Sunday, October 25, 2020

Time and awareness and other security musings (Cybersecurity Awareness Month, Day 25)

Because October is the designated month for cybersecurity awareness, and because this year is 2020, that means the 25th day of the month is a Sunday. So today's security awareness blog post will be less like a work day call to action, and more like a mediation on time as it relates to security.

You see, this is not just any Sunday, it's the one that may seem longer than the others, the one on which, during the wee hours of the morning, the clocks go back one hour, marking the end of Daylight Saving Time in many countries, but not all. Folks in many parts of North America will have to wait another week for their "extra" hour. 

For everything you ever wanted to know about Daylight Saving Time, including where and when it happens in every country of the world, check out this page. And if you are one of the many people who will be holding international conference calls and Zoom meetings next week, check out this cool page for coordinating the timing of events across time zones

But what, you may well ask, has time and timing got to do with cybersecurity? 


That would certainly be the answer if you asked my good friend Winn Schwartau "what does time have to do with security ?" (and Winn often speaks like THAT.) Indeed, Winn wrote a whole book about this very question; it's called Time Based Security (1999). And while you can still buy a copy on Amazon, it is also available from Winn as a PDF (a gesture that other noted security "mavens" have made with their earlier works, as you can see from the upper right of the web page you are reading now).

You can think of time-based security like this: the longer it takes a burglar to break into your house, the greater the chances that:

  • the burglar will give up and move on to another house
  • the burglar will spotted by a neighbor or security camera
  • your stuff will not be stolen

Time also matters if you hear someone trying to break into your house and call the police. The less time they take to respond, the greater the chances the burglar will be apprehended. So, if you substitute network and cybercriminal for burglar and house you can see that Time Based Security makes a lot of sense, even before you dig deeper, which Winn does in the book.

The goal is to give cybersecurity professionals: "a process methodology by which a security practitioner can quantifiably test and measure the effectiveness of security in enterprise and inter-enterprise environments." The book also lays out: "a quantifiable framework so that the security professional and management can make informed decisions as to where to smartly invest their security budget dollars."

But what if you're not a security professional or IT manager? Why is time an important factor in cybersecurity awareness for the general populace, all of whom are now, in one way or another, interacting with computers? 

Let me give you an example: when my mum gets an email that she thinks is a scam she forwards it to me. The one shown here is an attempt to scare recipients into clicking on a link to "update their details," in other words gather information, such as account numbers and passwords. 

The fear factor leverages the fact that every household in England is required to have a TV license (the fees from which fund commercial free television programs from the BBC). However, my mum immediately spotted the false claim that she missed a payment on her TV license, because she doesn't have to pay! (An exemption based on her age.)

When mum sends me something like this, I notify the malware analysts at ESET and they immediately make sure it is blocked by ESET security software. If they have not seen this particular scam email before, they let me know. In the last few years, my mum has supplied ESET with several "first seen" scam messages. Clearly, the speed with which one person—in this case a retired English teacher in her nineties—can identify a cyber threat has the potential to make a difference for millions of other people.

Time for some spam

Remember, Time based Security was published in 1999, clearly ahead of its time, but also at a time when I was seriously distracted by spam, unwanted mass emails that were a particularly serious problem in the late nineties because a) they were not illegal at that time, and b) organizations were struggling to prevent spam traffic overwhelming email systems and networks. As part of my research back then I was collecting spam, purposefully receiving any and all email sent to any address at one of the Internet domains that I owned, even if that address did not exist.

To make a long story short, when some friends and I founded a company to address the spam problem, I used my analysis of that collection of spam to prove that delaying spam delivery would be very painful for spammers. One of those friends, a person with amazing network skills, devised a way for organizations to slow down incoming spam. This led to several patents and the development of a very successful product which was eventually acquired by Symantec, due in part to customer testimonials like this: "Thanks to your product, we were able to reduce the number of email servers from four to one, saving us a ton of money." 

End times

Sadly, I'm running out of blogging time this Sunday, so I need to wrap this up and bring it back around to the beginning (cue theme song from Bron/Broen, the original TV series Bridge, about 1 minute and 26 seconds in). 

I won't go all the way back to the beginning of time, or even the beginning of Daylight Saving Time, the topic with which I began. And I won't get into agents of the apocalypse, which really is a topic that I covered in my recent conference talk: How Hackers Save Humanity - a cautionary tale.

But I do want to go back 15 years to the time when America broke the DST norms, namely 2005. That is the year "George W. Bush Ruined Daylight Saving Time" according this very enjoyable 2010 article. In effect, the president broke the DST norm, putting America out of step with many of the countries with which it does business. 

Apparently, "the rationale for the new daylight savings calendar was that it would reduce energy use by encouraging people to use less electric light," but as the author of the article points out, that was a poorly tested assumption. The result has been the addition of two periods of annoyance and confusion twice a year, with no serious reduction in energy consumption (numerous serious proposals for which were on the table in 2005, but were rejected by Bush and the Republicans).  

As you might know, if you read the article from Day 23, I am a big believer in norms if they are universally agreed and enforced for the common good. For example, it would be great if all humans could embrace a norm like this: "thou shall not access, use, or abuse someone else's device or data without their permission." 

So how about this: the first president of the United States who negotiates a global commitment to establishing and enforcing that norm gets to decide when DST begins and ends?


No comments: