March 31, 2016 By Rick M Robinson 2 min read

Privacy and Hackable Devices

Controversy over law enforcement unlocking smartphones has the power to capture broad public attention. But for the information security community and anyone interested in data security, the truly interesting story in these cases is the underlying one.

This story is not about individual companies or government agencies, but instead the overall state of play in information security and where we are going. What does it mean to talk about the security of backbone structures such as operating systems when these systems are inherently hackable? Who determines their security? How is it assessed? Does the very process of security assessment introduce vulnerability risks?

However privacy and security disputes are finally resolved, the security community will continue to face some fundamental challenges.

Security Design and the Inside Risks

The general principles of good application security design are well-understood, with best practices being widely promulgated if not always applied. These apply not just to ordinary applications, but also to fundamental backbone structures such as operating systems.

At the heart of these best practices is building in security from the outset rather than bolting it on. But how do you know if the job has actually been done correctly? The only way to know is to perform a security assessment or audit, examining and testing the security features.

But whenever you bring in an auditor or review team, you are giving more human eyeballs access to security features. Every new set of eyes constitutes an added risk. As Dennis McCafferty noted at CIO Insight, professionals now rate social engineering and insider threats at the very top of the threat hierarchy, which makes the review process itself a major risk.

From Road Maps to Back Doors

A backdoor controversy with respect to government agencies is really just one specific instance of this general principle. To have a road map to a system — which a security assessment team must have to do its job — is to know that it is hackable, how its defenses are put together and how those defenses might be circumvented.

Put another way, any system complex enough to be useful is potentially hackable. No formal back door is needed; just sufficient detailed knowledge of the application and how it works.

Even more to the point, at a basic level, it does not matter whether a security assessment team comes in from outside (such as a government agency or an audit service) or is assigned in-house. On the one hand, the additional eyeballs are needed to assess and confirm security. On the other hand, those eyeballs become a potential security threat.

In the end, there is no purely technical solution to this problem. So long as computers are being designed and used by human beings, the human factor will continue to be the most crucial element of their security. The issues of identity and access will continue to pose a challenge for information security leaders.

More from Government

Updated SBOM guidance: A new era for software transparency?

3 min read - The cost of cyberattacks on software supply chains is a growing problem, with the average data breach costing $4.45 million in 2023. Since President Biden’s 2021 executive order, software bills of materials (SBOMs) have become a cornerstone in protecting supply chains.In December 2023, the National Security Agency (NSA) published new guidance to help organizations incorporate SBOMs and combat the threat of supply chain attacks.Let’s look at how things have developed since Biden’s 2021 order and what these updates mean for…

Roundup: Federal action that shaped cybersecurity in 2023

3 min read - As 2023 draws to a close, it’s time to look back on our top five federal cyber stories of the year: a compilation of pivotal moments and key developments that have significantly shaped the landscape of cybersecurity at the federal level.These stories highlight the challenges federal agencies faced in securing digital infrastructure in the past year and explore the evolving nature of cyber threats, as well as the innovative responses required to address them.New White House cybersecurity strategyThe White House’s…

ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware

12 min read - As of December 2023, IBM X-Force has uncovered multiple lure documents that predominately feature the ongoing Israel-Hamas war to facilitate the delivery of the ITG05 exclusive Headlace backdoor. The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers. ITG05’s infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign. X-Force tracks ITG05 as…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today