Security is hard. Security for new technology is even harder. Want to know more? Click here.
And you see it doesn’t always work. You’ll know that if you tried to click that link. It doesn’t work. I know because I secured that link. And since I didn’t really know how it worked because it’s so new, all my security defenses made it absolutely useless.
I’m a pretty forward guy when it comes to technology. I’m writing this on my phone through a cyber browser built on top of trust chains which uses crowd-sourced enclave whitelists. No limits to just using the old web here! And it’s completely privacy and security focused. How does that work you ask? Exactly.
You can’t secure something if you don’t know how it works. And it’s more than that. You also can’t secure something if you don’t understand the mechanics of the environment it’s in. Or how it communicates and interacts. Or all the resources it requires in both the physical and cyber worlds.
That what I just pointed out to you is called the Four Point Process or 4PP for short. It’s from the OSSTMM. Click that link. Go ahead. And what just happened when you clicked that link, hunh? I’m full of surprises.
The 4PP is how you can analyze, test, or build security for anything. It’s based on how all security is about interactions. And there’s four main areas of interactions which I’ll explain without using the technical OSSTMM words for it:
1. Interaction. You throw something at me and I throw it back. That’s an interaction. You ask me a question and I answer. Interaction. You make a loud noise near me and I react. Interaction. You see where I’m going with this I hope. If not, just keep saying more things like that to yourself and then say “interaction” afterwards and continue to point 2 when you’re ready.
2. Emanations. You approach the thing and it smells funny. Or it flashes a light. Or it makes a sound, an electromagnetic wave in the 2.4 GHz frequency range, and strange vibration coming from it accompanied by 5 volts of electricity. These are the things it gives off. Sometimes that emanation tells you something about the thing and sometimes it doesn’t. Sometimes you just don’t know enough about science to really understand what’s being leaked. As I said, security is hard.
3. Environment. The place where the thing resides is its environment. Applications have an Operating System as an environment. Servers have a network. Networks have allowed transport protocols. I’ve simplified but you get the idea. That environment does two things, it frames what the thing can do while in the environment and it frames what anyone can do trying to get to that thing in that environment. While that seems limited, knowing the environment lets you know what is likely running there and knowing the versions of the environment will tell you a lot more. It’s all about the details.
4. Resources. As you stuff your face while reading this I think you get the point of resources. It’s the stuff that the target needs to keep going. For an application it could be certain libraries or even specific variables and even formats of those variables. It could be climate control, power, vibration control, or, as in my case, little rainbows. The required resources show the limits of what the target can do during a specific time period. Changes in the resources lead to changes in outcome, like overclocking a computer or underpowering it in a brown-out. Sometimes they lead to vulnerabilities, like how buffer overflows are a form of too much of a resource.
The 4PPs are what you need to understand to secure something. Actually, it’s everything you need to know. And the real cat and mouse game here is how much more detail you can know about these things than your adversary. Which brings me to the next issue of being able to secure something, technology moves too fast.
The key here is that you need to know more about how something works than your adversary and that can go in two directions, deeper and broader. To know something deeper isn’t just the way it’s built but you can get right down to the physics of it, understanding the interaction of particles. The same is true of broader where you understand better the connectivity between things whether or not they’re in the same environment.
Our ability to see smaller or broader is understand changes at the smallest possible point of interaction. And that’s why as technology gets better we can see things we couldn’t previously see before. So technology moving fast doesn’t impact cybersecurity because there’s newer things always to secure in new ways, but because the race to the deeper understanding of what we need to secure is hard to keep pace with.
Thinking globally, at a nation state level, an investment in technology across all fields is an investment in security. And I mean everything from life sciences to cosmology. Even sciences that don’t seem to fit to security like particle physics, botany, beekeeping, paleontology, and even sociology matter because in all these sciences there is a drive towards new technology for deeper and broader understanding.
That technology can be also then be adapted to understanding other things as well, like security. You think the technique to get data off a CPU by observing its heat flow didn’t start somewhere else? No, the tools to observe and measure heat already existed and were then applied to breaking encryption. So yes, every field of science can lead to better understandings of security because of the technology and techniques they create.
When I coach organizations on improving their security, the first thing I map out with them is the breakdown of what they have to do to gain understanding. I use the Four Point Process to categorize and compartmentalize what needs to be done. It’s the first step to analyzing anything you don’t know and the first step towards improving security.