Privacy and Hackable Devices
Controversy over law enforcement unlocking smartphones has the power to capture broad public attention. But for the information security community and anyone interested in data security, the truly interesting story in these cases is the underlying one.
This story is not about individual companies or government agencies, but about the overall state of play in information security and where we are going. What does it mean to talk about the security of backbone structures such as operating systems when these systems are inherently hackable? Who determines their security? How is it assessed? Does the very process of security assessment introduce vulnerability risks?
However privacy and security disputes are finally resolved, the security community will continue to face some fundamental challenges.
Security Design and the Inside Risks
The general principles of good application security design are well understood, with best practices being widely promulgated if not always applied. These practices apply not just to ordinary applications, but also to fundamental backbone structures such as operating systems.
At the heart of these best practices is building in security from the outset rather than bolting it on. But how do you know if the job has actually been done correctly? The only way to know is to perform a security assessment or audit, examining and testing the security features.
But whenever you bring in an auditor or review team, you are giving more human eyeballs access to security features. Every new set of eyes constitutes an added risk. As Dennis McCafferty noted at CIO Insight, professionals now rate social engineering and insider threats at the very top of the threat hierarchy, which makes the review process itself a major risk.
From Road Maps to Back Doors
A backdoor controversy with respect to government agencies is really just one specific instance of this general principle. To have a road map to a system — which a security assessment team must have to do its job — is to know that it is hackable, how its defenses are put together and how those defenses might be circumvented.
Put another way, any system complex enough to be useful is potentially hackable. No formal back door is needed, only sufficiently detailed knowledge of the application and how it works.
Even more to the point, at a basic level, it does not matter whether a security assessment team comes in from outside (such as a government agency or an audit service) or is assigned in-house. On the one hand, the additional eyeballs are needed to assess and confirm security. On the other hand, those eyeballs become a potential security threat.
In the end, there is no purely technical solution to this problem. So long as computers are being designed and used by human beings, the human factor will continue to be the most crucial element of their security. The issues of identity and access will continue to pose a challenge for information security leaders.