To answer this question logically and truthfully we have to go back to how computers have evolved and connected to each other.
During WW2 came the beginning stages of electronic machines tabulating artillery tables faster and more accurately than humans (Colossus Mark 1 and 2).
(Public domain picture.)
As computers evolved, more and more effort went into programming and processing capabilities, and security was not even a worry: security was handled physically, not at the network level.
So when and what was the first networked computer?
The first network was the precursor of the internet as we know it, and it was called ARPANET (Advanced Research Projects Agency Network); an EDN Network article discusses this. On ARPANET in 1969 and shortly thereafter the focus was on making the network operational (it was finally deemed "operational" in 1975, six years later). The work on this technology is available for everyone to see: TCP (Transmission Control Protocol) as it was developed in the public domain, RFC 793, September 1981.
If you look at the Table of Contents of the TCP RFC (Transmission Control Protocol, Request For Comments) document, there is no place for security or encryption. It is up to you to develop security. So that is what we have done: new technologies, SSL (Secure Sockets Layer) and TLS (Transport Layer Security), have been built on top of the TCP technology.
As you may know from our past blog post, SSL is no longer PCI compliant.
So THIS IS THE PROBLEM!!!
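The layering just described (plain TCP first, TLS on top) and the point that SSL is no longer PCI compliant, as an added Python example that is mine and not from the original post: it opens an ordinary TCP connection, wraps it in TLS, and refuses to negotiate anything below a floor. The TLS 1.2 floor is my assumption, based on PCI DSS guidance that retired SSL and early TLS; the host name in the usage line is a placeholder.

```python
import socket
import ssl

# Ordered oldest to newest so protocol names can be compared by position.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MINIMUM_VERSION = "TLSv1.2"  # assumption: the PCI floor used in this example


def protocol_allowed(negotiated: str, minimum: str = MINIMUM_VERSION) -> bool:
    """True when the protocol name (as returned by SSLSocket.version())
    is at or above the floor. Unknown names are rejected, not guessed at."""
    try:
        return PROTOCOL_ORDER.index(negotiated) >= PROTOCOL_ORDER.index(minimum)
    except ValueError:
        return False


def make_client_context(minimum: str = MINIMUM_VERSION) -> ssl.SSLContext:
    """Client context that verifies the server certificate and host name
    and will not negotiate below the floor. create_default_context already
    disables SSLv2/SSLv3; minimum_version closes off early TLS as well."""
    ctx = ssl.create_default_context()  # system CA store, hostname checking on
    ctx.minimum_version = {
        "TLSv1": ssl.TLSVersion.TLSv1,
        "TLSv1.1": ssl.TLSVersion.TLSv1_1,
        "TLSv1.2": ssl.TLSVersion.TLSv1_2,
        "TLSv1.3": ssl.TLSVersion.TLSv1_3,
    }[minimum]
    return ctx


def connect_tls(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open the plain TCP connection first, then layer TLS on top of it and
    return the negotiated protocol name. Raises ssl.SSLError if the server
    can only speak SSL or early TLS, which is exactly the point: the
    insecure transport stays unusable instead of silently downgrading."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as tcp:  # TCP alone: no security
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:  # TLS layered on TCP
            version = tls.version()
            if not protocol_allowed(version):
                raise ssl.SSLError(f"negotiated {version}, below floor {MINIMUM_VERSION}")
            return version


if __name__ == "__main__":
    print(connect_tls("example.com"))  # placeholder host
```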
We are developing our current software on an insecure platform.
Until there is a computer built from scratch for security using a network mechanism that is also built with security in mind, we will always be fighting a losing battle.
So we have developed Compliance mechanisms:
- PCI – Payment Card Industry (in 2004 the major credit card companies came together)
- HIPAA – Health Insurance Portability and Accountability Act of 1996
- Other public company compliance regulations (SOX)
The compliance systems are not designed to make you 100% secure; they are designed to help you mitigate security problems. If you follow all the rules, for the most part you will keep problems in check, and thus business risk stays reasonable.
The bottom line is that IT resources exist to provide business capabilities, and in that environment security risk has to be mitigated. Until someone develops a 100% secure platform, this is the life we have. We will have to keep up on patches and review logs while always looking over our shoulders to see whether the criminal hackers have finally come into the environment or not.
It is interesting to note that as more people get connected, we stop thinking about our security. I mean, who thinks about cybersecurity when they get a new phone, tablet or laptop, especially if it is their first foray into smartphones? The new connectee is interested only in how to connect (usually over free WiFi or an unlimited data plan). The reason we stop thinking about security is that we expect security to already be there.
The unfortunate aspect of more people connecting is that not all of them are knowledgeable about phishing emails and other cybersecurity problems. It takes time to become knowledgeable in anything, so the overall understanding is pushed down (toward the common denominator).
So my theory is that as more people connect, the average knowledge about cybersecurity is pushed down, thus allowing more attacks by criminal hackers to succeed.
In the following image Cisco predicted IoT devices would balloon to 50 billion by 2020 (this seems correct, or even low).
So nothing has changed – we are so busy connecting to the Internet that we are not focusing on security. This phenomenon is moving faster towards a larger chaotic environment.
Contact us to discuss