Innovative Security
- Gideon Samid
It is the only security that will withstand your innovative threat
Cyber security is a big project for a big corporate data world. It is designed, built and maintained like a big project. Alas, a typical big project is designed and built with an operational end point, striving for perfection and the associated stable, routine, trouble-free use. By contrast, cyber security projects are fundamentally different. For them a stable end point is where their vulnerability begins. Stability, a rigid pattern, is what attackers aim at. A fixed-protocol security system is eventually exposed and invites a workaround. And with the advent of AI, patterns are discovered much more efficiently, and compromised much faster than ever before.
The threat is essentially innovative, while security tends to fall into the trap of illusionary fixed perfection. The call of this blog is for security managers to be mindful of their natural inclination to cement protocols in place. Security designers should resist the temptation to seek a perfect stable security protocol. They should recognize their ever-lasting need to change, to modify, to keep themselves as a moving target. Remember, we are all a product of Darwinian evolution. We survived because we changed so fast that our threat could not keep up with us.
"Forever innovation" is a high-order mission for cyber security, and that is why we see so many security failures. But remember, we don't need to innovate to 'high heaven'; we just need to innovate enough to meet the innovative threat.
What does "Forever Innovation" mean for cyber security managers, designers, and practitioners?
Here is a primer; the author is open to introducing the Security.BitMint.com approach to interested parties.
Innovative Security is achieved through the following avenues: (i) Brute Force Protocol Changes, (ii) Operational Randomness, (iii) Cryptographic Randomness, (iv) Recovery Planning, (v) AI Assisted Security Innovation (AIASI).
Brute Force Protocol: Frequent change of passwords is an established norm, but a thin one. A powerful practice amounts to lateral protocol modifications, where the new protocol offers no inherent security advantage over the former, but being different is itself a clear security advantage.
These lateral changes are to be put in place at randomized time intervals. In a certain financial institution five high-level security supervisors were each assigned to approve certain types of high-volume financial records. A "brute force change" switched the assignments among the supervisors. The switch eliminated a stubborn security hole that baffled the CISO. This implicated a compromised supervisor.
Operational Randomness: People normally gravitate towards order, doing things every so often, at a given date, a given hour, with a given team. It takes an active decision to do routine security operations on randomized dates, at randomized hours, and with randomized teams. Remember, each established pattern is fertile ground for hackers.
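A sketch of the two practices above, lateral reassignment and operational randomness, as an added example that is not the author's or BitMint's code. The supervisor, record-type and auditor names are constructed, and the 7 to 45 day window is an assumed policy bound.

```python
import secrets
from datetime import datetime, timedelta

_rng = secrets.SystemRandom()  # OS CSPRNG, so the plan cannot be predicted from a seed

# Constructed sample data: five supervisors, each approving one record type.
ASSIGNMENTS = {"sup_a": "wire", "sup_b": "payroll", "sup_c": "vendor",
               "sup_d": "refund", "sup_e": "loan"}
AUDITORS = ["aud_1", "aud_2", "aud_3", "aud_4", "aud_5", "aud_6"]

def lateral_reassign(current):
    """New supervisor -> record-type map in which nobody keeps their old type."""
    people = list(current)
    duties = [current[p] for p in people]
    if len(duties) < 2 or len(set(duties)) != len(duties):
        raise ValueError("need at least two distinct duties to switch")
    while True:  # rejection sampling: about e (2.7) shuffles on average
        shuffled = duties[:]
        _rng.shuffle(shuffled)
        if all(new != old for new, old in zip(shuffled, duties)):
            return dict(zip(people, shuffled))

def next_change_time(now, min_days=7, max_days=45):
    """Random moment in [min_days, max_days] from now, at minute granularity."""
    if not 0 <= min_days < max_days:
        raise ValueError("require 0 <= min_days < max_days")
    lo, hi = min_days * 1440, max_days * 1440
    return now + timedelta(minutes=lo + secrets.randbelow(hi - lo + 1))

def pick_team(pool, size):
    """Random team for the next routine security operation."""
    return sorted(_rng.sample(pool, size))

def plan_next_change(current, pool, team_size, now):
    """One plan: when to switch, who approves what afterwards, who runs it."""
    return {"when": next_change_time(now),
            "assignments": lateral_reassign(current),
            "team": pick_team(pool, team_size)}

if __name__ == "__main__":
    plan = plan_next_change(ASSIGNMENTS, AUDITORS, 2, datetime.now())
    print(plan["when"].isoformat(timespec="minutes"), plan["team"])
    for person, duty in plan["assignments"].items():
        print(f"{person}: {ASSIGNMENTS[person]} -> {duty}")
```

The plan is only as unpredictable as it is secret: compute the next one only after the current change has been carried out, and keep it away from the people it reassigns.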
Cryptographic Randomness: This is a new, powerful security strategy. Classic cryptography offers a huge advantage to top-notch attackers (usually nation-state attackers). Mainstay ciphers today last for decades (e.g. RSA), serving as a ready, non-moving target. And we need to remember that, while the big cryptanalytic success is to demonstrate deeper mathematical insight and compromise the cipher analytically, it is almost as destructive if all that the attacker is able to do is to identify a portion of the so-called 'weak keys' for which a compromise was found.
This potent (yet usually silent) threat is now successfully neutralized with a class of ciphers known as Pattern Devoid Cryptography. These ciphers have no established pattern, so there is no pattern for the attacker to work around. Pattern devoid ciphers have additional security advantages, most prominent among them: (i) hiding the communication pattern, so that hackers don't see the frequency and intensity of data exchanges, and (ii) creating honey pots to catch hackers red-handed, or deter them from even trying.
Recovery Planning: The gold standard for a cyber security system is to build a security system that would stand up to attackers smarter than its builders. This very goal imbues one with humility and leads to the active design of a recovery plan in case the attacker was indeed smarter than expected. Recovery plans come in two categories: (i) fast return to operational norms, (ii) sustained operation with reduced capacity, until the norm can be rebuilt. Often, security designers have so much confidence in their systems that they don't take the recovery plan seriously; it becomes lip service. It is much better to think through the recovery issue before the acute stress of a cyber catastrophe. We call this "Lifeboats on the Titanic Security": the Titanic was the top of the technology of the day, the boat that "could not sink"...
AIASI: AI Assisted Security Innovation is the application of AIAI (AI Assisted Innovation) to security objectives. AIAI is the AI version of Innovation Science. Innovation Science is the science that does two things: (i) it guides the expert in the pre-innovative state on how to efficiently reach the post-innovative state, and (ii) it teaches how to translate an innovative idea into an innovative result.
Innovative Cyber Security is not a nice-to-have; it is what you need in order to withstand an innovative threat.