Ever wondered why it is that despite substantial growth in the information security industry, computer systems are apparently still so insecure? The reason is as simple as it is perplexing: there are problems in the field of security that don’t have any solutions – and the only way to practically overcome this quandary is by the application of technique rather than technology.
That’s according to Peter Bailey, general manager at Aura Information Security. “While technology plays an integral part in securing information systems, achieving a suitable level of ‘hardness’ for any given application or data requires the appropriate technique – or it won’t be successful.”
Speaking at Aura’s recent 31c0n cyber security conference in Auckland, Dr Peter Gutmann, computer scientist and cryptography expert, characterised the challenge facing security professionals as a ‘wicked problem’. “There are some problems in cryptography that just don’t have solutions,” he said.
He explained that a ‘wicked problem’ is a concept that originated in the field of social planning in the 1970s in attempts to deal with inner-city slums. A wicked problem has no definitive formulation (“‘How to communicate securely’ is not a definite problem, it is just a wish,” said Gutmann), it has no ‘stopping rule’ or goal, there is no obvious right or wrong way to solve the problem (just better or worse), there are no steps to take to get to a solution, and stakeholders tend to pull in different directions.
A simple example is communicating securely with someone with whom no prior contact has been made. “This can’t be solved; it makes cryptography impossible and this is something that is exploited by the bad guys [through phishing attacks].”
Another example is antivirus software. It is the common approach to stopping malicious software, but it can only stop viruses it knows about. Therefore, antivirus software alone cannot stop 100% of malicious software.
There is an abundance of more complex examples, said Gutmann, including those related to authentication (where PKI and SSH ‘fuzzy fingerprints’ are readily bypassed), smart cards that are so onerous that users eschew them, smartphones that are bug-ridden and therefore prone to compromise, and widely used software that carries millions of faults that are open to exploit. Cloud computing presents new challenges, which can be described as ‘how to operate securely on someone else’s computer’ – an unsolvable problem, or as Gutmann said, “Obviously, you can’t do that.”
Even compliance with security standards, of which there are many, doesn’t provide an assurance of security: Gutmann said it is possible to be fully compliant with applicable standards while bypassing all the cryptography requirements.
There is the further issue that those protecting data or systems do so within bounds defined by the protector – but the attacker clearly does not care for those bounds, Bailey points out.
“The challenges for security professionals are complicated, too, by the fact that even secure systems have to provide a good user experience. If they don’t, the users themselves are likely to purposefully compromise the system – or simply stop using it,” he says.
Does the wicked problem mean achieving reasonable levels of security is not possible? No. Gutmann went on to explain that the goal is not 100 percent security, which is in any event unattainable. Instead, he said, it is necessary to shift the goalposts and focus on those parts of the problem that can be solved. “Accept that there are no perfect solutions and you don’t need perfection anyway.”
The way to do that, Gutmann added, was through the clever application of sometimes quite mundane techniques; even email can be used as a simple but effective authentication method. “The idea is to create speed bumps for attackers that will slow down and make it more difficult for them to compromise your systems and information.”
Returning to the antivirus software conundrum from before, one way to help combat the issue is to develop incident response processes that react faster to virus outbreaks. This will not only limit the impact of an infection, but also provide your response team with an opportunity to obtain a sample of the code to submit to AV vendors.
Another is simply to engage with systems on a regular basis and learn what normal network activity and health look like, which makes it easier to spot suspicious anomalies and early infection.
In other words, Bailey says, while security technology has a role to play, it is an obvious one that is known by attackers. “What isn’t certain to them is the techniques that are being used – and therein lies one of the better tools for effective defence.”