A new perspective: Compromised computing
David Nathans, CISO at a large U.S. defense contractor
As security practitioners, we share a common notion that the compromise of an asset is not a matter of if, but when. As analysts, engineers, managers, and CISOs, we work hard to stay ahead of the threat, constantly close the gaps we discover, fix the vulnerabilities we can find, and try to ensure the most secure environment possible for our users.
If you feel that it's a losing battle, then it just may be, or maybe you found some product or tool that gives you hope and comfort, even if only for a while. We live in a contested space where an incredible market of products has sprouted to convince you that they can solve the security problem once and for all, or at least the specific threat they think they can fix. As an industry we spend billions of dollars fighting for what we passionately believe is a fight we can have some margin of success in. No matter the size of an organization, there is an unavoidable expense that must be made on security, yet it never seems to be enough, so we keep spending, implementing, and hoping that one day we will be able to sit back, marvel at our accomplishments, and sleep well knowing our perimeters are secure, our data is safe, and our users are protected.
It all started with firewalls, but very quickly the adversary was exploiting the holes in our firewalls that they knew we had to keep open, leading to compromised systems. So we took a fallback position and deployed Intrusion Detection Systems. But of course, Intrusion Detection has its limitations, and our systems were once again compromised, so we fell back again and installed anti-virus (AV) on our computers. Then our enemies learned the weaknesses of AV, and systems were once again compromised.
What next? Well, we work hard to educate our users, get more money for more tools, hire more people, respond quicker, build intelligence, share information, and continue to re-image the systems we find to be compromised. To make matters worse, our users don't care; they want their social media, business email, family pictures, and the latest crazy game they downloaded from somewhere to play in the airport, on a device they just picked up that we in security have never heard of. We scream policy and they scream that security prevents forward progress and business enablement. I'm sure anyone reading this can add to the noise here and come up with other crazy situations that plague us all, but have I explained the problem well enough?
There are extremely smart people working on ways to fix these problems, and they have been very successful, whether it's mobile security tools, threat intelligence products, secure coding practices, or virtual users in a bubble inside a disposable environment that inflicts 50,000-volt shocks and five-yard penalties for unauthorized clicking. There are things we call core solutions, point solutions, and then there's the popular bury-your-head-in-the-sand-and-hope-the-problem-goes-away solution. We are challenged as an industry to find real solutions that make sense, don't break the bank, and don't disrupt our users.
So what if we threw caution to the wind and changed our approach in a radical direction? Let's just stop trying to prevent what seems to be unavoidable and figure out how to enable our users to operate securely on a completely compromised device. I don't propose to have a technology, a tool, a policy, or even a process to do this, but rather want to look at the problem from a different perspective and see what, if anything, can come of it.
Compromised computing is the secure use of a device to conduct tasks while knowing that someone or something may have access to, and control over, some or all of the environment in which those tasks are performed.
Yes, I know that this sounds crazy, but if you know the device is compromised, are there still things you can do that you don't care about, ways to do things that don't matter, or ways to make the actions of attackers irrelevant? What would your behaviors be if you knew that a device was compromised but were still required to use it? What if there were a way to ensure a single path of information flow between you and an application, with single-user access and no residual digital crumbs? Then we could have a completely secure transaction inside, and in front of, prying eyes.
Eliminating digital crumbs such as keylogging and snooping, implementing some kind of encryption that only your physical screen can decode, and not allowing any network activity to go anywhere but its intended destination may be the start. If we take the concept of "my eyes only" and really apply it to how applications interact with backend systems and with the actual device screen, then we can let attackers do whatever they want on our systems, because it will be useless to them. What if everything on my system were encrypted and there were no decryption capabilities on the device, but wearing special glasses that know who I am allowed me to see everything in its intended format? If I had those glasses, would I need anything else to protect my data? We are living with a contested network operating on a hostile internet and need to protect ourselves just as we do while walking down a busy street filled with pickpockets. While we are thinking up the new products and services needed to keep us going, let's also come up with new ways to define the problem and change our perspective.