Securing The Internet
Internet security is a peculiar dilemma. It is an extremely hard and unenviable task, yet it is also embarrassing to be repeatedly caught napping or behind the eight ball in a constantly evolving threat landscape. As nations and corporations grapple with novel threats and an explosion of entities hooked to the internet, they awaken daily to the reality of this uphill battle.
Asymmetric War
There is no such thing as getting security just right. Our best defenses today may prove woefully insufficient tomorrow. There is an inherent asymmetry in defending against the digital dark arts. Whereas a rogue actor can get away with targeting only the weakest link in the chain of cybersecurity, the defender has to secure every link, which makes the task of securing the internet inordinately hard. The realization that there will always be a weak link is unsettling. A cybersecurity chain is only as strong as its weakest link. Adi Shamir, the Turing Award recipient and co-creator of the famed RSA encryption algorithm, couched this golden nugget in a quote:
Cryptography is typically bypassed, not penetrated — Adi Shamir
Teachable
The recent Lapsus$ episode is poignant. It is instructive for me as an IT professional who takes security seriously. The brazen nature of the attacks that penetrated Nvidia, Microsoft, Okta, the Brazilian Ministry of Health, and others makes this a teachable moment in history.
By successfully employing social engineering tactics as their modus operandi, Lapsus$ stole millions of dollars in currency, both regular and bitcoin. They made a mockery of the security apparatus. Based on reporting, the alleged conspirators arrested were kids between the ages of 16 and 21. Their ringleader was a teenage whiz living with his mother in Oxford, England. With insane skills at spoofing automated activity, he misled those tracking the attacks into believing there was no human involvement. Internet-of-Things firmware can misfire, and the occasional piece of software programmed by humans can misbehave, giving the appearance of something going rogue. However rare and implausible such events seem, they are known to happen.
Greed
Notwithstanding their mad hacking skills, their escapade was a get-rich-quick scheme driven by old-fashioned greed and a misguided notion of justice, if there ever was one. They are no Robin Hoods, looking to redistribute ill-gotten wealth, who deserve anybody’s sympathy. Nothing can justify their actions, not even stipulating that their targets were rich and powerful corporations. And it makes the rest of us collateral damage in this cynical game of sticking it to society. To toy with their defenses and our sensitive data is disturbing. It’s a slap in the face of cybersecurity and this edifice we call the internet, built by generations of creative and hardworking minds. Such brazen attacks starkly expose how fragile it is in the face of system-wide shocks. No matter one’s place in society, this attack should hit too close to home.
Posture
What should our stance toward cybersecurity be as upright individuals and, if we are so privileged, as IT professionals? Is this a losing battle? Die-hard professionals and countless internet users must agree that we can never give up. Throwing up our hands is not an option. It would be synonymous with becoming sitting ducks and accepting the pain and misery that follow. We have no choice but to sharpen our cybersecurity awareness by honing our skills. It’s a constantly evolving game of cat and mouse. As the industry matures, it suffers growing pains in trying to get ahead and stay ahead in this game. Cyber-criminals keep it on its toes, threatening to steal, and with great success in their recent attempts. The recent gains are to an extent due to targeting infrastructure and, to a large extent, to targeting people in order to steal digital intellectual property and currency in novel ways.
Weakest Link
If human entities are the chink in the internet security armor, we must do our part to fix it by investing in ourselves. Awareness comes first: even our most well-intentioned and benign digital actions have a potential for adverse side effects. That should not cripple but invigorate us, spurring us to do more. Just being aware is insufficient. Sharpening our digital habits through training comes next. Our digital diet must include security, meaning the well-being of our devices and our own online and offline behavior. Raising the defensive bar by strengthening our posture can’t hurt. It doesn’t guarantee immunity either. But it may discourage bad actors from exploiting human gullibility as a weapon to infiltrate and pillage the internet. Going on the offensive against criminals is the next logical step but requires a partnership between nations, corporations, and citizenry.
Evolution
A completely secure internet is a chimera. There is no such thing as infallibility. The conventional model of operating infrastructure, trusted users, and applications within an arbitrary perimeter no longer seems viable. The explosion of devices and their interconnected nature makes that proposition impractical. The transition to always-on, always-available, and globe-spanning public cloud infrastructure, coupled with ready access to (and from) any coordinate, makes any parochial notion of a perimeter ludicrous. The perimeter is now planet Earth itself. The entire planet has shrunk into one giant interconnected information system: a global database, a global network, and an information-dispensing oracle rolled into a single entity.
Never Trust
Air travel used to be pleasant in the bygone era before 9/11 and the shoe bomber. The cost the rest of us pay for a few bad apples is heavy. Internet security is no different. In realizing this, the IT industry is hurtling toward a future of Zero Trust. This new paradigm dispenses with any notion of perimeter security altogether by pushing it out toward the edge: the end-user or device that wants to connect and access information. Both person and non-person entities have identities, validity, and lifetimes. They must repeatedly prove trustworthy before information is dispensed to them.
This active posture of "never trust, always verify" opens up new ways of monitoring threats, quarantining compromised assets, tracking failed attempts to access them, and taking action to prevent, curtail, or contain breaches. Constantly surveilling entities and attack vectors to minimize the attack surface is challenging. This active security posture tends to get noisy and may lead to alert fatigue from false positives. Rising above the din without letting the guard down requires advancements in pattern recognition, which is the domain of AI/ML-based approaches. Preventing overreach by entities in accessing resources requires least-privilege access. Limiting the blast radius of an attack requires proper segmentation of the networks that make up the backbone.
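The Zero Trust ideas above (bounded credential lifetimes, least-privilege grants, segmentation, tracking failed attempts, quarantine) can be sketched as a per-request policy check. This is an added example, not code from the original article; the class names, the quarantine threshold, and the sample entity and resources are all constructed for illustration.

```python
from dataclasses import dataclass, field

QUARANTINE_AFTER = 3  # assumed threshold: consecutive denials before quarantine

@dataclass(frozen=True)
class Entity:
    """A person or non-person identity with a bounded credential lifetime."""
    name: str
    expires_at: float     # end of credential validity (epoch seconds)
    scopes: frozenset     # least-privilege grants, written "action:resource"
    segment: str          # network segment the entity connects from

@dataclass
class PolicyEngine:
    resource_segment: dict                        # resource -> segment allowed to reach it
    failures: dict = field(default_factory=dict)  # entity name -> consecutive denials
    quarantined: set = field(default_factory=set)

    def authorize(self, e, action, resource, now):
        """Evaluate every request on its own; an earlier 'allowed' grants nothing."""
        if e.name in self.quarantined:
            return False, "quarantined"
        if now >= e.expires_at:
            reason = "credential expired"
        elif f"{action}:{resource}" not in e.scopes:
            reason = "outside least-privilege grant"
        elif self.resource_segment.get(resource) != e.segment:
            reason = "cross-segment access"
        else:
            self.failures[e.name] = 0
            return True, "allowed"
        # Track the failed attempt; contain the entity once denials pile up.
        self.failures[e.name] = self.failures.get(e.name, 0) + 1
        if self.failures[e.name] >= QUARANTINE_AFTER:
            self.quarantined.add(e.name)
        return False, reason

def demo():
    """Constructed scenario: a bot with one grant probes a resource it was never given."""
    engine = PolicyEngine({"wiki": "corp", "payroll-db": "finance"})
    bot = Entity("build-bot", 1000.0, frozenset({"read:wiki"}), "corp")
    out = [engine.authorize(bot, "read", "wiki", now=10.0)]
    out += [engine.authorize(bot, "read", "payroll-db", now=t) for t in (20.0, 30.0, 40.0)]
    out.append(engine.authorize(bot, "read", "wiki", now=50.0))  # valid request, but contained
    return out

if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

After the third denied probe the entity is quarantined, so even its previously valid wiki request is refused until someone investigates.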
What’s Next?
Getting ahead of the curve in cybersecurity demands fortifying the internet further. It implies a more aware, vigilant, and informed end-user who takes security seriously and modifies their behavior by safeguarding secrets and adopting healthy digital habits. Shedding the label of the weakest link in the cybersecurity chain is not an easy task. It’s an ideal place for humans to be but requires our concerted effort. It does not guarantee immunity from getting attacked. Allowing ourselves a chance to go on the offensive will alter the nature of this game. And the internet gets more resilient as a result.
Thank you for your readership and support.
© Dr. VK. All rights reserved, 2022