Pt tragickch pochybev v Cyber bezpenosti

The five fatal flaws
in cyber security

napravnik.jiri@salamandr.cz

It's time to change the basics of Cyber Security

content

The cost of the Cyber Security

Users are dependent on IT

What was gone wrong

The five fatal flaw

A different approach

Three steps to resolve problems

The cost of the Cyber Security

Users, companies and State Institutions over the last few years give tens of billions dollars into IT security which shows how ineffectively purchase and solution

Still similar problems and attacks are repeated

Tha basic problems were still unresolved

Still is not a defense against sophisticated attack

Users are dependent on IT

Banks, trading or manufacturing companies depend on smoothly functioning IT

Hacker attacks know no borders

Sophisticated viruses can be modified and then attack back into computers of original author

A dangerous place PC, phone, etc.

PC and viruses

Over 25 years have not resolved problems with viruses in PC

Nearly 10 years we are using smart phones

Small box, small screen

The same problems as in a PC environment

Problems with PC or smartphones viruses are not resolved, and the same problems appearing in IoT, SCADA and a cars

What was gone wrong?

We criticize producers of food for horse meat in meat balls, ...

We criticizes the Volkswagen that smoking their TDI engine

But, we are afraid to criticize large SW manufacturers, although programming is a purely human work

The five fatal flaw

The software is still considered as a copyright work, but still missing responsibility creators for their work

Software supposedly can not be written better

The biggest threat for IT security are supposedly inexperienced users

Are created norms, standards and laws, but does not revise errors and backdoors in the basics of IT

The past 15 years grow new generation of IT specialists who teached only "the one correct
view" to computer security

Fatal flaw no. 1

Software is viewed in the same manner as a book or film but there is no responsibility from the side of the author SWSW development is the result only of human work

Programming is an exact discipline, where anything is possible clearly defined, programmed and tested

Software companies are looking for software engineers, analysts, testers. This is similar to other companies that develop and manufacture a product for which they are responsible

Fatal flaw no. 1 - comparison

Software is viewed as in the same manner as a book or film but there is no responsibility from the side of the authorThe engineers of bridges or engines must respect the laws of nature. For example, differential expansion of materials or chemical reaction of substances, etc.

For drugs are examined side effects. For the human body does not exist "manual" by which verifying what the new substance can influence

Error no. 1

The mistake is that ordinary users
(government officials, CEOs, lawyers, journalists, etc.) still tolerate opinion :

Software companies do not have to be responsible for their work

Fatal flaw no. 2

Software supposedly cannot be written better

Each product can be improved and manufactured better, this is the foundation of progress

Creating software is only human work. But, authors SW still argue that it can not be done better

Fatal flaw no. 2 - comparison

Software supposedly cannot be written better

In non-IT fields are customers and control authorities very demanding on the quality and safety of products

Non-IT manufacturers must emit large amounts to applied and basic research in physics, chemistry, etc.

Error no. 2

Users (politicians, CEOs, journalists, lawyers, etc.) tolerate the idea that is impossible create better operating systems and applications, without errors and backdoors

Fatal flaw no. 3

For nearly 15-20 years "experts" say that problems in IT security have been caused by inexperiened users

User behavior can not be changed

20 years excuses on inexperienced users

It is not possible to change the behavior of all users. Must be change SW author's access, work and resposibility

Fatal flaw no. 3 - comparison

Automakers know that drivers are careless and doing mistakes

Automakers do not say that the problem are inexperienced drivers, example drivers - IT professionals

Automakers recognize that they do not change the behavior of drivers. So they take the initiative and equip new cars systems which monitor driver behavior and errors

Error no. 3

It is a mistake, that IT professionals for more than 15 years rely on the change in user behavior, instead of to take the initiative. Similarly, as do car manufacturers.

Fatal flaw no. 4

Creating Standards, Norms, and Laws, but do not solve errors in the basics of IT and Cyber Security

Many people, companies and authorities devotes its energy to creating new standards

The same people, in next time experiencing disillusionment after a successful sophisticated attack. Because the standards do not prevent sophisticated attacks

Little effort is devoted to resolve mistakes in the
basics of SW

Fatal flaw no. 4

There are many standards for users and administrators. Exist only little laws and standards for authors SW anf for responibility of authors SW

The current situation creates the false impression that problems with viruses and hackers can be solved with using standards and laws

In fact, norms and laws only current solves consequences, not the causes of problems

Error no. 4

Current norms and laws do not solves the situation with a operating systems or applications, as it is in the case of aerospace (ISO 9120) or auotmotive (ISO 16949) norms

Current standards and laws solve current consequences, but does not solve the real causes that are associated with computer viruses and hacker attacks

Fatal flow no. 5

In the past 15 years grow new generation of IT specialists who teached only "the one correct
view" to computer security

Single-Sided teaching are related to inaccurate viewsThe authors SW supposedly can not guaranteet for their work

Software supposedly cannot be written better

For nearly 15-20 years "experts" say that problems in IT security have been caused by inexperiened users

Are creating standards, norms, and laws, but this do not solve the basic errors in IT

Error no. 5

In an SW environment totally lacking critical look at the work of programmers, testers, analysts. This misinformation views also use some journalists and politicians

Training of new IT professionals in many ways reminiscent of the education of the young generation in the Eastern Europe bloc before 1989. At that time, the people at the East Europe were also teached into the only one correct view on the issue of life and the world

Correction of the problem

Solutions exist !! This is the main and the significant information

Creating of software is purely a human work, which can be clearly described, programmed and tested.

Absolutely a different approach

Apollo Program
8 years from JFK's speech to the journey of Apollo 11 to the Moon

Resolved many new challengesRocket technology

Orientation in universe

Protecting people and electronics from radiation

And many discoveries from different fields of natural sciences

Creating software - more than 15 years of unresolved issues

The purely human work

The exact discipline where is possible
to clearly describe all

Responsibility of the authors

Manufacturers of children's toys, food or household appliances are responsible for their products

Volkswagen is responsible for smoky TDI engines

Solution no. 1

Creating software is purely human work. An error in the program is the result of bad work of authors

Must be set equally critical perspective on software like as in area of cars, toys or food

Solution no. 2

Verification of originality, origin and the integrity of system files in PC, phone, IoT, etc.

For solutions may be used "The three laws Cyber Security"

The tree laws of cyber security is a similar solution like in aviation, where is watching spareparts from manufacturers to installation in aircraft

Solution no. 3

Pyramid of Cyber SecurityThe verification of originality, origin and the integrity of system files is a necessity

Equally critical approach to cars and to software is a necessity

the need for more changes

It is necessary to promote regular testing software like crash tests cars

Authors SW must take the initiative, example
like car-makers

Summary

Exist a solution for 20 years old problems with viruses and hackers

Base of solution is a change of thinking all users. Claims for the authors of SW should be similar like demands on the food or car manufacturer

The technical part of the solution can be implemented almost immediately. The most important
is to change the mindset and
demands of users.

Summary

Creation of software is purely human work

Creation of software is a exact discipline in which everything can be clearly defined, programmed and tested

Changing of the basics SW can help solve the vast majority of problems with computer viruses and hacker attacks

About author

Ji Npravnk (*1968)
https://cz.linkedin.com/in/napravniksalamandr1997 2002 forensic expert, cybercrime

2003 - helped track down hackers - robbers bank accounts via internet banking

He described and tried the attack to secure electronic signature (eSign, PKI, eIDAS)

He described and tried the attack to chip card, with private key inside

2014 He defined The Three Laws of Cyber security

2015 He defined The Pyramid of Cyber Security