#DeepSec Press Release: IT Security Has A Deficit In Defence
[DeepSec traditionally leans more on the defence side of things. So we published this article.]
Many people are now aware of the importance of information security, but how to operate secure systems is often not obvious. The reason lies in the deficit of real defence measures. This may sound paradoxical, but many products on the market deal with the activities after a successful attack. The prevention of attacks is mostly ignored. This year’s DeepSec conference therefore wants to provide some tuition in digital defence measures.
Fire extinguishers instead of fire protection
A simple scenario will serve as an illustration. Imagine that a company accumulates flammable material in its offices for historical reasons. Procedures that have grown over time result in more and more hazardous materials being distributed throughout the premises. There is plenty of space. As a safety measure, more and more fire extinguishers are being purchased and distributed evenly over all locations. In addition, all the rooms are equipped with sensors and emergency telephones. But no one comes up with processes to reduce hazardous materials in the first place, to store them separately from the other infrastructure, or even to replace them with less dangerous substances. That’s how IT looks in most organisations. Is this the way to be prepared for the future? The answer should be clear.
If we now look at popular and advertised solutions, we find filter systems for dangerous data and malware, central evaluation of log data, mechanisms for damage limitation after successful attacks, and procedures for forensic analysis of incidents. The focus is on the effects after an attack. Of course, hardening systems against known vulnerabilities is also part of best practice, but defence can do much more when vulnerable processes are eliminated and vulnerabilities are removed. This step is sustainable, but requires more effort. Implementation is especially difficult for processes that are close to the core of an enterprise or have strong interdependencies.
Secure Design as a Role Model
One can draw inspiration from the software development process. There are scenarios that cannot be secured even with the best methods because the wrong components are used. There are also systems that are too old and, therefore, cannot serve as a basis for sensitive applications. The creation of secure code is therefore preceded by so-called secure design. Even before the first line of source code is written, the architecture of the application is designed. This process is, of course, easier for completely new designs than for extensions of existing programmes. However, even with modifications, it is sometimes necessary to intervene in proven processes in order to achieve improvements. A very important point here is that it is not about obsolete technologies. For example, some encryption algorithms have aged and have been replaced by new ones. This is a technical necessity that has only a limited connection to secure design.
Secure design aims to prevent vulnerabilities from arising in the first place or to exclude unsafe procedures. This is the theory that is often used as an advertising slogan. In fact, however, secure design is often only implemented where fundamental processes in one’s own organisation do not need to be questioned. The best example of this is the constant stream of ransomware attacks that have not yet led to a fundamental change in the affected products or internal processes for processing data.
Digital Tape is no Defence
A good security design prevents risky scenarios from the outset. If you design an infrastructure or an application from scratch, you can make conscious decisions for security. In grown structures, this is difficult. For example, logins in certain Single Sign-On (SSO) systems leave traces that attackers can exploit. In this way, an intrusion on a single computer can affect an entire department or company. This has led to the concept of two-factor or multi-factor authentication (2FA or MFA) as a recommendation. Of course, stronger authentication is never a bad thing, but the recommendation points to a weakness in the actual system. A sustainable defence would actually have to address the root cause of the problem, not put 2FA/MFA duct tape over the gaps.
The same game can be found with biometric add-ons for login processes. After a successful attack, security experts always advise that those affected change their login information. This refers to passwords, but with biometrics, an unchangeable characteristic of one’s own body is added to the login, and that cannot be changed. The German Federal Office for Information Security (BSI) also recommends that only one biometric feature per account should be used. An estimated 13 accounts can be equipped with biometrics (10 fingerprints, iris, palm veins, facial recognition). Only one method per account may be used. With enough successful attacks, the selection shrinks.
Sustainability as a Safety Concept
The term sustainability is often used misleadingly. The idea comes from ecology. Transferred to information security, it means that the security measures taken provide lasting protection without regular effort. Genuine secure coding, i.e. the secure programming of applications, is an example. Here, effort is required during development or revision so that the code can be operated securely in the future. Sustainable improvements have one thing in common: they are inconvenient and shake up long-established habits, i.e. business processes that one would rather not change or replace.
This year’s DeepSec conference is once again dedicated to sustainable security concepts. As early as the first event in 2007, assumptions about corporate IT were put to the test and improved concepts were designed. See, for example, Paul Simmonds’ talk about removing the perimeter for workstations. Effective digital defence cannot do without sharing with others.
Programme and Booking
The DeepSec 2023 conference days are on 16 and 17 November. The DeepSec trainings will take place on the two preceding days, 14 and 15 November. All trainings (with announced exceptions) and presentations are intended to be face-to-face events, but may be partially or fully virtual. For registered participants, there will be a stream of the lectures on our internet platform.
The DeepINTEL Security Intelligence Conference will take place on 15 November. As this is a closed event, we ask that enquiries about the programme be sent directly to our contact addresses. We will provide strong end-to-end encryption for communication: https://deepsec.net/contact.html.
Tickets for the DeepSec conference and trainings can be ordered online at any time via the link https://deepsec.net/register.html. Discount codes from sponsors are available. If you are interested, please contact us at firstname.lastname@example.org. Please note that we depend on timely ticket orders for planning certainty.