Protecting the future: the roots of security

November 25, 2014

Today’s information technologies are a rather mishmashed system comprised of top-notch innovations interspersed with legacy technologies, some of which have been in use for decades and rarely changed. This “coexistence” of new and old led to the discovery of dramatic bugs that had stayed below the radar for years.

640-3

 

Haunted by the past

Earlier this year, we discovered Shellshock, a big bad Bash vulnerability introduced back in 1992. Bash is an integral part of most of the Unix-like systems, whose code wasn’t reviewed thoroughly enough to find a wide-open vulnerability. Its discovery led to a worldwide panic, especially since the first attempts to patch it failed for various reasons.

More recently, Microsoft disclosed a bug in Internet Explorer that existed since Windows 95. It is anyone’s guess whether or not there were zero-day flaws in the popular software actively exploited by cybercriminals, unbeknownst to the developers of the software and white-hat security experts.

Software vendors, especially operating systems developers, have to carry a huge load of legacy code in order to ensure backwards compatibility with legacy hardware and software for which popular demand exists. Occasionally, they may choose to keep support of the old versions of their operating systems to keep customers content. That was the case with Windows XP, which stayed in use for too long – many users chose to stick with it along with its old-shoe interface… and old bugs. Those bugs won’t be patched since Microsoft stopped their support of XP in April 2014. That means the aforementioned antique bug in IE isn’t going to be fixed for the remaining (legions of) Windows XP users, leaving them wide open for attacks. This isn’t going to improve overall cybersecurity.

Roots and grafts

Yet another example of security problems due to the inosculation of the older and newer technologies is a troubling situation with critical infrastructure. The equipment is sometimes decades old. It was designed as “close box”, and then – “all of sudden” – Internet connectivity was added to the legacy equipment, which immediately decreased its security.

Adam Firestone, president and general manager of Kaspersky Government Security Solutions, points out a silver lining: There’s now a unique possibility to upgrade security radically, replacing the older systems with new ones, with security built-in by design.

And that’s what we mean by “roots of security.” There are two approaches to security – “added” and “built-in”. The first one suggests security wasn’t in place by design, and had to be introduced afterwards, usually with a very relative success. It’s like grafting the trees: some yield to it, some don’t, no matter how many attempts are made.

A more adequate and proper approach is “built-in” security that had been taken into consideration since the very beginning of the development process.

wide_1-2

The Smarternet

It’s not news that the future lies in the Internet of things, with the world increasingly interconnected. Every imaginable device will be “smart” one day, connected to the Web and remotely operable.

What would living in such a world look like? We can only assume the variants. Definitely there will be more convenience, but more risks too. Would it be possible to “trigger an economic crisis” with a single, well-placed click? Or turn critical infrastructures across the globe into shambles with a small piece of malware served to the proper vulnerability?

With many technologies not fully understood (or capable of being handled), the dystopian predictions we spoke of in the previous post seem probable. Is it inevitable? No.

Slowly, the interested parties are coming to an agreement about the necessity of considering cybersecurity wherever information technologies are used, and they are used almost everywhere.

Security must be – and hopefully will be – in the roots of the information technology “tree”, instead of being grafted to it. There will still be mishaps and errors, but cybersecurity vendors such as Kaspersky Lab will be around to protect users no matter what the future holds.

wide_video2-2