Categories: "Analysis"

About the Analysis category

  By Hagai Bar-El, 48 words
Categories: Analysis

The Analysis category contains articles that discuss security analysis of requirements and analysis of solutions. This category is further divided into sub-categories that address cybersecurity (critical infrastructure and homeland security), IT security (deployment of IT security tools and operations), security engineering (the development of security tools), and policy.

  2020-10-26

SDL and Agile

  By Hagai Bar-El, 2439 words
Categories: Security Engineering

One of the challenges that agile development methodologies brought with them is some level of perceived incompatibility with security governance methodologies and SDLs. No matter how you used to integrate security assurance activities with the rest of your engineering efforts, it is likely that Agile messed it up. It almost feels as if agile engineering methodologies had as a primary design goal the disruption of security processes.

But we often want Agile, and we want security too, so the gap has to be bridged. To this end, we need to first understand where the source of the conflict really is, and this also requires understanding where it is not. Understanding the non-issues is important, because there are some elements of agile engineering that are sometimes considered to be contradicting security interests where they really are not; and we would like to focus our efforts where it matters.

We will start by highlighting a few minor issues that are easy to overcome, and then discuss the more fundamental change that may in some cases be required to marry security governance with Agile.

  2020-09-26

Your Bitcoin wallet will never be your bank account

  By Hagai Bar-El, 1399 words
Categories: Analysis, Security Policies, Security, Counter-media

Don’t get me wrong; Bitcoin and crypto currencies are a big deal, at least technology-wise. Bitcoin and blockchains taught us a lot about what can be done with security protocols, and at a lower level, they even taught us that computation inefficiency is not always a bad word, but something that can yield benefits, if that inefficiency is properly orchestrated and exploited. It was also the most prevalent demonstration of scarcity being artificially created by technology alone. As I wrote before, blockchains will probably have some novel use-cases one day, and Bitcoin, aside from being a mechanism for transferring money, also provides a target of speculation, which in itself can be (and is) monetized.

What I truly do not understand are the advocates who see Bitcoin wallets as the near-future replacement for bank accounts, and Bitcoin replacing banks (and other financial institutions) in the near future. I understand the motivation, as those are dreams easy to fall for, but for crypto-currency wallets to replace financial institutions much more is needed, and for the sake of this discussion I will not even delve into the many technical difficulties.

  2020-09-13

An obvious limitation of machine-learning for security

  By Hagai Bar-El, 726 words
Categories: IT Security, Security Engineering, Security, Counter-media

I recently came across this study titled “Unknown Threats are The Achilles Heel of Email Security”. It concludes that traditional e-mail scanning tools, which also utilize machine-learning to cope with emerging threats, are still not reacting fast enough to new threats. This is probably true, but I think this conclusion should be considered even more widely, beyond e-mail.

Threats are dynamic. Threat actors are creative and well-motivated enough to make threat mitigation an endlessly moving target. So aren’t we fortunate to have this new term, “machine learning”, recently join our tech jargon? Just like many other buzzwords, the term is newer than what it denotes, but nonetheless, a machine that learns the job autonomously seems to be precisely what we need for mitigating ever-changing threats.

All in all, machine-learning is good for security, yet in some cases it is a less significant addition to our defense arsenal. Why? – Because while you learn, you often don’t do the job well enough; and a machine is no different. Eventually, the merits of learning-while-doing are to be determined by the price of the resulting temporary imperfectness.

  2020-08-16

Blockchains: useful or not?

  By Hagai Bar-El, 976 words
Categories: Security Engineering, Counter-media

One of the biggest technological controversies of the decade is blockchains. There is no debate on how brilliant the technology is. It is very clever, if not genius. The only debate is on how useful it really is. Crypto currencies like Bitcoin are a strong use-case for blockchains, but how many other real use-cases are there? Some people claim that blockchains will change the Internet for good, while others consider it as a clever solution still seeking a problem. Reality is probably somewhere in between, as it usually is.

Blockchains often appear to be more useful than they really are, because their proponents bring up uses for blockchains which could also be facilitated using other, simpler and traditional techniques. Most of those uses, which could also be attained without blockchains, are indeed better off without them. As clever as blockchains are, they always add complexity where they are deployed. In other words, I have not yet seen a single problem that could be solved by either blockchains or other technical means, and where the blockchain-based approach was the simpler one. It follows that if we want to discuss the true merits of blockchains, then we shall identify those problems that could be solved using blockchains, and which could not be solved by simpler existing technologies.

  2020-08-01

The effect of cloud services on our intimacy with IT

  By Hagai Bar-El, 1775 words
Categories: IT Security, Security, Day-to-Day Security Advice

Years ago, we did not trust cloud service providers, or we trusted them only when we had no choice. Then, consumers started using web-mail and other such services, and finally companies also moved into replacing their own IT with cloud applications. By now, we trust our service providers sufficiently, for the most part. We model our risks, we consider the benefits, and we usually decide that it’s worth it. But often enough, our trust in service providers still does not cause us the necessary warm and fuzzy feeling that is required for us to hand off all our data to the cloud and live a truly digital life. As it seems, thinking you are secure is one thing, and feeling you are sufficiently secure, even with your most critical data, is something else.

What do we do for now? – Use the cloud, but not for everything…

  2020-04-17

The Fake News problem will not be solved by technology

  By Hagai Bar-El, 903 words
Categories: Analysis, Security Policies, Counter-media

One reason we struggle with finding a solution to the fake news problem is that we have never defined the problem properly. The term “fake news” started as referring to publications that look like news but are entirely fabricated. It then migrated to consist also of news articles that are just grossly inaccurate, to later expand further into consisting also of news one doesn’t like and tries to dispute.

It is amusing to see how we seek technical mitigation towards a problem which is entirely semantic. Just like a lie detector does not detect untruths but only the artifacts of a lying person, all technologies that are considered for fighting fake news do not detect untruths but mostly willful propaganda. However, just like plain deceiving, publishing propaganda also consists of many shades of grey, implying that whatever solutions we find, we will never be happy with them.

We should recalculate our route.

  2020-03-05

Useful threat modelling

  By Hagai Bar-El, 1633 words
Categories: Security Engineering

Do you know what all security documents have in common? — they all were at some time called “threat model”… A joke indeed, and not the funniest one, but here to make a point. There is no one approach to threat modelling, and not even a single definition of what a threat model really is. So what is it? It is most often considered to be a document that introduces the security needs of a system, using any one of dozens of possible approaches. Whatever the modelling approach is, the threat model really has just one strong requirement: it needs to be useful for whatever purpose it is made to serve. Let us try to describe what we often try to get from a threat model, and how to achieve it.

License

All contents are licensed under the Creative Commons Attribution license.