The mechanism through which a person understands new things with many variables is based on assumptions derived from previous experiences with similar phenomena, with additions and substitutions, which in the end are meant to form an image that is not necessarily perfect, but reasonably complete.

When such a process does not end in a system error that would trigger a correction mechanism, these assumptions become beliefs and are subsequently regarded as indisputable truths. Although natural, this phenomenon can be dangerous, because when our assumptions turn out to be wrong, we can fall into the trap of making wrong decisions, not because our logic fails us, but because it rests on false fundamental elements.

When it comes to the Internet and cybersecurity, these concepts are so complex, with so many branches, that often even the specialists are forced to work with assumptions. Modern marketing is particularly harmful, as it makes use of this information jungle to create a favorable framework in which goods and services are easily placed: a framework full of emotions, fears and partial information, where the limitations of the technology are hidden and its strengths are brought to the fore. It is important to stop from time to time and analyze the conditions under which we operate, because each system is different. Only if we understand all sides of a system can we really apply efficient mechanisms for its security and, in the end, for our own personal safety.

Security, in general

Before we go into the details of modern computer security, where the information world has developed in an extremely distributed way, let’s analyze the concept of security in its most personal meaning, namely as it refers to an individual or a group of people, be it a family or a company.

Take, for example, insulin. It is an essential supplement for a person suffering from diabetes mellitus, and its absence can have serious consequences for one’s health. So, if we look at the “safety of insulin”, it is important that it is not lost, stolen or deteriorated, i.e. that it is at the disposal of the person in need. But if we analyze an insulin pump, things get complicated. This is a device that dynamically analyzes the glucose level and automatically injects the required dose. So, if we look at the “safety of the pump” from the point of view of the person who needs it, we can see that it is no longer enough to make sure that the pump is available to that person; we must also ensure that nobody else has access to the device setup, as this may harm the person in need, given the device’s direct, intimate relationship with their body.

We have to think similarly when it comes to a group, only in this case we have additional elements. In the case of a group, a family or a company, it is not enough for the safety of each individual member of the group to be assured; we must also ensure that the group as a unit is safe. For example, in the case of a company, the employees may each be safe as individuals, but the company may go bankrupt because of an event that affects its operations, not necessarily the employees’ health.

Consolidated and distributed defense mechanisms

The easiest and best-understood security model is the consolidated one, the one around which we can place a security perimeter. In real life this has been the most popular security mechanism since ancient times: medieval fortresses, maximum-security buildings, our houses. Countless examples are built on this model, and not by accident, because they are the easiest to defend. It is sufficient to have a relatively impenetrable perimeter and a limited number of access points, and no matter how vulnerable the elements inside are, their safety is provided by the perimeter. The defense mechanisms are also easy to understand and available to anyone. Concrete walls provide a high degree of impenetrability; we can post security guards at the doors; a secretary is an exceptional biometric filter who can identify strangers or those who do something suspicious inside the building; a dog is also an excellent biometric filter, and it is not complicated to get one in order to improve the safety of the dwelling or the yard.

The same applies to cybersecurity, where we have many relatively secure mechanisms for implementing security on this kind of model, which has been in operation for a long time, practically since the beginning of networks. The problem is that this model can no longer be applied to modern information structures, because things have changed radically, and the era when the information assets of an organization could be kept within such premises is long gone. We no longer have the accounting program, the database, the ERP, etc. in the local network; we have them stored by an online service provider. That is, they follow a distributed security model around which no perimeter can be drawn, and so we need other defense mechanisms.

This form of distributed security is fundamentally different from the consolidated one and, unfortunately, is often misunderstood even by those who work in the field. In particular, the way of thinking about these mechanisms is reduced to the consolidated model and is often simplistic: there is not one consolidated framework, there are several consolidated frameworks, each defended by a separate perimeter. From here a series of misunderstandings arises and countless information vulnerabilities are born.

A similar example from the physical world, which we can easily understand, is the banking system. It is a system that has worked for a long time, in which goods are not kept exclusively within the perimeter of the house: some remain inside the house, the money goes into the bank account, and some valuable goods are stored in the bank vault. Anyone’s natural reaction will likely be that this model is even safer than the classical one, with all the goods stored within the perimeter of the house, because the bank’s security perimeter is better than the house’s perimeter. It is normal to look at such situations this way, and cybersecurity marketing exploits our weakness for seeing the glass half full and missing some “slightly apparent” details, which in some situations can become the Achilles’ heel of the whole system.

Coming back to the bank example, it is undeniable that a bank has a better safety area than any home, and as long as the good is stored in the deposit box, the sense of security is justified. But if the good in question is an object that we need on a daily basis, so that in the morning it must be transported to the company headquarters and in the evening back to the bank, the transitional period, in which the asset is neither within the safety perimeter of the bank nor within the security perimeter of the company, becomes significant and erodes the security aura of this complex system: bank + company. If the bankers get bored of taking us to the vault twice a day and decide to place the door of the safety deposit box by the window, so that we can have access to its contents whenever we want, this whole aura disappears completely. In this scenario, the safety deposit box no longer benefits from the absolute security perimeter of the bank. No matter that its back is inside the bank, its door is outside it, and all that separates the good in the safety deposit box from a villain is the door of the box itself. So a series of vulnerabilities is introduced into the system with two safety perimeters: the transition period, the box lock, the hardness of the box, the person holding the key, the security features of the key, the security of the place where the key is kept, and so on.

If this paradoxical situation seems familiar, it is because it precisely describes the security conditions of the distributed framework in information systems. Mailboxes, our photos, online bank accounts, and all the other accounts where we store information assets and more, suffer from these deeply misunderstood security gaps, which we disregard with the false statement that the security of an information platform provider is more advanced than that of our PC.

In fact, if we are to secure an informational asset in this framework, we must ensure that all stages of its existence are secured. The security elements are not cumulative, but have a reverse synergy: the more elements there are, the more unsafe the system becomes. When one climbs a mountain, he or she depends on multiple safety features: the rope, the mountain rock, the anchor, the carabiners, the climbing partner, and so on. If one of these elements breaks, the outcome may be fatal, and the more elements we introduce, the greater the chance that one of them fails.

Going back to the information system, it is not enough to rely on perimeter security, and we cannot afford to place an unsafe object within this framework; we must ensure that the objects themselves are safe at all stages of their use. For example, if we cannot be sure that a file exchange system is safe, but we have to use it anyway, we can very easily encrypt the data in the file and pass the key to the recipient in another way. Solutions exist, but they are not always apparent.

Online security paradigms

In the distributed security model, there are two fundamental paradigms that must be taken into account: isolation, in the sense of ensuring that no one intercepts or alters transactions, and the certainty of identity, that is, the certainty that the partner we are dealing with is the right one. While in everyday life these two are trivial, in cyberspace, where the identification elements are incomparably weaker and the transactions are made on hostile ground, things are much more complicated, and the two elements must be strictly and concurrently enforced; otherwise we cannot speak of security. For example, if we have isolation but no certainty of identity, we can fall into the trap of safely dealing with an evil entity, and if we have the certainty of identity but no isolation, we can be monitored, or the transaction can be intercepted and altered without our knowledge.

In 1995, Netscape introduced for the first time the Secure Sockets Layer (SSL) concept, a highly efficient mechanism capable of providing both principles, but only in its original form, called MASSL (mutually authenticated SSL), which, unfortunately, despite existing for such a long time, has not become widespread for practical reasons. What most Internet users know as SSL is a simplified form in which only the server has a certificate of authenticity and the client does not, so the certainty of identity cannot be ensured on the client side. That is why the more uncertain forms of authentication that we are accustomed to are used instead, and these remain vulnerable to various forms of attack: brute force, identity theft, interference, etc. It is important to be aware of these deficiencies when choosing a service provider or the method by which we store or manipulate a certain informational good, in order to make an informed decision based on its importance, sensitivity, and so on.
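The difference between the simplified form and the mutually authenticated form, checked against the two paradigms above, can be seen in how the two ends of a connection are configured. The following is an added example using Python's standard ssl module, not code from the original article; the function names and the client_ca_file parameter are assumptions made for illustration, and "isolation" is approximated here by a TLS 1.2 protocol floor.

```python
import ssl


def server_only_context():
    """Server side of the common simplified form: no client certificate is requested."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy SSL/TLS versions
    return ctx


def mutual_context(client_ca_file=None):
    """Server side of the mutually authenticated form."""
    ctx = server_only_context()
    # The handshake now fails unless the client presents a certificate
    # that chains to a CA the server trusts.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_ca_file:  # hypothetical path to the CA that issues client certificates
        ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


def client_context(verify_server=True):
    """Client side; verify_server=False models a client that skips certificate checks."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if not verify_server:
        ctx.check_hostname = False  # must be disabled before verify_mode is lowered
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def paradigms(server_ctx, client_ctx):
    """Report which guarantees a pair of endpoint configurations can provide."""
    return {
        # Simplification: isolation is judged only by the protocol floor.
        "isolation": server_ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        # The client checks the server's certificate chain and host name.
        "server_identity": client_ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(client_ctx.check_hostname),
        # The server demands and checks a client certificate.
        "client_identity": server_ctx.verify_mode == ssl.CERT_REQUIRED,
    }


def missing(server_ctx, client_ctx):
    """Names of the guarantees that this pairing does not provide."""
    return [name for name, ok in paradigms(server_ctx, client_ctx).items() if not ok]


if __name__ == "__main__":
    print("simplified form lacks:", missing(server_only_context(), client_context()))
    print("mutual form lacks:", missing(mutual_context(), client_context()))
```

In the simplified form the only gap reported is client_identity, which is exactly the part that passwords and similar mechanisms are then asked to fill.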

Another very dangerous phenomenon is the introduction of a new type of SSL called DV (domain validated)-SSL, which is in fact an SSL that does not carry the certainty of the site’s identity, but only the fact that it was issued for the site in question, which has zero value. Any villain can buy a cheap domain and run a DV-SSL data theft site that will look 100% legitimate, because browsers do not issue any alert. Even though this type of SSL can guarantee isolation, the unsuspecting Internet user can type a password into a page that steals data, because the certainty of identity is not available.

Security in this modern framework based on Software as a Service (SaaS) is not easily understood and is even harder to assure, because, unfortunately, there is a profound technological handicap: it is impossible to secure both paradigms in every situation. There is therefore an inherent weakness in the system that cannot be eliminated technologically, and that should be analyzed and reduced methodologically.

Security in the IoT space

The IoT (Internet of Things) space is also an online space, but unfortunately one that brings even greater uncertainty, for many reasons. In the case of a classic service-type application, the account, like the safety deposit box, is stored by the service provider, and this provides a certain level of maintenance that includes vulnerability correction, security of the perimeter behind the box, the imposition of certain access rules, etc. In the case of IoT devices, most of which are kept at home or in other insecure places without strict rules, professionalism, maintenance or vulnerability correction, it is virtually impossible to determine whether they have been fraudulently accessed.

These objects somehow belong to no one, because the responsibility for their safety is not assumed by anyone. For example, these days there has been a massive attack on the east coast of the United States that was carried out using IP cameras and other devices in the homes of unsuspecting citizens.

What is even worse is that these devices often have an intimate relationship with their owners, like the insulin pump in the case of the diabetes patient. Such a device can harm the owner not only through information loss, which is grave in itself, but also because it performs functions that the holder relies on. It can be, for example, a smart door, a smart alarm system, and so on, which can cause serious damage if it does not perform its function properly.

So in the case of IoT, as in the case of online services, we need to look for and analyze the dependency points of the system (rope, rock, anchor, carabiner, and so on), and we need to make sure that all these points are solid, because each introduces weaknesses through which the whole system can succumb.

It might be useful to formulate a list of questions that can help us understand these weaknesses and how they affect us. This is not easy, as responsibility is deeply diluted in the case of IoT, and almost every device is conditioned differently, both technically and from the point of view of its relationship with the person, family or company where it is placed. Any such list must, however, include at least some elementary questions that we, as users of the device, must be able to answer with a high degree of certainty, as a sign that we understand the problem and the associated risks, and have a plan in case things derail. For example:

  •  What kind of information does the device collect?
  •  Where is this information stored?
  •  Can the collected information be intercepted while being transferred?
  •  Can the information be stolen during storage?
  •  Who owns the collected information?
  •  Who controls the device?
  •  Who corrects vulnerabilities when they are being discovered?
  •  How do I know if the device is under the control of a malicious power?
  •  How do I turn off the device when stolen?
  •  How am I or those that I am responsible for going to be affected, if any of these questions fail?

It is very difficult or even impossible to answer all these questions, so the last question on the list is especially important. This is the question on the basis of which I can decide whether to make a compromise or prefer not to take the risk. Obviously, the response will be different depending on the device. For a smart electric bulb, perhaps the worst thing that can happen is that the object is wasted, so the risk is low, but in the case of more complicated devices the situation may be much worse. On December 4, 2011, an American military drone was hijacked by the Iranians and captured because no one asked the second to last question from the previous list. This is not the place to analyze the incident in detail, but we can imagine how serious the situation became at all levels: political, technological, informational and financial, not to mention public trust.

This long-awaited and prematurely celebrated world of IoT is still an unborn child with a lot of positive potential but which, if we are not careful enough, can also generate a world tragedy. Last but not least, each of us is responsible for understanding the gravity of this situation and for taking the necessary action whenever the decision-making power lies with us: when buying such products or when the authorities consult us regarding the laws governing these devices.

Information security is a very complex concept that is hard to define in itself, and the more complex a system is, the harder it is to analyze and understand. Although it is difficult to find a general formula covering all angles, it is relatively easy to understand each given situation through the aspect of personal security, because security, beyond certain generalizations, is a profoundly personal subject, and those capable of finding the questions and answering them will be those concerned. All it takes is elementary logic, a bit of time allocated to the matter, and a mental exercise considering all the elements affected by such a system: the components with which it interacts, the way they interact, their importance, the ways of access, how they all affect the person, the family, the company, etc., their final benefits and the risks to which we are exposed. And even if we do not find all the questions and consequently all the answers, we will be safer, because we can eliminate the vast majority of the risks. In the end it is everyone’s responsibility to make sure that the things surrounding us do not endanger us.

This implies that all of us need, at a personal level, to learn more about the actions we can take to improve the security of the devices we use to make our lives better. Ultimately, such knowledge will have to be driven by governments and educational institutions to ensure that all people have such levels of awareness.

Translated from original language

