Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

3/15/2019
10:30 AM
Dr. Mike Lloyd
Dr. Mike Lloyd
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

On Norman Castles and the Internet

When the Normans conquered England, they built castles to maintain security. But where are the castles of the Internet?

I recently had the pleasure of attending the ninth annual Workshop on Internet Economics (WIE) at the University of California, San Diego. It might not seem a likely place to discuss English castles after the Norman Conquest, but that turned out to be a strong analogy for the security challenges of our modern Internet.

Explaining why takes a little bit of context. The Internet's early history is a great example of a runaway experiment escaping from the lab that went on to conquer the world. The intent was a network for exchange of scientific and technical data among a select few institutions. It was so good at information exchange that it grew far beyond that.

The Internet began with a great deal of optimism — open communication and a belief that connecting people would lead to wonderful things. While some wonderful things did happen, so did some unfortunate things. The Internet has become an important tool for those keen to manipulate elections and public opinion as well as a breeding ground for extremism.

Every new technology begins with a rush of optimism, followed by coming to terms with the downsides and limitations it has; the Internet is no different. The WIE conference gathered experts from many disciplines — Internet measurement, public policy, economics, security, and more — to look at what we know, what we don't know, and how we can close the gap through measurement. The perspective that emerged was not optimistic.

Today, a new computer will be attacked within minutes of getting on the Internet. Bad guys are relentless. They use automation on a seriously large scale looking for weaknesses to exploit. They often don't know exactly what they are looking for, so they go into any computer they can. They either find something valuable on it, use it as an anonymous base for future attacks, or even add it to a network of enslaved devices — see, for example, the Mirai botnet. It's like a neighborhood where any packages left on the porch or mail in mailboxes are immediately taken, and every door and window are repeatedly tested to see if anything was left open — a scary and untrusting place.

It's in this context that Norman castles came up. After the Normans conquered England in 1066, they needed to hold on to the power they won. They built castles — first of wood, then of stone. These classic castles combined a raised, fortified area (the "motte") with a much larger walled courtyard (called the "bailey") where people and livestock could shelter. Life in the bailey was crowded, smelly, and restrictive, but it beat living in the countryside, which was full of bandits who would attack anyone passing by. Travel by road was a very dangerous affair, undertaken only when necessary, and ideally with guards. 

How does this aromatically challenging environment compare to the modern Internet? Well, consider what we call "the cloud." For businesses that have been around for a while, the cloud isn't an abstract notion of "computers somewhere else" — it's a concrete proposition, just like a motte and bailey castle. A few cloud service providers have built serious walls around their courtyards. If you set up shop inside one of these spaces, you can benefit from the protection against the brigands who will constantly test you if you strike out on your own. The consensus of the discussion at the workshop was that today's Internet is like that medieval countryside — far too dangerous a place to live. Adopting cloud technology may not be about price or productivity — it's about protection.

This picture of the Internet as a dangerous wilderness dotted with forts and enclaves where people can huddle in relative safety is a long way from its optimistic beginning with the free flow of information.

Does this dismal view mean the Internet is broken beyond repair? Certainly not. Our world is far more peaceful, productive, and pleasant to live in than Norman England ever was. To emerge from the confines of the few castle enclosures dotted around, we need either the rule of law or better ways to defend ourselves. A new international system for policing the online world doesn't seem imminent — the global political winds are currently fanning flames of nationalism and isolation, exactly the wrong direction for Internet safety. We need to get better at defending ourselves — finding our defensive weaknesses before the bad guys do. Relying on the castle makers to protect us in our confining compounds isn't a long-term strategy. Businesses run the risk of "vendor lock-in," the modern-day equivalent of being stuck as a feudal vassal of the guy who can muster a fighting force and build a wooden wall around you and your compatriots.

What Can Be Done
The takeaway from all this is actually good news. These problems can be managed, first by realizing that the situation is serious, and then using modern automation to build digital resilience. Resilience means understanding that attacks are inevitable, but planning to survive them, rather than hoping to just get lucky and stay out of harm's way. The Internet has become a quite dangerous place, and it requires strong defenses, as well as recovery plans.

If you're not sure where to start, the best place to begin is mapping — map your defenses so you can find defensive gaps, map your business processes so that you can recover from compromise, and map out your recovery steps. The wandering marauders are out there. What you need to do is plan ahead, find protected places to hide your valuables online, and know what to do when they do breach your defenses.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Dr. Mike Lloyd, CTO of RedSeal, has more than 25 years of experience in the modeling and control of fast-moving, complex systems. He has been granted 21 patents on security, network assessment, and dynamic network control. Before joining RedSeal, Mike was CTO at RouteScience ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14345
PUBLISHED: 2019-11-15
TemaTres 3.0 allows remote unprivileged users to create an administrator account
CVE-2019-14343
PUBLISHED: 2019-11-15
TemaTres 3.0 has stored XSS via the value parameter to the vocab/admin.php?vocabulario_id=list URI.
CVE-2019-14869
PUBLISHED: 2019-11-15
A flaw was found in all versions of ghostscript 9.x before 9.28, where the `.charkeys` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could esc...
CVE-2019-18987
PUBLISHED: 2019-11-15
An issue was discovered in the AbuseFilter extension through 1.34 for MediaWiki. Once a specific abuse filter has (accidentally or otherwise) been made public, its previous versions can be exposed, thus potentially disclosing private or sensitive information within the filter's definition.
CVE-2019-18986
PUBLISHED: 2019-11-15
Pimcore before 6.2.2 allow attackers to brute-force (guess) valid usernames by using the 'forgot password' functionality as it returns distinct messages for invalid password and non-existing users.