Cyber fraud has matured into a solid industry, where economies and efficiencies count. So the lion’s share of hacking efforts is directed at large databases, where a breach is a gift that keeps on giving (as long as it is well-managed). Financial institutions and online merchants, in particular, use databases that constitute a juicy target for the cyber-fraud industry because of how productive a successful penetration may be.
We on the security side are not strategically prepared for the challenge. We are overly impressed by breaches of individual phones and devices, where the damage is limited and the responsibility lies with the individual user. When it comes to our crown jewels, the financial database, we naturally tend to minimize our vulnerabilities.
Typically, chief information officers are very much taken with the enormous work they invest in installing the latest intrusion-detection software and with the countless coordination meetings they hold, where they design sophisticated security protocols. Their overconfidence leads to fateful decisions against encrypting data at rest (which pays off only when the keys are held apart from the database host, so that a dump of the tables is not automatically a dump of plaintext), and against re-verifying users once they have been admitted.
We can rate database vulnerability according to: (i) how attractive its content is; (ii) how many users, and at what levels of credentials, it serves; (iii) how heterogeneous its operations are; and (iv) whether the security team has a good computer-science education. The combination of theoretical flaws (technology and protocols), implementation flaws (bugs and malware), and human factors (stupidity, greed, and indifference) is a reliable predictor of the prospect of compromise.
Complicating matters is that the new hacker tactic is to draw on a breach sparingly, siphoning just enough to stay under the alerting thresholds, so as to remain undetected, sometimes for years.
To deny this reality with false confidence is not a good strategy. Instead, we need to ask ourselves how to survive a successful penetration. When a database is exposed, the hacker learns private information about the listed customers. Much of this private info will help hackers crack other places where the same data is used. It is therefore a strategic goal to reduce the hacker’s profit from a successful breach.
There are two tactics for doing this. The basic one is replacement. In two previous “Security Notes” columns (June and July 2016), I presented the Cyber Passport concept, which is designed to quickly replace private-access credentials and render the data ineffective.
The second, more ambitious move is to use cryptographic means to fingerprint the credentials database: to store credentials in a form from which a copy of the stored data alone is not enough to authenticate. If the system is breached and that data is compromised, the hackers will not be able to use it to claim access in the name of the original owner of the data. This protection applies also against insiders abusing their access to steal credentials files and peddle them on the dark market.
As this technology takes hold, the payoff for hackers will diminish and they will gradually abandon their strategy to penetrate financial databases. They might turn their efforts to retail theft, attacking one individual victim at a time. Or, one must admit, they might surprise us with a move we are not imaginative enough to foresee.
Other variations on these tactics include sub-encryption: encrypting data with fast, lightweight ciphers that do not aim for full secrecy but impose enough cryptanalytic work per record that recovering it costs more than it is worth. Remember: Now that hacking is no longer a matter of emotional bravado, but a full-fledged industry, it surrenders to the same laws of return on investment that govern the rest of us.
In 1998, Ron Rivest (the “R” of RSA) proposed a “chaffing and winnowing” strategy that mixes the good data (wheat) with nonsense data (chaff) such that hackers cannot separate them; in his scheme each genuine packet carries a MAC under a key only the legitimate recipient holds, and the chaff carries random tags, so only the recipient can winnow. His original idea has since been replaced by more effective means, but the principle is still valid and useful.
One side benefit of these new cryptographic tactics is that, for most of them, it is easy to install a breach monitor: a means to detect that a request for access is built from compromised data, for instance when a presented credential matches one of the decoys rather than the genuine record. Such a detection should deny the request and may lead to stealth-tracking of the source and to preset countermeasures.
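As an added illustration, not part of the column and not the author's Cyber Passport or fingerprinting scheme, the following Python code combines the three ideas above (credentials stored so that a copy is not enough to log in, chaff mixed in with the genuine data, and a breach monitor that fires when chaff is used) using honeywords, the scheme of Juels and Rivest (2013): each account stores several salted password hashes, only one of which is genuine, and a small separate "honeychecker" service is the only place that knows which. The class names, the PBKDF2 parameters, the sample account, and the assumption that the honeychecker runs outside the database's trust boundary are mine.

```python
import hashlib
import hmac
import os
import random

# Constructed demo of a honeyword-style credential store (Juels & Rivest, 2013),
# used here as a concrete instance of chaffing a credentials database and
# attaching a breach monitor to it. Parameters and class names are illustrative.

PBKDF2_ROUNDS = 50_000        # assumption: tune to ~100 ms per hash in production
DECOYS_PER_ACCOUNT = 4        # chaff entries stored alongside the genuine hash
_rng = random.SystemRandom()  # CSPRNG for decoy generation and shuffling


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash: a dumped hash cannot simply be replayed as the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_decoys(password: str, n: int) -> list[str]:
    """Chaff: look-alike passwords. Digits are re-rolled (or appended) so that a
    cracked dump yields n+1 plausible candidates and the attacker cannot tell
    which one is real."""
    decoys: set[str] = set()
    while len(decoys) < n:
        if any(c.isdigit() for c in password):
            cand = "".join(_rng.choice("0123456789") if c.isdigit() else c for c in password)
        else:
            cand = password + "".join(_rng.choice("0123456789") for _ in range(2))
        if cand != password:
            decoys.add(cand)
    return sorted(decoys)


class CredentialStore:
    """The breachable table: username -> (salt, list of candidate hashes).
    Nothing in it says which hash is genuine."""

    def __init__(self) -> None:
        self.table: dict[str, tuple[bytes, list[bytes]]] = {}


class HoneyChecker:
    """Minimal separate service (assumed to run on its own host, outside the
    database's trust boundary): username -> position of the genuine hash."""

    def __init__(self) -> None:
        self.index: dict[str, int] = {}
        self.alerts: list[tuple[str, int]] = []

    def check(self, username: str, position: int) -> str:
        if position == self.index[username]:
            return "ok"
        # A decoy matched: the only way to know a decoy is to have cracked the dump.
        self.alerts.append((username, position))
        return "breach"


def enroll(store: CredentialStore, checker: HoneyChecker, username: str, password: str) -> list[str]:
    """Store the genuine hash among decoys; only the checker learns its position.
    The plaintext sweetwords are returned solely so the demo can play the
    attacker; a real system discards them after hashing."""
    sweetwords = make_decoys(password, DECOYS_PER_ACCOUNT) + [password]
    _rng.shuffle(sweetwords)
    salt = os.urandom(16)
    store.table[username] = (salt, [hash_password(w, salt) for w in sweetwords])
    checker.index[username] = sweetwords.index(password)
    return sweetwords


def login(store: CredentialStore, checker: HoneyChecker, username: str, password: str) -> str:
    """Returns 'ok', 'denied', or 'breach'. A 'breach' must be treated as a
    denial plus an incident, never as a success."""
    if username not in store.table:
        return "denied"
    salt, hashes = store.table[username]
    presented = hash_password(password, salt)
    for position, stored in enumerate(hashes):
        if hmac.compare_digest(presented, stored):
            return checker.check(username, position)
    return "denied"


def attacker_odds(store: CredentialStore, username: str) -> float:
    """Probability that an attacker who cracked every hash in the dump picks the
    genuine one on the first try (any other pick trips the monitor)."""
    _, hashes = store.table[username]
    return 1.0 / len(hashes)


if __name__ == "__main__":
    store, checker = CredentialStore(), HoneyChecker()
    sweet = enroll(store, checker, "alice", "Summer2016")   # constructed sample account
    print("genuine login:", login(store, checker, "alice", "Summer2016"))
    decoy = next(w for w in sweet if w != "Summer2016")
    print("attacker replays cracked decoy:", login(store, checker, "alice", decoy))
    print("wrong password:", login(store, checker, "alice", "letmein"))
    print("alerts:", checker.alerts, "first-guess odds:", attacker_odds(store, "alice"))
```

Two points to note when reading it. First, the salted slow hash already means the stolen table cannot be replayed as-is; the chaff is what turns a cracked table into a trap, because an attacker who has cracked all five hashes still has only a one-in-five chance of not raising an alert. Second, the scheme is only as good as the separation between the credential table and the honeychecker: if both sit in the same database, the breach that exposes one exposes the position index too.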
The technology is there. What is needed is recognition that the database is the modern cyber-war battlefield, and that the hackers have a non-negligible chance to hack into any database with a sufficient number of credentialed users. Therefore, a strategy for the “day after” has to be devised.
—Gideon Samid • Gideon@BitMint.com