EMBEDDED SECURITY

The practical impossibility of embedded ICT security

Andrea Pasquinucci, PhD, CISA, CISSP, freelance ICT security consultant

Computer Fraud & Security, November 2008

When someone mentions ICT security, ICT personnel immediately think of firewalls or cryptography, and ordinary end users think of anti-virus software. The words ‘ICT security’ should instead prompt us to consider how well our ICT systems are behaving, which accidents have happened or been prevented, and which security features are present or missing. Why do we always think about assessing or buying new security devices, without considering the intrinsic security of our ICT products? Nowadays we view ICT security as an add-on to ICT products and solutions. When we buy an ICT product we usually evaluate security as a separate issue, with its own budget and personnel to manage it. It would be nice not to have to worry about security and spend money on it, but nowadays that is a utopian dream.
Insecure ICT

Add-on ICT security products are needed because ICT products are insecure. The lack of security in current software and certain hardware ICT products goes back to the origin of ICT and its fast-paced development in the last 20 years. For example, internet protocols were designed in the 1960s and not written for today’s needs, so we deal with them by trying to patch them up, adding extra security features which will hopefully help to fix the problems. Another reason we find ourselves in this situation is the need to release new products within timelines fixed by management, coupled with trying to provide the maximum number of features at a lower price. In this situation security features are the first to be cut out.

Rather than looking at the past, let’s try to consider the present and the near future. As mentioned, ICT products are insecure because they adopt standards and protocols that have not been designed with security in mind. They are also inherently insecure due to bugs and mistakes in design and implementation.
The dual market

It is natural that because security has not been considered enough in the development of ICT products, ICT security products have been created to provide those missing features. At first glance this seems to be a good idea, but in the long run it is not. It has resulted in two markets which rely on each other to prosper.

From an ICT industry point of view this is most convenient. Developers and manufacturers of ICT products do not need to worry that much about security. They concentrate on features, time-to-market, and prices and they rely on someone else to fix security issues and make the products usable. They depend, therefore, on the existence of the ICT security market in order to sell their products. Security product manufacturers depend on the weaknesses of ICT products for which they can offer solutions. If ICT products had no bugs, weaknesses, or missing security features, the security product manufacturers’ market would almost disappear. For example, consider the anti-virus market and what would happen if viruses did not exist in the next release of software. The ICT security industry relies on the fact that most products on the market are very weak from a security point of view.

The loser in this game is the final user. The user gets a product that is weak in terms of security, is sometimes missing security features and, all too often, has security bugs. In order to use this product, the user is forced to buy a second product which supposedly fixes the problems of the first. A third product may even be needed to fix the problems of the second, and so on. The user is now in a lose-lose situation. He has to buy two products instead of one and, even more worrying, he knows that the first product has problems, maybe big ones, and that the second is only a palliative, avoiding the problems without really eliminating them. Another remarkable factor in this scenario is that ICT market producers are not responsible for their products. Customers have to buy, manage and maintain two products instead of one and if something goes wrong, neither the first nor the second producer will be responsible for what happened. This is a no-win situation.
ICT security becoming more difficult

The current ICT and ICT security market situation has not been imposed by bad market practices; rather, it is almost an unavoidable result of what has happened and of the intrinsic problems of ICT. Why is it so hard to achieve ICT security? Security problems in ICT can be divided into two broad types:

• Problems, bugs or mistakes in the design or implementation of ICT products
• Incorrect usage of ICT products by humans

Even though these two types overlap, drawing the distinction helps us understand the kind of problems we face. The first type involves problems of a primarily technical nature within ICT, whereas the second type involves problems that arise from human usage of technology.
The second type is often overlooked, although it is receiving more attention recently due to the phenomenon of phishing. Humans and computers adopt different logics, and it is not easy to design an interface which would allow humans to interact with computers without error or confusion. Most ICT users do not have a clear idea of the consequences of certain uses of technology, and ICT itself does little to make these consequences clear to the user or to limit their effects.

Let’s consider a simple example, the use of biometrics as an authentication method. At first sight it looks like a good idea, because nobody would be able to impersonate me if the authentication method used is my fingerprint. But what about a serious criminal who will not hesitate to cut off my finger in order to access the ICT system? Or, what about the possibility that my biometric credentials could be stolen or leaked from the system and that someone else could use them? We can always change a username and password, but we cannot change our fingerprint, or at least we cannot do so easily and without pain. The crux of this example is that because most users are not aware of the consequences of using ICT they could use it inappropriately, which may lead to security problems ranging from deletion of a PC hard-drive to serious money loss resulting from home banking or digital identity theft.

Getting the human interface with technology right is extremely difficult. It can be done by improving ICT interfaces on the one hand and, on the other hand, educating users as to the real nature of a computer. This type of problem necessitates security as an independent product or service. When we consider ICT security, we should take into account not only the first type of problem mentioned above but also the second. When humans enter the picture, one solution is not valid for everyone. Even in controlled and limited environments it is difficult to find a security solution which fits everybody.

Let us again consider biometrics to illustrate this point. Identification of users by means of biometrics is never exact. Biometrics offers us the probability that the sample just measured matches what has been previously memorised. When matches need to be precise, such as in military situations, users are often not identified due to, for example, local conditions such as temperature, humidity, human health status, etc. Many false negatives will result, that is, users who should have been authenticated but were not. When matches need to be less precise, users who should not have been authenticated may be authenticated because they are mistaken for another user. These matches are called false positives and they may be worse than false negatives, depending on the situation. They would be worse in a military situation but they may not be in a commercial application. The outcome also depends upon who the users of the biometric system are, how physically homogeneous the group of users is, how trained they are in using it, and so on. Biometrics, therefore, cannot be embedded in a product. The adoption of biometrics requires local evaluation, user intervention, etc. Similarly, most security issues related to human interactions with ICT cannot be solved by technology alone and, therefore, they cannot be embedded in ICT products and they require external solutions.
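The false-negative versus false-positive trade-off described above, as an added illustration that is not part of the original article: a biometric matcher is modelled as returning a similarity score, a sample is accepted when its score reaches a threshold, and sweeping that threshold over constructed genuine and impostor scores shows why a "strict" (military-style) setting rejects legitimate users while a "lenient" (commercial-style) setting admits impostors. The score lists, the two policy names and the functions are assumptions made for this example.

```python
"""Threshold trade-off in a probabilistic biometric matcher (constructed example)."""
from typing import List, Tuple

# Constructed similarity scores in [0, 1]; not measured data.
# GENUINE: samples from the enrolled user.  IMPOSTOR: samples from other people.
GENUINE = [0.95, 0.91, 0.88, 0.84, 0.79, 0.73, 0.66, 0.60, 0.52, 0.47]
IMPOSTOR = [0.63, 0.57, 0.54, 0.49, 0.44, 0.38, 0.33, 0.27, 0.22, 0.15]


def error_rates(threshold: float, genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Return (false_reject_rate, false_accept_rate) when accepting score >= threshold.

    FRR = share of genuine samples rejected (the article's false negatives).
    FAR = share of impostor samples accepted (the article's false positives).
    """
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def choose_threshold(policy: str, genuine: List[float], impostor: List[float], step: float = 0.01) -> float:
    """Pick a threshold for a deployment policy (hypothetical policy names).

    'strict'  : lowest threshold with FAR == 0, whatever FRR that costs.
    'lenient' : highest threshold with FRR == 0, whatever FAR that costs.
    """
    thresholds = [round(i * step, 2) for i in range(int(1 / step) + 1)]
    if policy == "strict":
        return min(t for t in thresholds if error_rates(t, genuine, impostor)[1] == 0.0)
    if policy == "lenient":
        return max(t for t in thresholds if error_rates(t, genuine, impostor)[0] == 0.0)
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    # Sweep the threshold so the trade-off curve is visible.
    for t in [0.40, 0.47, 0.55, 0.64, 0.70]:
        frr, far = error_rates(t, GENUINE, IMPOSTOR)
        print(f"threshold {t:.2f}: FRR={frr:.1f} FAR={far:.1f}")
    for policy in ("strict", "lenient"):
        t = choose_threshold(policy, GENUINE, IMPOSTOR)
        print(f"{policy:8s}: threshold {t:.2f} -> FRR/FAR {error_rates(t, GENUINE, IMPOSTOR)}")
```

With these samples the strict policy lands at 0.64 and rejects 30% of legitimate attempts, the lenient policy lands at 0.47 and accepts 40% of impostor attempts, and no single threshold serves both deployments, which is the article's point that the setting must be chosen locally.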
Better security

We need an ICT security market that provides us with solutions to security problems, and today we also need an ICT security market for products that solve the problems of other ICT products. At first glance it would seem that if ICT producers had done things correctly, we would not need this kind of ICT security product. The situation is more complicated, though, than it appears at first sight.

First, software and hardware products are becoming larger and more complicated every day. Many years ago it was already clear that the ICT industry was, and would be, dealing with what was probably the most complex product that human beings had ever known. The product is so complex that humans cannot really be sure of what they are doing with it. Although computer science is an exact science in theory, in practice it is impossible to write complex software or design complex hardware while remaining sure of all possible relationships between inputs and outputs, and without making the tiniest mistake or even a simple misjudgement on all possible outcomes. Large and complex hardware and software products are intractable. They will unavoidably have bugs.

Second, security is so complex that it requires people who have trained and specialised in it. These security experts cannot at the same time be software designers and programmers. This does not mean, though, that we should have different products because we have specialists in different aspects of ICT. On the contrary, a good team would combine all professions, obtaining the best from each one. This sounds easy, but it is difficult to achieve if the different professions do not understand each other on a technical level. Typically, a feature required by the designer would already be difficult for a programmer to implement, but the addition of a security specialist to the mix makes the situation impossible. The result is that you either have to forget about the feature or about security.
ICT will take an extremely long time to evolve to the point where ICT software and hardware will be produced with built-in security as a default. This is so far off that we are unlikely to see it in our lifetime. Still, it doesn’t seem right that some ICT products should be fixing the security problems of others, and business has already clearly requested a solution to this problem. Companies do not want to have to deal with ICT products separately from associated ICT security products. Companies have business needs which should be fulfilled by ICT solutions. The intricacies of how these needs are fulfilled are not as important as the end goal. In other words, security should be an issue solved by those who provide the solution and not by a company that has purchased an ICT product. This idea is supported by the slow but sure movement of the ICT market towards a commodity market in which all technological issues will eventually be solved within the ICT industry and only the service will be offered to the customer.

If we cannot expect to have security embedded by default in all ICT products, we can work towards transforming the ICT market into a market of services and product bundles, where customers will be offered solutions which include both features and security. This would not be all that different from other markets. A good comparison is the automotive market. Cars include many security devices, from belts to airbags, which are designed and produced by specialised companies. But when we buy a car we are not requested to add belts or airbags to it; the car comes with them already installed and tested. What we can hope for and expect in the near future is the transformation of the ICT market towards a market of ICT solutions that bundle relevant technologies and instruments and necessary security features, offering the customer (individual or company) a single secure product.
About the author

Andrea Pasquinucci (PhD in theoretical physics, CISA, CISSP) is a freelance ICT security consultant. His main activities are strategic and global ICT security projects, governance, compliance, audit, and training. His main technical fields of expertise are the security of networks and operating systems, and cryptography. Pasquinucci previously had a 10-year academic career in the USA and Europe. He still teaches and involves himself in academic research projects. He is a member of AIEA, the Milan Chapter of ISACA, has been a member of the board of the Italian Association for Computer Security (CLUSIT) and is a co-founder and member of the board of the Italian Association of Security Professionals (AIPSI), the Italian chapter of ISSA.
SHINY BOX

The glamour of the shiny box solution

Wendy Goucher, security empowerment consultant, Idrach Ltd.

When computers emerged, blinking (metaphorically) from the depths of IT departments, they were exposed to predators everywhere. Viruses were introduced by floppy discs or even straight from the internet by unsuspecting users. If staff members happened to have computers at home there was a good chance they had poor or inadequate antivirus software and very little chance they had a home network with a firewall. People working at home were a huge risk to the IT security of any organisation in the 1990s. Then antivirus software became easier to install and people became aware of it. I remember an intense discussion in the staff room of the college where I was working on the merits of various makes of antivirus software – and there was