Cyber Security Articles

What This Cyber Security Articles Page Is About

The goal of Journal of Cyber Policy is to provide commentary and stimulate conversations about important cyber security topics. Our parallel goal is to discuss cyber issues in plain English, liberating this critical subject from the exclusive realm of specialized engineers and hackers. Throughout, we try to talk about cyber security and related issues from the perspectives of public policy, national security, corporate policy and compliance.

Why Articles about Cyber Security Matter

We are living in an era where digital technology dominates so much of our lives. Digital risk naturally accompanies this reality. Smartphones, the IoT, the Internet and so forth make our lives easier, but they also expose us to threats. Some of these threats come from nation state actors. We believe Americans could be better-informed about these risks. And, while there’s certainly no lack of content online about cyberthreats, room still exists for cyber security articles that integrate the subject’s diverse themes of technology, politics and business.

For example, Russian disinformation and Chinese espionage are not new, but today’s digital landscape makes these familiar tactics deadly, in political terms. The Cold War was largely analog in nature, with offensive campaigns quite limited in scope and impact. While Cold War dynamics may survive today, they are having a radically different effect on American society and politics than anything that came before.

It can be tricky to tease out the differences between today and a generation ago. American politics and governance have always been messy, dishonest and idiotic, but there were at least some fact-based controls on it. This is no longer the case. Our enemies are exploiting this new reality. In some cases, they’ve created this new reality.

We see the impacts of these new measures, but leaders across the government and business sectors generally fail to understand the transformative nature of technology, e.g. Amazon is not just a bigger mail order store; the iPhone is not just a phone with fancy features, and so forth. These cognitive gaps lead to deficiencies in the perception of risk. They enable our leaders to underestimate our enemies and how they can win without firing a shot. We also tend to overestimate our defenses and resiliency.

The digitization of society, commerce and politics renders America defenseless in ways that we are only beginning to understand. Digital transformation is a double-edged sword. America’s rush to digitize its economy and society produces as much risk as it does benefit. For example, we have to manage the tensions between mobility and surveillance, between big data and privacy and so on.

The Topics We Cover in These Articles

We deal with a wide range of cyber security topics in these articles. Some discuss cyber election interference. Others look at geopolitical cyber risks, such as our recent series on Russian disinformation and “Active Measures.” We will frequently check in on the state of enterprise architecture and cloud computing, seeking expert insights into the best practices and new security technologies that are influencing security policies in these areas of information technology. We cover the gamut of security subjects: malware, phishing, identity and access management (IAM), privileged access management (PAM), zero trust, data security, application security, secure DevOps (DevSecOps), red-blue teaming, automation, Security Orchestration, Automation and Response (SOAR), threat monitoring, incident response, intrusion detection, encryption, key management and on and on. Our cyber security articles also look at compliance, government cybersecurity frameworks like the NIST CSF, and regulations like GDPR, CCPA and more.

Black Hat 2018: Encrypting Hollywood, and Beyond

There’s a detail in Richard Bach’s Final Cut, his account of the disastrous making of the movie Heaven’s Gate, that at once seems quaint and prescient from today’s cyber perspective. Michael Cimino, the notorious control-freak director, whose machinations ultimately caused the collapse of United Artists in 1981, hired his own personal armed guard to prevent anyone from the studio taking away the motion picture negative for the film.

As long as anyone trying to get their hands on the negative (shot by the masterful Vilmos Zsigmond) could be potentially shot to death, Cimino was in charge. Though United Artists had paid to produce the film, Cimino effectively controlled the asset. Oh, how things have(n’t) changed.

Some movies are still shot on 35mm film, though most are now captured on advanced digital systems. The hard drive is the new negative. Without it, there is no movie. Even film-based productions usually wind up with such extensive Computer-Generated Imagery (CGI) that the digital edition of the material is what counts, what has value.

Richard Blech, CEO of Secure Channels

How much value? For today’s movies, which are, in essence, simply massive collections of data, the value of their bits and bytes is astronomical. It’s not just the cost of production, which can run to hundreds of millions. It’s the full value of the movie, the future cash flows, often measured in billions, that sit on those motion picture hard drives. Are these vulnerable to hacking? Ask Amy Pascal, former Chairperson of Sony Pictures, who lost her job after the company was hacked by North Korean operatives in 2015.

Imagine the ransom you could get if you locked up the data for the next Star Wars movie, for example. Given such risks, encrypting motion pictures is now a critical requirement in the entertainment industry. This is the challenge that Secure Channels has taken on. The Irvine, California-based self-funded startup is bootstrapping itself using the entertainment industry as a proving ground for its advanced encryption platform. Secure Channels is able to encrypt video material right off the camera shooting an 8K raw video file. It’s a real-time cipher that does not add size or time overhead to the process.

“You really have to protect the shot right on the set, honestly,” said Richard Blech, CEO of Secure Channels. “It’s vulnerable the moment it’s created. That’s the problem we solve.”

The company is already working on engaging beyond Hollywood, however. Its cryptographic primitives are generating interest in the insurance, medical and government arenas. In this regard, Blech made a point that was repeated in a number of venues at Black Hat 2018: there is a serious imbalance in the cyber security world. While organizations like corporations and government agencies are bound to adhere to standards like FIPS and GDPR, the attackers have no such limits. “We have to get ahead of them, be stronger than the bad guys or we’re going to get in a lot of trouble.”

One area where Secure Channels also appears to be making some welcome innovation is in the administration of encryption. Their platform encrypts endpoints and central storage arrays, but administration is cloud-based. They provide a central point of control for far-flung encryption processes. This will likely help them make inroads with mature enterprises that struggle to integrate new cyber security solutions.

Photo Credit: Arbron Flickr via Compfight cc

Black Hat 2018: Swimlane and a Can of Whoop-@ss

If you’re in SecOps and feeling overwhelmed by an abundance of attackers and a shortage of good recruits for your team, we’ve got good news for you. Now, you can open up a good ol’ can of Whoop-@ss on the bad guys. Security automation Whoop-@ss, that is.

While he was of course far too refined to use this term in our discussion, I am convinced this was the very concept envisioned by Swimlane CEO Cody Cornell. Swimlane offers a solution for Security Automation and Orchestration (SAO). SAO automates routine cybersecurity tasks. It orchestrates workflows to help streamline incident response.

For instance, if an IDS discovers a suspicious binary, the SAO solution can automatically check a threat intel system and initiate a response process that includes automated email notifications, ticket creation and the like. The time saved makes the SecOps team more productive. As a result, the current security personnel shortage becomes less burdensome.
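To make that workflow concrete, here is an added example, not Swimlane’s code or any vendor’s: a small Go playbook that takes an IDS alert carrying a file hash, asks a constructed in-memory threat-intel table for a verdict, and turns the answer into the kind of actions the paragraph describes (isolate, ticket, notify, or sandbox first when the hash is unknown). The hashes, host names and paths are made up, and the actions are only recorded rather than sent to a ticketing or mail system. It also suppresses a second alert for the same host and hash, a detail any real playbook needs so a noisy endpoint does not open ten tickets for one file.

```go
package main

import (
	"fmt"
	"strings"
)

// Alert is what an IDS hands to the orchestration layer when it sees a
// suspicious binary. The fields are constructed for this example and are
// not a Swimlane schema.
type Alert struct {
	Host   string
	SHA256 string
	Path   string
}

// Verdict is the answer a threat-intel lookup gives for a file hash.
type Verdict string

const (
	Malicious Verdict = "malicious"
	Unknown   Verdict = "unknown"
	Benign    Verdict = "benign"
)

// Action is one step the playbook decided on. A production SOAR would hand
// each one to a ticketing, mail or EDR connector; here we only record intent.
type Action struct {
	Kind   string // isolate, ticket, email, sandbox, log, suppress
	Detail string
}

// Playbook is the "suspicious binary" workflow: enrich, decide, respond, and
// suppress repeats so one noisy host does not open ten tickets for one file.
type Playbook struct {
	Lookup   func(sha256 string) Verdict
	ticketed map[string]bool // host|hash pairs that already have an open ticket
}

func NewPlaybook(lookup func(string) Verdict) *Playbook {
	return &Playbook{Lookup: lookup, ticketed: map[string]bool{}}
}

// Handle runs the workflow for one alert and returns the actions, in order.
func (p *Playbook) Handle(a Alert) []Action {
	hash := strings.ToLower(strings.TrimSpace(a.SHA256))
	key := a.Host + "|" + hash
	if p.ticketed[key] {
		return []Action{{"suppress", "duplicate of open ticket for " + key}}
	}
	short := hash
	if len(short) > 12 {
		short = short[:12]
	}
	switch p.Lookup(hash) {
	case Malicious:
		p.ticketed[key] = true
		return []Action{
			{"isolate", a.Host},
			{"ticket", fmt.Sprintf("P1 known-malicious %s at %s on %s", short, a.Path, a.Host)},
			{"email", "soc-oncall: P1 ticket opened for " + a.Host},
		}
	case Benign:
		return []Action{{"log", "benign hash " + short + ", no ticket"}}
	default: // Unknown (or any verdict we do not recognise): gather evidence first
		p.ticketed[key] = true
		return []Action{
			{"sandbox", fmt.Sprintf("detonate %s collected from %s", short, a.Host)},
			{"ticket", fmt.Sprintf("P3 unknown binary %s on %s, awaiting sandbox verdict", short, a.Host)},
		}
	}
}

// MalHash and BenignHash are made-up values; ConstructedIntel stands in for
// a real threat-intel API.
var (
	MalHash          = strings.Repeat("1", 64)
	BenignHash       = strings.Repeat("2", 64)
	ConstructedIntel = map[string]Verdict{MalHash: Malicious, BenignHash: Benign}
)

func LookupConstructed(hash string) Verdict {
	if v, ok := ConstructedIntel[hash]; ok {
		return v
	}
	return Unknown
}

func main() {
	pb := NewPlaybook(LookupConstructed)
	alerts := []Alert{
		{"ws-017", MalHash, `C:\Users\jdoe\AppData\Local\Temp\update.exe`},
		{"ws-017", MalHash, `C:\Users\jdoe\AppData\Local\Temp\update.exe`}, // repeat: suppressed
		{"ws-042", BenignHash, "/usr/bin/curl"},
		{"srv-db1", strings.Repeat("3", 64), "/tmp/.x"},
	}
	for _, a := range alerts {
		for _, act := range pb.Handle(a) {
			fmt.Printf("%-8s %-8s %s\n", a.Host, act.Kind, act.Detail)
		}
	}
}
```

The shape to notice is that the verdict decides the whole branch: a known-bad hash goes straight to containment and a P1 ticket, while an unknown one gets evidence gathering and a low-priority ticket instead of either a false alarm or silence. Swapping the constructed lookup for a real threat-intel client is the only change a deployment would need in `Handle`.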

Swimlane CEO Cody Cornell

But about that can… Swimlane is also pioneering a community-oriented approach to security problem solving. Users of the solution are able to contribute their workflow patterns for common use. That way, if a Swimlane user develops an audit support workflow, he or she can make it public on the Swimlane community. Users at other organizations can then take advantage of the creator’s work.

Cornell refers to this as a “building block” approach to security. I like the idea of a can of whoop-@ss better. Got a security threat? Go to the shelf and get a can of Whoop-@ss designed to lick that problem right away. It’s fast. It’s efficient. It’s a serious, pre-packaged beatin’ for threats and security incidents.

Swimlane’s community now has pre-packaged workflow templates for a variety of scenarios and industries. There is a financial industry set of building blocks, one for healthcare and so on. Think of it as a supermarket aisle lined with different brands of SAO whoop-@ss in cans.

One further advantage of the community, according to Cornell, relates to its ability to establish and lock down security procedures. With today’s board-level focus on cyber security, it can be useful for the CISO to have a set of preset responses ready to go for a security incident. With tooling like Swimlane, outfitted with pre-packaged workflows, SecOps can execute a planned and proven set of procedures in the event of an attack or breach.

This readiness protects the CISO. He or she can tell the board, in essence, “I did exactly as I discussed, according to plan.” (But we know that he really just opened a big ol’ can of you-know-what on that hacker.)

Photo Credit: Leo Reynolds Flickr via Compfight cc

Black Hat 2018: Securing Unstructured Data

Ready for your post Black Hat 2018 eye-opener of the day? According to Brian Vecci, CISSP and Technical Evangelist for Varonis, 58% of companies have more than 100,000 folders open to anyone who happens to be on their networks. How well do we think those companies understand what’s in those thousands of folders? Thought so… But, at least they have no idea who is accessing them, either. In fact, Vecci pointed out that 34% of users in these organizations are, in his words, “stale.” They may have left the company but retained their network access credentials.

As you might imagine, there is serious security risk exposure in this level of control laxity for unstructured data like Word files and PDFs. Even companies with strict data life cycle policies for databases tend to be bad at deleting unstructured data on a schedule. It just sits. “You could have confidential financial information, personal contact data, trade secrets and more in document files that are open to much wider access than most people realize,” Vecci said. “This is the challenge we have taken on.”

Brian Vecci, Technical Evangelist for Varonis

Varonis offers solutions for data governance and analytics affecting unstructured data on file drives, SharePoint sites and Office 365 file repositories. It’s not Data Loss Prevention (DLP) or Identity Management. Rather, Varonis finds sensitive data and sets up access control rules. The solution can monitor who is trying to get at sensitive files, issuing alerts when there is suspicious activity.

Alert scenarios range from outside hackers to an employee who is planning to leave the company suddenly downloading a lot of files for no apparent reason. In this latter context, the security of unstructured data is about more than just cyber security. It’s a matter of effective business management. Letting sensitive information fall into the wrong hands can disrupt a company’s competitive edge or denigrate its public reputation.
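The three problems Vecci describes (folders open to everyone, stale accounts that still hold access, and a user suddenly pulling down a lot of files) can all be checked from data most file servers already produce. The Go program below is an added example, not Varonis’s product or code: it audits a constructed ACL listing against a constructed last-login table and runs a sliding-window check over constructed audit-log lines. The group names, users, paths and timestamps are made up; the 90-day idle limit and the four-files-in-ten-minutes threshold are assumptions you would tune for your own environment.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// ACLEntry is one grant on a folder. BroadGroups are the catch-all principals
// whose presence on an ACL means "open to anyone on the network".
type ACLEntry struct{ Folder, Principal string }

var BroadGroups = map[string]bool{"everyone": true, "authenticated users": true, "domain users": true}

// Access is one READ event from a file-server audit log; Finding is what the
// checks emit, with Kind one of open-folder, stale-user or bulk-read.
type Access struct {
	When       time.Time
	User, Path string
}
type Finding struct{ Kind, Subject, Detail string }

// ParseAccessLog reads constructed lines "<RFC3339 time> <user> READ <path>"
// and skips malformed lines rather than aborting the whole run.
func ParseAccessLog(text string) []Access {
	var out []Access
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || f[2] != "READ" {
			continue
		}
		if ts, err := time.Parse(time.RFC3339, f[0]); err == nil {
			out = append(out, Access{ts, f[1], f[3]})
		}
	}
	return out
}

// AuditGrants walks the ACL once and flags folders granted to a catch-all
// group, plus accounts that still hold a grant but have not logged in within
// maxIdle of now (an account with no login on record shows the zero date).
func AuditGrants(acl []ACLEntry, lastLogin map[string]time.Time, now time.Time, maxIdle time.Duration) []Finding {
	var out []Finding
	for _, e := range acl {
		u := e.Principal
		last, ok := lastLogin[u]
		switch {
		case BroadGroups[strings.ToLower(u)]:
			out = append(out, Finding{"open-folder", e.Folder, "granted to " + u})
		case !ok || now.Sub(last) > maxIdle:
			out = append(out, Finding{"stale-user", u, "still granted " + e.Folder + ", last login " + last.Format("2006-01-02")})
		}
	}
	return out
}

// BulkReads flags a user who reads at least threshold distinct files inside a
// sliding time window: the "suddenly downloading a lot of files" pattern.
func BulkReads(events []Access, window time.Duration, threshold int) []Finding {
	byUser := map[string][]Access{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	var out []Finding
	for u, ev := range byUser {
		sort.Slice(ev, func(i, j int) bool { return ev[i].When.Before(ev[j].When) })
		inWindow := map[string]int{} // distinct paths currently inside the window
		for start, end := 0, 0; end < len(ev); end++ {
			inWindow[ev[end].Path]++
			for ; ev[end].When.Sub(ev[start].When) > window; start++ { // slide the left edge
				p := ev[start].Path
				if inWindow[p]--; inWindow[p] == 0 {
					delete(inWindow, p)
				}
			}
			if len(inWindow) >= threshold {
				out = append(out, Finding{"bulk-read", u, fmt.Sprintf("%d distinct files within %s, ending %s",
					len(inWindow), window, ev[end].When.Format(time.RFC3339))})
				break // one finding per user is enough to raise the alert
			}
		}
	}
	return out
}

// Constructed sample data: two folders open to catch-all groups, an ex-employee
// (mlee) still holding a grant, and jdoe reading finance files in a burst.
var (
	SampleNow       = time.Date(2018, 8, 9, 18, 0, 0, 0, time.UTC)
	SampleLastLogin = map[string]time.Time{"jdoe": SampleNow.AddDate(0, 0, -8), "mlee": SampleNow.AddDate(0, 0, -206)}
	SampleACL       = []ACLEntry{{`\\fs1\finance`, "Everyone"}, {`\\fs1\finance`, "jdoe"},
		{`\\fs1\hr`, "mlee"}, {`\\fs1\legal`, "Domain Users"}}
	SampleLog = `2018-08-09T17:00:10Z jdoe READ \\fs1\finance\q3-forecast.xlsx
2018-08-09T17:00:41Z jdoe READ \\fs1\finance\board-deck.pptx
2018-08-09T17:01:05Z jdoe READ \\fs1\finance\q3-forecast.xlsx
2018-08-09T17:01:30Z jdoe READ \\fs1\finance\payroll-2018.xlsx
2018-08-09T17:02:02Z jdoe READ \\fs1\finance\m-and-a-notes.docx
2018-08-09T09:15:00Z mlee READ \\fs1\hr\handbook.pdf
this line is garbage and is skipped`
)

func main() {
	findings := AuditGrants(SampleACL, SampleLastLogin, SampleNow, 90*24*time.Hour)
	findings = append(findings, BulkReads(ParseAccessLog(SampleLog), 10*time.Minute, 4)...)
	for _, f := range findings {
		fmt.Printf("%-12s %-14s %s\n", f.Kind, f.Subject, f.Detail)
	}
}
```

Two details matter in practice. The bulk-read check counts distinct files, so re-opening the same spreadsheet five times is not a burst; and it uses a sliding window rather than fixed clock buckets, so a download spree that straddles the top of the hour is not split into two halves that each look harmless.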

The Varonis solution can also help with classification of unstructured data, a massive headache that many organizations either avoid altogether or do in a superficial way. This process aligns with compliance. For example, under GDPR, companies must control and disclose how they handle personally identifiable information. This is relatively straightforward, if time-consuming with databases, but it can be nearly impossible with unstructured data in the absence of a solution.

Using Policy to Foil the RATS in ICS

Xage Security just announced its new Policy Manager product, which can automatically enforce security policies across distributed critical infrastructure and Industrial Control Systems (ICSs). The news is another welcome drumbeat in the march toward a workable solution for the United States’ highly vulnerable power grid and oil and gas infrastructure. The announcement also aligns with new FERC regulations and legislation that will give the Department of Homeland Security more influence and responsibilities for ICS cyber security.

James Cagney, who hated “Dirty Rats”

The threats against ICS and critical infrastructure are growing demonstrably worse, according to Duncan Greatwood, CEO of Xage. “Attacks are escalating,” he said. “The government is receiving a series of wakeup calls, and they’re not hitting the snooze button anymore.” Specifically, attackers are now taking advantage of Internet-connected devices at the edge of critical infrastructure networks. From such remote endpoints, malicious actors can inject a Remote Access Trojan (RAT).

Duncan Greatwood, CEO of Xage Security

A RAT can sit inside ICSs like SCADA systems and await remote activation, like Triton did in the attack on Schneider Electric in early 2018. RATs can spread laterally. Once active, they can disrupt systems, escalate privileges, steal information and generally wreak havoc on critical infrastructure. “RATs and the general problem of vulnerable endpoints make the core of the ICS much less secure than it once was,” Greatwood added. “Historically, SCADA systems were insulated from most outside threats. Not true today.”

Screen shot of Xage Policy Manager

Xage Policy Manager offers power operators and other ICS owners an automated, decentralized security solution for distributed critical infrastructure. Policy Manager uses a blockchain to provide automatic, verifiable replication of security requirements across large numbers of devices, no matter how geographically dispersed they might be. For example, with Policy Manager, the ICS admin can set and enforce a rule to rotate complex passwords according to centrally defined timetables and policies. These features make Policy Manager useful for industrial companies that want to comply with government regulations as well.

Photo Credit: wwward0 Flickr via Compfight cc

Black Hat 2018: Attack Simulation

Inspector Clouseau, of Pink Panther fame, had Cato Fong, his manservant, attack him by surprise to keep his self-defense reflexes strong. (And funny.) Businesses and government agencies today should have their own version of Cato in the form of attack simulation software. Black Hat 2018 had several vendors offering this kind of solution, sometimes called Breach and Attack Simulation (BAS). These included AttackIQ, XM Cyber, Cymulate and others.

This is a good time to have, or at least be aware of, BAS. Because, just as Cato hid in closets and freezers waiting for the right moment to ambush his boss, so too do Advanced Persistent Threats (APTs) lurk inside networks in search of cyber vulnerabilities. Effective protection requires constant checking of countermeasures. That’s what BAS does.

Peter Sellers (Left) as Inspector Clouseau, fending off one of many surprise attacks by Cato Fong, played by Burt Kwouk, in the Pink Panther film series. (Copyright MGM)

Vulnerable, Despite an Ethos of Diligence

BAS providers understand that even the most diligent SecOps teams and IT departments can leave systems exposed through unexpected attack surfaces. For example, according to Verizon, 80% of organizations have misconfigured controls. Each misconfiguration is waiting for an APT.

“The attacker only has to be right once,” said Carl Wright, Chief Revenue Officer of AttackIQ. “The defender has to be right 100% of the time, which is essentially impossible.” Wright is the former CISO of the US Marine Corps. He cited the example of an organization that left S3 buckets exposed in Amazon Web Services (AWS).

“The attacker only has to be right once.” – Carl Wright, Chief Revenue Officer of AttackIQ

In some cases, the accidents are simply due to the scale and scope of organizations. Indeed, what counts as an organization today may actually be an agglomeration of connected but separate entities. This structure, which is inevitable in most modern industries, is notorious for poorly configured security controls.

The Need for Automation in Security Controls Testing

In Wright’s view, security is five years behind IT in its workflow automation capabilities. “The attackers are getting increasingly automated, though,” he pointed out. “Security has to keep up.” A human “red team” can only assess a small fraction of an organization’s security controls. To remedy this deficit, AttackIQ offers automated control validation.

“APTs can use techniques and methods that go around the controls as attackers often employ legitimate tools and leverage real user behavior.” – Maya Schirmann, VP of Marketing at XM Cyber

The company is responsible for compiling and curating the Common Vulnerabilities and Exposures (CVEs) listed in the Mitre Corporation “Body of Knowledge.” They base their vulnerability assessments on this collection of CVEs. Wright asked, “If you know the attacks, why not exercise all known attacker behaviors against your people, your processes and your security technologies?” He added, “That is what AttackIQ does. If it doesn’t block, you haven’t done it right.” They work on this basis with DoD contractors, healthcare companies and financial institutions.

Cato, the world’s first APT (Copyright MGM)

Varying Approaches to Breach and Attack Simulation

BAS providers come at the APT challenge differently. AttackIQ offers what is essentially an open system testing platform. Users can develop their own tests to measure the effectiveness of their security controls. XM Cyber is more oriented toward revealing security holes like misconfigurations as they appear, regardless of controls. “APTs can use techniques and methods that go around the controls as attackers often employ legitimate tools and leverage real user behavior,” explained Maya Schirmann, VP of Marketing at XM Cyber. “We want to make sure you’re safe by identifying in advance the attack vectors that attackers will use to compromise your critical assets.”

Black Hat 2018: Reducing Attack Surfaces

Cat hacker wants to hack your email and banking app? Dream on, kitty!

The theme of reducing attack surfaces emerged repeatedly at Black Hat 2018. While many cyber security professionals acknowledge the risk exposure hidden in today’s proliferating collection of attack surfaces, not everyone is taking action. It can be a bit frustrating. Bemoaning the vulnerability of stored data and password repositories rings hollow when all you’re offering are more layers of protection for digital assets you more or less admit you can never truly protect.

Two companies I met at the show are actually turning surface reduction theory into practice. Others are also rising to the occasion, for sure. These two are worthy of highlighting, though, for strong innovations and a pragmatic approach to business development. In my experience, it takes both to succeed at the early stage. HYPR is taking on the challenge of decentralized authentication, which takes passwords and PINs out of the login process. PreVeil is on a similar track, eliminating passwords and providing end-to-end encryption of email.

Addressing the Credential Re-Use Problem

How many more massive, costly and embarrassing data breaches will it take before the world concludes that system credentials are insecure? This was the context for the founding of HYPR. The company is tackling the threat of credential re-use by malicious actors, which is at the heart of many of the worst security incidents of recent years.

George Avetisov, CEO of HYPR

Once stolen (through phishing) or guessed (based on weak usernames, passwords and PINs), credentials allow hackers and fraudsters access to any data on the network that isn’t encrypted or extremely well-guarded. Targets of course include huge credential repositories. From there, the attackers can loot pretty much anything they want.

“The password store is the hacker’s favorite target,” said George Avetisov, CEO of HYPR. Their solution is to remove the password store altogether. “We take that juicy target off the board,” Avetisov added. “You can’t hack what’s not there. You can’t phish for credentials that don’t exist.”

HYPR takes a decentralized approach, moving the equivalent of login credentials to the user’s smartphone or other devices. There is no intermediary in the middle, either, which could otherwise serve as a locus for eavesdropping and credential theft.

“You can’t hack what’s not there. You can’t phish for credentials that don’t exist.”

For example, with HYPR, a bank customer stores his or her credentials on the bank’s mobile app. When the user wants to conduct a banking transaction, the bank sends an authentication request to the device. The user then unlocks the app to complete the transaction. The key never leaves the phone. The bank stores no user credentials.

HYPR is now applying this approach to customers of clients like Aetna and Mastercard. PINs are their first use case. Avetisov believes HYPR could help with GDPR compliance as well. By removing passwords from the equation, it’s easier to secure customers’ private data.

What happens if a device is lost or stolen? For this potentiality, the HYPR solution features revocability to secure the enterprise and user. If a device is misplaced, lost or stolen, the user simply reports its loss to the service provider, which revokes the public keys, rendering the device useless to anyone who finds it. The user then re-registers in accordance with the enterprise’s onboarding and “Know Your Customer” (KYC) policies. This process may require an email.
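The flow described above (key on the phone, challenge from the bank, approval by unlocking the app, nothing but a public key on the server, revocation when the phone is lost) is a challenge-response protocol. Below is an added example in Go showing one way to build it; it is not HYPR’s code and makes no claim about their protocol. It assumes Ed25519 signatures, a 32-byte random nonce per login, and a server-side table of issued challenges; the device IDs, user names and time limits are made up. The part worth studying is what Verify refuses: a reused nonce, an expired one, a device that has been revoked, and a signature from any key other than the one registered.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Device stands in for the user's phone. The key pair is generated on the
// device and the private key never leaves it; the bank only ever sees Pub.
type Device struct {
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDevice(id string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, Pub: pub, priv: priv}, nil
}

// Approve is the "user unlocks the app" step: the device signs the challenge.
func (d *Device) Approve(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Server is the bank side. It holds public keys and outstanding challenges;
// there is no password store to dump or phish.
type Server struct {
	devices    map[string]map[string]ed25519.PublicKey // user -> device ID -> key
	challenges map[string]time.Time                    // "user|device|hexnonce" -> expiry
	Now        func() time.Time                        // injectable clock for expiry tests
}

func NewServer() *Server {
	return &Server{map[string]map[string]ed25519.PublicKey{}, map[string]time.Time{}, time.Now}
}

// Register stores the device's public key once onboarding/KYC is done.
func (s *Server) Register(user string, d *Device) {
	if s.devices[user] == nil {
		s.devices[user] = map[string]ed25519.PublicKey{}
	}
	s.devices[user][d.ID] = d.Pub
}

// Challenge issues a random single-use nonce bound to one user and device,
// valid for ttl: the "bank sends an authentication request" step.
func (s *Server) Challenge(user, device string, ttl time.Duration) ([]byte, error) {
	if _, ok := s.devices[user][device]; !ok {
		return nil, errors.New("no active key registered for this device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user+"|"+device+"|"+hex.EncodeToString(nonce)] = s.Now().Add(ttl)
	return nonce, nil
}

// Verify consumes the nonce (so a captured signature cannot be replayed),
// refuses expired challenges and revoked devices, and checks the signature
// against the registered key. Keying the table by user|device also rejects a
// challenge that was issued to a different user or device.
func (s *Server) Verify(user, device string, nonce, sig []byte) error {
	key := user + "|" + device + "|" + hex.EncodeToString(nonce)
	expires, ok := s.challenges[key]
	if !ok {
		return errors.New("unknown, already-used, or differently-bound challenge")
	}
	delete(s.challenges, key) // single use, whether or not the checks below pass
	if s.Now().After(expires) {
		return errors.New("challenge expired")
	}
	pub, ok := s.devices[user][device]
	if !ok {
		return errors.New("device not registered or revoked")
	}
	if !ed25519.Verify(pub, nonce, sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Revoke is the "phone reported lost" step: dropping the public key is the
// revocation, and the user re-registers a new device through onboarding.
// (A production system would keep a tombstone for the audit trail.)
func (s *Server) Revoke(user, device string) { delete(s.devices[user], device) }

func main() {
	srv := NewServer()
	phone, _ := NewDevice("phone-1")
	srv.Register("alice", phone)
	nonce, _ := srv.Challenge("alice", "phone-1", time.Minute)
	fmt.Println("login:", srv.Verify("alice", "phone-1", nonce, phone.Approve(nonce)))
	fmt.Println("replay:", srv.Verify("alice", "phone-1", nonce, phone.Approve(nonce)))
}
```

Here the device signs only the nonce, which is enough because the server binds that nonce to a user and device before handing it out and deletes it on first use. Deployed schemes such as FIDO2 also fold the relying party’s identity into what the authenticator signs, so a challenge obtained for one site cannot be answered for another; that addition changes the signed message, not the structure above.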

Protecting Email Repositories

You don’t have to be a presidential candidate to be concerned about breaches of email. It’s almost assumed, in some circles, that you should write emails with the assumption that they could be made public. Thus, we all start to sound like mobsters. “Hey, did you do the thing? You know, that thing we talked about.” “Yes, I took care of it.” “What about the other thing?”

“Taller walls are harder to breach, but as we see, they continually get breached nonetheless. We felt email security needed a fundamental rethink.”

This is no way to run a railroad. For Sanjeev Verma, Founder and Chairman of PreVeil, the vulnerability of email presented a challenge of imagination. “If you think you can protect something better with taller walls, you’re going to be disappointed,” he said. “Taller walls are harder to breach, but as we see, they continually get breached nonetheless. We felt email security needed a fundamental rethink.”

Sanjeev Verma, Founder and Chairman of PreVeil

Based on a model proposed in an MIT thesis, PreVeil assumes the attacker will get through to the email server. What’s important, though, is what happens once the attacker reaches the target. Their approach is to combine end-to-end email encryption along with a password-less authentication model. PreVeil is offered on a “freemium” basis.

PreVeil encrypts email at every stage of the message delivery and storage process. “If you can get to it, it’s essentially worthless,” Verma said. With PreVeil, every account has a unique 256-bit encryption key on the user’s mobile device. Even the user can’t change it. The user doesn’t know it. No other device can access the user’s email account. The user can only access the account from the right device. This precludes impersonators trying to access email from other locations or unfamiliar devices. To the end user, PreVeil appears as another email folder which encrypts its contents.

PreVeil also takes on the associated administrative challenge that comes with encrypting emails and getting rid of passwords. Their innovation here is what Verma calls an “approval group,” a collection of administrators who share responsibilities for one or more email accounts. When two out of three admins in the approval group authorize a change to the account, it will happen. No single admin can do it all, by design. Similarly, the approval group can agree to decrypt email messages, as might be required in an evidence preservation scenario.
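An approval group is a k-of-n authorization rule, and the heart of it is counting signatures correctly. The Go program below is an added example, not PreVeil’s implementation: three admins hold Ed25519 keys, the group holds only their public keys, and a request to reset a device or decrypt a mailbox goes through only when two distinct members have signed that exact request. The admin names, the request fields and the nonce scheme are assumptions. Note what does not count toward the quorum: an unknown signer, a bad signature, the same admin signing twice, and a signature made over a different request.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Admin is one member of an approval group. The private key stays with that
// person; the group only ever holds the public halves.
type Admin struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewAdmin(name string) (*Admin, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Admin{name, pub, priv}, nil
}

// Request is the privileged change being asked for. Nonce makes each request
// unique, so an approval collected for an old request cannot be reused.
type Request struct {
	Action  string // e.g. "reset-device" or "decrypt-for-legal-hold"
	Account string
	Nonce   string
}

// Bytes is the canonical form every admin signs. Fields are length-prefixed
// so that "a"+"bc" and "ab"+"c" can never produce the same bytes.
func (r Request) Bytes() []byte {
	var b []byte
	for _, f := range []string{r.Action, r.Account, r.Nonce} {
		b = append(b, fmt.Sprintf("%d:", len(f))...)
		b = append(b, f...)
	}
	return b
}

// Approval is one admin's signature over one request.
type Approval struct {
	Admin string
	Sig   []byte
}

func (a *Admin) Approve(r Request) Approval {
	return Approval{a.Name, ed25519.Sign(a.priv, r.Bytes())}
}

// ApprovalGroup enforces "Threshold of the Members must agree".
type ApprovalGroup struct {
	Members   map[string]ed25519.PublicKey
	Threshold int
}

// NewGroup builds a 2-of-3 (or any k-of-n) group from the admins' public keys.
func NewGroup(threshold int, admins ...*Admin) ApprovalGroup {
	g := ApprovalGroup{Members: map[string]ed25519.PublicKey{}, Threshold: threshold}
	for _, a := range admins {
		g.Members[a.Name] = a.Pub
	}
	return g
}

// Authorize counts valid signatures from distinct members and reports whether
// the quorum was reached. Unknown signers, bad signatures, and a second
// signature from the same admin are ignored rather than counted.
func (g ApprovalGroup) Authorize(r Request, approvals []Approval) (bool, int) {
	msg := r.Bytes()
	counted := map[string]bool{}
	for _, ap := range approvals {
		pub, member := g.Members[ap.Admin]
		if !member || counted[ap.Admin] {
			continue
		}
		if ed25519.Verify(pub, msg, ap.Sig) {
			counted[ap.Admin] = true
		}
	}
	return len(counted) >= g.Threshold, len(counted)
}

func main() {
	ann, _ := NewAdmin("ann")
	bob, _ := NewAdmin("bob")
	cy, _ := NewAdmin("cy")
	group := NewGroup(2, ann, bob, cy)
	req := Request{"decrypt-for-legal-hold", "jdoe@example.com", "req-0001"}
	fmt.Println(group.Authorize(req, []Approval{ann.Approve(req)}))                  // false 1
	fmt.Println(group.Authorize(req, []Approval{ann.Approve(req), ann.Approve(req)})) // false 1
	fmt.Println(group.Authorize(req, []Approval{ann.Approve(req), cy.Approve(req)}))  // true 2
}
```

The design point is that the check is stateless and verifiable after the fact: the request bytes plus the approvals are the evidence that the quorum was met, which is exactly what an evidence-preservation scenario needs. The nonce is the one piece of state a real system must track, so that the same two signatures cannot be presented twice.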

Photo Credit: lauracoughlin Flickr via Compfight cc

Black Hat 2018: The ICS Conversation

The subject of Industrial Control Systems (ICSs) came up frequently at Black Hat 2018. The threats are very real, with serious potential consequences in the event of a successful attack. From conversations with various experts at the conference, the state of industrial cyber security seems to be on a trajectory of improvement, but with much work to be done in many “spheres of activity.”

The Importance of Industrial Safety Knowledge in OT Security

One of the first things that struck me was how firms with backgrounds in industrial operations and safety are now parlaying their expertise into successful cyber security businesses in the Operational Technology (OT) space. PAS Global, for example, which cut its teeth in industrial safety in the oil and gas industry over two decades, is now offering products and services for OT cyber security.

It’s a natural evolution for PAS. Indeed, CEO Eddie Habibi remarked that it would be quite difficult for a traditional IT-centric security firm to get a good grip on how the OT world functions. “It’s just a totally different environment,” Habibi said. “For example, in OT, one of the biggest questions in security revolves around how long it will take, and how safe it will be, to turn a system back on after an incident. In IT, you flip a switch. In OT, people’s lives might be in danger if you do it wrong.”

“It’s about safety. Your unknown, Reagan-era hardware might control valves and pipes that could explode if they get overloaded by an attack.”

Eddie Habibi, Founder and CEO of PAS Global

Industrial safety practices and ICS cyber security practices are deeply linked. One issue in OT, per Habibi, is the age of the equipment. “You might have an electronic control device installed in 1980 and forgotten about, honestly,” he said. “But then, it becomes connected to an Internet-connected set of devices and all of a sudden, you have a black box, essentially, affecting your security. And again, it’s not just about hacking. It’s about safety. Your unknown, Reagan-era hardware might control valves and pipes that could explode if they get overloaded by an attack.”

PAS works with industrial companies to understand their ICS cyber risk exposure, starting with a discovery process for devices that affect security. It can be an eye-opening experience. “In one case, a client told us at the start that his oil refinery had 500 endpoints to protect. The actual number was closer to 30,000 once we were done. They had a lot of work to do there.”

Studying an ICS Hack in Real Time

Israel Barak, CISO of Cybereason

Cybereason, which made news at RSA with its financial institution honeypot project, was back at it at Black Hat 2018. This time, they set up a fake electrical power station to see what kind of malicious mischief they could attract. It was an elaborate process, according to Israel Barak, Cybereason’s CISO.

They built a network that closely resembled that of an electric utility, with IT and OT components. They then gave various elements in their “power station” architecture IP addresses that are commonly used in such operations. To a hacker, it looked legit.

After opening up their honeypot to the Internet, they watched for two days as seemingly random “noise” and a huge number of automated probes hit the site. Then, as they expected, they were compromised by an automated tool that was most likely a discovery tool feeding dark web sales of stolen access.

Five days later, actual attackers showed up. Their approach was to start at the IT level, taking over IP-enabled devices, but then quickly moving into the OT segment of the “power station.” This is where things got interesting, from Barak’s perspective. “They absolutely pounded on controls until they broke through to what they wanted,” he said. “We were not expecting this. We assumed the attackers would be highly sophisticated and set about getting OT access through quiet, stealth means. They were setting off all sorts of alarms.”

“We were not expecting this. We assumed the attackers would be highly sophisticated and set about getting OT access through quiet, stealth means. They were setting off all sorts of alarms.”

What did this mean? Barak’s interpretation was that it was a criminal attack, not the kind of nation state security agency operators that have gotten so much attention in recent news stories. “This was not an APT,” he concluded. Is this good news? It’s hard to say.

Duncan Greatwood, CEO of Xage Security

The apparent lack of sophistication in ICS attacks also drew the attention of Duncan Greatwood, CEO of Xage Security and Sergio Caltagirone, Director of Threat Intelligence at Dragos. Both men have observed a wide range of attack techniques, some of them quite crude. Greatwood, for example, is seeing a rise in OT ransomware schemes, where attackers try to lock up industrial systems until they can be paid off in Bitcoins.

Caltagirone, who has studied numerous attacks in the electrical sector, felt that the majority of attackers are relatively low-level in terms of skills, with only about a quarter of attacks actually resulting in ICS disruption. “It’s early, though,” he said. “Give them time and things may get a lot worse.”

Just How Bad Could It Get?

I posed the same question to several experts: Could attackers take down entire sections of the United States’ power supply? Could they, as Ted Koppel warned in his bestselling book “Lights Out,” shut off the electricity in the US for years—by triggering an explosive overload of the grid while simultaneously masking the monitoring tools a la Stuxnet? Opinions were mixed on this question.

Xage’s Greatwood, while dismissing the potential of the kind of total attack Koppel fears, is concerned about how easily attackers can penetrate the IP-connected edge of electrical networks. He felt that malware could spread far faster and further than many people assume. Power outages could be widespread with a successful, sophisticated attack.

Sergio Caltagirone, Director, Threat Intelligence at Dragos

For Dragos’ Caltagirone, the Koppel-level scenario seemed far-fetched. “There is no grid,” he said. “That’s the first fallacy. There are over 3,000 separate entities in the American power supply system, an agglomeration of generation stations, transmission line operations and so forth. No group in the world has enough manpower to disrupt such a big thing.” That said, he is still worried about localized damage, which could be quite destructive and disruptive. Caltagirone’s point resonates with a recent Axios article called “There Is No Grid to Crash.”

Ryan Brichant, VP/CTO – Global Critical Infrastructure Cyber Security at ForeScout, offered a comparable take. “This would be very difficult for any adversary to do today, and I don’t believe it is possible,” he noted. He then added, “Although power transmission is interconnected, the individual IT networks of power companies are not, and thus would prevent overloading all of the lines at once or an ‘infection’ (i.e. malware) cannot spread like ‘wildfire.’” This opinion puts him at odds with Greatwood. We’ll have to set up an arm-wrestling match to resolve the matter at next year’s Black Hat. Stay tuned.

Brichant also felt that the considerable amount of diversity among power generation systems offered another layer of protection. “These were developed over a century in locations all over the country before they were interconnected,” he said. “An adversary would have to coordinate several tailored attacks, which ups the level of difficulty significantly.”

Ryan Brichant, VP/CTO – Global Critical Infrastructure Cyber Security at ForeScout

However, Brichant is not worry-free. He explained, “The key thing to focus on is that our adversaries appear to be persistently targeting control systems. So, whereas it is not possible today for them to create an attack that would infect wide swaths of our power infrastructure in one fell swoop, they may be intent on penetrating them methodically over time. We need to be concerned that our adversaries seek not just the ability to interrupt power, but the ability to destroy infrastructure with the (presumed) intent of being able to disrupt parts or all of American society.”

He elaborated by commenting, “Right now, the physical systems that comprise our power grid do not have the redundancy to withstand destructive attacks (localized or widespread) and this is one reason why DHS has announced a greater focus on identifying and managing risk to the critical sectors.” Brichant concluded by sharing, “What the power industry does have – worth noting – is a strong culture of mutual assistance. Much as we have seen with recent major storms, the entire industry responds to incidents.” He does agree with Koppel’s other premise, though, which is that the United States needs to be better prepared for possible attacks on the electrical system.

Photo Credit: Urban Woodswalker Flickr via Compfight cc

Black Hat 2018 Profile: Fortanix

If you want to protect your data, you encrypt it. That’s a well-established countermeasure. We encrypt data at rest. We encrypt data in transit. What about when your data is in memory or being processed in the CPU? That’s been a tricky area, historically. This is where Fortanix offers a solution.

According to Ambuj Kumar, CEO of Fortanix, data is vulnerable at runtime. Threats include malicious insiders, root users, firmware compromise, operating system zero-day attacks and others. While this insight is not new, the intensity of the threat has increased in recent years. And earlier solutions introduced challenges of their own.

Ambuj Kumar, CEO of Fortanix

Homomorphic encryption, which encrypts data at runtime, is viewed as cumbersome by some in the industry. A CPU processing runtime data with homomorphic encryption is dramatically slower than it would be with unencrypted data. As a result, use cases for homomorphic encryption tend to favor situations with extreme protection requirements, like national security.

Fortanix provides an alternative approach to runtime encryption. Their solution takes advantage of Intel’s Software Guard Extensions (SGX). As aptly described by MIT computer scientists Victor Costan and Srinivas Devadas, SGX is the “latest iteration in a long line of trusted computing designs, which aim to solve the secure remote computation problem by leveraging trusted hardware in the remote computer.” As they put it in their paper, “Intel SGX Explained,” the trusted hardware establishes a secure container.

With SGX and the Fortanix runtime encryption platform, it is possible to conduct general purpose computation on encrypted data without exposing either plaintext application code or data. The cryptographic protection does not have the level of performance overhead that comes with homomorphic encryption. It is also more flexible, able to work on any Linux machine.

The Fortanix model is gaining traction. IBM Cloud Data Guard, for example, is powered by the Fortanix Runtime Encryption platform. Cloud Data Guard provides services and toolkits for users of containerized applications. This enables organizations with sensitive data to work with cloud computing.

Black Hat 2018 Profile: NanoVMs

When you apply for life insurance, you have to disclose whether or not you smoke and have dangerous hobbies like skydiving. If you do, you’re at higher risk for premature death. (But, please, by all means, enjoy!) However, if you want to live longer, you’re better off avoiding high risk activities.

Ian Eyberg, CEO of NanoVMs

Cyber security is not so different. We seem dedicated to technologies that we know are bad for us. Like the smoker who can’t quit, even though he knows it will affect his health, IT departments rely on constructs like shells, which are open to exploits. I’m going to pick on shells in this article, but I don’t want to lose sight of the broader point: Structure determines security, to a great extent.

Shells enable multiple processes to run on the same system. They facilitate remote code access. There are good systemic and operational reasons for this, but the technology was devised in the era predating today’s cloud computing phenomenon and toxic threat environment. Designed for ease of administration, shells have become attack surfaces. Hackers can use shells to run malicious code remotely. Indeed, the massive Equifax hack, for example, started with an exploit carried out on the Apache Struts shell.

What can be done about shell vulnerabilities and the multi-process mode of system operation they enable? One approach is to adopt a unikernel architecture. A unikernel, as its name suggests, is a virtual machine that can be configured to run just one piece of code and nothing else. It cannot be accessed by a shell. It will not accept remote code access. It can be secure by design.

Ian Eyberg, CEO of NanoVMs, was at Black Hat 2018 advocating for unikernels for security reasons. NanoVMs is a single-process system. It has neither users nor shells. It can run one program at a time. In general, it’s far smaller, in code terms, than comparable Linux VMs. “Compared to a bloated system like Linux, which has hundreds of millions of lines of code and drivers for virtually every device you can imagine, unikernels are remarkably small,” Eyberg said. “Less code translates into fewer exploits.”

It is taking some time for unikernels to catch on, however. As is often the case in IT, entrenched incumbents don’t tend to budge very easily. This is not a knock on IT departments. You can’t just magically make decades of legacy infrastructure and application architecture disappear overnight, even if you wanted to. Major vendors have massive installed bases of the conventional setups. It will take years for ideas like unikernels to gain traction.

Complacency is not okay, however. Containers and other multi-process technologies still exert a strong grip despite their acknowledged security flaws. Perhaps it’s time to kick the habit.

 

Photo Credit: keith.bellvay Flickr via Compfight cc 

Black Hat 2018 Profile: Trend Micro’s Zero Day Initiative

Trend Micro has been overseeing the Zero Day Initiative, the world’s largest vendor-agnostic bug bounty program, since 2016. Paying cash for new bugs, including exploits in enterprise software, Trend’s aim is to protect its customers from the latest cyber threats. The more than 3,500 participants in the program are finding vulnerabilities in technologies made by major technology players.

Dustin Childs, CISSP

The initiative holds to a 120-day disclosure policy. They give vendors 120 days to remediate a newly discovered vulnerability and get a security patch out. After that, Trend will disclose the vulnerability to the public. “We set up the disclosure policy so vendors wouldn’t dismiss us too easily,” said Dustin C. Childs, CISSP, Communications Manager for the Zero Day Initiative at Trend Micro. “It’s a touchy subject, but honestly, it’s in everyone’s best interest to work with the process.” He continued, saying, “Our value is in our ability to protect against the impact of a rushed vulnerability patch, like patch on Tuesday and get attacked on Wednesday.”

2017 was the busiest year to date, with 1,007 disclosures. However, in the first seven months of this year, there have already been 880. “Is this good or bad? I don’t know,” Childs said. “It’s worrisome that the threat environment is growing so much, but at the same time, it’s good that we’re catching more of them.” The initiative also offers what Childs calls “Frequent flier” bonuses for active submitters.

According to Childs, Trend Micro is expanding the scope of the bug bounty now to include devices and middleware. “We’re moving beyond the OS,” he noted. “Attackers are looking for fresh vulnerabilities everywhere.” He added, however, that they’re avoiding IoT for now, given its massive scale, explaining, “We’d go broke with IoT.”

One advantage of the Trend Micro approach is they can drive vulnerability research where they want it to go. For example, if they wanted to see if virtualization products suffered from vulnerabilities, they could create a cash incentive to find bugs in that category. Right now, they are interested in finding bugs in platforms like Drupal, WordPress, Apache and Microsoft IIS. For a limited time, they are even offering a special $25,000 reward for vulnerabilities in Joomla. (Gentlemen (and ladies)… start your engines!)

Their work puts them at odds, at least in theory, with the national security establishment. It is a poorly kept secret that agencies like the NSA like to keep bugs private so they can exploit them in the infrastructure of our adversaries. Per Childs, they have never been contacted by the NSA, but they believe they have accidentally disrupted at least one NSA operation.

The best bugs, though, in Childs’ view, are the ones that never get shopped in the first place. “You have to red team yourself,” he said. “Work a secure development lifecycle – an SDL – including in post release.”

He also recommended that vendors invest in infrastructure and process to manage the bug remediation process. “It’s critical that you be able to service your product, from a security perspective, after you ship.”

Photo Credit: twm1340 Flickr via Compfight cc