Thursday, November 14, 2024

Security Notes: Security As a Science

Gideon Samid  Gideon@AGSgo.com

Last summer, at a Las Vegas conference, the normally tight-lipped National Security Agency (NSA) made an unusual plea and admission. “Electrical engineers rely on physics, chemical engineers build on chemistry, physicians on biology, but what is the science that security professionals rely on?” asked Steve Borbash of NSA Research.

Good question—and a timely one. Cryptography is based on complexity theory, but security in general is primitive in that regard, operating as it does without a foundational science.

Indeed, the present-day Cyber War is really an effort to prevent the recurrence of past defeats. That is, once the bad guys have shown what they can do, we try to stop them from a repeat performance. That’s no way to run a railroad. Instead, the focus should be on interception: anticipating the hacker’s next move, pouncing in time to prevent damage, and securing a conviction, if applicable. When security efforts reach this state of effective interception, they project effective deterrence and keep most hackers at bay. Alas, every time a new device, protocol, or technology is introduced into the payments industry, the “risk executives” in so many words say, “We have to hunker down until we find out how the hackers will exploit this novelty in ways that we have not thought of.”

This is just wrongheaded. We have to simulate the hacker’s side. We have to out-think the threat bearers. This is the first part of the missing science of security. The second part concerns how to perfect our countermeasures. In all the classic works on human war, the same principle recurs: Don’t let the inertia of yesterday’s war drive your effort; let tomorrow’s threat determine your defensive measures today.

Let me summarize the Security Solution Protocol (SecuritySP) for defining the threat and anticipating the hacker’s next move. This protocol is taken from an approach that helps scientists conduct their research, since both hackers and scientists face an “intractable” challenge. Facing a hard challenge, a hacker will resort to one of three avenues of action: (1) break down the challenge into smaller, more negotiable pieces; (2) look for similar challenges that have been well-handled before so as to extend or re-apply their solutions; or (3) re-define the challenge at greater abstraction.

Here are some illustrations to show what I mean. Hackers might rob a wealthy and well-guarded individual by first attacking some small, low-security e-store where that person’s credit card data are kept. They then use that find to acquire more private data with which to open an account. They make small payments from that account to gain confidence with a merchant before making an expensive fraudulent purchase. That’s the breakdown approach.

An example of the extension approach: Inspired perhaps by an old Charlie Chaplin movie where a glassmaker sends his boy to throw stones at some windows before he walks into the street offering his craft, quite a few hackers unleash a virus on a target bank, then come by, as if by chance, offering countermeasures.

The abstraction approach: The hacker thinks more broadly and develops more ingenious solutions. Facing the challenge of factoring large numbers, hackers redefine their target to find the key in any which way. This kind of thinking once suggested an ingenious hack based on the pattern of electric currents that betray computational intelligence.

All hacking pathways fit into one of these three attack strategies: breakdown, extension, or abstraction. Once the hacker moves in one of these directions, he faces another intractable challenge that once again may be approached with one of these mutually exclusive attack methods, and so on.

Eventually, you could draw a two-dimensional map that charts the various attack pathways. Security officials must draw this map in full because they face a host of independent hackers, each coming at them in his own way. If the security map is complete, the officials may block each attack avenue. The problem is that some parts of this map are well-imagined by the hackers, but not by the defenders. To alleviate this risk, we at AGS found that it pays to involve as many employees as possible, picking the brains of anyone with insider’s knowledge.
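One way a defender could hold such a map in code and ask it which pathways remain open. This is an added example, not the author's or AGS's own tooling: the node names paraphrase the illustrations above, the countermeasure labels are hypothetical, and a pathway is assumed blocked when any challenge along it has a countermeasure.

```python
from dataclasses import dataclass, field

STRATEGIES = {"breakdown", "extension", "abstraction"}

@dataclass
class Challenge:
    """One hard challenge the attacker faces; children are the challenges it leads to."""
    name: str
    strategy: str = "root"      # how the attacker arrived at this challenge
    countermeasure: str = ""    # defender's block at this node, if any
    children: list = field(default_factory=list)

    def add(self, strategy, name, countermeasure=""):
        if strategy not in STRATEGIES:
            raise ValueError(f"unknown strategy: {strategy}")
        child = Challenge(name, strategy, countermeasure)
        self.children.append(child)
        return child

def pathways(node, trail=()):
    """Yield every root-to-leaf pathway as a tuple of Challenge nodes."""
    trail = trail + (node,)
    if not node.children:
        yield trail
    for child in node.children:
        yield from pathways(child, trail)

def unblocked(root):
    """Return the pathways on which no node carries a countermeasure."""
    return [p for p in pathways(root) if not any(n.countermeasure for n in p)]

def build_sample_map():
    # Constructed map: names paraphrase the article, countermeasures are hypothetical.
    root = Challenge("steal from a well-guarded individual")
    store = root.add("breakdown", "get card data from a low-security e-store")
    acct = store.add("breakdown", "open an account with the acquired data",
                     countermeasure="identity verification at account opening")
    acct.add("breakdown", "gain merchant confidence with small payments")
    store.add("extension", "re-apply a solution that worked on a similar store")
    root.add("abstraction", "find the key without factoring",
             countermeasure="side-channel hardening")
    return root

if __name__ == "__main__":
    for path in unblocked(build_sample_map()):
        print(" -> ".join(f"[{n.strategy}] {n.name}" for n in path))
```

Each branch an employee contributes is one more `add` call, and rerunning `unblocked` shows whether the new pathway is already covered.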

Engineers and scientists have it easy. Their underlying science is static. Warriors and security people face a human opponent, so their underlying science is the science of surprise, the art of the unexpected, the theory of bold imagination. If you can’t handle the stress, become a scientist.

 
