Ask HN: What are current problems or trends regarding cybersecurity?
I am asking for possible subjects and ideas for my cybersecurity bachelor thesis. I have 10+ years of experience as fullstack dev and sysadmin. I have been following HN for a long time and learned so many things. I am not expecting a thesis idea, but a discussion would definetely help me think about possibilities and widen my horizon.
I already have few items in my list, but I can't find any of these strong enough, because they are either too general or too vague: - Container (Docker, etc) security - Media originality check (eg anti-deep fake or propaganda) - Security of IoT data, especially in cloud - Security of health care (don't know how)
21 comments
[ 4.0 ms ] story [ 61.6 ms ] threadYou could talk about how FB makes $15 per quarter from users and they give up X,Y,Z of data. Yet 90% of the userbase wouldn't pay $15 a month for a advertisement free platform.
Alternatively, how about the Equifax hacks? And your Thesis could be on pricing users data. And viable compensation measures.
Another thing is, I don't know if I can do this research by myself, or need some other professionals/academicians and where to start.
Could you please provide more info or insight, if you have?
If I had to recommend a single simple+powerful auth system right now, it would likely be Duo Security[1].
And there are countries (SKorea, Estonia) and even organizations within the US (US DoD) which have largely solved authentication. SKorea and Estonia allow (require?) digital transactions to use their state-issued digital ID. The US DoD has ID cards, digital login systems, etc (although it's not clear to me how homogenous or "simple" it is).
Windows is working on "Hello".
Apple has (TouchID + FaceID + iTunes/iCloud).
Facebook properties use the FB auth stack(s).
Google properties use its auth stack.
Amazon properties use its auth stack.
I think the complexity is that there is no "one account to rule them all", but I'm not sure I would trust any organization listed above to not screw it up. The US DoD is probably best equipped to understand the needs of building a robust authentication solution, but they also have physical control of their persons and don't necessarily need to work on the timeframes that the other companies listed here work on. Every single organization I've listed has had at least one high profile data/IP breach, so I would argue it's the asymmetric nature of defense versus attack that is the problem in the current internet space.
[1] https://duo.com/
Also, Zero Trust also made my possible subjects list, thanks!
I live in Estonia for last 3 years and I only had to use my physical signature once. Estonia has various authentication methods[1] where everything is signed digitally, so finding a good idea is hard because of competition.
I wouldn't trust US DoD or any US gov institutions to build systems which does not have a backdoor. As for data breaches: it whouldn't be a problem if data is encrypted, would it? That's why I think distributed systems might be a solution for this.
[1]: https://e-estonia.com/solutions/e-identity/mobile-id/
Getting companies to issue updates and fix security problems in these devices seems like one of the most important issues we're dealing with security wise.
I would argue this is tangential to another massive problem: corporate IT teams are largely overwhelmed with the number of security patches required to keep their entire network updated (my company is in this space).
Device manufacturers not patching their devices is one issue (zero day), but it's not likely the largest issue. I would say that devices that have patches available, but unapplied (Unpatched Vulnerabilities) are at least 10x bigger problem. I don't think your observation and the UV problem are unlinked -- most electronics manufacturers don't have a streamlined way of developing a patch, notifying the device owners/controllers, and pushing it quickly+easily to their devices.
The {CVE database, OVAL, OSQuery} are useful, but it's very difficult for network owners to identify devices and know whether they are patched, let alone act on that and test+apply patches organization-wide.
Basically the idea revolves around identifying data points of risk for the project including: comprehensive unit tests, integration tests, public design documents, adhering to some non-trivial code standards, automated linting/static analysis, dynamic analysis, automation of builds, automated updating upstream libraries as soon as they are released, all project developers have some sort of public identity + verifiable employer + reputation.
Bonus points for security audit, whitehat communication guidelines, bug bounty program with incentives, fast fixes for reported security issues.
Negative points for the absence of any of these coding practices, slow to respond to security reports/incidents, lack of 2FA on accounts, high number of historical CVEs, difficult to protect languages/frameworks/architectures, etc.
These likely aren't easy to identify (probably the largest reason this hasn't publicly happened yet), but imagine some of them can be automated or MTurked or at least approximated. I imagine the large nation-states (could) have dossiers on (many/most/all?) developers and code projects they have come across and their code projects.
We know how to be secure, but lots of folks still ignore doing so until it’s too late.
Cheap and good cross-platform endpoint security,reducing and simplifying the overhead of managing endpoint security is also another.
Email security is also big but not as popular of a topic (again,no cheap or foss solutions other than a DIY mess you hope management will accept).
I am personally interested and working around the area of methodical approaches to blue teaming. MITRE's ATT&CK techniques have laid some basic foundations. Different people or companies basically throw money on an expensive solution(s) and even more expensive staff and basically put forth a best effort use of tools and skills,which isn't bad but even with good threat modelling,attackers will still find a way and typically you just throw darts in the dark or use buest guess (or popular trends). Methodically defining attacker techniques against your specific environment,threat hunting based on attacker techniques,continually updating your tools+skills+processes will allow for measurable increase in maturity and actual ability to find and respond to attacks.
Like it or not,the biggest gaps in security are architectural,process and managerial in nature. But I hope the more technical ideas I mentioned helps, there are also other trendy things like "zero trust". As a dev and admin you should definetly look at SOAR and challenges around collecting and storing very high volume of logs efficiently and cheaply.
[1] http://lcamtuf.coredump.cx/afl/
[2] https://github.com/NationalSecurityAgency/ghidra
Basic fraud is still 100x larger of a problem than the more exotic/interesting cybersecurity problems. Former Facebook CSO Alex Stamos had a convention talk[1] about this. The average cybersecurity problem is still of the template like:
There is an arms race in just about every aspect of cybersecurity: Game theory is a large part of cybersecurity, because it's largely a human endeavor (even if it's executed by software/bots). The paid bug bounty programs are an interesting exercise in economics and markets (as a bug bounty hunter how they choose a target from all of the possible companies that participate in bug bounty programs).Cybersecurity is an asymmetric game, as it is currently set up. The attacker "only has to be right once", whereas the defender "has to be right all the time". IT teams "think in lists", whereas hackers "think in graphs".
It's easier than ever to automate security and updates, but increasingly it takes more and more cognitive effort to set up those systems (which inevitably slow down business) so the long-term-optimal is frequently abandoned for the short term convenience.
The massive explosion of social media in the past 10 years could have compromised OpsSec for an entire generation of computer operators. When we post credit card details on Twitter[2], it's clear that the average person needs to have better OpsSec.
OpsSec is bad even when not on social media, as shown when hackers saw account credentials on a desk in the background of a television interview[3]. Kids are conditioned by their parents to share their passwords, then develop the bad habit of sharing passwords as a sign of affection for their social peers[4].
AI/ML and Quantum Computing have the potential to cause a massive shift in the current attack/defense posture and current security practices, but when it might show up in practical applications is anyone's guess.
There are legal+policy questions about whether we should try and entrust secret keys to all smart devices to the manufacturer, police, or intelligence services. Even among the Five Eyes countries, the answers to these questions are currently in very different places.
[1] https://youtu.be/YJOMTAREFtY?t=1099
[2] https://twitter.com/Needadebitcard
[3] https://arstechnica.com/information-technology/2015/04/hacke...
[4] https://www.nytimes.com/2012/01/18/us/teenagers-sharing-pass...
Long term, I would like to see attack+defense hacking incidents run as computer simulations (in a framework like OpenAI's "gym"), but I suspect the public (outside of intelligence and a few select private cybersecurity companies) doesn't have enough information to build this type of model yet. Developing sensors and converting raw data into information to be able to build those models is a prerequisite.
Another is automated testing of detections on a regular basis. Although some people are doing this with the automated pentests and stuff. I would like to see a platform that imports your current rules and generates attacks based off of them. Then it can run once a month to make sure your alerts are firing.