Destructive cyber attacks are driving a fundamental shift in the information security market, according to Microsoft Trustworthy Computing corporate vice-president Scott Charney.
“It is not just that breaches have continued unabated, it is that the attacks have become more destructive,” he told the RSA Conference 2015 in San Francisco.
Charney (pictured) said this fundamentally changes the way people think about securing their networks because although data theft can have a huge impact on a business, it does not have an immediate impact.
A few months ago, he said the intelligence community talked about a destructive attack going back as far as 2008, where someone hacked oil pipelines in the Middle East.
“They shut off the sensors, shut off the cameras, pressurised the pipeline and caused a kinetic explosion,” said Charney.
As a result of this trend to more destructive cyber attacks, said Charney, the market has woken up, and there are now so many chief information security officers (CISOs) who say they are now talking to the CEO and to the board.
“The nature of these attacks has changed the conversation outside the security community and in the executive suites and boardrooms," he said.
“There is more activity, and the reason that is critical is that when a market wakes up, it creates demand, and the people who build technology rise up to meet the demand.”
According to Charney, the more the market demands, the more that is provided by the market, the more innovation occurs and the less the government has to do.
He also believes that cloud computing will be key, but for that to happen there is a need for technologically enforced trust boundaries.
“These are necessary to ensure that those who want to migrate to the cloud have faith because they have control and because they have transparency,” he said.
Demand for transparency and control in the cloud
Trustworthy computing continues to be about security, privacy and reliability, said Charney, but as we move to the cloud, people are also starting to demand transparency and control.
“In the old world it was the government, vendors and customers fighting the bad guys, but in a post-Snowden world, we are still all fighting the bad guys, but we all have a little bit of concern about each other,” he said.
But Charney added taht getting small and medium-sized businesses to the cloud is one of the best ways of ensuring they have better levels of protection against cyber threats.
“Small businesses do not typically have an IT staff, they do not have a CISO, and they do not have a security information and event management system," he said.
“One of the great things about the cloud is that security expertise and technology gets consolidated."
Charney said that never before has it been possible to scale computer security to the entire planet because that would take too many people to achieve.
“But when security features and services become the backbone of the marketplace, then suddenly we can change the conversation about what great security looks like,” he said.
But Charney said strategy is just talk and suppliers need to ask themselves if they are implementing things in their products and services that demonstrate their strategy is coming to life.
Windows 10 about biometric authentication
“Your computer will recognise you, and you will have a relationship with your machine as they change to become more interactive with people,” Charney said.
This is important because one of the areas the security community has fallen down is security usability, he said.
“For example, when we knew usernames and passwords were not enough, we built one-time passwords sent by SMS to a mobile phone, but we did not make it easy enough to use,” said Charney.
Read more about destructive cyber attacks
- Critical infrastructure organisations are commonly targeted by cyber attacks that are aimed at manipulating equipment or destroying
- The cyber attack on French television network TV5Monde is the latest in a growing list of destructive incursions
- Cyber attacks are escalating from large-scale theft and disruption of computer operations to more lethal attacks that destroy systems
He believes that when we get to a point when computers are more personal and recognise users biometrically and in a secure way, it will be possible to eliminate usernames and passwords.
“Especially if you can not only authenticate to a machine, but also send that authentication in a robust way to a relying party,” said Charney.
The original feature of trusted platform modules (TPMs), he said, was bitlocker, using hardware roots of trust to encrypt, but TPMs can be used for a lot more.
For example, if credentials are signed using TPMs before they are transmitted, then the relying party knows that the credentials are coming from the machine it expects, which means even if the credential is stolen, it will not work because it will not be signed by the correct TPM.
“If that kind of technology is embedded in a way that people can use it easily, will go long way to dealing with phishing attacks,” said Charney.
“Microsoft technologies are designed to bring technologies like TPM to life and be consistent with our philosophy that we need to move to hardware roots of trust and biometrics to finally kill usernames and passwords,” he said.
Charney said that while none of this is a panacea, it will help to narrow the attack surface so that organisations need to worry about less and be more intelligent about what they look for to be more effective in their response.
In a post-Snowden world, he said people also want control over what cryptographic algorithms they use, particularly governments.
One of the Snowden allegations was that the National Security Agency may have tweaked an industry-standard algorithm to provide some sort of access.
“In TPM 2.0, which is now going through the International Organisation for Standardisation process, you get crypto agility, which means governments can choose which algorithm they want in their TPM chips,” said Charney.