Meredydd Williams

Cybersecurity schizophrenia

1/31/2015

Source: http://bit.ly/1JrBj56 and at gotcredit.com, modified. Creative Commons (CC-BY 2.0).
Those within the corridors of power argue that cyber security is essential, that the health of our economy is dependent on UK businesses being protected. Evidence of the government's new drive can be clearly seen on the London Underground and online, through the Cyber Streetwise campaign. This is indeed true: companies of all sizes lose millions of pounds each year due to security incidents, whether these are data breaches, malware infestations, or phishing scams. It is refreshing for researchers to hear that cyber security has been given such great importance, especially as the risks of attacks are so frequently underestimated by those companies not peddling anti-virus products.

However, in another case of the heads of the Whitehall Hydra not acting in unison, David Cameron has recently proposed that data encryption be broken in order to assist law enforcement and secret intelligence efforts. Whilst it is true that the government has the right to open your physical mail in transit (in special circumstances), implying that forces are prevented from pursuing cases because of encryption is disingenuous. On the other side of the puddle, the National Security Agency (NSA) also appears misaligned with the US National Intelligence Council: the former wishes access to more data, while the latter emphasises the importance of encryption in a Snowden-released 2009 document.

Let me repeat an oft-repeated fact: a backdoor is a backdoor, and a vulnerability is a vulnerability. We have enough implementation errors and design flaws in software even when we try to make it bullet-proof; purposely adding security holes to widely deployed applications is just a bad idea. Once malicious parties understand that software vendors must comply with backdoor requirements to trade effectively, the race is on to find the vulnerability and steal the data. We might sleepwalk into a situation where law enforcement and criminal groups both have access to our personal information, leaving the balance unchanged at the cost of our civil liberties.

In essence, you cannot have your cookies and eat them too. We have been trying to make software more secure, more robust, and more reliable for decades, bemoaning that no "silver bullet" exists to solve our woes. What we certainly do not need is to work in the opposite direction, all in the faint hope that the "good guys" will be the only ones intelligent enough to exploit the vulnerabilities. If the intelligence agencies truly have that current advantage, then they shouldn't require everyone else to weaken their security.

Why Sony cannot be wholly blamed for insecurity

1/31/2015

Source: Yahoo! Finance
One would think Sony have not had the best time of late. If it wasn't bad enough having embarrassing senior-level emails, unreleased movies, and sensitive employee records leaked onto the Internet, then your network gets DDoSed on Christmas Day. Not forgetting, of course, that Sony Pictures appears to be in direct conflict with North Korea concerning The Interview, a symbol of American freedom with a 52% fresh rating on RottenTomatoes.

After this recent turmoil, you would be forgiven for thinking that Sony's finances would be reeling. However, this is far from the case: indeed, the Japanese giant's share price is 135 points higher (Dec 1st 2014: 2640, Jan 29th 2015: 2775) than at the start of a seemingly disastrous December. Perhaps the breaches might finally act as a wake-up call to the large collection of companies with insecure networks, looking to avoid the weeks of continued bad publicity. However, if a corporation can sustain such a strike and overtake their previous share price in only 50 days (Dec 5th 2014: 2677, Jan 23rd 2015: 2737), then is there really an incentive to invest in cyber security?

The security issues at Sony are anything but recent: in 2011, 77 million customer accounts were spilled over the Internet in a much-publicised breach. At this point it was discovered that employees were using passwords such as “s0ny123” (not an uncommon practice), and that account details were stored unencrypted. After claiming outage costs of $171m and facing mass criticism for the week-long delay before informing customers, you would expect security to be a greater priority three years later.

There are no simple solutions. Sony is a large, multinational corporation with a network stretching across the globe, accessed by hundreds of thousands of employees. Ensuring total security is impossible and intrusions are naturally bound to happen. However, there does seem to be an underinvestment that needs to be addressed: Sony shall continue to be targeted until their defences are improved.

I have some sympathy with their rationale. Security decisions are a cost-benefit analysis: why implement a defensive measure costing £500 if you only stand to lose £400? Whilst Sony have been dragged through the papers and ridiculed by the security community, if their shareholders care that little about the incident then it makes little economic sense to change policies.

At least we can hope that the new EU General Data Protection Regulation shall alter the equation for European firms: a €100m fine would surely make an executive think twice about connecting an insecure USB stick. For companies to take security seriously it must affect their bottom line and unsettle their shareholders; currently the incentives just don't add up.

Author

Meredydd Williams. Multidisciplinary PhD Cyber Security researcher. Opinions expressed are personal and do not represent the University of Oxford.