisms must be placed. The tricky part is how to put it in data in motion vs today’s end point input-to-output log analysis that is used in current cybersecurity technologies. The very definition of an algorithm shows how it analyzes and retrieves data from beginning to end while it processes and automates the data. This is the basis of how third generation programming language (3GL) and fourth generation programming language (4GL) work, and this is the window that hackers use to breach the system.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
If we are to proactively defend our cybersecurity, we must move away from historical algorithm audit and analysis to real-time pattern recognition audit and analysis. 5GL can achieve this because it does not use algorithms and can audit predefined event policy patterns in real time, in microseconds. Simply put, given the compliance or process requirement as explained in the NERC CIP automation suite, we can now view and audit in real time all policy applications pinpointed in the compliance requirements. This is how compliance can actually become cybersecurity, and we can move from historical event log cyber analysis to real-time data-in-motion policy analysis.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
5GL just makes sure the right stuff is connected to the right security policies by auditing the policy event action patterns in real time during data in motion. This is how we will at last offer proactive defenses to cyberbreaches. These real-time cybersecurity technologies will become increasingly important as we add billions of devices through the Internet of Things (IoT). These microchip devices connected to the IoT could actuate unwanted events or anomalies during data in motion if we do not defend our process event policies.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
With potentially billions of these IoT devices out there, we can’t manually review historical log events to detect a potential breach activated by such a device, which in many cases today we can’t even see. It is imperative that we deploy proactionary real-time security solutions that can defend our digital process against a potential onslaught of millions of IoT device actions that could quickly get out of control. This&amp;nbsp;&lt;a href="http://www.projectsafety.org/f/5GL_DPM_Security.pdf" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;graphic demonstration&lt;/a&gt;&amp;nbsp;shows how proactive cybersecurity technologies actually work and&amp;nbsp;&lt;a href="http://www.govtech.com/authors/Larry-Karisny.html" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;my previous articles&lt;/a&gt;&amp;nbsp;share companies actually deploying 5GL technologies to address this critical need.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
FAST TRACK CYBERSECURITY FUNDING&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
The federal government’s push of the $14 billion cybersecurity bill is at least a start to defending ourselves against cyberattacks. This recent funding has major research universities scrambling for a piece of the billion-dollar pie, and partnerships like the University of South Florida, Tampa and CENTCOM have established a Florida Center for Cybersecurity to attract this funding.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Interestingly enough, a recent study by security company Enigma Software named Tampa the most-hacked city in America. This fact coupled with U.S. Central Command's location being in the Tampa Bay area may mean a perfect partnership and location for the new Center for Cybersecurity. &amp;nbsp;We should expect a continued growth of cybercenters and partnerships to be funded around the world. &amp;nbsp;&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
On the private-sector side, there is a lot of speculation and suggestion on how Apple should spend its remarkable profits -- and cybersecurity tops the list. Apple has always been known for superior security to competing operating systems, but it has shown that it, too, can be vulnerable to cyberattacks. Still, Apple is best positioned to be the leader in the IoT industry and should take the brunt of the responsibility in securing these new device technologies.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Dan Kaufman, who heads the software innovation division of DARPA,&amp;nbsp;&lt;a href="http://www.cbsnews.com/news/darpa-dan-kaufman-internet-security-60-minutes/" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;stated in a recent&amp;nbsp;&lt;em&gt;60 Minutes&lt;/em&gt;&amp;nbsp;interview&lt;/a&gt;&amp;nbsp;that today, all devices that are on the Internet of Things are fundamentally insecure -- that there is no real security going on. With IoT projections in growth exceeding $1 trillion, securing the IoT could be Apple's greatest success. If not secured, it could be its greatest failure.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
CRITICAL CROSSROADS&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
With nearly $500 billion projected in cyberattack losses just this year, we are at a critical crossroads of addressing cyberattacks. Both the public and private sectors are demanding proactive cybersecurity technologies versus today's reactionary options. To achieve this, we must beat the hacker to the punch by deploying technologies that can authenticate, view, audit and analyze known digital policy events in real time during data in motion. 5GL allows us to audit policy event patterns at microsecond speeds during data in motion, which puts us ahead of the hacker.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
We can offer these proactive cybersecurity technologies while keeping our algorithm bases and 3GL and 4GL technologies in place. These new 5GL technologies can now proactively offer the first defense advantage over the current first strike advantage of the hacker. If we do not do this, we will be overwhelmed by patch-and-pray reactionary cybersecurity approaches that by the sheer volume of cyberattacks will eventually overcome our digital processes. We must deploy new proactive cyberdefense technologies if we are to win the war on cyberattacks in our increasingly connected world. We have the money; we must now direct both public- and private-sector funding toward the right solutions to proactively defend ourselves against increasing cyberattacks.&lt;/div&gt;
&lt;div class="after-author-bar" style="background-color: white; color: #333333; font-family: 'Arial, sans-serif'; font-size: 0.8em; line-height: 20.0200004577637px; margin-top: 30px;"&gt;
&lt;div class="author-meta"&gt;
&lt;a class="author-name" href="http://www.govtech.com/authors/Larry-Karisny.html" style="-webkit-transition: all 0.25s ease; color: #1d1d1d; text-decoration: none; transition: all 0.25s ease;"&gt;Larry Karisny&amp;nbsp;&lt;/a&gt;&amp;nbsp;|&amp;nbsp;&lt;span class="author-title"&gt;&lt;/span&gt;&lt;br /&gt;
&lt;hr style="border-bottom-color: rgb(255, 255, 255); border-bottom-style: solid; border-left-width: 0px; border-right-width: 0px; border-top-color: rgb(238, 238, 238); border-top-style: solid; margin: 0px;" /&gt;
&lt;div style="font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Larry Karisny is the director of&amp;nbsp;&lt;a href="http://project%20safety.org/" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Project Safety.org&lt;/a&gt;, an advisor, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors.&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Will DPM 5GL Save Cybersecurity?</title><link>http://stpete-smartown.blogspot.com/2015/05/will-dpm-5gl-save-cybersecurity.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Mon, 11 May 2015 12:09:00 -0400</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-8026588875335681613</guid><description>&lt;h5 class="author-detail" style="background-color: #ebedef; color: #333333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 12px; font-weight: normal; line-height: 20px; margin: 10px 0px; padding: 4px 8px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
&lt;span class="author" style="font-weight: bold;"&gt;BY&amp;nbsp;&lt;a href="http://www.govtech.com/authors/Larry-Karisny.html" rel="author" style="-webkit-transition: all 0.25s ease; color: #1d1d1d; text-decoration: none; transition: all 0.25s ease;"&gt;LARRY KARISNY&lt;/a&gt;&amp;nbsp;&lt;/span&gt;&lt;span class="orange-highlight" style="color: #f47421;"&gt;/&amp;nbsp;&lt;/span&gt;&lt;span class="date"&gt;JANUARY 21, 2015&lt;/span&gt;&lt;/h5&gt;
&lt;h3 class="subhead" style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-style: italic; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-bottom: 20px; text-rendering: optimizeLegibility;"&gt;
The back and forth hack and patch cyberwar could be devastating. Is Digital Process Management 5th Generation Programming Language the answer?&lt;/h3&gt;
&lt;div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
We are at an interesting crossroads in cybersecurity -- somewhere between cyberwar and cybersecurity. There were more attacks than ever in 2014, including the largest state attacks, and in 2015, there are predictions of even more attacks.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
All this comes at a time when the largest use of the Internet -- that will dwarf all current Internet use -- will be massively increased by the Internet of Things (IoT) and cloud computing. &amp;nbsp;Both are projecting massive growth in the upcoming year with both having known cyberattack vulnerabilities.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Preparation for inevitable cyberattacks is imminent, and these new technologies will offer increased attack vectors. These attacks occur in microseconds, and only technology that works faster than this can fix it. &amp;nbsp;So what are we doing wrong? And what exactly should we do?&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
This is where DPM 5GL -- Digital Process Management 5th Generation Programming Language -- comes into play. But what is DPM&amp;nbsp;5GL? To explain, I&amp;nbsp;must start with some basics.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
DOING NOTHING IS NOT AN OPTION&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Remember the days when you simply didn't open an unrecognizable executable file as a means of protecting yourself against cyberattacks? Well, those days are long over. &amp;nbsp;We live in a time when software has been released with admitted back doors, microchips can have hidden malicious functionality, smartphone apps can actually be used as cyber exploit tools, cloud computing breaches are increasing, and the IoT is a web of devices being connected to the network without even being seen by the provider. And as we are increasing the potential of breach with new technologies that have even worse vulnerabilities, we have yet to address&amp;nbsp;&lt;em&gt;known&amp;nbsp;&lt;/em&gt;cybersecurity vulnerabilities. There will soon be a tipping point of cyber breaches, and all projections point to this year.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
But there is a fundamental flaw in all current cybersecurity technologies. They work after the attack has occurred -- but wouldn't it be better to avoid a hack altogether vs receiving notification that your database has been hacked? Would you prefer discovering that your software or chip set is doing something wrong, or would you like real-time validation that it's performing as expected?&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
At best, current cybersecurity technologies aggregate data that can be historically analyzed in the hopes the problem might be found. This means we are doing little to proactively stop cyberattacks in real time -- and it's why everyone agrees that the cyberattackers will continue to have the advantage. Historical-based cyberattack information technologies are no longer an acceptable option in addressing attacks, as machine actions can occur in microseconds. Cybersecurity must act within microseconds to be effective in securing our information processes. We can no longer use the same current cybersecurity technologies that are, at best, a deterrent, and expect different results. At this point, we are losing ground to cyberattacks. &amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
ASSUMING YOU’RE ALWAYS UNDER ATTACK&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
One of the recommendations given by cybersecurity analysts is to assume you've already been attacked. This is one of the concerns I have in current Intrusion Prevention Systems (IPS) cybersecurity technologies and Intrusion Detection System (IDS) cybersecurity technologies.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
This assumption validates that current IPS encryption technologies are, at best, a first-level defense in cyberattacks -- and IDS technologies didn't even see the attack come in. &amp;nbsp;With these two valid assumptions (and cybersecurity vendors now admitting to these inefficiencies), we must conclude that our defensive cybersecurity technologies are not enough to stop attacks. If you can’t stop attacks, then what?&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
There have even been discussions on the use of counter attacks as an offensive retaliation -- a disturbing trend being seen in nation state attacks that we should be very careful about. Cyberattack expertise can be bought on the open market with both white hats and black hats offering services. Nation states are actually hiring independents who have little loyalty to the nation or cause, and are more interested in the money. &amp;nbsp;Even ex-NSA and Israeli Unit 8200 are leaving their public-sector organizations and going to the private sector for the money.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
The fact of the matter is that there are thousands of these people who have the skills to hack their desired targets. They are just doing what they need to do today and are not necessarily concerned about the long-term outcome of cyberattacks. Whether they are patching known vulnerabilities that were put in by a nation state spy organization or hackers just doing it for fame and fortune, this back and forth hack and patch cyberwar could be devastating. &amp;nbsp;The problem is who wins or gains when this is done. The short answer today is the aggressor wins in the short-term until eventually stopped with some short-term patch. Then a new exploit is found and we start all over again. &amp;nbsp;The problems are these: Who is the aggressor? Who wins? And how much does all this cost? This has led to a whole new field of cyber risk management that unfortunately is more of a guess than a science.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
CAN WE INSURE CYBERSECURITY?&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
The short answer as to whether we can insure cybersecurity is no.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
The problem with&amp;nbsp;&lt;a href="http://www.govtech.com/pcio/articles/Are-Governments-Ready-to-be-Buyers-of-Cybersecurity-Insurance.html" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;cybersecurity insurance&lt;/a&gt;&amp;nbsp;is in these two questions: How much did they take? And how deep was the breach?&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Why? Because how can an insurance company calculate a premium or settlement in a cyberattack without complete information? Frankly, the cybersecurity industry doesn't have enough analysts now, so where is the insurance industry going to find the expertise to even evaluate the attack? We don't have enough trained cybersecurity analysts today to even support our current information processes. Even if you are to get a cyber insurance policy, you must prove how well you are currently protected. If current cybersecurity technologies are simply deterrents to cyberattacks, then who would want to insure you in the first place?&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
As you can see, even a monetary defense posture of cybersecurity insurance is unreasonable. Rather than getting caught up in cyber war offense and defense and patch technologies, we should be looking to cyber intelligent technologies that can authenticate, view, audit, analyze and block these attacks in real time. Who cares about who did it -- when you get robbed, do you want your money back or to know who the robber was?&amp;nbsp; Wouldn't it be better to just not be robbed in the first place? Cyberattacks use offensive technology, and we need to defend these attacks with better proactive defensive technologies. This can be done, but to achieve it, we must be better and faster than the attackers.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
5GL DPM CLOSES THAT HACK GAP&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
We currently use software that runs mainly on 3rd Generation Programming Language (3GL) and 4th Generation Programming Language (4GL) technology. To explain what 5th Generation Programming Language is, it is best to compare it to the previous 4th Generation Programming Language.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
While fourth-generation programming languages are designed to build specific programs, fifth-generation languages are designed to make the computer solve a given problem -- without the programmer. This way, the programmer only needs to worry about what problems must be solved and what conditions need to be met, without worrying about how to implement a routine or algorithm to solve them.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
5GL is a programming language based on solving problems using constraints given to the program, rather than using an algorithm written by a programmer. Most constraint-based and logic programming languages, as well as some declarative languages, are fifth-generation languages.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
By adding Digital Process Management to 5GL, you now have a comprehensive real-time intelligent viewing capability during data in motion, which can catch cyberattacks before they occur.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
It is important to note that 5GL does not use algorithms. This is a significant departure from current security and analytic technologies that are heavily dependent on algorithms, which, in many cases, are targets for cyberattackers.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
A recent&amp;nbsp;&lt;a href="http://www.projectsafety.org/f/DPM-5GL_White_Paper_(5)_(1).pdf" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;whitepaper&lt;/a&gt;&amp;nbsp;(PDF) written by M. E. Kabay, professor of Computer Information Systems at the School of Business &amp;amp; Management at Norwich University, clearly identifies the immediate need for DPM 5GL technology. In the white paper, Kabay states: "Have you ever wondered why computer and network security are so difficult? One of the problems is that it’s really difficult to make sure that all the proper procedures used by machines and by people are in fact in use to protect their information."&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Process events are usually locally activated, with the process knowledge being driven by the local operator and the procedures defined both locally and company-wide by thorough standards and proprietary process flows. &amp;nbsp;These human and digital process flows are the heart of every organization that not only determine security breach anomalies, but also the competitive process efficiency and ROI of each organization.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Current 3GL and 4GL programming languages were mainly focused on interconnecting and automating systems rather than intelligently monitoring their operations in real time during data in motion.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Adding to this system complexity is an increasing amount of software and device applications now being connected to the enterprise, cloud or Internet that can affect or even exploit the control system processes. If we are to continually interconnect digital devices and software to our system processes, we must start to manage this digital information. Kabay continues by saying that if a user can develop an unambiguous, complete flow chart of a process, "that chart can be converted into a working program (instructions, or code, for the computers to execute) to identify deviations from the expected operations or data. Computing professionals call the process of turning a design into a working program instantiation.”&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
By combining DPM and 5GL, they are able to authenticate, view, audit and block system events in real time during data in motion across multiple software, hardware and network platforms.&amp;nbsp; Kabay gives&amp;nbsp;&lt;a href="http://www.opcyber.com/Use-Cases.html" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;specific examples of how 5GL DPM could be used&lt;/a&gt;&amp;nbsp;by more than 25 industry verticals.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Another important part of 5GL is that it simplifies current software events while monitoring these process events in microseconds. Today's software is so complex that the complexity itself is where hackers find weaknesses. This is why current patch and pray technologies are having difficulty in just keeping up with attacks. We must be ahead of the attack actions in real time while improving the ability to observe both the correct events and attack anomalies even if using multiple networks and layers of software. 5GL has the unique ability of intelligently recognizing these multiple process events in milliseconds.&lt;/div&gt;
&lt;h3 style="background-color: white; font-family: georgia, serif; font-size: 1.2em; font-weight: normal; line-height: 24px; margin: 10px 0px; padding-top: 20px; text-rendering: optimizeLegibility; text-transform: uppercase;"&gt;
IN CONCLUSION&lt;/h3&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Today's information technologies were really built to automate processes and not necessarily to view or secure the events within the processes. All current IPS and IDS cybersecurity technologies are not really good at securing these events because they frankly don't even see them or know they are an accepted part of the process. There is nothing more important than events in information processing because they represent the exchange of information between systems applications, and the individual and machine actions that initiate them. All systems and applications, enterprise, network, cloud, IoT -- it doesn't matter. &amp;nbsp;If you really watch what hackers do, you can see that they manipulate digital events or software to get their desired results.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
The knowledge of this process workflow is local. Your house, the area you live in, your work processes, even your global interaction. &amp;nbsp;If we are to secure these processes, we must define and validate the event flow in real time during data in motion. &amp;nbsp;From giving a key to the office to having access to complex control system processes, event processes are driven locally and are the first step to achieving true cybersecurity. DPM is used to pre-define the sequence of these multiple events in the accepted processes. &amp;nbsp;By adding the intelligence of 5GL to the pre-determined digital management process, we can effectively be ahead of cyberattacks in microseconds rather than be in the reactionary cybersecurity mode we are in today.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;em&gt;Mr. Karisny will be speaking online in the 4th Annual Smart Grid Cyber Security Virtual Summit on Thursday, Jan. 22, 2015. His session,&amp;nbsp;&lt;/em&gt;Securing the Smart of the Smart Grid with 5GL,&lt;em&gt;&amp;nbsp;will cover the technologies discussed in this article in more detail with live Q&amp;amp;A available after the session&lt;/em&gt;.&lt;/div&gt;
&lt;div style="background-color: white; color: #333333; font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
&lt;em&gt;Editor's note: On Feb. 4 at 7:40 a.m., this story was edited to remove the reference to M.E. Kabay as being the "father of cybersecurity."&lt;/em&gt;&lt;/div&gt;
&lt;div class="after-author-bar" style="background-color: white; color: #333333; font-family: 'Arial, sans-serif'; font-size: 0.8em; line-height: 20.0200004577637px; margin-top: 30px;"&gt;
&lt;div class="author-meta"&gt;
&lt;a class="author-name" href="http://www.govtech.com/authors/Larry-Karisny.html" style="-webkit-transition: all 0.25s ease; color: #1d1d1d; text-decoration: none; transition: all 0.25s ease;"&gt;Larry Karisny&amp;nbsp;&lt;/a&gt;&amp;nbsp;|&amp;nbsp;&lt;span class="author-title"&gt;&lt;/span&gt;&lt;hr style="border-bottom-color: rgb(255, 255, 255); border-bottom-style: solid; border-left-width: 0px; border-right-width: 0px; border-top-color: rgb(238, 238, 238); border-top-style: solid; margin: 0px;" /&gt;
&lt;div style="font-family: Georgia, 'Times New Roman', Times, serif; font-size: 1.1em; line-height: 1.3em; margin-bottom: 18px;"&gt;
Larry Karisny is the director of&amp;nbsp;&lt;a href="http://project%20safety.org/" style="-webkit-transition: all 0.25s ease; color: #f47421; text-decoration: none; transition: all 0.25s ease;"&gt;Project Safety.org&lt;/a&gt;, an advisor, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors.&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>DARPA Director Calls for Cybersecurity Change</title><link>http://stpete-smartown.blogspot.com/2014/11/darpa-director-calls-for-cybersecurity_8.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Sat, 8 Nov 2014 00:51:00 -0500</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-2358703390978117649</guid><description>&lt;span style="background-color: white;"&gt;&lt;br /&gt;&lt;/span&gt;
&lt;img alt="Dr. Arati Prabhakar, director of the Defense Advanced Research Projects Agency" class="w-480" src="http://media.digitalcommunities.com/images/DARPA-Director-Arati-Prabhakar.jpg" height="211" id="article-img" style="background-color: #b5b5b4; float: left; font-family: Arial, 'MS Trebuchet', sans-serif; font-size: 12px; line-height: 16px; margin: 0px 10px 5px 0px; padding: 0px;" width="320" /&gt;&lt;br /&gt;
&lt;div&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;span style="background-color: white;"&gt;&lt;br /&gt;&lt;/span&gt;
&lt;br /&gt;
&lt;div style="font-family: Arial, 'MS Trebuchet', sans-serif; font-size: 12px; line-height: 16px; margin-top: 10px; padding: 0px;"&gt;
&lt;i style="background-color: white; margin: 0px; padding: 0px;"&gt;November 7, 2014 By&amp;nbsp;&lt;a href="http://www.digitalcommunities.com/authors/98561004.html" rel="author" style="color: #bb5c5e; margin: 0px; padding: 0px; text-decoration: none;"&gt;Larry Karisny&lt;/a&gt;&lt;/i&gt;&lt;/div&gt;
&lt;div class="bullets" id="pageContent" style="font-family: Arial, 'MS Trebuchet', sans-serif; font-size: 12px; line-height: 16px; margin: 0px; padding: 0px;"&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;A recent C-SPAN interview with Dr. Arati Prabhakar, director of the Defense Advanced Research Projects Agency (DARPA), conducted by Mary Jordan from the&amp;nbsp;&lt;em style="margin: 0px; padding: 0px;"&gt;Washington Post,&lt;/em&gt;&amp;nbsp;gave credence to my&amp;nbsp;&lt;a href="http://www.digitalcommunities.com/authors/98561004.html" style="color: #bb5c5e; margin: 0px; padding: 0px;"&gt;three previous articles this year&lt;/a&gt; concerning how we defend ourselves against cyber attacks.&lt;/span&gt;&lt;/div&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;As Prabhakar stated: "The attacks are happening in microseconds, so today all we can do is patch and pray, and keep throwing human beings at the problem. We are looking for a fundamentally different way to get faster than the pace of the growth of the threat." &amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;Clearly the realization has hit that real-time cybersecurity is now a necessity, and it has reached the point of requiring big changes in how we are going to fix it.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;h3 style="font-size: 1.2em; margin: 20px 0px 0px; padding: 0px;"&gt;
&lt;strong style="background-color: white; margin: 0px; padding: 0px;"&gt;What we are doing wrong&lt;/strong&gt;&lt;/h3&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;Today's information processing technologies are built on historically aggregating information for distribution or processing, such as initiating machine control system event actions across the predetermined information system processes. The very reason hackers can hack is that information processing transfer and aggregation data is historically transported and stored. &amp;nbsp;We encrypt at the end points and we store data at the historical data output level. &amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;This time window allows hackers the ability to manipulate these historical information processes and change the information process or machine action that may only take milliseconds to occur.&lt;/span&gt;&lt;/div&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;Today's cybersecurity technologies aren't even in the right place to detect these breaches. If we are to get faster than the pace of the growth, as stated by the director of DARPA, we need to be ahead of machine action microseconds rather than be caught in historical information processes we currently use today.&lt;/span&gt;&lt;/div&gt;
&lt;h3 style="font-size: 1.2em; margin: 20px 0px 0px; padding: 0px;"&gt;
&lt;strong style="background-color: white; margin: 0px; padding: 0px;"&gt;Why current cybersecurity technologies will continue to fail&lt;/strong&gt;&lt;/h3&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;Cybersecurity weaknesses are clearly being disclosed, with attacks publicized by all major media outlets almost daily. These disclosed weaknesses are beginning to concern both customers and major cloud providers. There is mounting evidence that today's cybersecurity technological approaches that have served us well for years may no longer be valid for information processing today and for future technologies like the Internet of Things (IoT). The two areas of concern are how we attempt to secure and analyze information processes through the use of algorithms and analytics. Both of these technologies have the same vulnerability in how they work and how they are hacked. They both operate at the historical data output level. This offers hackers the opportunity to manipulate or breach algorithms and access stored data and, in real time, change the information process.&lt;/span&gt;&lt;/div&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;A hack is really the manipulation of software to exploit a desired action in the information process systems. The problem with all information processing today is that the systems it is based on historically send and retrieve information at the data output level. This leaves a window of opportunity for hackers. If we are to get faster than the growth of the cyber threat, we must deploy real-time data-in-motion technologies that are ahead of even millisecond machine actions, or we will continue to be behind and hackers will maintain their breach advantage. You will find a clear explanation of how we could get ahead of the hackers and achieve this needed real-time cybersecurity capability in the inserted presentation of the article&amp;nbsp;&lt;em style="margin: 0px; padding: 0px;"&gt;&lt;a href="http://www.digitalcommunities.com/articles/Getting-Cybersecurity-to-Actually-Work.html" style="color: #bb5c5e; margin: 0px; padding: 0px;"&gt;Getting Cybersecurity to Actually Work&lt;/a&gt;&lt;/em&gt;.&lt;/span&gt;&lt;/div&gt;
&lt;h3 style="font-size: 1.2em; margin: 20px 0px 0px; padding: 0px;"&gt;
&lt;strong style="background-color: white; margin: 0px; padding: 0px;"&gt;Why we must change now&lt;/strong&gt;&lt;/h3&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;The largest explosion of millisecond machine actions will take place when billions of IoT devices are deployed. &amp;nbsp;Until we find a way to authenticate, view, audit, analyze and block IoT devices often connected to cloud computing, we frankly shouldn't be putting IoT out there. As the security industry saying goes, "money trumps security," and as increasingly more of these IoT products are released, cybersecurity will just be playing catch-up. With potentially billions of these devices being deployed all over the world, this could lead to a cyber attack free-for-all of catastrophic proportions.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;There is a big fundamental problem with securing IoT though. The systems are so small that even today's patch and pray cybersecurity fixes won't work. It is not like you're going to take a $10 IoT device in and ask to download a security upgrade patch. Even if you did, in many cases there wouldn't be enough room in the processor or memory to install the software patch. The need for a new security platform for IoT will be one of the main driving factors for major changes in cybersecurity. There also are reasons today to change cybersecurity, but the pain of unacceptable cybersecurity platforms is just now being recognized in big industry revenue losses by cloud providers.&lt;/span&gt;&lt;/div&gt;
&lt;h3 style="font-size: 1.2em; margin: 20px 0px 0px; padding: 0px;"&gt;
&lt;strong style="background-color: white; margin: 0px; padding: 0px;"&gt;Why will change occur? Money!&lt;/strong&gt;&lt;/h3&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;When the largest stockholders of IBM (Warren Buffett being one of them) lose over a billion dollars in a few days, people will take notice. There were predictions early on about the Snowden effect that disclosed secret relationships with the NSA and top cloud providers. This left an uneasiness in cybersecurity, certainly from U.S. adversarial countries like China, but it is now going much deeper, even to U.S.-friendly countries and the U.S. itself. How badly these security concerns will affect some of the biggest names in information technology (Cisco, Microsoft, Apple, Oracle, IBM, Google) is just beginning to appear. One thing is for certain, though: These companies must prove that their security platforms actually work or their billions in revenue losses will continue. While existing revenues are lost this time around, even the future trillion dollar revenues in IoT could be lost, proving that money will no longer trump security.&lt;/span&gt;&lt;/div&gt;
&lt;h3 style="font-size: 1.2em; margin: 20px 0px 0px; padding: 0px;"&gt;
&lt;strong style="background-color: white; margin: 0px; padding: 0px;"&gt;Why we must move forward now&lt;/strong&gt;&lt;/h3&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;As the saying goes, "necessity is the mother of invention." Some of the largest information technology companies in the world are facing the need to accept a complete paradigm shift in the way they have been processing digital information. With staggering losses of revenues already occurring and more to come, customers are beginning to lose confidence in these Internet technology giants of the past. There must be a proven change in the security and information processing itself if these IT giants are to regain the trust and market share they have enjoyed for many years.&lt;/span&gt;&lt;/div&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;As bad as things are today, though, the biggest loss could be on the horizon: The potential loss of the multi-trillion dollar IoT market. Today's cybersecurity was never intended to secure cloud computing or the billions of future microchip intelligent sensors that could connect to them -- the Internet of Things. From physical microchip limitations to the inability to decipher billions of machine actions occurring in microseconds, a fundamental change and even a paradigm shift must occur in cybersecurity if we are to allow billions of IoT devices to be deployed all over the world. &amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;h3 style="font-size: 1.2em; margin: 20px 0px 0px; padding: 0px;"&gt;
&lt;strong style="background-color: white; margin: 0px; padding: 0px;"&gt;Change is Inevitable&lt;/strong&gt;&lt;/h3&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;When money, power and intelligence all agree, change is inevitable. &amp;nbsp;We have reached that point in current cybersecurity limitations and now must focus on the deployment of new security technologies that can protect us now and in the future. &amp;nbsp;We must get beyond the point of analyzing technology in cybersecurity and must begin to deploy new known cybersecurity technological capabilities. The very future of information processing and the wonderful things it has brought us are dependent on this change.&lt;/span&gt;&lt;span style="background-color: #b5b5b4;"&gt; &amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;/div&gt;
</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Getting Cybersecurity to Actually Work</title><link>http://stpete-smartown.blogspot.com/2014/09/getting-cybersecurity-to-actually-work_89.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Tue, 16 Sep 2014 13:02:00 -0400</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-8260892227586901533</guid><description>&lt;div style="font-family: Arial, 'MS Trebuchet', sans-serif; font-size: 12px; line-height: 16px; margin-top: 10px; padding: 0px;"&gt;
&lt;i style="background-color: white; margin: 0px; padding: 0px;"&gt;September 15, 2014 By&amp;nbsp;&lt;a href="http://www.digitalcommunities.com/authors/98561004.html" rel="author" style="color: #bb5c5e; margin: 0px; padding: 0px; text-decoration: none;"&gt;Larry Karisny&lt;/a&gt;&lt;/i&gt;&lt;/div&gt;
&lt;div class="bullets" id="pageContent" style="font-family: Arial, 'MS Trebuchet', sans-serif; font-size: 12px; line-height: 16px; margin: 0px; padding: 0px;"&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;Recent conferences and industry studies are coming up with the same concerns in cybersecurity. At the heart of it? Current industry methods of securing information processes aren't working very well -- and hackers know it.&lt;/span&gt;&lt;/div&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;As these weaknesses are reported by government, business and academia, our information processes are becoming more complex and connected, adding to increasing cybersecurity threats and cybersecurity exploit opportunities. So why can't we fix this? And what will it take to actually change cybersecurity from a buzzword to a reality? &amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;h3 style="font-size: 1.2em; margin: 20px 0px 0px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;What is cyber security?&lt;/span&gt;&lt;/h3&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;In one of the many online cybersecurity discussions I've had, someone posed the question, "What do you think cyber security is?" &amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;Some of the answers were long and complex, but as I reviewed them -- and researched the respondents' backgrounds -- I found that the general answer was this:&amp;nbsp;Cybersecurity was the respondent's specific cybersecurity knowledge, the discipline or a product that he or she promotes. And who is the decision-maker? Primarily, it is an IT person who has similar industry knowledge, disciplines or product biases that are offered to the final decision-maker. These so-called cybersecurity experts include some of the biggest names in IT and some of the most brilliant mathematicians in the world.&lt;/span&gt;&lt;/div&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;But what does this all mean? The way cybersecurity solutions are chosen has more to do with what the technical influencer is comfortable with and less to do with what is needed to secure the specific process. Additionally, the CEO in most cases is not disciplined in cybersecurity technologies and would have no way of validating this security technology selection. &amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;Let's assume for discussion purposes, though, that there are no biases in the cybersecurity knowledge base or solution, and the cybersecurity technical influencer puts the best known cybersecurity solutions in place. Will we then be secure? &amp;nbsp;I have a simple way to answer this question. Can the technologies you have selected authenticate, view, audit, analyze and block your information processing flow by application at the data input level during the data in motion? &amp;nbsp;If your answer is no, which today is everyone's answer in cybersecurity, then you are not secure. Today, all cybersecurity technologies secure information processes at the data output level either at the network end points or the historical database storage point. These points of security are too late to achieve true cybersecurity -- and hackers know this. &amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;h3 style="font-size: 1.2em; margin: 20px 0px 0px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;The hacker's advantage &amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;/h3&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;There is a simple reason why hackers have an advantage in cyber attacks. They hack in real time, and current cyber technologies analyze the breach at the historical data output level, which can take hours, days or even months to detect. This fact alone will continually put current-day cybersecurity technologies at a disadvantage and is the area of correction that must be addressed.&lt;/span&gt;&lt;/div&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;So how do we tackle these problems today? With bureaucratic reviews, processes, groups and organizations that take years to approve cybersecurity technologies while the hacker just created a new cyber attack exploit yesterday. We are always playing catch-up in cybersecurity, and we need to get in front of these cyber breaches if we are to stop these now devastating cyber attacks. &amp;nbsp;We need to defend cybersecurity at the point of attack, not after the attack.&lt;/span&gt;&lt;/div&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;The first strike advantage of hackers must be combated with technologies that are placed at the data-in-motion input level, not at the network end points or data aggregate collection points. This is the common-sense part of cybersecurity that the industry must focus on if we are to achieve true real-time cyber security. As our world becomes increasingly digitally smart and connected in real time, we need to adjust our cybersecurity technologies to support these smart technologies. With real-time Internet of Things (IoT) technologies here now and trillions more projected in the near future, we need a paradigm shift in cybersecurity now, or this trillion dollar IoT industrial revolution may have to be put on hold. &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;h3 style="font-size: 1.2em; margin: 20px 0px 0px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;More connections, more problems&lt;/span&gt;&lt;/h3&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;Before we discuss solutions to these cybersecurity problems, let's take a look at what the future looks like in our continually interconnected world. From social media to smartphone apps to the IoT promise of smart everything, we are reaching a point of truly not knowing what is connected to what -- and hackers know this. Take the Target breach -- the attacker used backdoor access to the company's energy management systems to then access a server containing confidential customer information. We are increasingly digitizing our people and machine processes, and are beginning to lose control of what we are doing. &amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;We can't just connect anymore. If we are to continually interconnect smart devices to our phones, homes, businesses, transportation systems, buildings, factories, cities and critical infrastructure, we must define what is connected to what, and understand how one could affect another. One weak link from a tiny IoT device could take down a power plant or be used to rob your home. We need a technology that can assist in quickly securing and understanding sometimes terabytes of information transfers that take place in our increasingly complex digital processes. We must begin to know and manage all this digital info in a smart way, and not just assume or trust that the interconnected hardware, software and people are doing what they are supposed to be doing. We need a Digital Process Management (DPM) system that can, in real time, manage terabytes of data in motion and data input processes, and be able to do this in milliseconds. That may be a big request, but thinking it through, this is what must be done to achieve true cybersecurity.&amp;nbsp;So what are we doing today? &amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;h3 style="font-size: 1.2em; margin: 20px 0px 0px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;How can cybersecurity really work&amp;nbsp;&lt;/span&gt;&lt;/h3&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;It is human nature to do what you have done before and base the correction of problems on these same knowledge-based principles. Both in cybersecurity and big data analytics, the algorithms (&lt;span style="margin: 0px; padding: 0px;"&gt;mathematical instructions)&lt;/span&gt;&lt;span style="margin: 0px; padding: 0px;"&gt;&amp;nbsp;&lt;/span&gt;&lt;span style="margin: 0px; padding: 0px;"&gt;are basically the current core technology used to secure and understand IT&amp;nbsp;&lt;/span&gt;&lt;span style="margin: 0px; padding: 0px;"&gt;processes.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;These mathematical instructions by nature all have a beginning and end, and are historically built instructions for the information process. Any intelligent digital action activated by an algorithm is then historically based at the data output level of the process action. We currently do not authenticate, view, audit, analyze or block algorithms at the data-in-motion input level. This is the window of exploit opportunity that is leveraged by hackers, and is the Achilles heel of current cybersecurity and analytic approaches. If we agree that all these factual statements are correct, we then must also assume all current cybersecurity technologies are at best deterrents to cyber breaches but can't completely stop cyber attacks, which at last many cybersecurity industry leaders are admitting. &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div style="margin-top: 10px; padding: 0px;"&gt;
&lt;span style="background-color: white;"&gt;As a director of ProjectSafety.org and a recognized industry expert in cybersecurity and digital forensics, I urge you to review my&amp;nbsp;&lt;a href="https://www.youtube.com/watch?v=EYaTeb0uQhc" style="color: #bb5c5e; margin: 0px; padding: 0px;"&gt;video presentation&lt;/a&gt;, shown at left,&amp;nbsp;that can actually address the discussed requirements in achieving true real-time data-in-motion cybersecurity.&amp;nbsp;I also act as an advisor to a company called Decision Zone, which offers a patented DPM paradigm shift in cybersecurity that can address our current weaknesses in cybersecurity while putting the technology in front of the data stream -- where the hacker exploits occur. The video covers more than a decade of research from my not-for-profit ProjectSafety.org, which has predicted many of the problems we are seeing in cybersecurity today, and continues to research effective solutions to the now monumental cybersecurity problems we face.&lt;/span&gt;&lt;/div&gt;
&lt;/div&gt;
</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>A paradigm shift in cybersecurity and analytics </title><link>http://stpete-smartown.blogspot.com/2014/07/a-paradigm-shift-in-cybersecurity-and.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Tue, 15 Jul 2014 14:29:00 -0400</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-3622327309821733814</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/EYaTeb0uQhc?feature=player_embedded' frameborder='0'&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;br /&gt;</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Could real-time eForensics be the Answer to Cybersecurity and Analytics?</title><link>http://stpete-smartown.blogspot.com/2014/06/could-real-time-eforensics-be-answer-to_30.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Mon, 30 Jun 2014 14:05:00 -0400</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-8065012267894087863</guid><description>&lt;div style="text-align: left;"&gt;
&lt;div class="separator" style="clear: both; text-align: left;"&gt;
&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQL3XpzEE8nBmMehvsNA8URf7KOmPjUoFvyrGQ-tsNVMxBEBu6-tn7EERFD9xa_U76EeNiBMw6f7wZz1VawQom_3SDparsMNeMhf75jLFl1V1E04FztHnPAqjsPCFIDu7ltI61/s1600/eforensics+magazine+logo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQL3XpzEE8nBmMehvsNA8URf7KOmPjUoFvyrGQ-tsNVMxBEBu6-tn7EERFD9xa_U76EeNiBMw6f7wZz1VawQom_3SDparsMNeMhf75jLFl1V1E04FztHnPAqjsPCFIDu7ltI61/s1600/eforensics+magazine+logo.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;span style="text-align: justify;"&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;&lt;/span&gt;
&lt;span style="text-align: justify;"&gt;&lt;i&gt;by Larry Karisny&lt;/i&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="text-align: justify;"&gt;June Addition&lt;/span&gt;&lt;br /&gt;
&lt;span style="text-align: justify;"&gt;&lt;br /&gt;&lt;/span&gt;
&lt;span style="text-align: justify;"&gt;eForensics may be more than a good name for a magazine. Understanding what digital forensics does in real time may be the holy grail of cybersecurity. The information technology security industry explains cybersecurity in terms of complex algorithms or virus detection systems that only a scientist or software developer can understand. In reality, cybersecurity is just the authenticated use of validated causal actions t&lt;/span&gt;&lt;span style="text-align: justify;"&gt;aking place in a predetermined process that is used to accomplish specific results.&lt;/span&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Cybersecurity is achieved when these actions and processes are authenticated, viewed, analyzed, audited, activated or blocked in real time during data in motion. If we can do this we will be secure. We are not doing this today. With the ever increasing demand for security in an ever increasingly digitally intelligent world, it may be time for a paradigm shift if we are to reach true cybersecurity. It may be time for real-time eForensics.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;b&gt;The scene of the crime&lt;/b&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Most of us are familiar with forensics in the evaluation of a crime scene. A criminal incident has occurred and a team of forensic analysts comes in to gather information that might lead to solving the crime. eForensics today is no different. A hack has occurred and a team of specialists sifts through mounds of data, software, hardware, processes and people to determine how the system's processes have been breached. The commonality of these forensic approaches is that they are both reviewing historical information and using tools and techniques that can analyze these historical incidents. These historical forensic approaches can in time possibly solve the crime or cyber breach, but neither of these approaches can stop the crime or the hacker in advance.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
The current cybersecurity methodologies using passive process monitoring are proving to be in the wrong place and at the wrong time in attempts to achieve system cybersecurity and intelligence analysis. To accomplish information technology security and intelligence we need to focus on technologies that stop and analyze information technology processes in real time during data in motion. This is where a technology paradigm shift needs to occur in the cybersecurity industry, and real-time eForensics can accomplish this. Can our current cyber security and analytic technologies keep up?&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Increased varieties of connected devices are being added daily to our already complex intelligent world. Unfortunately these intelligent technologies are being released by the millions at the cost of increasing cybersecurity threats, while using complicated digital intelligence analysis techniques that are neither effective nor able to keep up with the amount of data input these system devices and software produce. Cybersecurity experts are beginning to realize that current passive process monitoring using historical data aggregation and database analytics techniques are no longer efficient or effective methodologies for cybersecurity and system intelligence.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Current approaches fail due to the inability to secure or properly analyze the many real-time messaging application actuaries that occur in our increasingly complex digital intelligent system processes. The current historical passive security and analytical technologies only tell what might have happened after the causal action has occurred, not what did happen. Monitoring active process causal actions in the process tells what actually is happening in real time during networked data in motion, which is the point where new security and process analytics need to occur.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
As we are increasingly connecting and interconnecting our digital intelligence in the forms of software, hardware, apps and now Internet of Things (IoT), these causal actions multiply, making the process more complex and difficult to track. While these interconnected technologies continue to be leveraged in digital intelligence, we are losing control of the where and when point of causal actions that are actually occurring in the system processes. This is the point where causal actions and processes need to be secured and analyzed. We are not doing this today.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;b&gt;Losing control of digital intelligence and cybersecurity&lt;/b&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
We have reached a point in intelligent operation complexity where even trained operators are not sure which digital control system actuators are actually initiating which actions in the process. We are losing control between human to machine and machine to machine system processes while we increasingly interconnect software, cloud and IoT application messages that in many cases are not secured, audited or even seen in the system process.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Causal messages are constantly being sent in real time during data in motion in these complex system processes and can be exploited to manipulate the process results. Hackers know this and are successfully targeting and exploiting these weaknesses, affecting every individual and every industry that uses digital intelligence in their information technology processes. Hackers have already attacked cars, homes, business process systems, factory control systems and critical infrastructure control systems by manipulating the causal messaging action within these system processes.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;b&gt;The danger of algorithms and analytics in cybersecurity&lt;/b&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
For years we have had a false sense of security that was built around mathematical algorithms. This is what encryption and Intrusion Detection System (IDS) security have been based on for years. Recent disclosure of the NSA’s involvement in the control and release of these encryption algorithms and their direct relation with RSA has caused the loss of considerable trust in the cybersecurity industry. This, combined with weaknesses found that were not able to be disclosed, caused a boycott by major encryption scientists of the last RSA conference. The encryption games are over, and for many the use of encryption in security is no longer technically effective and certainly not trusted.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Intrusion Detection Systems (IDS) security technologies are no better off, now admitting they can’t stop denial of service attacks (DDoS), while sophisticated and aggressive cyber weapons like Snake and Stuxnet are now part of the arsenal of cyber war weapons with critical infrastructure as its main target. Analytic approaches are also showing their weakness in being used in process action discovery. They are having difficulty even understanding what all the big data means and could fall victim to subjective analyst methodologies to explain what the historical data means. Clearly, if we are to secure and understand all these new intelligent actions in our control processes, we need new methods and even a new place for confirming that these complex and layered control system actions are actually correct.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;b&gt;Adding security while adding intelligence&lt;/b&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Intelligent control systems are faced with a two-edged sword of needing digital intelligence and securing this intelligence. They need the digital intelligence to assist in physical security and the monitoring of complex system processes while also being faced with making sure this digital intelligence can’t be accessed or exploited by hackers. In critical infrastructure applications, such as the process control of a power grid, there is no room for error or good enough security. When you have machine to machine (M2M) IoT or cloud services sending actuary messages without human intervention, these system processes must be digitally authenticated, viewed, audited and blocked in real time during data in motion in order to be effectively secured and analyzed.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Having focused on critical infrastructure cybersecurity for years, my many industry colleagues and I have come to a similar conclusion. The cybersecurity and analytical methodologies used today are flawed and cannot achieve the stringent security requirements or the volume of analytical data needed to protect and understand our increasingly complex and interconnected control system operations. In fact both Intrusion Prevention System (IPS) security and Intrusion Detection System (IDS) security methodologies are increasingly showing security prevention and detection failures.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Current analytical approaches cannot even scale to address the billions of applications and terabytes of big data that need to be evaluated in these increasingly complex processes. We must deploy security technologies that can secure and understand the millions of causal events and interconnected causal events that take place in the control system process on the network. This can be done by using an active business process monitoring process firewall on the network, at the data input (data in motion) point of digital intelligence transfer. This is where a new paradigm shift is beginning and where real-time eForensics can be achieved.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;b&gt;The paradigm shift of Intelligent Cybersecurity&lt;/b&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
A recent MIT paper addressing both physical and digital security found that current cybersecurity solutions focused on securing data and networks are 50-year-old technologies that were really made for electrical-mechanical processes, not digital processes. Rather than focus on securing networks and data, the study suggested that security must target the causal action, which is the true point of system security. The new approaches detect anomalies that are not meant to occur in the causal action and system process. The difference between these approaches lies in determining at what point in the data in motion the causal action is identified and secured, and how it is analyzed.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
A Layer 7 firewall is an active monitoring system on the network that secures the device against rogue applications (for example, smartphone private information accessed by unauthorized apps). OSI layer numbers are commonly used to discuss networking topics. A troubleshooter may describe an issue caused by a user as a layer 8 issue. Although the industry jokingly refers to this as layer 8, in reality this human to system causal action event is where true authenticated application security must be achieved.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
The layer 7 OS firewall can secure the application, but there needs to be an additional message intelligence layer if we are to secure live message applications that are continually active in the transfer of system intelligence. Data in motion message actuaries are constantly creating real-time causal actions in a typical control system process. This is where things really get switched on or off, and where desired or undesired actions need to be authenticated, viewed, audited, activated and blocked. This message application intelligence firewall needs to be placed in the data in motion flow of the desired process, not at the end to end points of data transfer on the network. Securing data end points has been a mainstay of cybersecurity for years but can no longer secure the billions of actuaries predicted in cloud and IoT systems.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;b&gt;The intelligent causal action fix&lt;/b&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Security companies are beginning to understand the importance of anomaly detection and its relationship to the system process. They all, though, have the same problem: they use historical security and analysis methodologies to detect the anomaly at the data output level. They use algorithms to protect the input to output data and then use analytics to determine the anomaly. The end point of these methodologies is the historical data output level, which does not allow the security of digital intelligence or the analysis of the anomaly to take place at the real-time, data in motion, data input level.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
After many years of work and research, a patented anomaly detection approach from a company called Decision Zone has uniquely accomplished the ability to authenticate, view, audit, activate and block terabytes of real-time digital intelligence in milliseconds at the input data in motion level. Today’s security systems use passive monitoring, collection and data aggregation methodologies on the network and analyze this information at the historical data output level. Decision Zone offers active application message monitoring on the network using graphical process rules and its patented causal inference engine. This new intelligent process layer firewall can protect the application infrastructure against any unauthorized causal action or system process.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
This significant achievement by Decision Zone offers a paradigm shift in cybersecurity methodologies by uniquely addressing security and system intelligence at the real-time, data in motion, data input level. It does not use historical data output or analytics to evaluate the anomaly, an approach that currently allows hackers a window for system exploit. It uses process logic mapping to validate the interactions of the multiple layers of causal action processes, which allows it to detect even human to machine and machine to machine causal action process errors.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
If we are going to continue to remove human intervention from our control system processes while allowing layers of human to machine and machine to machine actions to occur in these systems, we must use a method that secures and analyzes the causal events and the intelligence processes in the system in real time. Decision Zone offers a unique data in motion application message firewall that can authenticate, view, evaluate, audit, activate and block any causal actions across any software, hardware, cloud or IoT platform. For a more thorough explanation of this capability, see the presentation Layer 8 Process Firewall (L8PF) or go to decisionzone.com.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;b&gt;Conclusion&lt;/b&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Having spent years in the networking world, I, like many of my colleagues, considered cybersecurity the protection of the end to end network and its data flow. This information transport has served us for many years but is now showing its weaknesses, as are the IPS and IDS security technologies that currently protect it. With everything today being about the cloud, the app and the IoT, we must apply new security methodologies to secure these growing and increasingly interconnected intelligent system technologies.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Hackers are exploiting the causal actions of the process and are manipulating message application system actions to their benefit. We must move the firewall from protection of the output data transport systems to the real-time, data in motion, data input level if we are to stop these cyber breach actions and achieve true cybersecurity and analytical system intelligence. The use of real-time eForensics in evaluating and securing causal events and system processes is critical to the understanding and security of digital intelligence today and in the future.&lt;/div&gt;
</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQL3XpzEE8nBmMehvsNA8URf7KOmPjUoFvyrGQ-tsNVMxBEBu6-tn7EERFD9xa_U76EeNiBMw6f7wZz1VawQom_3SDparsMNeMhf75jLFl1V1E04FztHnPAqjsPCFIDu7ltI61/s72-c/eforensics+magazine+logo.jpg" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title> Could real-time eForensics be the Answer to Cybersecurity and Analytics?</title><link>http://stpete-smartown.blogspot.com/2014/06/could-real-time-eforensics-be-answer-to.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Mon, 30 Jun 2014 11:55:00 -0400</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-515423826813947588</guid><description>&lt;img src="data:image/jpeg;base64,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" /&gt;&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;/div&gt;
&lt;span style="text-align: justify;"&gt;eForensics may be more than a good name for a magazine. Understanding what digital forensics does in real time may be the holy grail of cybersecurity. The information technology security industry explains cybersecurity in terms of complex algorithms or virus detection systems that only a scientist or software developer can understand. In reality, cybersecurity is really just the authenticated use of validated causal actions&lt;/span&gt;&lt;br /&gt;
&lt;div style="text-align: justify;"&gt;
taking place in a predetermined process that is used to accomplish specific results.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Cybersecurity is achieved when these actions and processes are authenticated, viewed, analyzed, audited, activated or blocked in real time during data in motion. If we can do this, we will be secure. We are not doing this today. With the ever-increasing demand for security in an increasingly digitally intelligent world, it may be time for a paradigm shift if we are to reach true cybersecurity. It may be time for real-time eForensics.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;b&gt;The scene of the crime&lt;/b&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Most of us are familiar with forensics in the evaluation of a crime scene. A criminal incident has occurred, and a team of forensic analysts comes in to gather information that might lead to solving the crime. eForensics today is no different. A hack has occurred, and a team of specialists sifts through mounds of data, software, hardware, processes and people to determine how the system processes have been breached. What the two forensic approaches have in common is that both review historical information and use tools and techniques that can analyze these historical incidents. These historical forensic approaches can, in time, possibly solve the crime or cyber breach, but neither can stop the crime or the hacker in advance.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
The current cybersecurity methodologies using passive process monitoring are proving to operate at the wrong place and the wrong time for achieving system cybersecurity and intelligence analysis. To accomplish information technology security and intelligence, we need to focus on technologies that stop and analyze information technology processes in real time during data in motion. This is where a technology paradigm shift needs to occur in the cybersecurity industry, and real-time eForensics can accomplish this. Can our current cybersecurity and analytic technologies keep up?&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
An increasing variety of connected devices is being added daily to our already complex intelligent world. Unfortunately, these intelligent technologies are being released by the millions at the cost of increasing cybersecurity threats, while relying on complicated digital intelligence analysis techniques that are neither effective nor able to keep up with the amount of data input these system devices and software produce. Cybersecurity experts are beginning to realize that current passive process monitoring, using historical data aggregation and database analytics techniques, is no longer an efficient or effective methodology for cybersecurity and system intelligence.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Current approaches fail because they cannot secure or properly analyze the many real-time messaging application actuaries that occur in our increasingly complex digital intelligent system processes. The current historical, passive security and analytical technologies only tell what might have happened after the causal action has occurred, not what did happen. Monitoring active causal actions in the process tells what is actually happening in real time during networked data in motion, which is the point where new security and process analytics need to occur.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
As we increasingly connect and interconnect our digital intelligence in the form of software, hardware, apps and now the Internet of Things (IoT), these causal actions multiply, making the process more complex and difficult to track. While these interconnected technologies continue to be leveraged in digital intelligence, we are losing control of where and when causal actions are actually occurring in the system processes. This is the point where causal actions and processes need to be secured and analyzed. We are not doing this today.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;b&gt;Losing control of digital intelligence and cybersecurity&lt;/b&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
We have reached a point in intelligent operation complexity where even trained operators are not sure which digital control system actuators are actually initiating which actions in the process. We are losing control of human to machine and machine to machine system processes while we increasingly interconnect software, cloud and IoT application messages that in many cases are not secured, audited or even seen in the system process.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Causal messages are constantly being sent in real time during data in motion in these complex system processes and can be exploited to manipulate the process results. Hackers know this and are successfully targeting and exploiting these weaknesses, affecting every individual and every industry that uses digital intelligence in its information technology processes. Hackers have already attacked cars, homes, business process systems, factory control systems and critical infrastructure control systems by manipulating the causal messaging actions within these system processes.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;b&gt;The danger of algorithms and analytics in cybersecurity&lt;/b&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
For years we have had a false sense of security that was built around mathematical algorithms. This is what encryption Intrusion Detection System (IDS) security has been based on for years. Recent disclosure of the NSA’s involvement in the control and release of these encryption algorithms, and its direct relation with RSA, has caused a considerable loss of trust in the cybersecurity industry. This, combined with weaknesses that were found but could not be disclosed, caused a boycott by major encryption scientists of the last RSA conference. The encryption games are over, and for many the use of encryption in security is no longer technically effective and certainly not trusted.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Intrusion Detection System (IDS) security technologies are no better off, now admitting they can’t stop denial of service (DDoS) attacks, while sophisticated and aggressive cyber weapons like Snake and Stuxnet are now part of the cyber war arsenal, with critical infrastructure as their main target. Analytic approaches are also showing their weakness when used for process action discovery. They have difficulty even understanding what all the big data means and could fall victim to subjective analyst methodologies for explaining what the historical data means. Clearly, if we are to secure and understand all these new intelligent actions in our control processes, we need new methods, and even a new place, for confirming that these complex and layered control system actions are actually correct.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;b&gt;Adding security while adding intelligence&lt;/b&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Intelligent control systems face a double-edged sword: they need digital intelligence, and they need to secure it. They need the digital intelligence to assist in physical security and in monitoring complex system processes, while also making sure this digital intelligence can’t be accessed or exploited by hackers. In critical infrastructure applications, such as the process control of a power grid, there is no room for error or good enough security. When machine to machine (M2M), IoT or cloud services send actuary messages without human intervention, these system processes must be digitally authenticated, viewed, audited and blocked in real time, during data in motion, in order to be effectively secured and analyzed.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Having focused on critical infrastructure cybersecurity for years, my many industry colleagues and I have come to a similar conclusion. The cybersecurity and analytical methodologies used today are flawed and cannot meet the stringent security requirements or the volume of analytical data needed to protect and understand our increasingly complex and interconnected control system operations. In fact, both Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) security methodologies are increasingly showing prevention and detection failures.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Current analytical approaches cannot even scale to address the billions of applications and terabytes of big data that need to be evaluated in these increasingly complex processes. We must deploy security technologies that can secure and understand the millions of causal events and interconnected causal events that take place in the control system process on the network. This can be done by using an active business process monitoring process firewall on the network, at the data input (data in motion) point of digital intelligence transfer. This is where a new paradigm shift is beginning and where real-time eForensics can be achieved.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;b&gt;The paradigm shift of Intelligent Cybersecurity&lt;/b&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
A recent MIT paper addressing both physical and digital security found that current cybersecurity solutions focused on securing data and networks are 50-year-old technologies that were really made for electrical-mechanical processes, not digital processes. Rather than focus on securing networks and data, the study suggested that security must target the causal action, which is the true point of system security. The new approaches detect anomalies that are not meant to occur in the causal action and system process. The difference between these approaches lies in determining at what point in the data in motion the causal action is identified and secured, and how it is analyzed.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
A Layer 7 firewall is an active monitoring system on the network that secures the device against rogue applications (for example, smartphone private information accessed by unauthorized apps). OSI layer numbers are commonly used to discuss networking topics. A troubleshooter may describe an issue caused by a user as a layer 8 issue. Although the industry jokingly refers to this as layer 8, in reality this human to system causal action event is where true authenticated application security must be achieved.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
The layer 7 OS firewall can secure the application, but there needs to be an additional message intelligence layer if we are to secure live message applications that are continually active in the transfer of system intelligence. Data in motion message actuaries are constantly creating real-time causal actions in a typical control system process. This is where things really get switched on or off, and where desired or undesired actions need to be authenticated, viewed, audited, activated and blocked. This message application intelligence firewall needs to be placed in the data in motion flow of the desired process, not at the end to end points of data transfer on the network. Securing data end points has been a mainstay of cybersecurity for years but can no longer secure the billions of actuaries predicted in cloud and IoT systems.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;b&gt;The intelligent causal action fix&lt;/b&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Security companies are beginning to understand the importance of anomaly detection and its relationship to the system process. They all, though, have the same problem: they use historical security and analysis methodologies to detect the anomaly at the data output level. They use algorithms to protect the input to output data and then use analytics to determine the anomaly. The end point of these methodologies is the historical data output level, which does not allow the security of digital intelligence or the analysis of the anomaly to take place at the real-time, data in motion, data input level.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
After many years of work and research, a patented anomaly detection approach from a company called Decision Zone has uniquely accomplished the ability to authenticate, view, audit, activate and block terabytes of real-time digital intelligence in milliseconds at the input data in motion level. Today’s security systems use passive monitoring, collection and data aggregation methodologies on the network and analyze this information at the historical data output level. Decision Zone offers active application message monitoring on the network using graphical process rules and its patented causal inference engine. This new intelligent process layer firewall can protect the application infrastructure against any unauthorized causal action or system process.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
This significant achievement by Decision Zone offers a paradigm shift in cybersecurity methodologies by uniquely addressing security and system intelligence at the real-time, data in motion, data input level. It does not use historical data output or analytics to evaluate the anomaly, an approach that currently allows hackers a window for system exploit. It uses process logic mapping to validate the interactions of the multiple layers of causal action processes, which allows it to detect even human to machine and machine to machine causal action process errors.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
If we are going to continue to remove human intervention from our control system processes while allowing layers of human to machine and machine to machine actions to occur in these systems, we must use a method that secures and analyzes the causal events and the intelligence processes in the system in real time. Decision Zone offers a unique data in motion application message firewall that can authenticate, view, evaluate, audit, activate and block any causal actions across any software, hardware, cloud or IoT platform. For a more thorough explanation of this capability, see the presentation Layer 8 Process Firewall (L8PF) or go to decisionzone.com.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;b&gt;Conclusion&lt;/b&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Having spent years in the networking world, I, like many of my colleagues, considered cybersecurity the protection of the end to end network and its data flow. This information transport has served us for many years but is now showing its weaknesses, as are the IPS and IDS security technologies that currently protect it. With everything today being about the cloud, the app and the IoT, we must apply new security methodologies to secure these growing and increasingly interconnected intelligent system technologies.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Hackers are exploiting the causal actions of the process and are manipulating message application system actions to their benefit. We must move the firewall from protection of the output data transport systems to the real-time, data in motion, data input level if we are to stop these cyber breach actions and achieve true cybersecurity and analytical system intelligence. The use of real-time eForensics in evaluating and securing causal events and system processes is critical to the understanding and security of digital intelligence today and in the future.&lt;/div&gt;
</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Is Cybersecurity Officially Broken? </title><link>http://stpete-smartown.blogspot.com/2014/04/is-cybersecurity-officially-broken.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Thu, 3 Apr 2014 14:54:00 -0400</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-8404620673411724017</guid><description>&lt;div id="sponsor-block"&gt;
                  
&lt;/div&gt;
&lt;div class="f-left mr-10"&gt;
        &lt;img alt="" class="w-140" height="213" id="article-img" src="http://media.digitalcommunities.com/images/shutterstock_cybersecurity.jpg" width="320" /&gt;
                   &lt;br clear="all" /&gt;
                            &lt;/div&gt;
&lt;br /&gt;
&lt;i&gt;&lt;span class="remarkable-pre-marked"&gt;April 2, 2014
By Larry Karisny&lt;/span&gt;&lt;/i&gt;&lt;br /&gt;
&lt;i&gt;&lt;span class="remarkable-pre-marked"&gt;&amp;nbsp;&lt;/span&gt;&lt;/i&gt;
    &lt;br /&gt;

    
    
     
            &lt;a href="http://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded#section/1"&gt;&lt;span class="remarkable-pre-marked"&gt;NSA disclosures&lt;/span&gt;&lt;/a&gt;&lt;span class="remarkable-pre-marked"&gt;, &lt;/span&gt;&lt;a href="http://www.informationweek.com/security/vulnerabilities-and-threats/9-security-experts-boycott-rsa-conference/d/d-id/1113360"&gt;&lt;span class="remarkable-pre-marked"&gt;RSA conference scientist boycotts&lt;/span&gt;&lt;/a&gt;&lt;span class="remarkable-pre-marked"&gt;, &lt;/span&gt;&lt;a href="http://sunnyday.mit.edu/papers/cacm232.pdf"&gt;&lt;span class="remarkable-pre-marked"&gt;University white papers&lt;/span&gt;&lt;/a&gt;&lt;span class="remarkable-pre-marked"&gt; and even &lt;/span&gt;&lt;a href="http://www.zdnet.com/cisco-launches-internet-of-things-security-challenge-7000026925/"&gt;&lt;span class="remarkable-pre-marked"&gt;cybersecurity supplier contest&lt;/span&gt;&lt;/a&gt;&lt;span class="remarkable-pre-marked"&gt; challenges are validating the weaknesses of our current cybersecurity methodologies.&lt;/span&gt;&lt;br /&gt;

&lt;span class="remarkable-pre-marked"&gt;The old model of "good enough 
security" is being replaced by a new model of "0 trust security" upon 
which cybersecurity must be built. Mysterious scientific encryption 
algorithms combined with the subjective analyses of big data is no 
longer trusted or even effective in offering true &lt;/span&gt;&lt;span class="mf37l189cz" id="mf37l189cz_3"&gt;&lt;span class="remarkable-pre-marked"&gt;security solutions&lt;/span&gt;&lt;/span&gt;&lt;span class="remarkable-pre-marked"&gt;. And yet we are connecting an explosion of software and devices that enhance or even take over human processes.&lt;/span&gt;&lt;br /&gt;

&lt;span class="remarkable-pre-marked"&gt;We need to deploy cybersecurity 
technologies that can effectively secure the billions of application 
process actions, or adversaries will continue to manipulate these 
application-based technologies that are now the focus of new &lt;/span&gt;&lt;span class="mf37l189cz" id="mf37l189cz_8"&gt;&lt;span class="remarkable-pre-marked"&gt;cyber attacks&lt;/span&gt;&lt;/span&gt;&lt;span class="remarkable-pre-marked"&gt;. The question is how.&lt;/span&gt;&lt;br /&gt;

&lt;div&gt;
&lt;strong&gt;&lt;span class="remarkable-pre-marked"&gt;&amp;nbsp;&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;
&lt;div&gt;
&lt;strong&gt;&lt;span class="remarkable-pre-marked"&gt;Hackers Get It&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;
&lt;div&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;span class="remarkable-pre-marked"&gt;I have watched and privately 
disclosed successful attacks on wireless intelligent devices including 
smartphones, automobiles, homes and power-grid infrastructure. In doing 
so I was able to use what I discovered from hackers, then follow 
cybersecurity industry trends and methods of stopping these breaches.&lt;/span&gt;&lt;/div&gt;
&lt;div&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;span class="remarkable-pre-marked"&gt;Inside breaches are increasingly being used to penetrate authentication access to systems. &lt;/span&gt;&lt;span class="mf37l189cz" id="mf37l189cz_5"&gt;&lt;span class="remarkable-pre-marked"&gt;Process applications&lt;/span&gt;&lt;/span&gt;&lt;span class="remarkable-pre-marked"&gt;
 software is being exploited to achieve breaches. Why go through the 
trouble of breaking complex mathematical algorithms with a supercomputer
 when it is much simpler to manipulate the processes and process 
application software to achieve the same results? &amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;span class="remarkable-pre-marked"&gt;While the cybersecurity mathematicians continue to pitch now&lt;/span&gt;&lt;a href="http://sunnyday.mit.edu/papers/cacm232.pdf"&gt;&lt;span class="remarkable-pre-marked"&gt; 50 year old technologies that even MIT considers outdated&lt;/span&gt;&lt;/a&gt;&lt;span class="remarkable-pre-marked"&gt;,
 hackers simply use the system process application actuaries or action 
messages as points of exploit. There are three things we do not do very 
well when securing these action messages. We do not authenticate, view 
or audit these multiple message actions or the collaborative processes 
that occur in a typical &lt;/span&gt;&lt;span class="mf37l189cz" id="mf37l189cz_6"&gt;&lt;span class="remarkable-pre-marked"&gt;information technology&lt;/span&gt;&lt;/span&gt;&lt;span class="remarkable-pre-marked"&gt; control or &lt;/span&gt;&lt;span class="mf37l189cz" id="mf37l189cz_4"&gt;&lt;span class="remarkable-pre-marked"&gt;business process&lt;/span&gt;&lt;/span&gt;&lt;span class="remarkable-pre-marked"&gt;.&amp;nbsp;
 Instead, the majority of cybersecurity technologies focus on the 
protection of the network and data. Thus, they are not even looking in 
the right place to view or audit these process actions. Hackers know 
this and that is where they can most easily enter. &amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;strong&gt;&lt;span class="remarkable-pre-marked"&gt;Securing the Process not the Algorithm&amp;nbsp;&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;
&lt;div&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;span class="remarkable-pre-marked"&gt;This new focus on cybersecurity
 at the action of a business or control system process is becoming a 
welcome and understandable security methodology to CEOs and COOs around
 the world. CEOs who understand their organizational processes and 
actions do not understand how today's cybersecurity products and 
services work.&lt;/span&gt;&lt;/div&gt;
&lt;div&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;span class="remarkable-pre-marked"&gt;While mathematicians were 
making algorithms to scramble and secure data streams, the actual 
security end point is in actions and collective processes. True security
 is achieved by authenticating and securing the causal action of the 
business or system process in real time, not securing data 
transportation input and output while historically analyzing its causal 
actions and processes using data analytics.&lt;/span&gt;&lt;/div&gt;
&lt;div&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;span class="remarkable-pre-marked"&gt;We today process multiple 
software message actions without authenticating or confirming the 
data-in-motion action. This is like turning the key in a car and just 
assuming the vehicle control system is doing what it is suppose to be 
doing. This same lack of system causal confirmation is why scientists 
have been able to demonstrated how an automobile control system can be 
hacked. &amp;nbsp;For 0 trust security to actually be achieved, we need methods 
of monitoring these software process application messages in real-time 
data with a data-in-motion firewall that can view and audit the causal 
messaging actions of any control system or process at the data input 
level.&lt;/span&gt;&lt;/div&gt;
&lt;div&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;span class="remarkable-pre-marked"&gt;There are real-time anomaly-detection messaging technologies that are &lt;/span&gt;&lt;a href="http://sunnyday.mit.edu/papers/cacm232.pdf" target="_blank"&gt;&lt;span class="remarkable-pre-marked"&gt;beginning to be recognized&lt;/span&gt;&lt;/a&gt;&lt;span class="remarkable-pre-marked"&gt;.
 The problem in both of these solution approaches is the continued use 
of mathematical algorithms which are outdated, complicated and 
breachable. IoT devices often do not even have enough memory to store 
these complex algorithms. We are beginning to understand that causal 
actions are the real end points of cybersecurity. We now must find new
 ways of securing them.&lt;/span&gt;&lt;/div&gt;
&lt;div&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;strong&gt;&lt;span class="remarkable-pre-marked"&gt;Control or Lose Control of Digital Intelligence&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;
&lt;div&gt;
&lt;strong&gt;&lt;span class="remarkable-pre-marked"&gt;&amp;nbsp;&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;
&lt;div&gt;
&lt;span class="remarkable-pre-marked"&gt;I
 recognize the benefits of digital intelligence and the many forms it 
takes in hardware, software, apps and the Internet of Things (IoT). &amp;nbsp;I 
like my smartphone and the software apps it runs. &amp;nbsp;The problem is all 
these things can be hacked and we are irresponsibly connecting and 
interconnecting them &lt;/span&gt;&lt;a href="http://www.networkworld.com/research/2014/032514-cybersecurity-expert-and-cio-internet-280070.html?page=1"&gt;&lt;span class="remarkable-pre-marked"&gt;without concern for security&lt;/span&gt;&lt;/a&gt;&lt;span class="remarkable-pre-marked"&gt;
 at a pace so fast we are losing control of what these digital devices 
are actually doing. We are automating without authenticating and 
actuating without auditing. We just touch an icon and assume the 
interconnected layers of network, hardware, software, apps and IoT are 
going to do what we want them to do. Hackers know this and just find the
 weakest link.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;span class="remarkable-pre-marked"&gt;Control systems and processes 
must have the capabilities to view real-time causal actions at the 
data-in-motion input level. Whether an authentication breach, network 
breach, data breach or software application breach, this same 
methodology must be able to quickly and accurately secure billions of 
application messaging actions and the interconnected processes they 
activate. &amp;nbsp;I discussed these methodologies in detail in my last article,
 &lt;/span&gt;&lt;a href="http://www.digitalcommunities.com/articles/Time-for-a-Cybersecurity-Overhaul.html"&gt;&lt;span class="remarkable-pre-marked"&gt;"Time for a Cybersecurity Overhaul&lt;/span&gt;&lt;/a&gt;&lt;span class="remarkable-pre-marked"&gt;."
 Cloud applications and IoT devices today already have a bad security 
track record that will only get worse if we do not change the way we 
secure these new technologies that are now at the doorstep of our digital
 communities.&lt;/span&gt;&lt;/div&gt;
&lt;div&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;strong&gt;&lt;span class="remarkable-pre-marked"&gt;Conclusion &amp;nbsp;&lt;/span&gt;&lt;/strong&gt;&lt;/div&gt;
&lt;div&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;span class="remarkable-pre-marked"&gt;Our digital age had brought us 
many wonderful technologies and I am not underestimating their 
importance. But like others in this industry, I am screaming "proceed 
with caution and find a way to secure this stuff before deploying it."&amp;nbsp; 
We have interconnected so many of these digital technologies we have 
lost control of what the actual business and systems process are doing. 
We are increasing the use of these technologies exponentially without 
proper security procedures in place -- like a manager hiring 10,000 
employees and saying "don't worry I will never check or even have the 
ability of knowing what you are doing."&lt;/span&gt;&lt;/div&gt;
&lt;div&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;span class="remarkable-pre-marked"&gt;We do not understand the power 
of technologies we use every day. &amp;nbsp;Hackers do and exploit &amp;nbsp;these 
security technology weakness as current cybersecurity suppliers try to 
improve older technologies that are proving to have outlived their 
effectiveness. We can't move forward by just putting security patches on
 what we have and the industry is at last coming to that conclusion. &amp;nbsp;&lt;/span&gt;&lt;/div&gt;
&lt;div&gt;
&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;span class="remarkable-pre-marked"&gt;I would like to offer my own 
cybersecurity challenge. &amp;nbsp;If you have a better cybersecurity methodology
 to secure the projected billions of apps and IoT my &lt;/span&gt;&lt;a href="http://www.projectsafety.org/f/dzShield_Technology_Preface%5B.pdf"&gt;&lt;span class="remarkable-pre-marked"&gt;not for profit has already researched&lt;/span&gt;&lt;/a&gt;&lt;span class="remarkable-pre-marked"&gt;,
 I will promote your security technology to thousands of my cyber 
security contacts and submit an article disclosing your capabilities. 
This much I know. We need to fix cybersecurity now or our digital age 
could come to a screeching halt.&lt;/span&gt;&lt;/div&gt;
&lt;div class="f-left mr-10"&gt;
&amp;nbsp;
        &lt;br clear="all" /&gt;
                            &lt;/div&gt;
&lt;br /&gt;
</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><enclosure length="173844" type="application/pdf" url="http://sunnyday.mit.edu/papers/cacm232.pdf"/><itunes:explicit/><itunes:subtitle>April 2, 2014 By Larry Karisny. NSA disclosures, RSA conference scientist boycotts, University white papers and even cybersecurity supplier contest challenges are validating the weaknesses of our current cybersecurity methodologies.</itunes:subtitle><itunes:author>noreply@blogger.com (Anonymous)</itunes:author><itunes:summary>April 2, 2014 By Larry Karisny. NSA disclosures, RSA conference scientist boycotts, University white papers and even cybersecurity supplier contest challenges are validating the weaknesses of our current cybersecurity methodologies.</itunes:summary></item><item><title>Time for a Cybersecurity Overhaul </title><link>http://stpete-smartown.blogspot.com/2014/01/time-for-cybersecurity-overhaul_25.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Sat, 25 Jan 2014 01:40:00 -0500</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-474070541584533924</guid><description>&lt;br /&gt;
&lt;div id="sponsor-block"&gt;
&lt;div id="ad_S1"&gt;
&lt;div id="ad_S1" style="width: =120px;"&gt;
&lt;div class="img_nopad"&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;br /&gt;
&lt;div class="f-left mr-10"&gt;
&lt;img alt="Person holding laptop with skyline" class="w-140" src="http://media.digitalcommunities.com/images/Cyber+Security+Operations+New+Jersey.jpg" height="202" id="article-img" width="320" /&gt;
                   &lt;/div&gt;
&lt;br /&gt;
&lt;i&gt;January 23, 2014
        By &lt;a href="http://www.digitalcommunities.com/authors/98561004.html" rel="author"&gt;Larry Karisny&lt;/a&gt;&lt;/i&gt;&lt;br /&gt;
&lt;i&gt;&amp;nbsp;
    &lt;/i&gt;
    &lt;br /&gt;
Most of the recent attention on cybersecurity has been 
directed toward the disclosure of NSA activities and recent corporate 
breaches now reaching record-breaking levels. Both the public and 
private sectors are beginning to witness how devastating cyber breaches 
can be in critical infrastructure, intellectual property, wealth and 
even state secrets. These attacks are so big that monetary estimates 
range from $100 billion to $3 trillion, and the extent of some attacks 
is still unknown. What is known is that the whole world has had enough,
 and cybersecurity needs to start living up to its name: security. &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;How Bad is It?&lt;/b&gt;&lt;br /&gt;
The infographic &lt;a href="http://www.zdnet.com/this-worlds-biggest-data-breaches-infographic-is-terrifying-7000018680/" target="_blank"&gt;World's Biggest Data Breaches&lt;/a&gt;&amp;nbsp;gives a sense of the extent of these breaches using information from DataBreaches.net and&lt;a href="http://www.idtheftcenter.org/" target="_blank"&gt; IdTheftCentre&lt;/a&gt;. It summarizes breaches that exceed 50,000 files by year, number and type.&amp;nbsp; In a recent interview on the CBS program &lt;a href="http://www.forbes.com/sites/robertlenzner/2013/12/15/some-foreign-nations-have-cyberwar-capability-to-destroy-our-financial-system-nsa-admits/" target="_blank"&gt;&lt;i&gt;60 Minutes&lt;/i&gt;&lt;/a&gt;,
 National Security Agency (NSA) director Gen. Keith Alexander admitted 
that “a foreign national could impact and destroy a major portion of our
 financial system” by placing a virus in our computer systems “and 
literally take down the U.S. economy.”&amp;nbsp; The message is clear that things
 aren’t working properly, and those of us in the industry knew they 
weren’t working. With a new focus, it might be time to pursue solid 
security solutions. &lt;br /&gt;
&lt;br /&gt;
While the press has been focused on the NSA collection of cell phone 
metadata from private U.S. citizens, the real problem is their 
collaboration with some of the largest cloud tech companies in the 
world. &lt;a href="http://blogs.forrester.com/james_staten/13-08-14-the_cost_of_prism_will_be_larger_than_itif_projects" target="_blank"&gt;Forrester Research&lt;/a&gt;
 reported that cloud businesses led by HP, Cisco Systems and Microsoft 
and managed service providers (MSPs) could lose an estimated $180 
billion through 2016 in cloud products and services. These losses are 
directly attributed to disclosures of the NSA spying programs. The 
concerns were so great, top tech executives met President Barack Obama 
to discuss their concerns. Snoop agencies are only part of the problem, 
though, with reports on millions of files hacked from both the public 
and private sectors annually. Mistakes made by people and systems are 
the main causes of data breaches. Whether intentional or not, the 
results are the same, and the cybersecurity industry and the companies 
it affects seem to need a fresh look -- or maybe even a cybersecurity 
overhaul.&lt;br /&gt;
&lt;br /&gt;
One of the greatest concerns is that the very industries that are 
already witnessing security issues are producing and releasing products 
and services without considering security solutions. The cloud-computing
 industry is vulnerable to cyber attacks, and worldwide is expected to 
see double-digit growth rates during the next three years, with revenues
 reaching $148 billion in 2014 and $207 billion by 2016, according to 
the &lt;a href="http://www.itif.org/" target="_blank"&gt;Information Technology and Innovation Foundation&lt;/a&gt;. &lt;br /&gt;
&lt;br /&gt;
The Internet of Things (IoT) industry has forecast revenues of $8.9 
trillion for 2020, and to date has no cybersecurity plan for the 
trillions of devices it plans to connect to the Internet. Clearly the 
cybersecurity and related organizations and industries needed a wake-up 
call, and maybe the recent NSA disclosures will actually help by putting 
responsible cyber solutions in place. &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;What is Cybersecurity and is it Secure?&lt;/b&gt;&lt;br /&gt;
The definition of cybersecurity differs depending on who in the industry 
you speak with. In general, some people think it's protecting networks 
and data, and others think it is having the ability to detect breaches. 
There are basically two ways cybersecurity is viewed today: You 
authenticate and encrypt end-to-end data network transport between users 
and information technologies (Intrusion Prevention Systems or IPS), or 
you detect what has come through the data stream and try to block or 
discard suspicious data (Intrusion Detection System or IDS). &lt;br /&gt;
&lt;br /&gt;
Both of these methodologies have faults. Take IPS, for instance. Edward 
Snowden had top secret clearance and authenticated encrypted access, but
 left with thousands of files. Typical IPS security alone can’t stop 
inside authenticated breaches. IDS security technologies finding things 
like malware, viruses and trojans at the historical stored data output 
level often are too late in stopping a malicious attack. &lt;br /&gt;
&lt;br /&gt;
Even combined, these technologies leave intentional and unintentional 
exploit capabilities, which hackers have demonstrated. All these 
technologies are missing the ability to authenticate, view and audit 
multiple process actions during real-time data in motion with human and 
machine action applications. These vulnerabilities leave gaping holes in
 current cybersecurity solutions and must be addressed quickly as we 
continue to connect more and more applications to an already insecure 
Internet cloud.&amp;nbsp; Customers don’t want to spend billions of dollars for 
“almost security.”&amp;nbsp; Tricky back doors and "almost security" are out; 
real proven solutions are in.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;So Who do You Trust?&lt;/b&gt;&lt;br /&gt;
These NSA revelations were really not surprising to cybersecurity 
professionals. The NSA purchases many of these capabilities from the 
private sector. But today, exploit capabilities that were normally 
disclosed in confidence between computer scientists and vendors are now 
being marketed in the open by global brokers with little concern about 
state sovereignty or corporate entity. While people express concerns 
about NSA activities, at least these activities have some form of 
centralization and responsibility.&amp;nbsp; Now we are faced with a form of 
global cyber ransom in an open market that is decentralized with varying
 amounts of responsibility.&lt;br /&gt;
&lt;br /&gt;
This new global exploit threat means that security vendors will need to 
take security more seriously. In the past, the greatest threats to 
hardware and software vendors were hackers and security researchers who 
sought the positive exposure of being the ones to discover a new 
vulnerability. The actual exploit of published vulnerabilities was rare,
 and in most cases of responsible disclosure, the vendor was given time 
to release a patch before the vulnerability was published. Now the game 
has changed.&amp;nbsp; The penetrate-and-patch cybersecurity market is a 
short-term solution and actually demonstrates how weak current security 
methodologies are. Security patching will not be sustainable or trusted 
by customers in this now open-market free-for-all. Cybersecurity users 
are now demanding a new methodology.&amp;nbsp; Trust needs to be built, and the 
only way to validate these solutions whether offered by government or 
corporate entity is “show me.”&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Moving Forward with Solutions&lt;/b&gt;&lt;br /&gt;
Old ways of cybersecurity are slowly eroding, and customers will no 
longer accept the “appearance” of security. Even standards groups such 
as NIST were not left unscathed from the NSA involvement while they are 
working with industry on new approaches through the &lt;a href="http://csrc.nist.gov/nccoe/" target="_blank"&gt;National Cybersecurity Center of Excellence&lt;/a&gt;.&amp;nbsp;
 Even U.S. government contractors with top secret clearance who were 
poised to have a big part in offering cybersecurity services in areas 
such as critical infrastructure are now coming under scrutiny, as are 
big name companies like Apple, Facebook, Google, Yahoo, Cisco, IBM and 
Oracle. &lt;br /&gt;
&lt;br /&gt;
A recent merger of Mandiant and FireEye is an example of what customers 
want in cybersecurity.&amp;nbsp; Security experts expect strong growth in both 
FireEye's cloud-based systems for detecting malicious software and 
Mandiant's software that analyzes cyber attacks. This merger is a 
reflection that customers are now demanding higher levels of 
cybersecurity services and new technologies for stopping cyber attacks. &lt;br /&gt;
&lt;br /&gt;
A white paper released by Decision Zone discusses one of these new 
security technologies and clearly demonstrates the need for a paradigm 
shift to truly prove to customers that cybersecurity can be achieved.&amp;nbsp; 
Decision Zone’s anomaly detection technology was actually built on the 
premise of an easy and inexpensive way to view, authenticate, audit and 
block process action in real-time at the application level. There is 
also an added nuance of now assuring the hardware and software they are 
using is doing what it is supposed to do. Hardware and software cloud 
companies and service providers will need to embrace technologies such 
as this if they are to regain trust in the marketplace.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Conclusion&lt;/b&gt;&lt;br /&gt;
With revenue losses already being seen by major cloud hardware 
providers, the global message in cybersecurity is clear: The customer 
still rules. “Good enough” cybersecurity technologies will not be 
sufficient; only “show me” will suffice. With our world becoming ever more 
connected through smart technologies offering cloud-connected apps and 
devices in the trillions, there has never been a better time to expose 
the weaknesses of cybersecurity and offer solutions to these 
vulnerabilities. The digital future of every town, city and country 
depends on it.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.digitalcommunities.com/authors/98561004.html" target="_blank"&gt;&lt;i&gt;Larry Karisny&lt;/i&gt;&lt;/a&gt;&lt;i&gt; is the director of &lt;/i&gt;&lt;a href="http://www.projectsafety.org/home.html" target="_blank"&gt;&lt;i&gt;ProjectSafety.org&lt;/i&gt;&lt;/a&gt;&lt;i&gt;,
 a cybersecurity expert, advisor, consultant, writer and industry 
speaker focusing on security solutions for mobility, the smart grid and 
critical infrastructure. He will speak at the &lt;a href="http://www.smartgridobserver.com/index-sgcs22014.htm" target="_blank"&gt;Smart Grid Cyber Security Virtual Summit&lt;/a&gt;, on February 20, 2014.&lt;/i&gt;&lt;br /&gt;
</description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Is Cybersecurity an Inside Job? </title><link>http://stpete-smartown.blogspot.com/2013/10/is-cybersecurity-inside-job.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Wed, 16 Oct 2013 23:08:00 -0400</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-5090516041476561807</guid><description>&lt;br /&gt;
&lt;div id="sponsor-block"&gt;
&lt;div id="ad_S1"&gt;
&lt;div id="ad_S1" style="width: =120px;"&gt;
&lt;div class="img_nopad"&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="f-left mr-10"&gt;
&lt;img alt="" class="w-140" id="article-img" src="http://media.digitalcommunities.com/images/shutterstock_security_binary.jpg" /&gt;
                   &lt;br /&gt;
&lt;div style="color: #666666; font-size: 11px; padding: 0px; width: 140px;"&gt;
&lt;a href="http://www.shutterstock.com/" target="_blank"&gt; Photo from Shutterstock &lt;/a&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;i&gt;October 16, 2013 By &lt;a href="http://www.digitalcommunities.com/authors/98561004.html" rel="author"&gt;Larry Karisny&lt;/a&gt;&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;
While security clearance and authentication processes are
 essential to physical and other security, the physical DC Navy Yard 
breach by Aaron Alexis and the state secret breaches by Edward Snowden 
illustrate some disturbing weaknesses in personal validation and 
authentication. These clearance breaches were very different in nature 
but show a range of how a person’s calculated action can subvert basic 
security measures.&lt;br /&gt;
&lt;br /&gt;
Neither top secret clearance, sophisticated authentication nor the most 
advanced encrypted information systems can necessarily stop an intended 
breach action. These security procedures are not designed to detect 
real-time actions and anomalous business processes from authorized 
personnel. These practices are just the "moat around the castle" 
approach upon which most current cybersecurity technologies are based. 
Current national security breaches clearly show we need to do more.&lt;br /&gt;
&lt;h3&gt;
&lt;b&gt;The Enemy Within&lt;/b&gt;&lt;/h3&gt;
The highest percentage of breaches occurs inside an organization. When a 
criminal wants something specific he or she will choose the path of 
least resistance to obtain it. Cybercriminals don’t do this by breaking 
complex security algorithms. They normally do it by gaining access as a 
trusted insider, using and manipulating secured and authorized software 
and hardware to which they have access. &lt;br /&gt;
&lt;br /&gt;
Corporate espionage has utilized this methodology for years and now 
entire countries are using software exploits to gain access to state 
secrets in this new cyberwar. Authenticated access is not the issue. The
 unknown enemy already has access. We need to quit focusing so much on 
allowing and disallowing access and instead watch the business system 
process tools and how people are using them.&lt;br /&gt;
&lt;br /&gt;
As our organizational systems grow larger and our business process and 
control systems become more complex and connected, we begin to lose 
track of what we are doing, let alone securing what we are doing. We 
currently run business processes using layers of software, hardware and 
people all trying to achieve a certain departmental or subsystem task. 
Whether software, machine or human -- the actions of these process 
components are seldom if ever combined in a single understandable view 
of the entire process. By not allowing a total system action view, the 
breach of a single process action could greatly affect other connected 
process actions and potentially take down the whole system. &lt;br /&gt;
&lt;br /&gt;
These process actions are the Achilles heel of cybersecurity and they 
cannot be defended by hardening physical, network or system information 
process security. We need to direct our attention more toward action 
viewing technologies vs. encrypted authorized actions. We need to assume
 the enemy is already in and needs to be watched.&lt;br /&gt;
&lt;h3&gt;
&lt;b&gt;What We Don’t See Can Hurt Us&lt;/b&gt;&lt;/h3&gt;
While many people are very concerned about technical snooping 
capabilities, the fact is that we need better snooping capabilities in 
areas such as critical infrastructure, industrial control systems, 
intellectual property and national defense. We have created massive 
intelligence process capabilities through computer software, hardware 
and networks and have done a pretty good job securing the transport and 
storage of information but little in securing system processes. When we 
interconnect multiple actions to multiple processes without detection 
capabilities, we leave a wide open opportunity for breaches. Physical 
security in background checks, biometric authentication, RFID location 
based services and network encryption all have value, but they alone 
will not stop an authenticated breach. We are not even looking in the 
right place. &lt;br /&gt;
&lt;br /&gt;
The recent national security breaches were recognized at the action 
output level after the breach action already occurred. These breaches 
demonstrate two very important requirements in security that we must be 
concerned with. One is that we need to add intelligence to physical, 
human and machine actions that view and even predict a physical breach 
like a person breaking barricades. We can’t just go back to the old days
 and think that getting rid of all this digital smart stuff will improve
 security. It won’t. These intelligent and connected technologies can 
greatly help both physical and digital security if properly implemented.
 There are a multitude of technologies that can give intelligence to our
 physical world. &lt;br /&gt;
&lt;br /&gt;
The second important requirement is the timing of when a process action 
breach occurs versus when a process breach can be observed and blocked. 
This is where new technologies such as anomaly detection can be used to 
recognize, audit and block these process actions at the real-time data 
input level when seconds matter. The technologies exist and are called 
anomaly detection. Companies such as IBM and Decision Zone have so much 
belief in these technologies that they have both patented their 
solutions. When things aren’t working properly, demonstrated by the 
scale and magnitude of the cyber breaches we see today, we need to do 
something different and there are some security companies that are 
realizing this. So the big question is how much? The answer may surprise
 you.&lt;br /&gt;
&lt;h3&gt;
&lt;b&gt;Cost Justifying Security Through Anomaly Detection Process Efficiencies&lt;/b&gt;&lt;/h3&gt;
One of the biggest concerns in security services is the initial cost 
in deploying these technologies, the continued cost in using them and 
how these costs can be justified. Even improvements in first-level 
authentication and IT security are not yet considered a cost of doing 
business although these opinions are changing. There are &lt;a href="http://www.iso27001standard.com/en/rosi/return-on-security-investment" target="_blank"&gt;ROI calculators&lt;/a&gt;&amp;nbsp;
 that are now at least trying to put a number on the cost of potential 
security breaches and attempts to reduce insurance policy premiums when 
cybersecurity defensive plans can be demonstrated. &lt;br /&gt;
&lt;br /&gt;
Security is only the anomaly detection of an incorrect process action. 
More accurately viewing the process actions through anomaly detection 
can also improve the total process. Security is really only a byproduct 
of detecting anomaly actions that are not part of the process. People 
are not buying security because they can’t justify the cost. Both the 
public and private sectors can gain efficiencies through the use of 
anomaly detection resulting in service savings or profit that would 
justify the cost of security. The process efficiencies gained through 
anomaly detection technologies can absorb the cost of security while 
improving process actions.&lt;br /&gt;
&lt;h3&gt;
&lt;b&gt;Conclusion&lt;/b&gt;&lt;/h3&gt;
Problems occur in business processes when someone or some technology 
does something wrong, whether intentionally, mistakenly or as part of a 
targeted attack. We can only achieve true security when multiple actions 
and processes can be detected simultaneously and in real time. New 
technologies are offering these capabilities in a time when we are 
rapidly expanding interconnected humans to intelligent machines that 
have capabilities that are so large we are having trouble even viewing 
these processes.&lt;br /&gt;
&lt;br /&gt;
We need to start recognizing that authentication of a person, no matter 
how accurate the techniques used, is only the first level of 
cybersecurity. True security can only be achieved when combining 
prevention and detection technologies at the real-time business or 
process input action level. Most security breaches occur quickly and are 
themselves an input process action. Using technology that can focus on 
these input actions is where we need to focus our efforts. &lt;br /&gt;
&lt;br /&gt;
True cybersecurity will be obtained when we can effectively view, audit,
 correct and block organizational process actions. If you could have a 
technology that does this, then why not?&amp;nbsp;&amp;nbsp; </description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item><item><title>Are Black Hats and White Hats Really Grey Hats? </title><link>http://stpete-smartown.blogspot.com/2013/08/are-black-hats-and-white-hats-really.html</link><author>noreply@blogger.com (Anonymous)</author><pubDate>Fri, 9 Aug 2013 20:34:00 -0400</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-9988265.post-100038922116538365</guid><description>&lt;h1&gt;
 &lt;/h1&gt;
&lt;div class="article-tools base mb-10"&gt;
&lt;br /&gt;
        
                         
            


                                
        
                       
        
        &lt;div id="sponsor-block"&gt;
                  
            &lt;div id="ad_S1"&gt;
 
                                                                        
                                                                        
          
    


&lt;div id="ad_S1" style="width: =120px;"&gt;
 
    &lt;div class="img_nopad"&gt;
         
        &lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="f-left mr-10"&gt;
        &lt;img alt="" class="w-140" id="article-img" src="http://media.digitalcommunities.com/images/GOV_inside-leaks-stock.jpg" /&gt;
                   &lt;/div&gt;
&lt;div class="f-left mr-10"&gt;
&lt;br clear="all" /&gt;
            &lt;div style="color: #666666; font-size: 11px; padding: 0px; width: 140px;"&gt;
Image by Pedro Nunes&lt;/div&gt;
&lt;/div&gt;
&lt;i&gt;August 8, 2013 By &lt;a href="http://www.digitalcommunities.com/authors/98561004.html" rel="author"&gt;Larry Karisny&lt;/a&gt;&lt;/i&gt;&lt;br /&gt;
I advise security companies that have demonstrated 
cybersecurity technologies far superior to those generally offered 
today. So why aren't we using them? The reasons have little to do with 
technology and a lot to do with people. Hackers sell security exploits 
daily on the open market while regulatory organizations take two years 
or more to write security regulations. Recent DEFCON and Black Hat 
conventions in Las Vegas clearly demonstrated that offense is far out in
 front of defense. So are we really trying to secure cyber? The answer 
is "yes and no" and there are good reasons for both. Let’s take a look 
at the two hats we wear while trying to find the balance.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Those Pesky Humans&lt;/strong&gt;&lt;br /&gt;
There are a lot of serious mathematicians and scientists in 
cybersecurity. They develop rather complex systematic approaches to 
security solutions that do not like intermittent variables. You know -- 
people. Everything looks great until people enter into the digital 
process logic, then it all changes.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Securing machine-to-machine actions is relatively simple. You have a 
software logic map that does what it is supposed to do (although we 
don’t often audit them in security) and the machine action responds to 
the given audited logic commands. These process actions are often 
relatively simple and repetitious so they can be secured to assure that 
no changes have been made in the information system process. &lt;br /&gt;
&lt;br /&gt;
The problem occurs when we start adding layers of software logic with 
access to hundreds of machines, thousands of devices and then add the 
human variable into the mix. Now it gets messy and the best mathematical
 algorithm in the world won’t fix this one. This is when you need a good
 process detection technology that can watch and audit both human and 
machine actions. These technologies exist and are what people are 
getting a little sensitive about lately in personal privacy. &lt;br /&gt;
&lt;br /&gt;
Personal privacy aside, we must understand in critical process 
applications these same technologies actually need improvement if we are
 to obtain superior defensive cybersecurity. There is a big difference 
between personal privacy and information privacy in the workplace, and 
also which technologies should be used for those purposes.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Old Security Standards Methods Won’t Work&lt;/strong&gt;&lt;br /&gt;
Remember when things were easier? A standards group put a thousand eyes 
on a problem, leveraged corporate and government money and made things 
the way everyone agreed they should be. Everyone got something and 
everyone was happy. But then the hackers showed up and made a mess of 
things by finding vulnerabilities only days after the security standards
 were released.&amp;nbsp;&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
For the &lt;a href="http://www.computerweekly.com/news/2240183045/NIST-revises-US-federal-cyber-security-standards" target="_blank"&gt;first time since 2005&lt;/a&gt;,
 the U.S. National Institute of Standards and Technology (NIST) has 
revised federal cybersecurity standards. What took so long? Writing 
regulations takes 24–36 months. Meanwhile new technologies hit 
the marketplace, including a &lt;a href="http://www.eetimes.com/document.asp?doc_id=1319005" target="_blank"&gt;supercomputer&lt;/a&gt;
 that can be purchased for $100. This means that new security 
regulations are already outdated by the time they are implemented. When 
you have massive standards and compliance bureaucracies on one side and 
an independent hacker with no rules or regulations on the other, guess 
who is going to be able to respond more quickly? The game has changed 
and so must the methods of approving and deploying cybersecurity 
technologies.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Cybersecurity is different than most other technologies. The more people
 that know about the technology, the more vulnerable you become. 
Creating a bunch of college courses in cybersecurity offers the 
potential for lots more hackers. If it comes down to the ethics of being
 a white hat or black hat, the first priority today is 'where can I get a
 job and how much are you paying?' Government officials have learned 
this and are today playing catch-up by even hiring the black hats when 
needed.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
There is no easy answer to these cybersecurity problems but there is a 
clear understanding that trying to fix the problems won't be 
accomplished with standards, compliance and mandates. This process has 
proven very expensive and has offered little in the way of strong, 
defensive cybersecurity measures. Just trying to keep up with 
vulnerabilities has been hard enough and frankly, the exploit offense 
technologies are currently beating the security prevention and detection
 defense technologies every which way. The game has changed and we need a
 way to get game-changing technologies to the forefront of cybersecurity
 quickly. That won't happen by belaboring bureaucracies that just are 
not fast enough or smart enough to react to the rapidly changing world 
of cybersecurity.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Expensive Band-Aid Security &lt;/strong&gt;&lt;br /&gt;
We will continue to have cyberbreaches by continuing to rely on 
Band-Aids to "fix" vulnerabilities we find in our software. These 
intentional and unintentional back doors are problematic in both old and
 new software. Intentional back doors are often put in software for 
simple maintenance and upgrades. These known vulnerabilities need to be 
continually monitored if we are to ever achieve any acceptable level of 
cybersecurity. We also have the secret back doors put there through 
collaboration by government agencies and the private sector that have 
recently received some attention.&lt;br /&gt;
&lt;br /&gt;
The biggest problem is the unintentional back doors installed by 
getting product out rapidly without proper security audits or writing 
bad code. Whether it's intentional or unintentional, it’s all the same 
to a hacker. It’s a way in and today’s hackers can find these 
vulnerabilities so quickly with exploit software that security patches 
are at best just playing catch-up. &lt;br /&gt;
&lt;br /&gt;
To make matters worse, there is an increasing and disturbing trend in 
finding and correcting security vulnerabilities. A recent article in the
 &lt;em&gt;New York Times,&lt;/em&gt; “Nations Buying as Hackers Sell Flaws in 
Computer Code”, disclosed an open market on zero-day security flaws 
offering hundreds of thousands of dollars to hackers. Once discovered, 
these flaws can be immediately leveraged by hackers and taken advantage 
of through the sale of the information or threatened use in a 
cyberattack. The use of the information in zero-day exploits can be 
leveraged by both hackers and governments at will before anyone else 
knows the vulnerability exists. This is today's dangerous back-and-forth
 exploit game.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Whether intentional or not, these security flaws have added up over the 
years and are continually being discovered. As the saying goes, "pay me 
now or pay me later."&amp;nbsp; We are now paying for years of software 
vulnerabilities and need to use defensive technologies to counter-attack
 these exploits as discussed in an earlier article, rather than just 
continue paying ransom for potential offensive hits.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Privileged Information and Trust&lt;/strong&gt;&lt;br /&gt;
We seem to be having a little problem understanding what privileged 
information is and what it is not. Privileged information is that which 
should be protected from disclosure by single individuals, or from 
sharing metadata between government agencies and thousands of companies.
 Abuse of this kind can deprive the originator(s) from their rightful 
compensation of years of work, intellectual property or nation-state 
security. We do not properly protect privileged information and its 
rightful ownership. Cybertheft of intellectual property is reaching a 
trillion dollars in just the U.S., so there must be a change in the way 
information is stored and secured by both the public and private 
sectors. These changes may even be seen in a loss of trust and business 
by some of the largest data center providers in the world. &lt;br /&gt;
&lt;br /&gt;
Still to be seen -- with the recent disclosure of government 
surveillance programs such as PRISM -- will be how U.S. cloud service 
hosting centers and the technology companies that support them will be 
affected. The Cloud Security Alliance revealed some disturbing results 
in its July 2013 survey. The survey questioned how the recent disclosure
 of programs such as PRISM impacts attitudes about using public cloud 
providers as well as any other broadly available Internet services. The 
results clearly demonstrated a decline in trust of U.S. cloud hosting 
services among foreign respondents. For example, 56 percent were less 
likely to use U.S. cloud service providers. This concern goes much 
deeper with major software and hardware suppliers also being questioned 
and potentially taking a hit.&lt;br /&gt;
&lt;br /&gt;
One thing is for certain: U.S. data centers and the technologies they 
provide will be under a lot of scrutiny in the future and have a lot of 
trust to regain and validate. A happy medium may be found in new private 
cloud services or even a return to private enterprise networks. One 
thing is for certain: the status quo is no longer acceptable and trust must 
be regained. &lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Conclusion &lt;/strong&gt;&lt;br /&gt;
We live in an age where the technology marketplace has trumped security 
needs for decades and we are now paying the price. We are currently 
releasing millions of connected products and services with little 
concern for security while hackers easily find vulnerabilities and 
readily sell exploit capabilities. Our security approval processes have 
become a hindrance in releasing timely defensive cybersecurity 
capabilities that are hacked by the time the standards are released. 
Those responsible for the use of security technologies and the 
information these technologies provide require a high level of ethical 
responsibility and in turn require checks and balances of personal 
oversight.&lt;br /&gt;
&lt;br /&gt;
Security only works when you are all in and all on the same page. The 
other choice is all-out cyberwar, which is a lot more devastating than 
most people realize. From secret state espionage to abuses in political 
power, cyberwar could devastate any country.&amp;nbsp; It would be to everyone’s 
advantage to find a middle ground and quit pretending we are all 
perfect. We are not. If you have been in the security business long 
enough, you probably have to admit your hat isn’t white or black. It’s 
really kind of grey. </description><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total></item></channel></rss>