Andrea Danti - Fotolia

How IT can be more defensible

A renowned Google engineer calls for the IT industry to build devices capable of being defended and for enterprises to take a balance sheet approach in managing risks

The lack of market power from technology buyers to compel IT suppliers to deliver more secure products is contributing to the security challenges that enterprises are facing today, according to an engineer at Google.

Thomas Dullien, a reverse engineer and vulnerability researcher at Google, told a packed audience of IT security practitioners at Black Hat Asia in Singapore that part of the problem lays with the fact that the IT market is dominated by a few large suppliers.

“With these massive conglomerates on one side, enterprises really have no market power,” said Dullien, also known as Halvar Flake, the founder of security analytics software company Zynamics that Google acquired in 2011.

“Realistically, most enterprises buy hardware and software for which they have very little input into the design process – and the CISO [chief information security officer] has even less say,” he added.

As a result of such market dynamics, an entire cyber security industry was spawned to bridge the gap between the secure products that enterprises want and what is available in the market, Dullien said.

“We have security suppliers that recognise that we can’t get what we want, so they try to sell us an approximation of what we would like to have,” he said.

Dullien pointed out that security products are “very puzzling to look at”. Some antivirus software, for example, is built on antiquated code that runs with root privileges to scan email attachments on local machines, he said.

“Anybody who architects software knows this is a bad idea. It’s puzzling why there’s still a market for products that are not all that useful,” he said, adding that such products work only by the grace of cyber attackers who may not perform quality assurance checks on the security software they are attempting to bypass.

To minimise security risks, CISOs often buy a variety of security products that are hardly differentiated, leading them to base purchase decisions on how manageable the products are, Dullien said.

Whether the security products work or not is secondary, he added, as long as the CISOs have shown they have done something to mitigate the risks.

Cyber insurance is another way to mitigate security risks and elevate the financial impact of cyber security measures to a business. For example, companies that employ better security products and a more secure infrastructure can enjoy lower premiums, Dullien said.

Dullien added that cyber insurers can also help to aggregate the buying power of enterprise customers to pressure technology suppliers to deliver better and more secure products.

Balance sheet of benefits and risks

Taking a leaf from the financial industry, Dullien called for enterprises to view their IT infrastructures as a balance sheet, with every application and line of code potentially creating risk for an organisation.

“It’s important to realise that when you install third-party software, you are adding risks to your balance sheet,” he said, adding that the majority of risks come from software that is used infrequently. “90% of software risks are in code that provides 10% of the benefits.”

This balance sheet approach could be augmented with measures to incentivise security and reduce complexity. “Nobody gets promoted for deleting 800 lines of code that could have security issues,” Dullien said.

Read more about cyber security in APAC

  • Indonesia, India and the Philippines are among the top 10 countries with the most number of malware infections, according to a Malwarebytes study.
  • Find out what security initiatives IT decision makers are planning in 2017.
  • Cyber security has enabled Asia-Pacific organisations to enter new markets and deliver services in new ways.
  • Lab facilities have been established at Singapore’s Republic Polytechnic through partnerships with RSA Security, Palo Alto Networks, Trend Micro and Ixia.

With most organisations still in the dark about of how secure their devices are, Dullien called for the industry to build devices that are capable of being defended.

“We should be building devices that allow us to enumerate all system code, and display a hash of everything that can run on a device including all firmware,” he said.

“This would need to be part of a public ledger where device and software makers make their software publicly visible to avow that they have written and stand by their software. The hashes should not be updatable, so there’s no way of messing around with integrity checks.”

Read more on IT risk management