What should we do about 'systemic' cyber risks? Wait, what even are those In a report published this week addressing "systemic" cybersecurity risks, several infosec experts noted that as the number of significant network intrusions rises, an understanding of the problem and the ability to address the larger issues remain lacking. Even something as basic as defining which online security risks are …
Quite so. For some, who may be many, is it certainly a hellish problem to beware and made aware of. However, to others with all necessary smarts though, a whole host of heaven sent opportunities to exploit and expand upon.
Indeed so. "Band-Aid" point fixes for narrowly specific technical problems keep emerging, making the infrastructure ever more complicated. Unfortunately, complexity tends to make things less secure because it increases both the attack surface and opportunities for unforeseen interactions and side effects to occur. That trend also assists in driving constant 'upgrade' churn which keeps everyone on a permanent learning curve - the opposite of good security as thorough familiarity with the idiosyncrasies on one's systems assists their robust management. Furthermore, the growing tendency to replace human decision making and judgement with (inevitably attackable) automation is causing us to lose touch with the adversary at the metal level where it's most important to be clear about what's going on. The result is that we become increasingly reactive, rather than pre-emptively resilient.
The majority of cybersecurity incidents is triggered by malware infections at end user devices. Endpoint security software is a major market but has essentially failed to reliably prevent such malware infections, and there is no hope whatsoever that this will change in the future.
The root cause: All of today's end user devices are software-controlled, and hence are threatened by malicious software. In addition, they do accept code downloads via the network. Furthermore, typical end users just aren't security experts and sometimes can be tricked, and there are so many more vulnerable end user devices than those usually better protected central applications. The latter can be infeted too (eg. by ransomware), but this very often happens via an previously infected end user device.
The cure: For critical applications, we ought to switch to hardware-controlled end user devices. This is very good and proven practice: Before PCs were introduced, all our end user devices were hardware controlled - and we then had no malware problems whatsoever.
We would need to develop new hardware-controlled devices supporting today's needs including grahics, multiple screen windows, multimedia, teleconferencing etc., which is entirely possible but requires a significant architecture change. Those new and secure end user devices would be cloud/edge-oriented, and wouldn't contain an OS such as Windows or some Linux variant. This results in much better functional stability, reliability and ease of use.
An article in the [US] National Defense Industrial Association magazine ...... https://www.nationaldefensemagazine.org/articles/2022/3/8/software-supply-chain-security-turns-to-risk-mitigation ..... highlights the same sort of problems which be valid causes and sources of real concern for there is scant, if any at all, effective risk mitigation, ergo is there a catastrophic vulnerability present for exercise and unhindered development/0day exploitation.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
