A look at the current state of security and how it is likely to change.
Never has there been a more committed effort by malevolent entities to leak data, damage infrastructures, and wreak havoc on data essential to our lives. And never has there been a more opportune time for the security industry to put its best effort forward and answer the malfeasance challenge.
So what is the current state of cyber security?
“Unfortunately, there isn’t a lot of good news,” says Paul Kocher, president and chief scientist at Rambus’ Cryptography Research Division. “Moore’s Law is allowing us to move technology ahead faster than we can secure it.”
A lot of organizations are having trouble getting their arms around the scope and complexity of today’s cyber landscape, and the accelerated pace of hardware and software development. Even virtual giants such as Google and Facebook are far from having their networks bulletproof. In reality, to be proactive requires a lot of energy and effort, and many organizations still believe that simply putting up firewalls or software-based cyber solutions is sufficient – it isn’t.
But the juggernaut is slowly turning in the direction of understanding that one cannot simply set up a response system and expect to remain bulletproof. The result is that more and more companies are running hard to try to keep ahead of the threat landscape.
“Some progress is being made,” notes Chowdary Yanamadala, vice president of business development at ChaoLogix. “There is an elevated sense of awareness beginning to bubble up, regarding the need for incorporating security whenever data is generated, transported, or otherwise handled. A lot of non-traditional players are now recognizing the need to intertwine security in their chips or applications. The next few years will be very critical for the field of cyber security.”
Such solutions have to integrate tightly into both hardware and software security layers, with hardware being the heavy hitter. Some of what is in place are high-level directives that call for proactive system testing to find vulnerabilities, keeping abreast of the latest threat landscapes, implementing processes, allocating resources to deal with risks, threat vectors and various forms of threats, both internal and external, and effective feedback.
“One thing that is bothersome is that, in the current landscape, there is a shortage of talent, especially in the semiconductor section, to help keep up with the pace and technology of the attack landscape,” says Yanamadala. “What that means is that we are pedaling as fast as we can, but the attackers know that the talent, or third-party resources a company can throw at them for keeping them out, is stretched thin. They are ramping up because they know that the odds are pretty good that they can find a target that may not have the talent or resources to build solid security solutions.”
Just how much of a factor the shortage of security talent is in the current state of cybersecurity is a difficult metric to nail down. There are so many other metrics, such as financial, perceived damage or liability, buggy code, and a generally poor understanding of the threat landscape by the majority of the non-security tech sector.
However, the sheer number of attacks from all vectors just continues to ramp up, which is an indicator that the assailant camp isn’t feeling like they are losing the game. As Kocher observes, “We don’t see the attacker giving up trying to break in and get legitimate jobs quite yet.”
Take distributed denial of service (DDoS) attacks, for example. In the first quarter of 2015, the number of DDoS attacks more than doubled compared with the same quarter in 2014, up 35% sequentially from Q4 of 2014.
If it was just an increase in the number of attacks, that would be bad enough. However, the attack profile is changing, as well. In 2014, most DDoS attacks were short-duration, high-bandwidth occurrences. In Q1 of 2015, the typical DDoS attack was less than 10 Gbps, and lasted much longer — more than 24 hours in most cases.
The majority of the attacks came under one of these headings: local file inclusion (LFI), PHP injection (PHPi), SQL injection (SQLi), command injection (CMDi), OGNL Java injection (JAVAi), remote file inclusion (RFI), and malicious file upload (MFU). In total, there were more than 175 million combined attempts [See reference 1]. There also were 8 mega-attacks in Q1, each exceeding 100 Gbps. Such large attacks were virtually non-existent a year ago.
Similar statistics are seen across the board for other types of attacks, as well. The numbers have increased, but the makeup of the attacks is shifting. This is a rather disturbing metric that has a lot of security architects concerned, namely the potential for something radically different for which they are not prepared.
What’s happening in hardware
On the hardware side there are cryptography chips. These provide the most hardened solutions. Building up from that is secure code and IP, and security software stacks. Finally there is software that runs on the systems. All of these, when applied judiciously, amount to the best of breed cybersecurity.
Embedded systems are gaining traction, as well, and there is accelerated development going on in this segment. One reason is the relentless trajectory of attacks on such platforms as financial, transit, telecommunications, retail, and identity applications. The amount of money involved is staggering, so these are at the top of the security pyramid in today’s priority, and some are detailed below.
According to Monolina Sen, senior industry analyst for ABI Research’s cybersecurity practice, “Embedded secure element (eSE), trusted platform module (TPM), trusted execution environment (TEE), host card emulation (HCE), and embedded SIM all are emerging technologies that will see much more application in the future security space.”
Of these, TEE is one of the more exciting ones. “What makes TEE so attractive is that it provides a way of enhancing the security of mobile devices and executing sensitive operations on devices running standard operating systems,” notes Sen. “We believe that more and more processors will support TEE, thereby offering device manufacturers integrated, hardware-based security.”
ARM, for one, has integrated its TrustZone architecture into every Cortex-A processor, which the company is now pitching for everything from smart phones and tablets to customizable servers.
Another technology that is gaining momentum is tokenization. “While EMV is effective for securing card transactions at point-of-sale terminals, it is not quite as useful for online payments and other card-not-present transactions,” says Sen.
Presently, more than 22 of the world’s largest banks are on board with it and there is pressure to adopt it in the United States, as well. Tokens provide protection for mobile contact-less payments using host card emulation at the physical point of sale. They work particularly well because the data from credit and debit cards are encrypted at the point where that data is captured. This means encrypted data is all that leaves the POS site. It stays encrypted until it arrives at the payment processing point.
“Emerging proximity and remote payment types along with the increasing desire to replace payment card or bank account numbers with tokens for point-of-sale, online, or mobile payments are pushing this technology into the mainstream,” continues Sen.
There is a lot of other work going on in the hardware security space. Much of it has been discussed in earlier articles so it would be redundant and space consuming to rehash here. (For further reading, see related articles 1, 2, and 3.)
What’s on the horizon
One of the more important avenues that will play a big part in securing the cyber future will be to put a lot more resources into identifying the hackers themselves – the minds behind the keyboard. So expect to see new developments that will be directed at the attacker as well as the threats.
There also will be a lot of attention paid to breach prevention, on all levels. That involves a number of elements. The high-profile breaches of 2014 and early 2015 have placed a new priority on them because it has been shown that little is defensible. One can argue that such breaches are partially or wholly due to lax cyber security, but nevertheless, it was a wake-up call.
On another channel, Internet-based technologies will become inextricably immersed into the fabric of society. Where these technologies come together, between applications, networks, and services, will be the most vulnerable.
Man-in-the-middle campaigns will see increased efforts, too. New versions of “clickjacking” and “watering hole”-based targeted attacks will be seen. And, frighteningly, the Dark Web will become a repository of cyber crime that will be more difficult than ever to crack.
In addition, emerging technologies such as quantum computing, converging mobile technologies (mobile computing and wireless networks), self-organizing networks, cloud computing, and other technologies will meld into a seamless world that will have no distinction between the physical and virtual worlds. All of this will present a slew of new challenges to the cryptography industry.
Will we survive?
Keeping ahead of all of these future disruptive technologies will require a new paradigm in security thinking. Whether it is implemented in hardware, software or a combination of both doesn’t matter. What matters is that the world moves toward it.
A couple of these new paradigms are semantics integration and dynamic networks. There are others, but these are two of the most interesting.
Semantics integration (SI) was made for the future of cyber security. It has been around for a few years, but now is starting to be seen as a solution for next-generation platforms. This technology supports all tiers of the cyber architecture infrastructure in both horizontal and vertical dimensions, which will be the future architecture of the global network. And there is development in the direction of building cyber security applications on top of semantic integration, which will unify the many cyber security vectors.
Its claim to fame is that it can be designed to work seamlessly across all architectures — application, middleware, and data, which is a huge benefit to designing security. It is still early in the SI game but the theory is sound, and once some application development begins, it should catch on.
Dynamic networks are another promising solution to managing security. Networks are developing intelligently. Platforms such as HetNets, network function virtualization (NFV) and software-defined networks (SDN) are blurring the lines between the network nodes or participants, and the network itself. Eventually, there will only be one virtual global network, from a high-level perspective.
The cyber domain is no longer a network of clearly defined enterprises that can be individually defined and secured. Therefore, approaching cyber security with that mindset is an algorithm for failure. Cyberspace now encompasses all other domains with any number of cross-dependencies. It is, in essence, a multi-dimensional cyber network.
Cyber attacks across this network will be different. Next-generation cyber patterns will be both asymmetric and asynchronous, which means they are also potentially multi-dimensional. These cyber attacks are able to cross the boundaries of time, geographic regions, and a diversity of targets. They will comprise a diversity of attack techniques, designed to achieve a single set of objectives. The only way to deal with these is by implementing dynamic networks and securing them with new paradigms of cyber security.
It will be a brave, new world. Some of what was discussed in this article is at a very high level and only brushed upon. More in-depth discussions will be forthcoming. And how all this will really shake out is still up in the air. However, the technological evolution of both hardware and software is on a predictable development path. So much of this future technology and its implementation are an extrapolation of what is, and therefore what reasonably will be.
One thing is fairly certain: Security has to catch up with technology or there will be massive fallout. The chip industry is at the cutting edge and will be ready with hardware solutions. The software industry will be there as well. The roadblock will be the acceptance that security isn’t an option. The cost of lack of security will be far greater than the cost of implementing it. And the supply chain will have to get on board with security as an integral component, whatever the cost.
Reference 1: Akamai Q1 2015 State of the Internet Security Report.