The IT industry is famous for constantly inventing new buzzwords. Sometimes, they describe new technologies and sometimes, they are just there to show well known technologies in a new context. So, what’s new with cyber-security and why do we need this new buzzword?
We have all heard of cyber-crime and the alarming growth rates of cyber-attacks. Less well known are the attackers and the way they operate. For most people, lone hackers trying to break into bank accounts to make some money come to mind. These days, however, we are talking about a highly specialized industry with teams of experts in cryptography, networks and even psychology. When breaking into a system or manipulating data and systems, they follow a holistic approach.
Additionally, these attacks are no longer limited to criminals with financial interests. We learn about an increasing number of attacks by governments, which can draw on almost unlimited resources to acquire data. Finally, while data used to be well hidden behind several layers of firewalls within an enterprise, we are now confronted with the next wave of digitalization, which exposes data via cloud and application services.
How can cyber-security address these new developments?
It seems prudent to introduce a new approach and to propose that fighting cyber-crime is not exclusively about new, groundbreaking security technologies. Instead, a suitable defense requires a new concept that follows a holistic approach similar to the one the cyber criminals use. It is not only about network firewalls and strong authentication, but about a combination of methods that adapts to new threats and scales with changing demands. Most importantly, such a solution has to be highly usable so that it is not compromised by user errors.
Here, the “password problem” comes into play. Most people tend to use the same password for all their accounts. As a result, every site that receives the password, or anyone who steals it from that site, can log into all the other sites where the user has stored data. More sophisticated platforms try to enforce password policies by setting rules that result in passwords that are impossible for humans to remember but easier for computers to guess. Best case scenarios involve the user writing down different passwords in a secured place or using a password management tool protected with – you guessed it – their regular password.
The bottom line is that passwords do not scale well to the growing number of sites and applications holding our confidential data – even when combined with strong authentication technologies like one-time password generators and crypto cards with the infamous pocket-calculator-style user interface.
These technologies were invented decades ago, primarily to protect high-risk services such as e-banking and corporate data access. The devices are not necessarily unsafe, but they have some essential design issues that make them at least questionable to use. First of all, they are not very user-friendly. They need to be carried around to be available whenever data access is required. For mobile use cases, this is a no-go.
Secondly, they do not scale well. Most of the aforementioned technologies use a symmetric key to calculate a one-time password or access key: the same secret has to be stored in the device and at the service that verifies the code. This implies a complex key management process and, most notably, limits each device to one single application or service. Imagine all those new services such as health insurance, stock trading accounts, private and professional social platforms, email accounts and many more – this is simply not going to work out.
Finally, those devices are static and not connected. As a result, they cannot adapt to new demands, for instance transaction signing, or to new threats such as phishing.
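To make the key management point concrete, here is an added example (not code from the original article or from any ti&m product) of the symmetric-key one-time password scheme such tokens typically implement: HOTP as specified in RFC 4226, plus its time-based variant TOTP (RFC 6238). The `HardwareToken` and `OtpService` classes, the service names and the user name are hypothetical; the only real value is the RFC 4226 test secret used in the test vectors. Because the verifier must hold the same secret as the token, a token enrolled with one service is useless at a second service that never received that secret, and every additional service means another secret to generate, deliver and protect:

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock instead of a press count."""
    return hotp(secret, unix_time // step, digits)


class HardwareToken:
    """Hypothetical event-based token: holds exactly one shared secret and a press counter."""

    def __init__(self, shared_secret: bytes) -> None:
        self._secret = shared_secret
        self._counter = 0

    def next_code(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class OtpService:
    """Hypothetical relying party. It must keep a copy of every enrolled token's secret,
    which is the key management burden the text refers to."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._secrets = {}   # user -> shared secret (an HSM or encrypted store in practice)
        self._counters = {}  # user -> next expected counter value

    def enrol(self, user: str) -> bytes:
        key = secrets.token_bytes(20)  # 160-bit secret, the size recommended for HMAC-SHA1
        self._secrets[user] = key
        self._counters[user] = 0
        return key  # this copy has to be provisioned into the user's token out of band

    def verify(self, user: str, code: str, look_ahead: int = 5) -> bool:
        """Accept the code if it matches one of the next few counters (resync window),
        then move the counter past it so the same code cannot be replayed."""
        key = self._secrets[user]
        start = self._counters[user]
        for c in range(start, start + look_ahead + 1):
            if hmac.compare_digest(hotp(key, c), code):
                self._counters[user] = c + 1
                return True
        return False


def demo() -> dict:
    """One token enrolled with one service: works there, rejects replays, useless elsewhere."""
    bank = OtpService("e-banking")
    broker = OtpService("stock trading")
    token = HardwareToken(bank.enrol("alice"))  # token bound to the bank's copy of the secret
    broker.enrol("alice")                        # the broker generates its own, unrelated secret
    code = token.next_code()
    return {
        "bank_accepts": bank.verify("alice", code),
        "bank_rejects_replay": bank.verify("alice", code),
        "broker_accepts_same_token": broker.verify("alice", token.next_code()),
    }


if __name__ == "__main__":
    print(demo())
```

The look-ahead window in `verify` is what lets an event-based token recover after a few unused presses; a time-based token replaces the press counter with the clock and needs a comparable tolerance for clock drift. Either way the service side has to hold the raw secret, so a breach of that store compromises every enrolled token of that service at once.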
So what does an ideal cyber-security solution look like?
As mentioned before, such a solution has to be multi-dimensional and has to seamlessly combine various security technologies within a complete security solution – starting with up-to-date network firewalls and intrusion detection and prevention technologies. Traditionally, this layer already receives a lot of attention from security experts and security operations centers. The next important layer is made up of application layer security solutions such as web application firewalls and web service gateways. They should definitely gain more traction, not only for high-risk applications such as e-banking or extranet applications, but also for all our new digitalization initiatives.
New web application technologies rely heavily on JavaScript and Ajax services and thus introduce new attack vectors. Consequently, many of the more recent cyber-attacks have exploited these technologies with various kinds of scripting attacks such as cross-site scripting. Coping with this kind of threat requires sophisticated application layer firewalls that can be adapted to new threats through software updates and specialized filter rules.
Reliable strong authentication methods are still a cornerstone of any security solution. But today, strong authentication methods need to be scalable and usable for all data access channels, including mobile solutions. They have to be connected and updatable to adapt to new security threats, and ideally they should combine proven hardware cryptography with well-designed and well-implemented software.
Finally, an ideal cyber-security solution has to be easy to use in order to ensure correct usage and to prevent the solution from being compromised by user errors.
The newest security technology added to our Cyber-Security Stack is called Risk Based Authentication (RBA). The general idea behind this technology is to take user behavior into account by comparing the implicit characteristics of the user and device in the current session context with those of previous sessions. This includes information about the user’s communication device, such as the browser, the OS and installed plugins, as well as connection information including IP addresses, connection speed and the internet service provider. Comparing this information makes it possible to pinpoint deviations from the user’s regular behavior. These deviations are combined into a risk score that estimates the probability of the connection coming from the actual user rather than from an attacker. On the basis of this risk score, the application chooses an appropriate response. For example, it can demand additional proof of identity or send an alert to the user.
Risk Based Authentication adds a lot of security for two reasons: First, it does not require any user intervention and is not affected by user errors. Secondly, while a single attribute such as the IP address or the browser identification can be spoofed, it is extremely hard for attackers to fake or reconstruct all of this data consistently and at scale.
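As an added illustration of the risk scoring described above (not code from the article or from any ti&m product), the following Python sketch compares the current session context with a user's previous sessions and maps the resulting score to a response. The attributes follow the list in the paragraph above; the weights, thresholds, user history, IP addresses and ISP names are invented for the example and would in practice be tuned from real session data:

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class SessionContext:
    """Implicit characteristics of one login: device attributes and connection attributes."""
    browser: str
    os: str
    plugins: FrozenSet[str]
    ip: str
    isp: str
    country: str
    speed_mbps: float


# Hypothetical weights: how suspicious a deviation in each attribute is, out of 100.
WEIGHTS = {"browser": 15, "os": 20, "plugins": 10, "ip": 15, "isp": 20, "country": 30, "speed": 10}


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Similarity of two plugin sets, 1.0 for identical sets (two empty sets count as identical)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def risk_score(current: SessionContext, history: List[SessionContext]) -> int:
    """0..100 estimate of how far the current session deviates from the user's regular behavior."""
    if not history:
        return 100  # no baseline yet: treat the device as unknown
    score = 0
    # exact-match attributes: any value never seen before for this user adds its weight
    for attr in ("browser", "os", "ip", "isp", "country"):
        if getattr(current, attr) not in {getattr(s, attr) for s in history}:
            score += WEIGHTS[attr]
    # plugin sets drift over time, so score by distance to the closest known set
    closest = max(jaccard(current.plugins, s.plugins) for s in history)
    score += round(WEIGHTS["plugins"] * (1 - closest))
    # connection speed varies with the network, so flag only values far outside the known band
    speeds = [s.speed_mbps for s in history]
    if not (min(speeds) / 2 <= current.speed_mbps <= max(speeds) * 2):
        score += WEIGHTS["speed"]
    return min(score, 100)


def decide(score: int) -> str:
    """Hypothetical policy: thresholds would be tuned to the application's risk appetite."""
    if score < 20:
        return "allow"
    if score < 70:
        return "step_up"           # demand an additional proof of identity
    return "alert_and_step_up"     # additionally alert the user about the attempt


def evaluate(current: SessionContext, history: List[SessionContext]) -> Tuple[int, str]:
    score = risk_score(current, history)
    return score, decide(score)


# Constructed sample history for one user: the same PC seen from home and from the office,
# both via ISP-A in Switzerland, with very different connection speeds.
KNOWN = [
    SessionContext("Firefox 52", "Windows 10", frozenset({"Flash", "PDF"}),
                   "203.0.113.10", "ISP-A", "CH", 80.0),
    SessionContext("Firefox 52", "Windows 10", frozenset({"Flash", "PDF"}),
                   "198.51.100.7", "ISP-A", "CH", 12.0),
]
# Constructed current sessions to score against that history.
SAME_DEVICE_AT_HOME = SessionContext("Firefox 52", "Windows 10", frozenset({"Flash", "PDF"}),
                                     "203.0.113.10", "ISP-A", "CH", 75.0)
NEW_IP_SAME_ISP = SessionContext("Firefox 52", "Windows 10", frozenset({"Flash", "PDF"}),
                                 "203.0.113.99", "ISP-A", "CH", 70.0)
TRAVELLING = SessionContext("Firefox 52", "Windows 10", frozenset({"Flash", "PDF"}),
                            "192.0.2.44", "HotelNet", "US", 20.0)
UNKNOWN_DEVICE_ABROAD = SessionContext("Chrome 58", "Linux", frozenset(),
                                       "192.0.2.44", "ISP-B", "US", 300.0)


if __name__ == "__main__":
    for label, ctx in [("same device at home", SAME_DEVICE_AT_HOME), ("new IP, same ISP", NEW_IP_SAME_ISP),
                       ("travelling", TRAVELLING), ("unknown device abroad", UNKNOWN_DEVICE_ABROAD)]:
        print(f"{label:22s} -> {evaluate(ctx, KNOWN)}")
```

Two design points matter more than the exact numbers. The travelling case scores high enough to require an additional proof of identity but not so high that the legitimate user is alarmed every trip, which is why attributes that a real user changes often (IP, plugins, speed) carry less weight than a new country on a new operating system. And because the score is computed from data the client cannot control consistently, an attacker who replays a stolen password still has to reproduce the victim's whole device and network profile to stay below the step-up threshold.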
To sum up
The defense against modern cyber-crime needs more sophisticated solutions than the ones we are used to today. It requires a new, holistic way of looking at security. It is not about the best transport layer security or unbreakable hardware tokens; what counts is an end-to-end solution which explicitly takes user behavior and human error into account. It has to be scalable to be prepared for the ongoing digitalization, and it should not be limited to high-risk applications and confidential data. Instead, such a solution must be affordable enough to be implemented in all or most applications. In short, we already possess the technologies to make the lives of cyber attackers much harder and to make ourselves a less profitable cyber-crime target.
Harald Böttcher is CSO at ti&m.