By now you've probably heard that a teenager in England was arrested for suspected involvement in the hacking group known as LulzSec. At first, members of LulzSec denied the teen played any role with the group, but later modified that account, according to PC World, which said:
In a further post Monday, Lulz appeared to acknowledge some association with the arrested man: "The Lulz Boat Clearly the UK police are so desperate to catch us that they've gone and arrested someone who is, at best, mildly associated with us. Lame."
And, not surprisingly, despite the arrest, the attacks continue. Word today is that "the Brazilian arm" of LulzSec hit a government website.
It would appear that IT security as we know it now isn't working. At least that's the thought of Dave Lowenstein, CEO of Federated Networks. In an email to me, Lowenstein argued that cyber security is not only broken, but that the term itself is dangerously close to becoming an oxymoron. He told me:
LulzSec was able to hack into CIA and US Senate, as well as Nintendo and Sony, demonstrating the generally weak levels of online security. While the hacker group has been focusing on exploiting vulnerabilities on the server side, there are client side security issues that are as easy to hack into. Key logins and passwords are being stolen because client side protection is as pathetic.
Some of his general observations on the current state of cyber security are as follows:
- It is time to replace Secure Sockets Layer (SSL) with something that can thwart common network vulnerabilities, such as phishing and man-in-the-middle attacks, and provide ironclad security.
- The sterilization approach didn't work for Howard Hughes and it's not working in cyber security either. In short, he believes that immunizing users' systems against malware payloads through extended end-to-end reverse sandboxing is a much better approach than sterilization.
- Historically, various approaches such as code review, mathematical proofs and, more recently, application firewalls have been utilized to eradicate Web application vulnerabilities. The bottom line is that coding is a human process and humans make mistakes, which are very difficult to consistently and completely identify and rectify in software code bases that are constantly being modified. Therefore, there is a need to build in a layer of redundancy that can effectively immunize Web application code from being exploited.
Is Lowenstein right? Is cyber security as we know it ineffective? Does it need to be changed? Most importantly, can the security methods we have in place keep up with the bad guys, who are always one step ahead?