ROBOT Attacks and Resilient Security
Another day, another big security vulnerability announcement. Let’s see if this one qualifies as big news by 2017 standards…
Cheesy logo? Check.
Catchy name? Check.
Okay, time to patch all the things…
Seriously, if your organization runs a secure website, you should check with your systems administrators about disabling RSA-based security modes or applying the latest patches. Then come back, because that’s not the important lesson to be learned here.
Ready? So let’s look at these two statements from the researchers who discovered the attack:
“[…] the designers of TLS decided that the best course of action was to keep the vulnerable encryption modes and add countermeasures. Later research showed that these countermeasures were incomplete leading the TLS designers to add more complicated countermeasures. […] It is not surprising that these workarounds aren’t implemented correctly.”
“The surprising fact is that our research was very straightforward. We used minor variations of the original attack and were successful. This issue was hiding in plain sight.”
We tend to think of security in terms of tools and technology. Firewalls. Anti-Virus software. Spam filters. Products we buy. Services we use.
But in the end, these tools are all flawed. None of them will guarantee the security of your business, computers, or personal information. And even if they did, none of them will last without constant maintenance. Current estimates are that businesses will spend more money than ever on information security in 2018 – does anyone believe the rate of vulnerabilities and breaches and incidents will go down due to all that spending?
Of course not.
We need to think of information security the way we think of every other type of security. There’s a reasonable set of precautions we take based on the perceived threat. We make plans to deal with the fallout if those precautions don’t work.
That way of thinking is about resiliency rather than protection – we don’t think it makes our homes and businesses perfectly secure, but we’re realistic and prepared, come what may.
That’s how information security can be a “solved problem.” Take precautions, yes, but then make a plan for what happens when the precautions fail so you can continue to operate regardless.
Which means learning more about the threats and precautions, it’s true. But I promise, that’s not so hard. Ask us about it – we’ll help you learn how to do that, free of charge.