The five fatal flaws in cyber security
It's time to change the basics of Cyber Security
Contents
The cost of cyber security
Users are dependent on IT
What went wrong
The five fatal flaws
A different approach
Three steps to resolve problems
The cost of cyber security
Over the last few years, users, companies and state institutions have put tens of billions of dollars into IT security, which shows how ineffective the purchases and solutions are
Similar problems and attacks still keep repeating
The basic problems are still unresolved
There is still no defense against a sophisticated attack
Users are dependent on IT
Banks, trading or manufacturing companies depend on smoothly functioning IT
Hacker attacks know no borders
Sophisticated viruses can be modified and then used to attack the computers of their original author
A dangerous place: PC, phone, etc.
PC and viruses
In over 25 years, the problems with viruses on PCs have not been resolved
We have been using smartphones for nearly 10 years
Small box, small screen
The same problems as in a PC environment
Problems with PC or smartphone viruses are not resolved, and the same problems are appearing in IoT, SCADA and cars
What went wrong?
We criticize food producers for horse meat in meatballs, ...
We criticize Volkswagen for its smoking TDI engines
But we are afraid to criticize large SW manufacturers, although programming is purely human work
The five fatal flaws
Software is still considered a copyrighted work, but its creators still bear no responsibility for their work
Software supposedly cannot be written better
The biggest threat to IT security is supposedly inexperienced users
Norms, standards and laws are created, but errors and backdoors in the basics of IT are not revised
Over the past 15 years a new generation of IT specialists has grown up who were taught only "the one correct view" of computer security
Fatal flaw no. 1
Software is viewed in the same manner as a book or film, but there is no responsibility on the side of the author
SW development is the result only of human work
Programming is an exact discipline in which anything can be clearly defined, programmed and tested
Software companies are looking for software engineers, analysts, testers. This is similar to other companies that develop and manufacture a product for which they are responsible
Fatal flaw no. 1 - comparison
Software is viewed in the same manner as a book or film, but there is no responsibility on the side of the author
The engineers of bridges or engines must respect the laws of nature, for example the differential expansion of materials or the chemical reactions of substances, etc.
Side effects are examined for drugs. There is no "manual" for the human body by which to verify what a new substance can influence
Error no. 1
The mistake is that ordinary users (government officials, CEOs, lawyers, journalists, etc.) still tolerate the opinion:
Software companies do not have to be responsible for their work
Fatal flaw no. 2
Software supposedly cannot be written better
Each product can be improved and manufactured better; this is the foundation of progress
Creating software is only human work. But SW authors still argue that it cannot be done better
Fatal flaw no. 2 - comparison
Software supposedly cannot be written better
In non-IT fields, customers and control authorities are very demanding about the quality and safety of products
Non-IT manufacturers must spend large amounts on applied and basic research in physics, chemistry, etc.
Error no. 2
Users (politicians, CEOs, journalists, lawyers, etc.) tolerate the idea that it is impossible to create better operating systems and applications, without errors and backdoors
Fatal flaw no. 3
For nearly 15-20 years "experts" have said that problems in IT security are caused by inexperienced users
User behavior cannot be changed
20 years of excuses about inexperienced users
It is not possible to change the behavior of all users. What must change is the SW authors' approach, work and responsibility
Fatal flaw no. 3 - comparison
Automakers know that drivers are careless and make mistakes
Automakers do not say that the problem is inexperienced drivers, for example drivers who are IT professionals
Automakers recognize that they will not change the behavior of drivers. So they take the initiative and equip new cars with systems that monitor driver behavior and errors
Error no. 3
It is a mistake that IT professionals have relied for more than 15 years on a change in user behavior instead of taking the initiative, as car manufacturers do.
Fatal flaw no. 4
Standards, norms and laws are created, but they do not solve errors in the basics of IT and cyber security
Many people, companies and authorities devote their energy to creating new standards
The same people later experience disillusionment after a successful sophisticated attack, because the standards do not prevent sophisticated attacks
Little effort is devoted to resolving mistakes in the basics of SW
Fatal flaw no. 4
There are many standards for users and administrators. There are only a few laws and standards for SW authors and for the responsibility of SW authors
The current situation creates the false impression that problems with viruses and hackers can be solved by using standards and laws
In fact, norms and laws currently solve only consequences, not the causes of problems
Error no. 4
Current norms and laws do not address the situation of operating systems or applications the way aerospace (ISO 9120) or automotive (ISO 16949) norms do
Current standards and laws solve current consequences, but do not solve the real causes associated with computer viruses and hacker attacks
Fatal flaw no. 5
Over the past 15 years a new generation of IT specialists has grown up who were taught only "the one correct view" of computer security
One-sided teaching is related to inaccurate views
SW authors supposedly cannot guarantee their work
Software supposedly cannot be written better
For nearly 15-20 years "experts" have said that problems in IT security are caused by inexperienced users
Standards, norms and laws are created, but this does not solve the basic errors in IT
Error no. 5
The SW environment totally lacks a critical look at the work of programmers, testers and analysts. These misinformed views are also used by some journalists and politicians
The training of new IT professionals is in many ways reminiscent of the education of the young generation in the Eastern European bloc before 1989. At that time, people in Eastern Europe were also taught the only one correct view of life and the world
Correction of the problem
Solutions exist! This is the main and significant information
Creating software is purely human work, which can be clearly described, programmed and tested.
An absolutely different approach
Apollo Program
8 years from JFK's speech to the journey of Apollo 11 to the Moon
Many new challenges were resolved
Rocket technology
Orientation in space
Protecting people and electronics from radiation
And many discoveries from different fields of natural sciences
Creating software - more than 15 years of unresolved issues
Purely human work
An exact discipline in which everything can be clearly described
Responsibility of the authors
Manufacturers of children's toys, food or household appliances are responsible for their products
Volkswagen is responsible for smoky TDI engines
Solution no. 1
Creating software is purely human work. An error in a program is the result of bad work by its authors
An equally critical perspective must be applied to software as to cars, toys or food
Solution no. 2
Verification of originality, origin and the integrity of system files in PC, phone, IoT, etc.
"The Three Laws of Cyber Security" may be used for the solution
The three laws of cyber security are a solution similar to the one in aviation, where spare parts are tracked from the manufacturer to installation in the aircraft
Solution no. 3
Pyramid of Cyber Security
The verification of originality, origin and the integrity of system files is a necessity
An equally critical approach to cars and to software is a necessity
The need for more changes
It is necessary to promote regular testing of software, like crash tests of cars
SW authors must take the initiative, for example like car makers
Summary
A solution exists for the 20-year-old problems with viruses and hackers
The basis of the solution is a change in the thinking of all users. The demands on SW authors should be similar to the demands on food or car manufacturers
The technical part of the solution can be implemented almost immediately. The most important thing is to change the mindset and demands of users.
Summary
Creation of software is purely human work
Creation of software is an exact discipline in which everything can be clearly defined, programmed and tested
Changing the basics of SW can help solve the vast majority of problems with computer viruses and hacker attacks
About the author
Jiří Nápravník (*1968)
https://cz.linkedin.com/in/napravniksalamandr
1997 - 2002 forensic expert, cybercrime
2003 - helped track down hackers who robbed bank accounts via internet banking
He described and tried an attack on the secure electronic signature (eSign, PKI, eIDAS)
He described and tried an attack on a chip card with a private key inside
2014 - He defined The Three Laws of Cyber Security
2015 - He defined The Pyramid of Cyber Security