More of the Same Won’t Keep Us Safe

It’s time for a reboot on our approach to network security

By Jeff Hussey, President and CEO, Tempered Networks




It is a widely understood and yet astonishing reality that all major companies have been hacked,
along with countless government agencies around the world. The impact of these attacks is
staggering. According to a 2014 Ponemon Institute survey, the average annual cost per company
of a successful cyber attack was $12.7 million. Certain industries are hit even harder, including
energy and utilities companies at $13.2 million and financial services companies at $13 million.
Organizations suffered an average of 1.7 successful attacks per week.


TCP/IP is the problem
How did we get to the point where cyber attacks are a routine cost of doing business? The
unfortunate reality is that the Internet, specifically TCP/IP, is inherently insecure. Originally
developed by the U.S. Department of Defense in the 1960s, TCP/IP was created to provide
network interoperability within a closed environment of military-grade physical security. Now its
purpose is to provide the backbone for wide-open, global communications and commerce. This
dichotomy fuels an annual $77 billion cyber-security technology market, with no relief in sight.

Efforts to secure networks rely on encrypting communications, which requires establishing
trusted relationships between the entities that are communicating. The flaw in this approach is
that all of these entities are identified by their IP addresses, and IP addresses on their own
assume trust. Security is typically “bolted on” after the fact, using firewalls, VLANs, VPNs, and
any number of other mechanisms that cybercriminals have found ways to abuse.


Encryption is easy, trust is hard

Trust is the fundamental problem in IP communications. It turns out that adding encryption to
communications is the easy part. Adding trust, on the other hand, remains an intractable
problem. Why? Two reasons. First, access to apps and IPv4 communications are both tied to
the same piece of information: the IP address. We do not have a cryptographic identity to use
for communications, which is why we have to log in to every “secure” application like banks,
email, and medical records. Second, there has been no good way to manage trust
relationships.

You might argue that the communications are still encrypted. But with whom are they
encrypted? Does it matter if you encrypt your password over the network if it goes directly to an
adversary? Attribution on the Internet is nearly impossible. The browser-based trust model of
hundreds of trusted CA certificates does little to assert trust and assurance for the underlying
communications. A case in point is the DigiNotar CA hack.
64 Cyber Warnings E-Magazine – May 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
