Free Chapter of Cybersecurity: Issues of Today, a Path for Tomorrow, by Daniel Reis
Daniel Reis has spent over twenty-five years working with major technology companies and customers to define and manage existing and new security products. Dan holds a Bachelor’s degree in economics, an MBA, and a Master’s in Information Systems Security. He spent many years working in network security protection systems and is now Director of Product Marketing with a global leader in threat intelligence. In this article we bring you the first chapter of his book Cybersecurity: Issues of Today, a Path for Tomorrow, where he explores topics organizations and security professionals wrestle with to deploy and maintain a robust secure environment.
What made you write this book?
In writing this book I wanted to answer a fundamental question. What does it mean for an organization to be secure? And, how can they determine that they’ve achieved this? In twenty-five plus years in high tech, and sixteen in security, I observed that determining effectiveness or potential gaps in a security implementation was near impossible. Continually pushing this is a constant growth in new security products as well as methods to implement and maintain an enormous mix of security and other products. This book is meant to kick off a broad discussion of security and set a baseline of the issues and potential means to get as close to an overall secure environment as possible for secure computing today as well as in the future.
What new knowledge did you gain whilst writing the book?
Based on my experience and research for this book, it became even clearer how hard a lot of people work to keep information secure. The problem is that, based on the current trajectory of sophisticated threats and security complexity, data exposure is increasing, not the other way around. The research I did was stunning as to how many security product companies there are globally, and with the products and their variations in implementation and use, no wonder organizations struggle. It became clear that this is the time to rethink security overall.
Following is the first chapter of the book. To acquire the full book please visit www.cybrcomm.com.
Chapter 1 - Computing in the Age of Everything
The new frontier of computing—from the connected car to health and fitness devices and from smart refrigerators to intelligent factory robots—has been predicted in different forms numerous times. This conglomeration of devices and information flow is referred to as the “Internet of Things” (IoT). In 1999, Neil Gross, professor of sociology at the University of British Columbia and a visiting scholar at New York University’s Institute for Public Knowledge, said, “In the next century, planet earth will don an electronic skin. It will use the Internet as a scaffold to support and transmit its sensations.”
So now there are watches with sensors to monitor an individual’s physical state and ship the content off via Bluetooth or some other narrow broadcast methodology to a receiving device. Once received, compilation and analysis can be performed on the data, perhaps with the intention of alerting medical staff of a potential condition, or of an actual emergency, or just to record and analyze physical activity. Information gathered from this device can also be correlated with other information from other devices, displayed on large screens to better enable a viewer to see and analyze it and look for cues from the mix of data. A device may be local in that it only connects within the owner’s device family, or it could have global connections and be able to upload or download content to remote systems within the amorphous thing-of-things called “the cloud” (more on that later).
A question that needs to be asked by society, but is already being driven to redefine our world and our view, is whether people and societies wish to either create or augment reality, and if so, what the benefits of doing so are. Clearly all social media and other elements of the ongoing electronic tidal wave have altered reality already, changing how we interact, both inwardly and outwardly. New expectations of our interactions with personal, societal, and world views are already a part of the framework of people’s lives today, whether we like it or understand it. In the area of security, all of these new devices and their interfaces represent a multitude of new access points and doors to places that security has no control over. The fact is we need to better capture the flow of information within these systems to better understand their influence on each and every respective domain security is slated to protect.
Regardless of the current hype as to the origination of the “Internet of Things” (IoT), it effectively arrived far before anyone called it by this name or had even considered what connecting ubiquitous devices, or “things,” to each other meant. What could be called a “thing” in the 1960s or 1970s to a layperson of that time was a device that could perform a useful task for an expert. For instance, troff [1], which is an old document-processing software system developed by AT&T for UNIX, was a programmable input language (document processing = a word processor) that had the ability to have areas designated on a screen for elements, such as fonts, spacing, paragraphs, margins, and footnotes, which is something we’ve taken for granted for decades now. This is done by today’s word processing or publishing applications that everyone uses. A connection that might be made to an old processing system could be an input device, such as a card-punch reader (a thing), for loading in a computer program, or some type of output device, such as a printer (another thing), run by troff to produce printed output on a printer of that era. It meant the devices had to have some type of physical link (or means to communicate between devices) to another type of computing device, something all of us take for granted today.
The telegraph, which has been around for well over a century, connected ubiquitous devices (IoT) into a physical communications network, using agreed-upon electrical-pulse patterns or code as the means to communicate information. At the time of the telegraph, the creators, readers, and translators of the pulses were human. As long as a message or some form of information can be transmitted and read between two or more devices or parties, you essentially have a network with “things” attached, crude as one may be when compared to modern systems. If you think about a town of any size in the heyday of the telegraph and a person coming in to either send or get a message, the device that message came in through certainly looked like no other “thing” that person may have been familiar with. So though it wasn’t coined as the IoT at the time, it surely was a “Connection of Things” (CoT) that allowed fast and efficient communication relative to its time in history.
The IoT scenario today enables the complete mobility of information regardless of whether it’s mundane or high-value content. It also means that whatever value the content may have, it lives indefinitely everywhere and nowhere. As well, a content owner may no longer even have knowledge or actual control as to where their content will end up or who may have access to it. And in all likelihood, the content will outlive the actual creator. This is another avenue that continues to exacerbate the risk to information and its owners, whether on a personal level or for an organization. Any area where content exists is a potential environment that always has some risk of exposure. For instance, environments that use industrial SCADA (Supervisory Control and Data Acquisition) [2] devices that communicate within a factory floor, as well as to their company’s business systems, could have information related to each device stored all over the place. The SCADA devices can have information that relates to production results, operational parameters of production or other systems, and areas that can impact product quality, all of which might be a target for a competitor or state actor. The factory’s computing systems may be monitoring and comparing specifications during product runs while compiling information and delivering reports to other production systems or a management system for data compilation and review.
All the activities of any production system can take place within a single factory or include multiple facilities located anywhere in the world in order to calculate, monitor, and manage important production, material, inventory and other business aspects. The interchange of information between factory systems allows operators to better keep devices functioning within operational guidelines for goods production as well as keep inventory and supplies at levels the organization requires, whether for just-in-time or other types of manufacturing inventory control. And, most likely, production systems, from factory floor systems to their controlling servers can contain specific intellectual property, for instance about a product or a product process that would need to be protected. They could also contain information on production capabilities, potentially costs of production, along with other types of information that an organization will usually want to keep private.
The Connection of Connections for IoET
Modern device interconnections constantly recur, taking place when something is being sent and/or received between systems, making intermittent connections for short durations based on the overall communication specification between various devices and systems. During transfer, devices are not really connected but are, in essence, doing controlled handoffs of information between multiple devices. I contrast this with a connection that is either a direct physical link or a dedicated path through a network to guarantee the traffic flow and communication process speed between multiple devices. Being able to ensure streaming information operates at a specified minimal rate can be done by logically locking down a portion of a network between devices so that no other device can impact the rate for that communication activity. This is a very useful capability in use today to support areas such as video streaming and other high bandwidth demand technologies.
Today’s networks transmit and process information utilizing various units of data. For our purposes here, I’m going to use the term packets to refer to any communication between devices. An important point here is that whatever the communication, it happens so quickly and effectively that users don’t perceive much in the way of a delay. Any transmission of information passes between communicating parties and through many intermediaries so quickly that, for users, it looks real-time as though on a dedicated link. The communication from a transmitting system doesn’t need direct information from a receiving system’s physical or network location since intermediary devices can contain all the required information, utilizing an endless selection of paths to deliver the necessary communication requested. The communications taking place today may be from person to person (via some type of viewing system), person to device, device to person, and device to device.