In a previous post I wrote about cases in which machine-learning adds little to the reliability of security tools, because it often does not react well to novel threats. In this post I will share a thought about overcoming the limitation of machine-learning, by properly augmenting it with other methods. The challenge we tackle is not that of finding additional methods of detection, as we assume such are already known and deployed in other systems. The challenge we tackle is of how to combine traditional detection methods with those based on machine-learning, in a way that yields the best overall results. As promising as machine-learning (and artificial intelligence) is, it is less effective when deployed in silo (not in combination with existing technologies), and hence the significance of properly marrying the two.

I propose to augment the data used in machine-learning with tags that come from other, i.e., traditional, classification algorithms. More importantly, I suggest distinguishing between the machine-learning-based assessment component and the decision component, and using the tagging in both components, independently.

Do you know what all security documents have in common? — they all were at some time called “threat model”… A joke indeed, and not the funniest one, but here to make a point. There is no one approach to threat modelling, and not even a single definition of what a threat model really is. So what is it? It is most often considered to be a document that introduces the security needs of a system, using any one of dozens of possible approaches. Whatever the modelling approach is, the threat model really has just one strong requirement: it needs to be useful for whatever purpose it is made to serve. Let us try to describe what we often try to get from a threat model, and how to achieve it.

We have seen many of those by now. Starting with old ones like FIPS 140, and concluding with more recent additions as the NIST CSF (Cyber Security Framework). The question is: are whose worth my time? What are they good for? Do we need to adhere to them? In a nutshell, I think they have their value, and need to be consulted, but not worshiped.

I have been saying that one of the challenges with securing IoT is that IoT device makers don’t have the necessary security background, and the security industry does not do enough to make cyber-security more accessible to manufacturers. We should therefore not be surprised that 150 years of experience in making robust safes and transferring money securely, did not help Brinks once they introduced a USB slot into one of their new models.

Today I attended CyberDay 2015, where I delivered a lecture titled “Challenges in Securing IoT”.

Some of the lecture was devoted to discussing the issues mentioned in this post. Other issues were discussed as well.

A few days ago I gave a lecture about innovation and one topic that came up was the security of e-voting. It is widely accepted by the security community that e-voting cannot be made secure enough, and yet existing literature on the topic seems to lack high level discussion on the basis for this assumption.

Following is my opinion on why reliable fully digital e-voting cannot be accomplished given its threat and security models.

A few days ago, a critical bug was found in the common OpenSSL library. OpenSSL is the library that implements the common SSL and TLS security protocols. These protocols facilitate the encrypted tunnel feature that secure services – over the web and otherwise – utilize to encrypt the traffic between the client (user) and the server.

The discovery of such a security bug is a big deal. Not only that OpenSSL is very common, but the bug that was found is one that can be readily exploited remotely without any privilege on the attacker’s side. Also, the outcome of the attack that is made possible is devastating. Exploiting the bug allows an attacker to obtain internal information, in the form of memory contents, from the attacked server or client. This memory space that the attacker can obtain a copy of can contain just about everything. Almost.

There are many essays and posts about the “everything” that could be lost, so I will take the optimistic side and dedicate this post to the “almost". As opposed to with other serious attacks, at least the leak is not complete and can be quantified, and the attack is not persistent.

I attended CyberTech 2014 on January 27th-28th. CyberTech is a respectable conference for technologies related to cyber-security. The conference consisted of lectures and an exhibition. The lectures were most given by top notch speakers from the security space, both from the public sector and from the private sector; most being highly ranked executives. The exhibition sported companies ranging from the largest conglomerates as IBM and Microsoft, to garage start-ups.

I am easy to disappoint by cyber-security conferences. Simply put, there are more cyber-security conferences than what the security industry really has to say. This implies that for the security architect or practitioner, most cyber-security conferences lack sufficient substance. I take CyberTech 2014 with mixed emotions too. The exhibition showed interesting ideas, especially by start-ups, while the lectures left more to wish for.

The concept of “Cyber Security” is surely the attention grabber of the year. All security products and services enjoy a boost in their perception of importance, and sales, by merely prepending the word “cyber” to their description. But how is cyber security different than just security?

It differs, but it is not an entirely different domain, at least not from the technology perspective.

Security protects against malicious attacks. Attacks involve an attacker, an attack target, and the attack method, which exploits one or more vulnerabilities in the target. When speaking of cyber attacks, it is common to refer to a nation state attacking another, or to an organization attacking a state. Referring to unorganized individual hackers as executing “cyber attacks", while being a common trend, is a blunt misuse of the “cyber” term in its common meaning. And still, cyber security is not as dramatically different than traditional security.

Smart Grid security is one of the new emerging fields of security. Everybody knows that the new generation of electricity grids requires a new level of security against cyber-wars, cyber-terrorism, and all the rest. Yet, for the purchaser of Smart Grid solutions, it is not always obvious where to start and that to require. The topic is wide, complex, and not very well documented. I do not intend to write a compendium here, but I will share my perspective on how an integrator, or purchaser, may prefer to approach the problem of evaluating Smart Grid solutions from the security perspective.