“Complexity has killed security” was an issue that dominated this year’s Black Hat Asia, which took place on a completely virtual platform for the first time.
Speaking at the second-day keynote session, Daniel Gruss, InfoSec Professor, Graz University of Technology, encapsulated the issue best when he said, “The thing is we are putting layers on top of layers that depend on each other and make assumptions about each other but it’s not really clear whether these assumptions always hold”. Daniel compared cybersecurity to a complex building where floors upon floors are built on top of each other but at the risk of its stability.
Cybersecurity has been getting more and more complex since the Internet radically changed, well, everything. Over the years, organisations have had to implement various cybersecurity layers on top of each other to achieve their “defence-in-depth” strategies. However, many have discovered that this complexity can also kill security if it is not done properly and if the basics are not met in the first place. This results in the rising number of cyber incidents and breaches we keep hearing about on a daily basis.
Daniel suggests that we should approach cybersecurity with a natural-science method because, according to him, the complexity of modern software and hardware is reaching the level of complex biological organisms. Hence, he said, “We have to study it like nature, and we have to go through the regular natural science methodology”.
This includes asking questions, formulating hypotheses, predicting the outcome, testing whether the prediction holds, analysing the result and comparing it to previous studies and materials. “This is how our science works and our artificial science, where we study computers, works in the same way. Our systems are getting more and more complex and that means we will have to invest more into studying them like nature, expecting a significantly larger number of people studying security and analysing the security of our systems today”.
He wrapped up his session by saying that we have to observe how the complexity of hardware and software systems continues to increase and how our perspective on security changes over time. Throughout the four-day event, Black Hat Asia 2020 presented attendees with the chance to attend briefings on a wide variety of information security subjects and explore the various layers in complexity that have been added to cybersecurity over time.
These concerns, of course, have grown ever greater during the pandemic, which also became a hot topic of discussion during the event.
Ever since work-from-home setups were widely implemented throughout many organisations globally, there have been numerous security breaches and cyber attacks that capitalised on the situation. These also require organisations to “go back to the basics”.
For example, employees working from their homes should be the first focus when improving cybersecurity. Companies should deploy more secure connections such as VPNs, and take other security measures starting with the workforce and extending throughout their overall systems.
Cybersecurity should be addressed from its roots and all the simple steps should be taken first. Perhaps the “natural science” method, endorsed by Daniel Gruss, is one way that can help organisations better understand their systems and security. What’s certain is that businesses have to start looking for ways to unravel the complexity of their cybersecurity sooner, rather than later.