|
|
|
Contributors | Messages | Polls | Resources |
    |
 |
|
Comments
Threaded | Newest First | Oldest First
 JohnBarnes
11/17/2017 2:42:13 PM User Rank Platinum 
Not immediately but soonish
The zero-day exploit problem will be getting worse because it doesn't demand a high level of skill among malicious hackers; just lots of cheap space and time (both of which keep getting cheaper) and some simple brute-force methods. Defending against it demands smarter systems over time, as the more subtle and clever exploits are discovered, and eventually you'll need a backstop realtime monitor that can say "This fits the general category of things that probably shouldn't be happening" to do your sandbox routing -- which is going to be an AI job. No need right now -- but the industry will probably get burned a couple of times before they decide the time has come to put AI on the job.
 Kishore Jethanandani
11/17/2017 3:12:18 PM User Rank Author
Re: Not immediately but soonish
<<The zero-day exploit problem will be getting worse because it doesn't demand a high level of skill among malicious hackers; just lots of cheap space and time (both of which keep getting cheaper) and some simple brute-force methods>> I am surprised by this comment from you, @John Barnes. I wrote an article earlier about this topic and the challenge is that these exploits don't have signatures, they target specific vulnerabilities that have not been patched, which should surely require a lot of skill to pinpoint. AI is also not working against them because there isn't enough data on them to train the AI engine. I am not sure what your point is.
JohnBarnes
11/19/2017 10:41:51 PM User Rank Platinum
Re: Not immediately but soonish
Kishore Jethanandani,
The process by which malicious invaders find zero-day exploits is a cookbook process. It does require thorough analysis of the target (which open systems unfortunately facilitates), but the basic process is 1) identify fields or more likely pathways of fields, changes in which can work to the malefactor's advantage (e.g. the path that leads to a payment being sent to an account, and the amount of that payment, or the path that leads to a response of a credit card number, password, SSN, etc. That requires careful analysis but not a great deal of cleverness. 2) locate the modules, methods, free-standing functions, whatever the small units of code are called in that system, which modify fields in that path. Find the ones that are far enough down the code path so that they don't have their own security (or perhaps have very simple easily spoofed security). This is done with huge brute-force code-tracing algorithms -- again, not clever works of brilliant minds, just something that looks in every bowl to see if there's a crunchy there. 3) code trace outward from all those small units, looking for unsecured (or again poorly secured) pathways that eventually lead to an outside contact point. You need huge, superfast systems to do it (or a lot of time on merely-big, merely-fast systems). And obviously you have to understand the target software pretty well. But the actual work of finding the exploit is just writing the brute force software to write a long list of "doors" in the maze, and what doors they lead to, and then check to see if there's a pathway that is all unlocked (or poorly locked -- some internal safeguards are very simple and predictable, more error traps than bad-guy traps). It needs sophisticated machines and a lot of hard study, but I stand by what I said: It is not a high skill thing, and plenty of low level grunt coders would would be quite capable of doing it (and in some places there's someone to pay them to do it). Kishore Jethanandani
11/19/2017 11:00:42 PM User Rank Author
Re: Not immediately but soonish
@JohnBarnes: Thanks for the detailed listing of the steps involved in malicious entry into enterprise networks. From your account, it does seem simple. However, the skill from an intruder's point of view is more in the ability to evade detection software which they are doing better every day. They are able to even beat AI software. If you leaving few footprints, able to masquerade as trusted authorities, and change their guise as they are traced, surely there is a lot of skill involved in that. I am still surprised by a somewhat cavalier attitude towards them.
JohnBarnes
11/19/2017 11:08:18 PM User Rank Platinum
Re: Not immediately but soonish
Kishore Jethanandani,
Oh, I'm not cavalier about them at all (unless you mean an attitude of "Off with their heads!") And you're right of course that they have to know some things and stay up to date as security against them improves. But it's unfortunately a field where the bulk of what they need to do can be done by a "dumb" bulk process, which means they can produce more frequent and credible threats just as a function of buying more processing power. Beating them can't be done the same way; I don't see a "dumb" brute force security solution. So the bad guys need to know some stuff and spend whatever it takes; the good guys need to know a lot of stuff, spend whatever it takes, and be really clever. There's the asymmetry. JohnBarnes
11/19/2017 10:59:15 PM User Rank Platinum
Re: Not immediately but soonish
Kishore Jethanandani,
Okay, now on this one: yes, you're right that zero-day exploits are hard to trap, because most of the malware detection out there consists of just opening up the incoming suspected software or input, looking for known-to-be-bad code, and shutting it down, isolating it, and wiping it if any is found. It's the equivalent of a no-fly list or of locking the barn when a known horsethief shows up on the security cameras. Because by definition zero-day exploits are built around code that no good guy has seen before, that approach will not work. You're right again that AI so far has been ineffective; and that's because what AI can do is take more time, read more code, and thus find more of that bad-guy-identifying code, in more subtle places, much faster than people. And as you say, to do that, it has to train on the code. What is currently in its infancy is having AI watch what the code is doing, decide "that looks weird", investigate, discover by some mixture of its own records and by asking humans "Is this weirdness possibly an attack?", and build up a knowledge base that way. Right now a serious zero-day attack is most likely to be found (slowly, eventually) by an accountant noticing that the company is bleeding money, an engineer spotting the company computers being used to coordinate a DDoS, a routine review that asks "Why did we send this gigantic file -- which turns out to hold 100,000,000 credit card numbers -- to an address in Nowhereia?" Obviously the disaster is the damage being done before it can be detected. What AI could do -- eventually, which is why I say "soonish" -- is be trained to identify "weirdness" and particularly "harmful weirdness" and step in to ask "What's all this about then? Hold it right there" when it does. That will require training on simulated systems that do a huge array of weird things, which means writing test data generators that have "random weirdness" and "random viciousness" generators built in ... and all that is going to require a lot of smarts and skill from some of the very best minds for many years. So my point is: there's a realy bad asymmetry here. Zero-day exploits can be built witha fairly cookbookish procedure; all that's needed is some medium level expertise, time, money, and malice. The defenses are going to require substantial advances in AI and probably in computational semiotics in the design of those AIs. The times are going to be interesting, I'm afraid. Kishore Jethanandani
11/19/2017 11:08:36 PM User Rank Author
Re: Not immediately but soonish
@JohnBarnes: Now I think we are on the same page. A bad actor's skill is the ability to go undetected and it does not really matter what software skills they use for the purpose. Some of the software you described which could have the ability to simulate and detect a range of intrusions was mentioned in my article on cybersecurity. I am curious how well it works in actual situations.
JohnBarnes
11/20/2017 7:56:05 AM User Rank Platinum
Re: Not immediately but soonish
Kishore Jethanandani,
There's a good analogy to a modern burglar -- who has to be alert to where security cameras can (and can't or probably won't) be, motion detectors, etc. -- but after using the knowledge and skill to get to a door or a window, he's still just picking a simple lock, using a stolen key, or breaking something with a crowbar, and the plan once he gets inside is just to head for the most likely places for valuable stuff, load up fast, and leave. Unfortunately in the software world there's much more he can do; in a way it's fortunate that there are still abundant rewards for the relatively dumb and lazy (but still good at evading security) thief, because otherwise the potentially smart and creative ones would be motivated to do "better" work. Sidenote for forward-thinking security people: every time you come up with a really improved set of barriers that cuts down your security problem ... you are creating a bigger prize for the smarter bad guys.  clrmoney
11/17/2017 3:07:56 PM User Rank Platinum
Cybersecurity Trade Offs
I know that cybersecurity is something that is very needed when you are dealing with things online like when you want protections fron online criminals or hackers. I think that it may be more expensive depending on what you want secured that something that is minor but I know that only time will tell.
 afwriter
11/17/2017 4:26:36 PM User Rank Platinum
Re: Cybersecurity Trade Offs
Cost will be a factor in the future but as the saying goes, an ounce of prevention is worth a pound of the cure.
 Ariella
11/18/2017 6:53:56 PM User Rank Author
Re: Cybersecurity Trade Offs
@afwrtier very true; that's why it pays to be proactive.
 mhhf1ve
11/19/2017 10:34:31 AM User Rank Platinum
Re: Cybersecurity Trade Offs
An ounce of prevention is worth a pound of cure -- so minimizing your attack surface seems like a more cost effective strategy than trying to develop superhuman AI to outwit attackers. That makes sense to me.
Kishore Jethanandani
11/19/2017 12:33:13 PM User Rank Author
Re: Cybersecurity Trade Offs
@mhhf1ve: It does make sense. The question is whether it is possible to achieve zero-defect software given the volumes that are generated.
mhhf1ve
11/19/2017 5:13:01 PM User Rank Platinum
Re: Cybersecurity Trade Offs
Maybe it's more cost effective to develop AI that can minimize defects by identifying bugs before they're deployed?
 mpouraryan
11/19/2017 5:43:00 PM User Rank Platinum
Re: Cybersecurity Trade Offs
As I reflected upon your thought, what was bothersome was the title--about trade offs--There should be no compromise on security--right?
Kishore Jethanandani
11/19/2017 7:15:05 PM User Rank Author
Re: Cybersecurity Trade Offs
@mpouraryan: No compromise on security, yes. The trade-offs are more about the means you use to stop the bad guys. For example, prevention versus AI.
mpouraryan
11/19/2017 7:17:45 PM User Rank Platinum
Re: Cybersecurity Trade Offs
The key is to have a hybrid startegy no doubt--this is where AI can be a positive contributor--although one wonders whether the very agents deployed will end up taking up a life of their own!!
Kishore Jethanandani
11/19/2017 7:13:25 PM User Rank Author
Re: Cybersecurity Trade Offs
@mhhf1ve: Great point about the costs. Didn't think about that. AI, however, has its limits. The bad guys are feeding bad data to the defenders' learning algorithms and throwing them off. In fact, they are attacking the defenders' algorithms. Seems like a dead-end to me.
Ariella
11/20/2017 9:30:53 AM User Rank Author
Re: Cybersecurity Trade Offs
@Kishore You're not optimistic about the ability of AI to make businesses more efficient?
Kishore Jethanandani
11/20/2017 5:38:50 PM User Rank Author
Re: Cybersecurity Trade Offs
@Ariella: Great question to ask. The AI tools that have been implemented so far have all been bummed. Worse, they are being attacked so they are actually on the defense. Some new tools have arrived on the scene which John alluded to and one I discussed in my article on cybersecurity that looks promising. But you never know what next the adversaries do. So far, they have consistently outmaneuvered the defenses. The fact that they are becoming polymorphic will likely be a huge problem for any AI engine.
Ariella
11/20/2017 6:33:44 PM User Rank Author
Re: Cybersecurity Trade Offs
@Kishore sounds pretty pessimistic to me. It sounds like these are some of the same problems we are encountering with "smart" devices and IoT in general.
Kishore Jethanandani
11/20/2017 7:05:44 PM User Rank Author
Re: Cybersecurity Trade Offs
@Ariella: IOT expands the sprawl and the number of intersection points. It is hard to make the rules as fast the technology is evolving. Now you have this new 5G phenomenon which increases the numbers of the antennas at the edge and that will only increase the vulnerabilities. No one really knows who is supposed to go where at these crossroads so the adversaries find more ways to deceive and move around with impunity. Hence the need to have zero-defect software to start with.
JohnBarnes
11/20/2017 10:11:27 PM User Rank Platinum
Re: Cybersecurity Trade Offs
Ariella & Kishore,
I think we're probably headed for a situation something like the relationship between germs and immune systems, or international balance of power; we have to give up on the idea of perfect security and move on to "tolerably imperfect security," in which a certain number of (non-fatal) breaches or (controlled) wars and insurrections are just expected and tolerated. How business will live with an imperfect-partial-security system, coexisting with ineradicable-but-not dominant cybercrime, I have no idea. But I think that is where we will end up, like it or not; I see no way for either side of the legitimacy line to either win a permanent victory or just go away. Kishore Jethanandani
11/20/2017 10:55:27 PM User Rank Author
Re: Cybersecurity Trade Offs
@JohnBarnes: With due respect, neither wars nor germs achieve a static equilibrium. In wars, attackers want more and more territory, or in our times, more and more influence. Similarly, infections wrought by germs grow over time. Either the body fights back or the germs grow. So, we are back to square one. We don't know the achievable outcome and must keep looking.
JohnBarnes
11/26/2017 10:05:38 PM User Rank Platinum
Re: Cybersecurity Trade Offs
Kishore,
Exactly my point. We live with wars and disease -- we don't solve them permanently and we don't avoid them completely. (The only possible static equilibrium would be if somehow our world could abolish war or our immune system abolish disease). Instead, we have elaborate procedures and contact networks for restoring a semblance of peace and then trying to make it more than a semblance; we have an enormous variety of defenses in depth against infection. And yet armed people fight each other for causes or goverments every day, and our bodies are always carrying around some cells that would kill us if they got out of hand. So we learn to live with imperfect protection. I don't quite know how to envision it, but I think eventually we will learn to live with always-compromised (but not totally destroyed) security. Kishore Jethanandani
11/27/2017 12:50:31 AM User Rank Author
Re: Cybersecurity Trade Offs
@John Barnes: For sure, it will be an imperfect world. The point I was making was it takes continuous effort to remain even at that imperfect equilibrium and not slide into chaos. It has become increasingly difficult with a tsunami of software in the marketplace.
JohnBarnes
11/27/2017 3:02:54 PM User Rank Platinum
Re: Cybersecurity Trade Offs
Kishore,
We seem to have a knack for agreeing vigorously with each other. Yes, absolutely, maintaining the security equilibrium where it is will cost more in coming years, as the arms race between bad guys and good guys heats up and expands. I think, though, that figuring out how to live with constant non-total breaches -- by having recovery methods in place and damage limiting procedures behind our defenses -- will be a rising cost, as well, and might be a good place for companies trying to get ahead on the security issues to invest in; assume you will be penetrated and exploited and figure out what you'll do in advance (as much as that is possible). Another coming thing (and something else that will require more money, time, effort, and skill than anybody actually has ...) Kishore Jethanandani
11/27/2017 3:48:32 PM User Rank Author
Re: Cybersecurity Trade Offs
@JohnBarnes: Agreement is so rare these days so kudos for the rare ability to do so. The military and wars actually pay back with commercial technologies. I am wondering whether cybersecurity investments will have a similar payoff.
JohnBarnes
11/27/2017 6:42:31 PM User Rank Platinum
Re: Cybersecurity Trade Offs
Kishore, well, classically many counterintelligence measures are also used for intelligence gathering and creative artists often use pirates as ill-paid marketers. Stranger things have happened!
Ariella
11/18/2017 6:53:57 PM User Rank Author
Re: Cybersecurity Trade Offs
@afwrtier very true; that's why it pays to be proactive.
mpouraryan
11/19/2017 5:44:54 PM User Rank Platinum
Re: Cybersecurity Trade Offs
I would humbly argue that being proactive is just part of it--but the problem is that many of the challenges are beyond our control though no matter what mitigating efforts we undertake--as eiptomized by the notion that there are "Trade Offs" .
Kishore Jethanandani
11/19/2017 7:19:18 PM User Rank Author
Re: Cybersecurity Trade Offs
@mpouraryan The problems are not beyond us. Eliminating the bugs at the outset is a sure shot way to solve the problem. Every other industry produces quality by eliminating errors. The auto industry went through a painful process of reorganizing production processes to achieve zero defects under pressure of competition from Japanese companies. The software industry is thinking about it and some methodologies are emerging as I discussed in my cybersecurity article. But it is unclear why it is taking so long to implement them.
mpouraryan
11/19/2017 5:43:50 PM User Rank Platinum
Re: Cybersecurity Trade Offs
No Expense must be spared for security--why is that even an issue? Look at all the challenging times we've deliberated right here in TT?
 grabbestoffer
11/20/2017 2:38:55 AM User Rank Steel
My opinion
The key is to have a mixture startegy no uncertainty - this is the place AI can be a positive supporter - albeit one marvels whether the very operators sent will wind up taking up their very own existence!!
StalkBuyLove coupon codes freehe
11/23/2017 10:17:01 PM User Rank Platinum
Cybersecurity Trade-Offs
I am not surprised that AI for cybersecurity is not viable. Cybersecurity is huge like IoT and uses a lot of resources. Since the best way to battle threats is to test them at every level more companies need to do that unfortunately they don't.
I currently work as a tester and always look for hidden problems that the average tester would not look for to reduce risks, defects and security issues. Kishore Jethanandani
11/24/2017 12:24:00 AM User Rank Author
Re: Cybersecurity Trade-Offs
@Freehe: Testing at every level must be tedious and time-consuming. What do you learn from testing in these hidden places that others overlook?
 dcawrey
11/24/2017 5:22:07 PM User Rank Platinum
Re: Cybersecurity Trade-Offs
One has to wonder if there will be a groundbreaking technology which will allow us to better manage cybersecurity.
I know it is not here yet, but applied AI towards this issue might be something of use. I'm sure many governments are already looking deeply into this. freehe
11/23/2017 10:20:32 PM User Rank Platinum
Using open software
I see why more companies are moving towards using open software since it is easier to secure than closed software. The more people that monitor open software the more opportunities to find security risks. With closed software companies assume vendors will have enough security measures in place so that they don't have to monitor security risks. When a security incident occurs everyone points the finger at each other. Open source avoid these types of issues
freehe
11/23/2017 10:22:37 PM User Rank Platinum
SDN and Security
More companies are moving towards using SDN which is great. SDN makes it easier for companies to implement security meaures and migrate security risks. This is greatly needed given the number of reported data breaches that occur as well as the number of data breaches that are not reported.
freehe
11/23/2017 10:24:54 PM User Rank Platinum
Botnets Are Horrible
Wow. I didn't know the companies can rent botnets to perform an attack. That is horrible. That explains why there has been a huge increase in cybersecurity attacks and data breaches. It is great the this is a known threat. Awareness is the first step. Then companies can develop a strategy to address it.
freehe
11/23/2017 10:28:07 PM User Rank Platinum
AI
Threat intelligence is great to combat cybersecurity threats. This will help to greatly reduce cybersecurity attacks and data breaches which are a huge problem in the U.S. across all industries. Be allowing heat maps to identity risks will now allow companies to be proactive when mitigating risks. Hopefully companies have the budget to use threat intelligence and its features.
freehe
11/23/2017 10:30:22 PM User Rank Platinum
Data Analysis
"....we should be able to correlate it with other edge network data to develop an end-to-end view of security threats, while still benefitting from separation of concerns at the edge."
Allow AI provides many benefits there is still some uncertainty about how to address security concerns. Windstream is not completely sure if they will be able to correlate data to develop extensive views regarding security risks. |
Latest Articles
Italy's 5G auction could exceed a government target of raising €2.5 billion ($2.9 billion) after attracting interest from companies outside the mobile market.
The emerging-markets operator is focusing on the humdrum business of connectivity and keeping quiet about some of its ill-fated 'digitalization' efforts.
Three UK has picked Huawei over existing radio access network suppliers Nokia and Samsung to build its 5G network.
Verizon skates where the puck is going by waiting for standards-based 5G devices to launch its mobile service in 2019.
 On-the-Air Thursdays Digital Audio ARCHIVED | December 7, 2017, 12pm EST
Orange has been one of the leading proponents of SDN and NFV. In this Telco Transformation radio show, Orange's John Isch provides some perspective on his company's NFV/SDN journey.
 Special Huawei Video  Huawei Network Transformation Seminar The adoption of virtualization technology and cloud architectures by telecom network operators is now well underway but there is still a long way to go before the transition to an era of Network Functions Cloudification (NFC) is complete. Video
The Small Cell Forum's CEO Sue Monahan says that small cells will be crucial for indoor 5G coverage, but challenges around business models, siting ...
People, strategy, a strong technology roadmap and new business processes are the key underpinnings of Telstra's digital transformation, COO Robyn ...
Eric Bozich, vice president of products and marketing at CenturyLink, talks about the challenges and opportunities of integrating Level 3 into ...
Epsilon's Mark Daley, director of digital strategy and business development, talks about digital transformation from a wholesale service provider ...
Bill Walker, CenturyLink's director of network architecture, shares his insights on why training isn't enough for IT employees and traditional ...
All Videos
|
|
|
||
|
|
||
|
||
Tweet This