
Column: Google Cybersecurity, Hack or Help?



April 22, 2013 By Larry Karisny
 
Google has a perfect opportunity to be a leader in cybersecurity.
From the company's Android OS, to the purchase of Motorola and the new gigabit fiber optic network to be built in Austin, Texas, to its recent hiring of Peiter "Mudge" Zatko from the Defense Advanced Research Projects Agency (DARPA), this combination of Google intellectual property -- with the Telecom intellectual property all over Austin, Texas -- could be a perfect meeting of money and minds in creating a secure smart city.

When it comes to intelligent traffic systems sending collision avoidance warnings and keeping the power grid operating -- and everything in between -- it’s time for corporate citizens to step up to the plate and responsibly address urban cybersecurity. If Google plans on being the financial beneficiary of billions of devices, running millions of apps on a new gigabit fiber optic network, then it also needs to take on the upfront responsibility and expense in securing these networks, devices and apps.
And right now, the Android OS and the many apps that run on it could not be further from secure.

The New Enterprise Security Threat

From hacking to hijacking enterprise networks to apps that steal apps, Android has become the hackers' OS and device of choice. In fact, just to make it a little easier for everyone, even network exploit kits are now available, as is a top 10 list for hackers and penetration testers. This stuff isn’t funny, though. Using tools like this to breach an enterprise network means a lot of different things to many people. It is not about the enterprise -- it is the intellectual property that is kept in an enterprise. My recent interview with professional cybersecurity investigator Tom Quilty made it clear that intellectual property, and even state secrets, may be vulnerable sitting in an enterprise network server.

Taking this one step further, if the enterprise is a control system on an aircraft, then could an Android device be used to, let's say, remotely access the controls of an airplane?
Such a situation was actually demonstrated at a presentation given at the Hack in the Box security conference in Amsterdam by Hugo Teso, a security consultant at n.runs in Germany, and is still being debated. To put final emphasis on the seriousness of Android smartphones in the enterprise, the recent popularity of bring your own device (BYOD) is flooding these devices into every enterprise and control system, and already overburdened enterprise managers are sending out the security warnings. Even the Army wants to use smartphones, but has shown recent security concerns in using the devices. We need to understand the smartphone is not just a phone -- it is a PC or even a personal enterprise network device with a lot of power and capabilities.

Current Mobile Security Suites Not Enough

How is Google's Android addressing these security issues today? With another app, of course. So now we have bundled smartphone security solutions reused from old PC security solutions -- that really needed some significant improvement in the first place.
For instance, let’s look at the 2013 Best Mobile Security Software Comparisons and Review. The review refers to a list of security features with new smartphone security marketing features such as "real-time protection," "phone app scanners" and "locate and track" lost phones.

If you know how viruses and malware are detected, then you understand there are thousands of new ones found every day that are first stored and analyzed, then potentially blocked. This kind of security process defies the ability to call this feature "real time." And some also say it may be time to dump anti-virus as endpoint protection.
Scan-and-detect phone apps are no different from scanning a download on your PC. With 1 million available apps for Android, a security app that makes sure these apps are doing only what they are supposed to be doing is needed.
As for the locate-and-track lost phone feature, is it my phone being tracked or is it me? I don't even see the word firewall or encryption in the list of security protection and feature listings for any of the mobile security software companies. I also don't see any apps that secure other apps. There are a lot of concerns with these, the first of which starts in mobile smartphone security. Ultimately, however, at least there's a recognition that these devices will increasingly become our next cybersecurity problem.

Why Are We not Secure?

Cybersecurity problems are just becoming recognized and are getting worse for two reasons.
Neither the Internet nor software was built with security in mind, so we've been trying to put Band-Aids on it since its inception. The Internet was made for global collaboration, not user authentication. Software was designed to do something, not validate what it is doing.
In fact, a recent survey by Dell SonicWALL stated that 68 percent of all businesses reported that employees cannot identify fraudulent attacks on the corporate network. A recent survey of 165,000 employees showed 93 percent of workers knowingly violate policies designed to prevent data breaches. This is not a good start when we're attempting to interconnect our cities' critical infrastructure while adding intelligence and applications to our mobile networks at alarming rates.

We need new security architectures if we expect to effectively address these problems. These new local networks will need to support local Internet applications serving our smart communities for years to come. The applications they will run are projected to be larger in use than today’s entire existing Internet -- and legacy security solutions will not be able to address the magnitude of these new security requirements.

Public-Private Secured Networks Are Needed

So how can we deploy new security architectures?
A good start would be to slice and dice our networks so we can offer priority security access and authentication to public safety, transportation and critical infrastructure. I work with companies that have the ability to cloak authenticated data using multiple encryption algorithms that can change in milliseconds. This would allow multi-agency, multi-network authentication that could securely share a single network infrastructure supporting both the public and private sector. This is a good start, but it needed to be done yesterday. Still, authentication and network security alone will not secure authenticated human breaches or the billions of increasing software and business process application events that run on it.

Anomaly Detection Needed at the Data Input Level

To prepare and protect from the massive growth in social media, mobile applications, BYOD and multimedia files flowing through municipal control systems and enterprise networks, an entirely new technology is needed. Advanced technology such as secure anomaly event detection, audit and blocking at the data input level is required. This available technology has proven effective in not only securing at the application software level (where we increasingly find today’s breaches), but it also can audit and economically refine business process events offering tremendous efficiency savings.
In anomaly detection, security just becomes a byproduct of its capabilities. The key is we need to start understanding networks, devices, application software and business process event security in totality if we are to achieve maximum security. We are being attacked from all of these levels at staggering rates, and deploying these security technologies must be done now before we move on to building additional network and application intelligence in our critical city infrastructures.
Not addressing security was a major factor in slowing down the smart grid. We should not repeat the same mistake.

Perfect Place, Perfect Timing

Google’s recent network -- and acquisitions and hires -- in Austin, Texas, is an opportunity to do security right the first time. The days of bolt-on security are gone. We need to deploy new cybersecurity architectures upfront. We have been trying to figure out how to properly design and secure municipal networks for the last decade. Our critical infrastructure, transportation and safety will depend on these networks and network applications for many years to come.

Just as Google boasts tech smarts, so too does Austin. And there are security experts waiting to help with solutions in hand. This new gigabit network could be more than just blazing fast -- it could be used as a learning tool to make our local networks rock solid secure.

So let me end with a call out to Mudge in his new job. I have the perfect project for your new position with Google/Motorola Mobility's Advanced Technology & Projects, whose mission is to "deliver breakthrough innovations to the company's product line on seemingly impossible short time frames." It is a security project with a company called Google.

Larry Karisny is the director of ProjectSafety.org, a cyber security expert, advisor, consultant, writer and industry speaker focusing on security solutions for mobility, the smart grid and municipal critical infrastructure.