Sunday

Cybersecurity in Today's World



 
December 27, 2012 By
Curt Massey spent an entire 35-year career protecting our national security. His military service, civilian law enforcement, corporate security and military contracting experiences have imbued him with the unpleasant knowledge of our core vulnerabilities and a visceral drive to build a team capable of finding answers to questions most don’t even want to ask. “Look, it’s my team,” Massey has said, “they don’t see impossible, they see challenges which they are eager to overcome -- they are saving the world, I just juggle cats.”
A visionary and entrepreneur, Massey now leads STT's strategic direction. Here is what he had to say about today’s world of cybersecurity.

It seems we are suddenly being hit with all sorts of cybersecurity breaches. In general, what seems to be the problem?

In my opinion, we aren’t suddenly being hit with cybersecurity breaches; they are just being reported on a much more frequent basis than in the past. With stockholders and political pitfalls to worry about, many corporations and government entities under-reported cyber attacks and losses until the effects and potential for catastrophic harm have just become too obvious to ignore. Add to that equation the fact that more and more of our critical infrastructure has moved online, and you suddenly have a great plethora of ripe targets whose value continues to increase exponentially.

What is a typical breach and why don’t current security solutions address it?

I hate to say this, but I don’t see a "typical" breach; cyber-crime and cyber-warfare (yes, we are under attack right now) attacks are now directed across all possible targets; basically any machine hooked to the Internet. The techniques used in these attacks haven’t changed, there have been new cyber-crime tools and devices that incrementally increase efficiency and the ease of use for these criminals and national enemies, but all the possible basic means of attack are known and they utilize the same attack vectors. These are the same security holes and flaws that have been with us since prior to the commercialization of the Internet. The major computer/Internet security players attempt to mitigate damage by treating the symptoms, while doing nothing to address the disease. Like prescribing aspirin for headaches while ignoring the tumor that is killing the patient.

Will standards, certifications and compliance address these problems?

No. I will accept that they are well-intentioned, but standards, certifications and compliance are part of the problem. They are the prime reason that all the industry and government experts state that you cannot stop a determined hacker from compromising your network. Standards, certifications and compliance force you to keep an inherently insecure system insecure. If you go all the way back to a nascent ARPANET and follow its incremental development from 1974 to just prior to commercialization in the early 1990s, you find that it was a trusted network, there were no "strangers" involved and it was designed to maximize redundancy during a period where computers were unreliable. The fact of the matter is that the Internet was designed from the ground up to be open, and the practical result of that is the inherent insecurity we see today. The warnings and pleas by the true pioneers of the Internet to address security flaws were completely ignored in the rush to commercialize it.

What is the newest problem that has been found in foreign manufactured chip sets?

Once again, a beast of our own making; after the vast majority of our chip-manufacturing capacity was driven overseas, China – ever industrious and ever serious about their own national security – got into the chip-manufacturing business in a very large way. Years later we find that a great many of our computers and other machines and devices that use microchips -- that could be virtually everything -- are "infected" with rogue chips. These rogue chips are malevolently hard-coded with routines that automatically begin communicating to China’s, and other countries’ cyber-warfare commands, which can also send instructions to these rogue chips. We can’t just replace these millions of chips, as we no longer have the capacity to produce them and, not so shockingly, China and others will not allow us to put inspectors in their chip-manufacturing supply chain.

So, yes, we are now forced to rely on the good will of China and other foreign chip suppliers as part of our national security policy; I’m not very comfortable with that.

Are the Russians and Chinese that good or are we just that bad?

The same conditions that enable self-educated children to hack into the Pentagon make cyber-crime and cyber-war "low hanging fruit;" it’s cheap, it’s easy and, for some bizarre reason, there is a great deal of prestige attached. Anybody can acquire the knowledge and tools to penetrate systems hampered by adherence to current standards, certifications and compliance. If you just enter "hacking," or more properly, "cracking" as a search term online, you are well on your way to becoming a world-class hacker.

Have you ever been breached, in any way, by any of the penetration testers or outright hackers who have gone up against your technology?

No. You can’t attack what you can’t see … or touch.

What is so different about your security approach and why does it work?

Most of humanity seems to believe that hacking will always be with us; popular culture, movies, books -- all just accept that we will forever be afflicted with it.

We refused to accept that premise.

We devoted a huge amount of research into exactly what makes the Internet insecure and found that the answer was right there for anybody with an open mind who cared to invest a little time. We identified the inherent flaws and determined methods to fix them. Our approach was simple in concept, but excruciatingly difficult and complex in execution. We had to be able to "plug the inherent security holes" and ignore the protocols and standards that promulgate an insecure Internet. But our technology also had to still be able to function seamlessly and flawlessly within that same environment and do so in such an efficient and faultless manner so as to run unnoticed by the user and incur negligible performance hits on average computers. It needed to be redundant, self-healing and not interfere with existing network infrastructure.

We have achieved our goals. A properly configured STTealth network is impenetrable from external and internal cyber-attack. Our messaging component is orders-of-magnitude more advanced, stable and … private than any other technology in existence.

Oh, and those rogue chips? They are completely emasculated and isolated; we also identify machines thus affected.

Where do you see IPS security going in the next few years and where are the roadblocks occurring?

We will truly solve the issue for those smart and agile enough to incorporate our technology. Many, of course, will continue to keep their heads in the sand and will find that, as more networks become unassailable by virtue of our technology, they will become the focus for continually increasing attacks. Many haven’t been attacked simply because the Internet is such a target-rich environment.
As far as the roadblocks, once again, standards, certifications and compliance; that and the fact that people are stuck in this "punch, counter-punch" mentality of reacting after their current, very expensive IPS is broken and then buying the next, very expensive version and on and on, ad nauseam. This scenario certainly makes some players a lot of money, but it will never solve the problem.

I do believe that we will all look back on the era from the early 90s until today as a very strange time when we allowed the very conditions to exist that enabled widespread cyber-crime and cyber-war.

Cybersecurity and 'Smart Encryption'


December 19, 2012 By
 
Paul “Prem” Sobel is a Cal Tech master of science in electrical engineering and has dedicated a 40-year career to protecting mission-critical systems.
He worked with IBM, NASA, Northrop and Intel before launching MerlinCryption LLC. He developed an exponentially stronger encryption with variable key length called the Smart-World’s Smart-Encryption.
In this edited interview, Sobel discusses encryption and other security technologies and critical infrastructure vulnerabilities.

Where are we today in encryption methodologies architecture?




Since World War II, increasingly sophisticated encryption algorithms have been developed with early key sizes starting at 16 bits and growing to 512 bits. Computer speed, with use of statistical analysis, cryptanalysis, mathematical and brute force techniques have broken, and will continue to break, these encryption algorithms.

Where do you see current major legacy encryption architectures in supporting future requirements?

DES, RSA, SSL and AES algorithms produce simple key strands, which continually repeat in cyphertext.
Current encryption methods also require that keys are transmitted by known mechanisms between end points, which are easily intercepted or spoofed. These two inherent weaknesses explain why a criminal’s attack of choice is against the key. The next generation of encryption must eliminate these two major risks. The new Anti-Statistical Block Encryption (ASBE) utilizes variable-length keys that scale between 2008 bits and 2 GB, which are reinforced by variable-length passwords up to 64KB.
The ASBE method uses a random data generator that generates-destroys-recreates keys and passwords on demand, making key/password transfer between end points unnecessary. The communication and storage of encryption keys and passwords are also not needed, which circumvents criminal interception.

Future requirements will also dictate a more simple and inexpensive key management system. Today’s Public Key Infrastructure (PKI) is economically and operationally an albatross. Research shows that organizations spend between $47 and $5,921 for the creation, distribution and maintenance of each PKI key in use. PKI management involves certificates, registration authority, directory management, central key deposit, external validation and protocol. Future encryption methods must find alternatives to secure key communication and management.

Can Intrusion Prevention System (IPS) security put us on a catastrophic path of the whole security architecture collapsing?

IPS architects must secure against external attacks and insider attacks. The approach is different for each threat. External attacks can be thwarted with strong whitelisting and using advanced authentication. Two- and three-factor authentication is not enough. Airtight multi-factor requires validating both people and machines over and above the “something known,” “something physically possessed,” and “something unique” that the industry typically uses today. MerlinCryption also employs “something temporary,” which increases authentication to 10 and more factors. All authentication data (both inbound and outbound) needs to be strongly encrypted.

Sophisticated internal espionage may overcome typical two-factor authentication. Again, the use of additional factors and something temporary fortifies prevention. A stealthy security system against insider attacks must encompass data-at-rest, data-in-motion, data-in-use and data-in-change. Real-time data change can be protected with an encrypted in-memory solution. Monitoring and recording activity helps identify the source of foul play. Using strong encryption, with larger variable-length keys, derails system compromise.

What characteristics would you suggest to look for when selecting a solid IPS security solution?

An airtight security process must not only deny access, but also secure data integrity while alerting operators of foul play. Instead of requiring every smart grid node to be capable of detecting intrusion, it is recommended to use multi-factor time-varying authentication and strong encryption with larger, variable-length keys. Keys that require no transfer are most advantageous. Additionally, it is an optimal strategy to have a separate system, which monitors for and reports intrusions on the smart grid networks.

Built-in whitelisting can enable which code is allowed to communicate or cause critical actions. This security measure not only prevents but also alerts of an attempted violation of the whitelist.

We are putting billions of networked applications out with little concern for security. Where is the vendor disconnect in these security needs?

Before the recent outcry, security was often regarded as merely a nice feature. However, with the $388 billion cybercrime business now as large as the international illegal drug trade, and threats of foreign espionage, encryption is no longer a choice. Today’s environment requires that developers and OEMs strategically address the use of strong encryption and multi-factor time-varying authentication in the design phase of any project. A good security system must encompass data-at-rest, data-in-motion, data-in-use and data-in-change.

Are compliance, mandates and executive orders helping cyber security?

Compliance and security are not the same. Compliance sets a minimum standard. A system can be in full compliance and still be totally at risk. The concept of “minimum standard” is an open-ended problem, which evolves along with the evolving sophistication of the attacks. Mandates and executive orders are often “too little, too late.” Systems and their architecture must be proactively designed to address future attacks.

What needs to be done today to expedite readied security technologies in support of sensitive areas such as critical infrastructure?

Protecting access to status, states, reports, machine software updates, commands and controls is paramount to critical infrastructure security. These systems have unique high-risk challenges in different network zones, automated processes and device networks, including servers, human-machine interface (HMI), intelligent electronic devices (IED), controller logic, and industrial network protocols. Adequately securing critical infrastructure requires a dynamic encryption engine, which works in tandem with strong authentication.

As an example, a man-in-the-middle strives to intercept messages, change updates, block alerts, or other false data injection between meters and the utility company. This type of attack against the grid would require authentication and encryption to securely, dynamically and flexibly transmit status messages, alarms and alerts between operators, security intelligence and machines in a sub-second response. The smart-grid operator needs the flexibility to continually change all key, password and authentication parameters, on command.

Protection of our critical infrastructure is a serious and immediate challenge for security leaders, striving to thwart potential incidents. Fortunately, the new ASBE encryption technology overcomes the obstacles of older encryptions and supports a national move to dependable security.

How can manufacturers prepare for new security requirements?

It is imperative that all systems, old and new, have more memory than currently needed, both RAM and Flash. This is needed for new functionality, evolving security threats, monitoring and alerts, and perhaps things yet to be thought of.

Two simple last questions: Why is security being breached today and has your solution ever been breached?

In today’s power-grid environment, we are connecting things that were never connected before, and they were never meant to be connected to the Internet.  We are also working with old security architectures that can’t scale to today’s needs. These archaic systems do not address the complexity of SCADA control systems, and many were not built for network conductivity. The old ways won’t work. Critical infrastructure security needs a fresh look.

To answer your second question, the MerlinCryption solution has been pen-tested by the best -- including some noted hackers in Ukraine and Russia. ASBE encryption has never been broken. Encryption keys that disappear after they are used can’t be compromised. It doesn't have to be complicated.  It is a matter of using common sense.

Acronyms & Definitions

DES | Data Encryption Standard
RSA | a public-key encryption technology developed by RSA Data Security, Inc.
SSL | Secure Socket Layer
AES | Advanced Encryption Standard
OEM | Original Equipment Manufacturer
Cyphertext | encrypted text