Ask HN: What are current problems or trends regarding cybersecurity?

30 points by yasinaydin ↗ HN
I am asking for possible subjects and ideas for my cybersecurity bachelor thesis. I have 10+ years of experience as fullstack dev and sysadmin. I have been following HN for a long time and learned so many things. I am not expecting a thesis idea, but a discussion would definetely help me think about possibilities and widen my horizon.

I already have few items in my list, but I can't find any of these strong enough, because they are either too general or too vague: - Container (Docker, etc) security - Media originality check (eg anti-deep fake or propaganda) - Security of IoT data, especially in cloud - Security of health care (don't know how)

21 comments

[ 4.0 ms ] story [ 61.6 ms ] thread
What about companies not taking responsibility of their own data?

You could talk about how FB makes $15 per quarter from users and they give up X,Y,Z of data. Yet 90% of the userbase wouldn't pay $15 a month for a advertisement free platform.

Alternatively, how about the Equifax hacks? And your Thesis could be on pricing users data. And viable compensation measures.

Thank you very much for the thought. A quick Google Scholar results showed almost no researches about this subject. I find this subject very important, but I also don't see the impact of a such research, since these "big evil corps" done or caused much worse problems and they still exist.

Another thing is, I don't know if I can do this research by myself, or need some other professionals/academicians and where to start.

Could you please provide more info or insight, if you have?

I think that a lack of a simple identity and authentication solution is a problem. In some sense, it makes no sense that file permissions and website logins are two different authentication schemes.
Permissions are not authentication, they are authorization. AAA Schemes exist (authentication,authorization,auditing) such as TACACS. Perhaps a web version of TACACS+ with modern public key cryptography and back-end agnostic standard would be ideal?
I don't think it's that the stack doesn't exist anywhere. It's more that the best authentication systems are siloed within a few select organizations and trust across organizations is spotty.

If I had to recommend a single simple+powerful auth system right now, it would likely be Duo Security[1].

And there are countries (SKorea, Estonia) and even organizations within the US (US DoD) which have largely solved authentication. SKorea and Estonia allow (require?) digital transactions to use their state-issued digital ID. The US DoD has ID cards, digital login systems, etc (although it's not clear to me how homogenous or "simple" it is).

Windows is working on "Hello".

Apple has (TouchID + FaceID + iTunes/iCloud).

Facebook properties use the FB auth stack(s).

Google properties use its auth stack.

Amazon properties use its auth stack.

I think the complexity is that there is no "one account to rule them all", but I'm not sure I would trust any organization listed above to not screw it up. The US DoD is probably best equipped to understand the needs of building a robust authentication solution, but they also have physical control of their persons and don't necessarily need to work on the timeframes that the other companies listed here work on. Every single organization I've listed has had at least one high profile data/IP breach, so I would argue it's the asymmetric nature of defense versus attack that is the problem in the current internet space.

[1] https://duo.com/

I thought projects like OpenID and Oauth were created to solve this problem (yet it didn't).

Also, Zero Trust also made my possible subjects list, thanks!

I live in Estonia for last 3 years and I only had to use my physical signature once. Estonia has various authentication methods[1] where everything is signed digitally, so finding a good idea is hard because of competition.

I wouldn't trust US DoD or any US gov institutions to build systems which does not have a backdoor. As for data breaches: it whouldn't be a problem if data is encrypted, would it? That's why I think distributed systems might be a solution for this.

[1]: https://e-estonia.com/solutions/e-identity/mobile-id/

Generally, the biggest problem is that many companies just don't see updates as all that important unless they're offering a computer program or internet service. Many smart devices, IoT devices, etc don't get updates at all, which leaves them wide open to anyone with the technical knowhow to attack them. Especially if they're internet connected, like many of them are.

Getting companies to issue updates and fix security problems in these devices seems like one of the most important issues we're dealing with security wise.

> Getting companies to issue updates and fix security problems in these devices seems like one of the most important issues we're dealing with security wise.

I would argue this is tangential to another massive problem: corporate IT teams are largely overwhelmed with the number of security patches required to keep their entire network updated (my company is in this space).

Device manufacturers not patching their devices is one issue (zero day), but it's not likely the largest issue. I would say that devices that have patches available, but unapplied (Unpatched Vulnerabilities) are at least 10x bigger problem. I don't think your observation and the UV problem are unlinked -- most electronics manufacturers don't have a streamlined way of developing a patch, notifying the device owners/controllers, and pushing it quickly+easily to their devices.

The {CVE database, OVAL, OSQuery} are useful, but it's very difficult for network owners to identify devices and know whether they are patched, let alone act on that and test+apply patches organization-wide.

I agree. Between 2005-2009, I used to work in systems of factories which has some CNC machines that were using Windows 95 and 98. They were not connected to internet or company network and were receiving the files required via USB sticks. That was also how Stuxnet infected power plants.
Supply chain security is another interesting one. Both hardware and software. Products are built with components from many suppliers, from all over the world, and understanding the security of these is hard. All the current geopolitical excitability / nation state influences make this topical. NSA intercepting networking hardware and implanting monitoring, or AV software build pipelines being compromised; there’s a lot to think about and improve.
Along these lines, I've considered trying to come up with a system for evaluating risk to your software applications based on observable risk factors for any given (3rd party) library used in your application.

Basically the idea revolves around identifying data points of risk for the project including: comprehensive unit tests, integration tests, public design documents, adhering to some non-trivial code standards, automated linting/static analysis, dynamic analysis, automation of builds, automated updating upstream libraries as soon as they are released, all project developers have some sort of public identity + verifiable employer + reputation.

Bonus points for security audit, whitehat communication guidelines, bug bounty program with incentives, fast fixes for reported security issues.

Negative points for the absence of any of these coding practices, slow to respond to security reports/incidents, lack of 2FA on accounts, high number of historical CVEs, difficult to protect languages/frameworks/architectures, etc.

These likely aren't easy to identify (probably the largest reason this hasn't publicly happened yet), but imagine some of them can be automated or MTurked or at least approximated. I imagine the large nation-states (could) have dossiers on (many/most/all?) developers and code projects they have come across and their code projects.

Institutional challenges in implementing information security best practices.

We know how to be secure, but lots of folks still ignore doing so until it’s too late.

SOAR platforms and how ML can help is a good topic for you. (Check out siemplify and demisto). No FOSS solutions to date for SOAR!

Cheap and good cross-platform endpoint security,reducing and simplifying the overhead of managing endpoint security is also another.

Email security is also big but not as popular of a topic (again,no cheap or foss solutions other than a DIY mess you hope management will accept).

I am personally interested and working around the area of methodical approaches to blue teaming. MITRE's ATT&CK techniques have laid some basic foundations. Different people or companies basically throw money on an expensive solution(s) and even more expensive staff and basically put forth a best effort use of tools and skills,which isn't bad but even with good threat modelling,attackers will still find a way and typically you just throw darts in the dark or use buest guess (or popular trends). Methodically defining attacker techniques against your specific environment,threat hunting based on attacker techniques,continually updating your tools+skills+processes will allow for measurable increase in maturity and actual ability to find and respond to attacks.

Like it or not,the biggest gaps in security are architectural,process and managerial in nature. But I hope the more technical ideas I mentioned helps, there are also other trendy things like "zero trust". As a dev and admin you should definetly look at SOAR and challenges around collecting and storing very high volume of logs efficiently and cheaply.

C code is rather suddenly toxic due to advances in fuzzing and reverse engineering and needs to be moved away from quickly.
Can you point me to any reading or resources on this topic?
Not a specialist in C and I'm not sure about the "suddenly" (it's always been a "powerful but dangerous" language), but for fuzzing look into AFL[1] (a fuzzing program which uses a genetic algorithm to search a massive space of all possible inputs, but gravitate towards interesting fuzz inputs once a crash is observed) and for recent reverse engineering, the NSA released Ghidra[2] (reverse engineering framework).

[1] http://lcamtuf.coredump.cx/afl/

[2] https://github.com/NationalSecurityAgency/ghidra

Yeah, the "suddenly" part refers to new techniques for using non-random inputs to fuzzers like AFL, combined with massive compute power from e.g. Google's ClusterFuzz. I don't have any good summary links, though.
Cryptocurrency has some pretty interesting security implications. There are threats to individual keys, as well as threats from hackers who find flaws in smart contracts.
A few observations. Make of them what you will.

Basic fraud is still 100x larger of a problem than the more exotic/interesting cybersecurity problems. Former Facebook CSO Alex Stamos had a convention talk[1] about this. The average cybersecurity problem is still of the template like:

  - Nigerian 419 scam (or similar social media fake account used to pull heartstrings)
  - Romanian spam email e-commerce
  - 12 year old boy steals parents credit card info to pay for $100s in Fortnite (or similar vidya game) customizations
  - 15 year old girl is convinced to give her website credentials to her friend for fear of social reprisals
  - Harvesting of contact info + Open Source Intelligence for more traditional phone scams
There is an arms race in just about every aspect of cybersecurity:

  - Detection of fraud versus bypass
  - IDS/WAF attack signatures
  - Email spam filters
  - Endpoint malware detection signatures
  - Behavior detection (like conditional challenges via ReCaptcha or for Google authentication)
  - Math+security researchers try hard to break cryptographic hash schemes (using techniques more efficient than just brute force)
Game theory is a large part of cybersecurity, because it's largely a human endeavor (even if it's executed by software/bots). The paid bug bounty programs are an interesting exercise in economics and markets (as a bug bounty hunter how they choose a target from all of the possible companies that participate in bug bounty programs).

Cybersecurity is an asymmetric game, as it is currently set up. The attacker "only has to be right once", whereas the defender "has to be right all the time". IT teams "think in lists", whereas hackers "think in graphs".

It's easier than ever to automate security and updates, but increasingly it takes more and more cognitive effort to set up those systems (which inevitably slow down business) so the long-term-optimal is frequently abandoned for the short term convenience.

The massive explosion of social media in the past 10 years could have compromised OpsSec for an entire generation of computer operators. When we post credit card details on Twitter[2], it's clear that the average person needs to have better OpsSec.

OpsSec is bad even when not on social media, as shown when hackers saw account credentials on a desk in the background of a television interview[3]. Kids are conditioned by their parents to share their passwords, then develop the bad habit of sharing passwords as a sign of affection for their social peers[4].

AI/ML and Quantum Computing have the potential to cause a massive shift in the current attack/defense posture and current security practices, but when it might show up in practical applications is anyone's guess.

There are legal+policy questions about whether we should try and entrust secret keys to all smart devices to the manufacturer, police, or intelligence services. Even among the Five Eyes countries, the answers to these questions are currently in very different places.

[1] https://youtu.be/YJOMTAREFtY?t=1099

[2] https://twitter.com/Needadebitcard

[3] https://arstechnica.com/information-technology/2015/04/hacke...

[4] https://www.nytimes.com/2012/01/18/us/teenagers-sharing-pass...

I'm currently interested in mining bug bounty disclosed reports and bounty hunter profiles to come up with archetypes of both defending organizations and attacking groups/individuals.

Long term, I would like to see attack+defense hacking incidents run as computer simulations (in a framework like OpenAI's "gym"), but I suspect the public (outside of intelligence and a few select private cybersecurity companies) doesn't have enough information to build this type of model yet. Developing sensors and converting raw data into information to be able to build those models is a prerequisite.

Log management. Specifically tracking what you are currently ingesting vs what you could be. Basically a visibility dashboard.

Another is automated testing of detections on a regular basis. Although some people are doing this with the automated pentests and stuff. I would like to see a platform that imports your current rules and generates attacks based off of them. Then it can run once a month to make sure your alerts are firing.