Platt Perspective on Business and Technology

Information systems security and the ongoing consequences of always being reactive – 4: moving towards proactive controls 2

Posted in business and convergent technologies by Timothy Platt on February 27, 2013

This is my fourth installment to a series on the state of information systems security going into the second decade of the 21st century, and on challenges that will have to be addressed in moving forward from where we are now (see Ubiquitous Computing and Communications – everywhere all the time, postings 185-187 for Parts 1-3.)

I began this series with a discussion of how the reactive cyber-security paradigms that have historically been pursued have been falling further and further behind, and breaking down (see Part 1 and Part 2.) I followed that with the start of a discussion of how to break out of the rut of always playing catch-up: always being one or more steps behind the attacker when seeking to safeguard information assets, information owners and legitimate users (see Part 3.) I continue that discussion here.

Up to here, I have identified and at least briefly discussed a few of the basic requirements that any next generation cyber-security system would have to meet, and I begin this posting by reiterating and expanding upon the key points presented so far in this series:

1. Targeting specific threat sources at the level of precisely how they are coded, and identifying them by matching specific malware code, can never be proactive: a signature can only be written after the code it matches has already been seen. An effective information security system has to identify and respond to threats on the basis of their overall functional goals. As a specific working example, consider a component bundled into a downloadable file such as a computer game that installs a software package into the operating system of the receiving computer, opens a new network port for its own use, and, each time the computer goes to sleep, sends to a fixed recipient IP address a copy of everything entered through the keyboard since the computer last went into sleep mode. That is a behavioral definition of a keystroke logger, a type of malware used to gather account logins, credit card numbers and other sensitive information. The goal is to identify this behavioral pattern as malware, and not the specific program code that carries it out, because that code can be a rapidly changing polymorphic target while the behavioral goals it serves remain fixed.
2. These systems need to be automated and to function without active involvement or oversight from computer or system users. Any modification of that automated, ongoing functioning, and any override of a security measure that has been taken, would have to be intentionally and actively triggered by the user, on a case by case basis. The default setting should be security-focused.

I add a third point here, one that is essential if computer users are not simply to turn off or disable their information security systems in frustration:

3. A proactive information security system has to be able to tell when an intended, goal-directed behavior pattern (e.g. in a proposed software download) should be identified as malware, and when that same functionality is legitimate and desired, being exercised by software that the user actually wants.

If users find themselves blocked and stymied when carrying out the tasks they are trying to perform, and they see no protective benefit from being blocked, they will turn off their computer system’s protection. So:

4. A proactive security system has to know how to distinguish good from bad, with a low false negative rate (missing malware and letting it through) coupled with a low false positive rate (misidentifying legitimate software and activity, and blocking it). But more than that, it has to notify the user when it finds and blocks an identified source of risk, and it should say what the perceived malware or other assault consists of (e.g. “Computer security has just blocked an attempted software download as it contains what appears to be a keystroke logger. That type of malware is specifically used in identity theft and for stealing confidential information.”) Yes, I would include a link to a definition in this, so a user who sees a message like this on their screen can quickly and easily find out what their computer was trying to prevent, if they do not recognize the term used. And I would keep these messages brief and to the point; the 34 words of that warning and explanation message are probably about as long as any such message should ever be.
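The following is an added example, not code from the original posting, that puts points 1 through 4 together as a small goal-based classifier. The keystroke logger of point 1 is written as a set of behaviors rather than as code, so a repacked copy with a different hash gets the same verdict; explicit per-program user approvals (points 2 and 3) let the same behaviors pass in software the user wants; and a blocked verdict carries the 34-word message of point 4 with a glossary link beside it. The event vocabulary, program names, hashes, addresses and glossary URL are all constructed for the example and are not any real product’s telemetry.

```python
"""Goal-based (behavioral) classification of a program: added example.
The verdict depends on what a program does, never on the bytes or hash of
its code. Event names, hashes, addresses and URL are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str          # behavior class a host sensor reports (assumed vocabulary)
    detail: str = ""   # e.g. destination address or startup entry


@dataclass(frozen=True)
class Program:
    name: str
    sha256: str        # code identity; deliberately ignored by evaluate()
    events: tuple      # observed Events


@dataclass(frozen=True)
class BehaviorSignature:
    """A malware goal pattern: all `required` behaviors plus at least
    `min_supporting` of the `supporting` ones."""
    label: str
    required: frozenset
    supporting: frozenset
    min_supporting: int
    explanation: str   # one plain sentence shown to the user (point 4)
    glossary_url: str  # definition link offered next to the message (point 4)

    def matches(self, kinds):
        return (self.required <= kinds
                and len(self.supporting & kinds) >= self.min_supporting)


# The keystroke logger of point 1, defined by its goals rather than its code.
KEYLOGGER = BehaviorSignature(
    label="keystroke logger",
    required=frozenset({"keyboard_capture"}),
    supporting=frozenset({"install_persistence", "outbound_connect", "exfil_on_sleep"}),
    min_supporting=2,
    explanation=("That type of malware is specifically used in identity theft "
                 "and for stealing confidential information."),
    glossary_url="https://example.invalid/glossary/keystroke-logger",  # placeholder
)
SIGNATURES = (KEYLOGGER,)


@dataclass(frozen=True)
class Decision:
    action: str        # "allow" or "block"
    label: str = ""
    message: str = ""
    link: str = ""


def evaluate(program, action_desc, approvals=None):
    """`approvals` maps a program name to the behaviors the user has explicitly
    permitted for it (point 2: overrides are user-triggered, case by case;
    point 3: the same goals can be legitimate in wanted software). Keying by
    name is a simplification; a real system would key by a verified signer."""
    approvals = approvals or {}
    kinds = frozenset(e.kind for e in program.events)
    for sig in SIGNATURES:
        if not sig.matches(kinds):
            continue
        matched = sig.required | (sig.supporting & kinds)
        if matched <= approvals.get(program.name, frozenset()):
            return Decision("allow", sig.label,
                            f"{program.name}: {sig.label} behavior permitted by your approval.")
        # Default is security-focused: block, and tell the user what and why.
        message = (f"Computer security has just blocked {action_desc} as it contains "
                   f"what appears to be a {sig.label}. {sig.explanation}")
        return Decision("block", sig.label, message, sig.glossary_url)
    return Decision("allow")


# Constructed sample telemetry (203.0.113.0/24 is a documentation range).
_KEYLOGGER_EVENTS = (
    Event("install_persistence", "startup entry"),
    Event("keyboard_capture", "raw input hook"),
    Event("outbound_connect", "203.0.113.7:8443"),   # fixed recipient address
    Event("exfil_on_sleep", "keystroke buffer since last sleep"),
)
GAME_V1 = Program("free-game-installer", "0" * 64, _KEYLOGGER_EVENTS)
GAME_V2 = Program("free-game-installer", "1" * 64, _KEYLOGGER_EVENTS)  # repacked, new hash
BACKUP_AGENT = Program("backup-agent", "2" * 64, (
    Event("install_persistence"), Event("outbound_connect", "backup.example:443"),
    Event("exfil_on_sleep", "changed files")))          # uploads, never reads the keyboard
REMOTE_SUPPORT = Program("remote-support", "3" * 64, (
    Event("install_persistence"), Event("keyboard_capture"),
    Event("outbound_connect", "support.example:443")))  # legitimate, yet logger-like
APPROVALS = {"remote-support": frozenset(
    {"install_persistence", "keyboard_capture", "outbound_connect"})}


def demo():
    """Verdicts for the constructed samples, as {case: action}."""
    dl = "an attempted software download"
    return {
        "game v1": evaluate(GAME_V1, dl).action,
        "game v2 (same behavior, new hash)": evaluate(GAME_V2, dl).action,
        "backup agent": evaluate(BACKUP_AGENT, dl).action,
        "remote support, no approval": evaluate(REMOTE_SUPPORT, dl).action,
        "remote support, approved": evaluate(REMOTE_SUPPORT, dl, APPROVALS).action,
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case}: {action}")
    print(evaluate(GAME_V1, "an attempted software download").message)
```

Two design choices are worth noting. The signature needs the keyboard capture plus any two of the three supporting goals, so a logger that ships its buffer immediately rather than on sleep is still caught, while a backup agent that persists and uploads on sleep but never touches the keyboard is not. And an approval only covers the exact behaviors it names: granting the remote-support tool keyboard capture alone would not let it pass once it also persists and connects out, which is the case by case override of point 2 rather than a blanket exemption.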

And this brings me to one of the most important sources of threat that computer and systems users and administrators face, and one that is becoming more important as malware producers and black hat hackers tap into social networks for insight into their targets: phishing, and more specifically spear phishing and related personalized attacks. I am going to continue this discussion in my next series installment, there focusing specifically on individualized, personalized attacks and on proactively identifying and blocking them. Meanwhile, you can find this and related postings at Ubiquitous Computing and Communications – everywhere all the time.
