Things are just starting to get interesting in cyber security. We’re seeing a ramp-up of attacks, from corporate breaches through to election tampering and the disabling of critical healthcare services. Governments are posturing and hinting at their warfare capabilities. There is almost no regulation and most end-users are failing to protect themselves.
Security is still talked about by the uninformed as a binary state. To be secure, or not.
Actually, “defense” isn’t a single thing. It’s not a question of whether you will suffer a security incident, but when. As such, good security is implemented through layers and with a mind to mitigating breaches through compartmentalisation:
In every instance, it is the lack of compartmentation between accounts and personas that has been the cause of the pain. Without proper compartmentation, attackers are able to leverage information from one compromised account to access another related account, increasing privileges and traversing across the persona’s exposed and interlinked account control centers.
The human element of security is often the weakest. We hear a lot about zero-day vulnerabilities and elaborate hacks because they are cool, but it’s the simplest breaches – users with poor password hygiene and no 2-factor authentication – that are the biggest cause for concern. People are used to frictionless access to their computers, and the UX around 2FA and strong passwords is usually less than frictionless.
E-mail continues to be a popular communication platform despite having minimal built-in security. With a history of all your communications, files and personal conversations, and direct access to all your other accounts (through password reset), it really is a single point of failure. Nobody uses PGP properly, so most have given up and moved to encrypted apps like Signal and WhatsApp.
PGP is like memory management: a very useful technology that is functionally impossible to give to end-users directly in responsible manner. https://t.co/QXXdthm6OF
— Patrick McKenzie (@patio11) November 23, 2017
Yet email continues to be a critical part of business and governmental infrastructure.
The security industry is also full of vendors with vague, fluffy marketing. It can be difficult to know precisely what you’re buying and it’s difficult to compare products because they’re often hidden behind enterprise sales processes. The big cloud providers are starting to offer data-driven products and there are some promising businesses like Cloudflare, but for the vast majority, the market is confusing.
- Unlimited attack surfaces
- Users not paying attention to basic security practices
- Frustrating and inconvenient UX
- Enterprise vendors selling vague security promises
- An increasing number of attacks from criminal gangs, hacktivist groups and nation states
To me, it looks like a very immature landscape where things are just getting started. We’re still in v1.0 of the cyber security era and things are only going to get more interesting!