A critique on cyber security, businesses, and the Web


I've been working in IT now for over 10 years, starting off at the help desk, moving on to imaging tech, then a hop and a skip over into systems administration. Fourteen years ago, cyber security was not as serious a subject as it is today.

Somewhere around the late 2010s there was a big shift in attitude, and it seemed security was for once taken seriously, but it wasn't what I expected. It was more like a game of hot potato, where shuffling risk and liability onto someone else mattered more than addressing the actual security issues. Risk in the business world translates directly to liability, whereas whether or not a given security issue is a risk worth addressing is a matter of judgement. It just so happens that since businesses can be held liable for damages resulting from lax cyber security, security is now of concern. In the not so distant past, this wasn't always the case. It is really only so because of recent regulatory pressure, especially among financial institutions.

This has led to businesses flocking in droves to ready-made security products and solutions, which aren't always as secure as what's written on the tin. Personally, I believe this has produced the opposite effect to what it was supposed to alleviate. This is further exacerbated by business strategies migrating to cloud services for literally everything.

The Web has been commandeered by digital fiefdoms, and it is inherently insecure because it was meant to be a digital library, not the circulatory system of a service economy. That didn't stop people from attempting to make it into one though, and as a result we get data breaches on the daily and a constant anxiety around the security of these services.

I've seen simple things twisted into pretzel knots all because of this, and often we forget why or what led up to some of the most egregious security practices in the first place, because the last knot wasn't enough and needed to be twisted all the more.

Let's take passwords for instance... Why are they routinely changed? If you thought it was to eliminate persistence on an account or account takeovers, you've already lost the premise. This isn't the '90s anymore; the moment an attacker has gained access to an account, it's game over and your password update routine ceases to matter. In fact, I don't believe it ever helped, even as a precautionary measure. Was there a data breach? Did the account owner re-use the same password elsewhere and it was leaked there? Is there a backdoor method to get into the account? It wasn't Password123, was it? People in security make a big deal about this too, as if passwords over time just submit themselves to a public plain-text ledger all because someone didn't change their password on time. No, that doesn't happen, and making people frequently change their passwords isn't actually addressing the problem here, and to clarify, the problem isn't the user. It's a lack of insight as to where, when, and how things occur and go wrong, paired with a false sense of security in following irrelevant feel-good rituals rather than establishing a secured system. Here's a mantra to go by: if it's on the internet, it's not secure. Congratulations, we've established our first pretzel knot!

Now introducing MFA verification... Why do we have to verify our sign-in with MFA? Because in theory, if someone happens to obtain your password and attempts to sign into the account it belongs to, MFA acts as an additional verification step requiring the account owner to approve. We're now twisting another knot into our pretzel here, because we still haven't addressed the original problem of how someone got into the account in the first place. If someone is able to sign into any of your business accounts from any device and location in the world, then we have a serious network security breach on our hands that needs to be resolved ASAP, and MFA is a band-aid solution at best.

Now let's increase the frequency of MFA verification into a daily, if not multiple-times-a-day routine. Why? Because in theory, again, someone's session (namely their session cookies) could be hijacked and replayed from an attacker's device without requiring them to sign in or MFA with anything. This is just adding salt to our pretzel now, because we're still not addressing the original problem and have also introduced another theoretical scenario. How in the world are user sessions getting hijacked!? Oh yeah, that wide open network we're still ignoring, that's how. Also, daily MFA is a terrible idea because it fatigues users to the point that they don't even pay attention to what they're signing into, much less verifying anymore. A screen pops up prompting them to "verify now! >:O" and they don't even think about it and just follow it through.

Oh, did you think I was done here? Not even... Next up come mobile authentication apps, biometrics, security PINs, endpoint monitoring and detection, travel restrictions, device attestation, SSL inspection, continuous verification, quarterly user cyber training, phishing tests - it just doesn't end, but it's certainly fueling a market, and I suspect that's the point. There's a lot more I could go into, but I would have to write a book to contain it all and I don't have the time.

Behold, the World Wide Web!

It's as if we've boot-and-nuked the whole Web just to install Windows XP over it as a shared system set to auto-login with the firewall disabled, and called it cloud computing. Everyone's scrambling to secure their little corner, meanwhile the whole system is compromised from top to bottom. It's not going to work and will inevitably lead to nationalist "sovereignty" policies erecting mandatory security networks and data centers, further restricting and controlling people's communication and behavior on the Web, all to preserve a parasitic economy desperately clinging onto anything to remain relevant.

There was nothing wrong with the Web as an open digital library, file sharing resource, social network or even a virtual store, but in hindsight, reinventing it into an IPC-like messaging bus to facilitate identity management services in front of sensitive infrastructure was careless and sloppy. Unfortunately this is the direction of technology these days, making cyber security a very lucrative field, similar to the old adage of Microsoft keeping IT employed. It's really only been the last 20 years that any of this has existed, and although people are hopelessly soulbound to it and their devices, it could take all of 20 seconds to come to a crashing end and maybe bring the world back to a sense of normalcy.

Thanks for reading my blog!


