Light Dark
March 31, 2016 By Rick M Robinson 2 min read
Government

Privacy and Hackable Devices

Controversy over law enforcement unlocking smartphones has the power to capture broad public attention. But for the information security community and anyone interested in data security, the truly interesting story in these cases is the underlying one.

This story is not about individual companies or government agencies, but instead the overall state of play in information security and where we are going. What does it mean to talk about the security of backbone structures such as operating systems when these systems are inherently hackable? Who determines their security? How is it assessed? Does the very process of security assessment introduce vulnerability risks?

However privacy and security disputes are finally resolved, the security community will continue to face some fundamental challenges.

Security Design and the Inside Risks

The general principles of good application security design are well-understood, with best practices being widely promulgated if not always applied. These apply not just to ordinary applications, but also to fundamental backbone structures such as operating systems.

At the heart of these best practices is building in security from the outset rather than bolting it on. But how do you know if the job has actually been done correctly? The only way to know is to perform a security assessment or audit, examining and testing the security features.

But whenever you bring in an auditor or review team, you are giving more human eyeballs access to security features. Every new set of eyes constitutes an added risk. As Dennis McCafferty noted at CIO Insight, professionals now rate social engineering and insider threats at the very top of the threat hierarchy, which makes the review process itself a major risk.

From Road Maps to Back Doors

A backdoor controversy with respect to government agencies is really just one specific instance of this general principle. To have a road map to a system — which a security assessment team must have to do its job — is to know that it is hackable, how its defenses are put together and how those defenses might be circumvented.

Put another way, any system complex enough to be useful is potentially hackable. No formal back door is needed; just sufficient detailed knowledge of the application and how it works.

Even more to the point, at a basic level, it does not matter whether a security assessment team comes in from outside (such as a government agency or an audit service) or is assigned in-house. On the one hand, the additional eyeballs are needed to assess and confirm security. On the other hand, those eyeballs become a potential security threat.

In the end, there is no purely technical solution to this problem. So long as computers are being designed and used by human beings, the human factor will continue to be the most crucial element of their security. The issues of identity and access will continue to pose a challenge for information security leaders.

 |  |  |  | 
Rick M Robinson

More from Government
October 17, 2023

Cyber experts applaud the new White House cybersecurity plan

4 min read - First, there was a strategy. Now, there’s a plan. The Biden Administration recently released its plan for implementing the highly anticipated national cybersecurity strategy published in March. The new National Cybersecurity Strategy Implementation Plan (NCSIP) lays out specific deadlines and responsibilities for the White House’s vision for cybersecurity. The plan is being managed by the White House’s Office of the National Cyber Director (ONCD). Cybersecurity experts have applauded the Administration’s plan as well as the new implementation calendar. For example,…

September 19, 2023

How the FBI Fights Back Against Worldwide Cyberattacks

5 min read - In the worldwide battle against malicious cyberattacks, there is no organization more central to the fight than the Federal Bureau of Investigation (FBI). And recent years have proven that the bureau still has some surprises up its sleeve. In early May, the U.S. Department of Justice announced the conclusion of a U.S. government operation called MEDUSA. The operation disrupted a global peer-to-peer network of computers compromised by malware called Snake. Attributed to a unit of the Russian government Security Service,…

September 18, 2023

How NIST Cybersecurity Framework 2.0 Tackles Risk Management

4 min read - The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines. The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature