Since 1941, when the Colossus Mark 1 was turned on at Bletchley Park (UK) as part of the British code breaking efforts, technology has been on a steady journey to become more distributed – and the challenge of keeping these systems secure has grown exponentially as they become more distributed.
In 1946, those worried about the security of the Colossus (and Bombe – Turing’s machine that helped crack the German Enigma Code) had a small number of “threat vectors” to be concerned with: (a) physical security of the machine and (b) making sure the people using the machines kept their existence a secret.
In 1969, ARPANET was born when four computers at different locations connected together. This was followed closely by the “Creeper” virus, which spread through the Digital Equipment Corporation PDP-10 computers that were connected to ARPANET. Now you had to worry about the security of not only your computer, but also the computers that were connected to your computer. Creeper resulted in the first anti-virus software, “Reaper,” which was designed to remove Creeper from infected systems.
Fast forward to the present and you can see how the problem has grown exponentially more complicated. Here is my own personal technology footprint:
- 2 x Laptop computer running Windows 10 with
  - over 30 applications installed
  - 3 different web browsers
- 1 x Smartphone running Android with
  - over 100 applications installed
  - including 7 different messaging apps and
  - 4 x “wallets”
- 3 x cloud-based email
- 3 x cloud storage providers
- Multiple SaaS business applications
  - Project Management
- Username and password stored on I don’t know how many websites
- Credit card information held at I don’t know how many websites
- Passport data held by multiple airlines
- Home network
  - 2 routers / Wi-Fi base stations
  - 1 Network attached storage
  - 3 different gaming consoles
  - 2 network attached printers
  - IP security cameras
When I look at this list, I’m more than a little bit scared. There are literally hundreds, if not thousands, of threat vectors and attack surfaces.
For those of us that create technology products and services, all of this creates a set of challenges that are more complicated than ever. Most young companies today build solutions by integrating technology (both software and hardware) from multiple vendors. We get a payment processing solution from one company. An authentication solution from another company. Leverage a cloud service provider for compute power and storage. Throw in several open source products and you have a working product. But how do you make sure all of this is secure?
Historically, software vendors only worried about “is the code I wrote secure?” Often with mixed results. But modern applications depend on code written by multiple other companies. Add in hardware, in the case of IoT solutions, and you may have pieces of the solution provided by 10-100 other vendors. And sadly 63% of all data breaches are related to 3rd-party vendors.
We need a different approach. We need to stop looking at our piece of the puzzle, and look at the solution as a whole. And we need to look at the broader implications of what is being done with the data we collect. A great example of this is the fitness app, Strava. It produced maps of where workouts were being done. The maps were 100% anonymous.
The data did not pose any privacy risk to the users. But it was aggregated – with the aggregated data available to anyone. So why was this a problem? The app was extremely popular with US Special Forces soldiers who wanted to track their workouts. The maps inadvertently showed classified US military sites. Why else would 500 people be doing a workout in the middle of the desert or the jungle?
I wish I could say I had the answer. I don’t. But I can offer a few tools:
- IBM Application Open Source Analyzer – From the IBM Website: “Hackers target open source code because doing so increases their probability of attack success. Chances are the applications you develop contain open source packages. Chances are some of those packages include vulnerabilities that could put your applications and, with that, your data, and your customers' data, at risk.” IBM® is offering free access to IBM Security Open Source Analyzer. Sign up for our Open Source Analyzer Health Check to find out how much risk your application carries today and what steps you need to take to mitigate the risk.
- If you are an Amazon AWS customer, take a look at these tools available from AWS:
  - AWS Config continuously audits AWS resource configurations and now includes Zelkova-based managed rules such as s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited, s3-bucket-server-side-encryption-enabled, s3-bucket-ssl-requests-only, and lambda-function-public-access-prohibited.
  - AWS Trusted Advisor helps improve the security of your AWS environment, including analyzing resource policies.
  - Amazon Macie uses machine learning to automatically discover, classify, and protect sensitive data in AWS. It uses Zelkova to determine the accessibility of S3 buckets.
  - Amazon GuardDuty is a managed threat detection service that uses Zelkova.
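To make two of the AWS Config rules named above concrete (s3-bucket-public-read-prohibited and s3-bucket-ssl-requests-only), here is an added example, not AWS's code and not from the original article, that applies a simplified syntactic version of both checks to a bucket policy document. The function names, sample policies, bucket name and account ID are constructed for illustration; the real rules reason about the whole policy rather than matching statements like this.

```python
import json
from fnmatch import fnmatchcase

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    """True when the Principal element matches anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def public_read_statements(policy):
    """Sids of unconditioned Allow statements that let anyone read objects.
    Simplification: a statement with any Condition is treated as not public."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        reads = any(fnmatchcase("s3:getobject", a.lower()) for a in _as_list(stmt.get("Action", [])))
        if (stmt.get("Effect") == "Allow" and _is_public(stmt.get("Principal"))
                and reads and not stmt.get("Condition")):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits

def enforces_tls(policy):
    """True when a Deny statement for everyone blocks requests made without TLS."""
    for stmt in _as_list(policy.get("Statement", [])):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if (stmt.get("Effect") == "Deny" and _is_public(stmt.get("Principal"))
                and str(cond.get("aws:SecureTransport", "")).lower() == "false"):
            return True
    return False

# Constructed sample policies; bucket name and account ID are placeholders.
WEAK = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicGet", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
HARDENED = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "TeamRead", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
   "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
   "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}""")

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, public_read_statements(pol), enforces_tls(pol))
```

A check like this fits in a pre-deployment review of policy files; it does not look at bucket ACLs or account-level settings, so it complements the managed rules rather than replacing them.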
You might also consider joining the Vendor Security Alliance. The VSA is a non-profit that was founded by a group of technology companies (AirBnB, Atlassian, Docker, Dropbox, Go Daddy, Palantir, Square, Twitter and Uber) who realized that they were all utilizing solutions from a common set of vendors. None of the companies had the resources to perform very deep security audits of their technology providers. But as a group, they could do a far better job of evaluating their vendors.