Platt Perspective on Business and Technology

Information systems security and the ongoing consequences of always being reactive – 3: moving towards proactive controls 1

Posted in business and convergent technologies by Timothy Platt on February 19, 2013

This is my third installment in a series on the state of information systems security going into the second decade of the 21st century, and on challenges that will have to be addressed in moving forward from where we are now (see Part 1 and Part 2). Up to here I have been discussing the reactive approaches that have effectively defined information security up to now, where:

• Risks emerge, spread, are identified, and responded to – always after the fact and
• Always as an ongoing effort to catch up with the current state of the art for malware and criminal hacking.

As a part of that, I have been writing about how reactive approaches, and the basic reactive paradigm as a whole, are breaking down, with information security lagging further and further behind in its race to keep up and remain relevant. And I have already intimated that there might be alternative, proactive approaches that would break information systems security out of its current no-win situation. My goal in this posting is to shed some light on the basic parameters that any such approach would have to work within. And I begin with the most fundamental requirement of all for this:

• As long as information security is directed towards identifying and blocking specific technology-based assault risks (e.g. specific lines of malware code as found in specific computer viruses), any responses will by definition have to be reactive – and subject to response-system overload, as it is easier and faster to generate new threat sources than to identify and respond to them on a technical point-by-point basis.
• So any truly proactive approach has to look past the technical How to the goals-oriented For What. Next generation, new paradigm approaches have to look past the specific code, which can be a meaningless target, and certainly so for threat sources such as polymorphic viruses, where the code that a virus definition relies on as an identifying signature changes from one generated virus copy to the next.
• Any proactive approaches to information security have to begin with and focus on what potential threat sources seek to do, and focus on their overall behavior and goals-directed functionality.
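The contrast drawn in these three points can be shown in a few lines of Python. This is an added example, not code from the original posting: the two "copies" are constructed inert byte strings that differ only in a one-byte encoding key, and the event traces and their field names are hypothetical stand-ins for what a monitoring layer would record.

```python
import hashlib

BODY = b"constructed-inert-sample-body"  # constructed placeholder, not real code

def encode_copy(body, key):
    """One generated copy: same body and goal, different bytes on disk."""
    return bytes([key]) + bytes(b ^ key for b in body)

COPY_A = encode_copy(BODY, 0x21)  # the copy that has already been identified
COPY_B = encode_copy(BODY, 0x5C)  # the next generated copy

# Reactive control: a signature exists only for the copy seen so far.
KNOWN_SIGNATURES = {hashlib.sha256(COPY_A).hexdigest()}

def signature_match(sample):
    return hashlib.sha256(sample).hexdigest() in KNOWN_SIGNATURES

# Constructed traces (hypothetical field names). Both copies pursue the same
# goal, so they produce the same trace whatever their bytes look like.
INTRUSION_TRACE = [
    {"action": "write_file", "kind": "executable", "user_initiated": False},
    {"action": "register_autostart", "kind": "executable", "user_initiated": False},
]
PHOTO_TRACE = [
    {"action": "write_file", "kind": "image", "user_initiated": True},
]

def behavior_verdict(trace):
    """Proactive control: judge what the content does, not what it contains."""
    arrived = any(e["action"] == "write_file" and e["kind"] == "executable"
                  and not e["user_initiated"] for e in trace)
    runs_unasked = any(e["action"] in ("execute", "register_autostart")
                       and not e["user_initiated"] for e in trace)
    return "block" if arrived and runs_unasked else "allow"

def compare():
    """(signature hit, behavioral verdict) for each constructed case."""
    return {
        "copy_a": (signature_match(COPY_A), behavior_verdict(INTRUSION_TRACE)),
        "copy_b": (signature_match(COPY_B), behavior_verdict(INTRUSION_TRACE)),
        "photo": (signature_match(b"constructed photo bytes"),
                  behavior_verdict(PHOTO_TRACE)),
    }

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The signature check misses the second copy because its bytes changed, while the behavioral rule gives both copies the same verdict and leaves the photo download alone.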

As a starting point in that, I would address one of the core potential choke points that most any malware would have to pass if it is to work, regardless of its specific computer code, how it is written, or what it is intended to do. Before a piece of malware, or any software for that matter, can do anything on or through or to a computer, it has to get into it. I start with this as a source of examples for several reasons.

• First, software downloadability – the capacity to enter into a computer system and functionally connect into its operations – can be considered a single behaviorally defined performance goal, even if the technology used for achieving this goal can be parsed out in a wide range of ways.
• Second, much if not most of the time, it can be assumed that a computer user knows if they want to download an executable file – a computer program or other functional capability – onto their machine. If they are trying to download a photo or a Word document, the answer is probably no: they are not trying to download software that could in some way fundamentally change their computer or alter their control over it.
• So a defense at the level of the computer user, with their clicking to allow or block, sounds like it should work to at least strongly limit malware intrusion.

But in practice, as soon as the user and their decision making processes enter this system, whole new areas of vulnerability and exposure are created.

• First, the number of routes in that can be pursued in infecting a computer with malware is vast, and many of them do not readily come to a computer user’s attention.
• And second, users intentionally download applications and executable files all of the time, if for no other reason than that so much of the legitimate content they seek out has functional elements to it. This can mean opening a website that has Java or other functionality, some of which is downloaded to the user's computer so it can work user-side, and some of which works from the server side. This can mean Word or similar documents that come with macros or other app capabilities. And of course, people seek out and download games, screen savers and a wide range of other executable files, any of which might be legitimate or malware or some combination.
• One of the primary goals of malware production and of cyber-intrusion in general, and certainly since this became a source of profitable business, has been stealth. And the black hat hackers have succeeded in that, and many users are inattentive to the possibilities of risk and loss of privacy on their computers anyway. So in the real world, computer users cannot be expected to even know when they would need to make allow or deny decisions for content they might download and allow into their computers.

Together, the lines of reasoning I have been discussing up to here lead me to a first core principle for any really effective behaviorally focused, proactive information and computer systems security approach:

• These systems need to be automated and to be able to function without involvement of system users.
• And any modification of automated ongoing functioning and performance in systems security would have to be intentionally and actively triggered on the part of the user, and on a case by case basis. So when, for example, a computer owner and user intentionally chooses to allow an operating system or other major systems update that would require parts of a security software system to be turned off for clean installation, they would have to explicitly click to allow that, and in the context of their computer’s security software. Both before and after this, the default setting would be to automate security and to follow automatic processes, and exceptions to that would always have to be manually triggered through software menus and by explicitly selecting labeled options that would come with popup warnings.

I am going to return to the issues of user control and oversight later in this series, but will leave this set of issues here, where I have been noting and at least partly justifying a need for automated systems. I am going to continue from here in my next series installment with at least a start to a discussion of what a proactive, behaviorally based information and computer security system would look for – and the challenge of identifying what is proper and legitimate, and distinguishing it from what is improper and malware. Meanwhile, you can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time.
