The title of this blog post is what many of us techie folks dream of – free rein to build your own home network! It might seem like a pretty geeky dream (ok, it is a pretty geeky dream), but the reality is that we’re increasingly dependent on our home networks these days because of the amount of stuff we connect to them. That little consumer-grade combination modem and wireless access point your ISP gave you or the one you bought from the local PC store is going to struggle to provide fast, reliable connectivity across the house to all your devices; that very architecture predates smart phones, connected TVs and the (frankly ridiculous) array of IoT things we have spread all over the place. Think about it – one access point plugged into the most convenient location for the phone or cable line is precisely what we did 15 years ago and that just doesn’t cut it today.
Last year, I’d finally had enough of my own dodgy wifi and decided to fix it with Ubiquiti gear (that’s required reading before this post too, I’m going to refer to a lot of concepts already explained there). I went out and bought all the bits to extend wifi to every corner of the house and actually make it all reliable! I was fortunate enough that the house we’re in already had ethernet wired throughout (albeit the slower Cat5e kind) and ports in every room so I bought a 5 pack of their UAP‑AC‑PRO access points and did this:
The results in terms of network behaviour were awesome: no more dead spots, no more dodgy speed, no more degradation of signal quality requiring a reboot, just rock-solid performance in a way that frankly, I’ve never needed to really even think about. The only downside to this whole model is the 5 dish-like access points sitting in view. I could mount them permanently in less obtrusive positions (they’re presently just sitting next to ethernet jacks), but we’re looking at a combination of wiring still to be done and semi-permanent decisions to be made about where holes get drilled. Oh – the other downside is what the cupboard in my garage looks like. I’m going to show you a picture and I don’t want you to flip out, ok? Alright, brace yourself:
Now I’m sure there are many of you in a similar mess when it comes to cables under the desk or behind the TV or even with your own network setup, but I’m not real proud of this. Unfortunately, some design decisions made by whoever installed this when the house was built weren’t real good:
- The switch and patch board aren’t mounted in a standard 19-inch server rack
- There’s no space to mount other peripherals such as the Netgear Arlo base station
- There are only 2 power points nearby, hence the power board
- The switch embedded in the wall is only 10/100 and not gigabit, hence the 8 port Ubiquiti switch
So whilst the mechanics of my network are functioning beautifully, it’s not exactly how I’d do things if I was designing everything from ground up and that left me… wanting. Fortunately, I found a channel through which to vent my wanna-be-network-engineer inner self courtesy of my brother and his wife buying a new house. Actually, it was better than a new house because it was an old house they were renovating which meant a significant amount of internal work and plenty of scope to design a network properly. This is a place they’ll probably be in for decades too so they wanted things done right.
Scott and Cathy are a pretty good example of a modern family with increasing connectivity needs. Scott runs the country’s third-largest personal training business and Cathy is an Apple Distinguished Educator who does many similar things to me in terms of travel, speaking etc. They both work from home a lot, they both have multiple devices and they’ve got 2 young kids who are both increasingly demanding on the existing network connected devices (by which I primarily mean Netflix!) and of course will have their own multitude of connected devices before you know it.
The first design network decision was easy – in-wall access points:
This is Ubiquiti’s UAP‑IW and it’s literally a wireless access point inside an ethernet outlet. What’s awesome about this is that you’re going to be putting these face plates in rooms you want ethernet run to anyway, and doing it like this also satisfies the requirement for wifi so you don’t need separate wall jacks and access points. What’s less awesome though is that they don’t do 5 GHz and they don’t do 802.11ac either so in other words, regardless of how cool they are, they’re yesterday’s wifi technology.
But there’s a new one, and that’s the UAP-AC-IW:
Physically, this is slightly different to the previous generation in that the jacks are at the bottom of the unit so the cables go straight down rather than directly out into the room like most ethernet outlets. It looks like this underneath:
But more importantly, it can talk 5 GHz and 802.11ac so in other words, it’s a modern-day spec wifi access point. It’s not quite as fast and doesn’t have as long a range as the UAP-AC-PRO devices I put in my home, but it doesn’t need to either when the scope of coverage is predominantly the room it’s mounted in.
This was the perfect solution for wifi, the only problem was… they hadn’t been released. There was a lot of pre-release info around but they hadn’t quite hit the market and Scott and Cathy were about to start making construction commitments that required devices we could wire in. I reached out to Ubiquiti and it turned out the delay was due to quality controls having not yet been fully met. Functionally they were perfect, but they weren’t yet 100% happy with the fitment of the covers. But if I wasn’t the fussy type, how many did I need and would I like them to send me over a box of near perfect ones for free? 7, and yes please 🙂
So that’s my disclosure bit, I got my hands on the APs courtesy of a manufacturing shortcoming that frankly, I can’t see. They look perfect to me and besides, they were going to be mounted and rarely touched anyway. With that sorted, the workers could start knocking holes in the right places and running Cat6 cabling:
The benefits of Cat6 over 5e include speeds of up to 10 Gbps rather than only 1 and an improved signal to noise ratio. Cost isn’t much more and you’re basically making a lifetime decision on cable quality here so 6 was a no brainer. Consequently, we ended up with a bunch of cabling run to one corner of the house:
The wrong corner. Ultimately, all these cables needed to terminate at a patch board. That would sit alongside a switch. Ideally in a cabinet. In which we’d place other peripherals too. The electrician (in all his YOLO wisdom) had decided that placing all this stuff in the home office made sense. It didn’t and the main reason for that is that this is stuff you rarely touch once it’s set up. It’s also stuff that may have audible fans too and by the time it’s all put in a server cabinet (which I’ll get to soon), it’s going to take up a bit of space. Particularly because this was an older house with 1980s views on room sizes, space was important and it made absolutely no sense to unnecessarily chew up valuable bits of it in a location where it was at a premium.
I’d always wanted it out of the way in the garage or an otherwise non-premium location, preferably mounted up out of the way of everything else. Consequently, there was some arguing with the sparky followed by feet-stamping on his part and eventually acknowledgement that he ran the cables to the wrong bloody place counter to instructions. So we got our way and it was re-run appropriately, but there’s certainly a moral to the story here about not letting tradesmen make decisions like this and watching them like a hawk.
With that now under control, there were a bunch of other bits to order. I’m going to list everything here in one go because it will make it easy for others to replicate should they want to do the same build:
- UAP-AC-IW in wall access points with ethernet jacks
- 24 port Cat6 patch panel
- US-24-250W 24 port gigabit switch
- USG security gateway
- UC-CK Cloud Key
- 6RU wall mount server rack
- Pack of 10 x 25cm Cat6 patch cables
Let me explain the mechanics of these parts here for those who may not be familiar with all of this (that included Scott and Cathy too so there was a bit of education throughout this) and we’ll start with the patch panel:
This is simply the other end of the cables that connect to each of those in-wall access points. It’s a dumb unit in that it’s not powered and it doesn’t provide any form of communication, it’s simply a row of female jacks. We didn’t need 24 of them, but by the time you buy a unit that can mount in a rack it’s that wide anyway, plus it was only a $95 purchase. (Also, all prices are Aussie dollars; multiply by about 75% for USD, 71% for EUR and 60% for GBP.)
Next up is the switch which is both the most essential and most expensive component of the whole setup:
This is a US-24-250W and as the name suggests, there’s 24 ports that’ll enable everything to be networked up together. It’s a “power over ethernet” switch (PoE) which means that each of those ports can send power down over the Cat6 so devices like the in-wall jobs don’t need a local power socket. The relationship to the patch panel above is simply that after each room is hard wired into the panel, it’s “patched” into the switch so you end up with a bunch of short cables from one to the other (I’ll show what that ultimately looks like a little later on). Strictly speaking, we didn’t need 24 ports and could have gotten away with 16, but even in the immediate term we were going to use 10 of them and I could conceive of future requirements getting us close to the 16 limit on the next model down. Besides, we’re talking a difference of $175 (tax deductible dollars) which was easily justified.
I won’t go into the purpose of the USG Security Gateway and Cloud Key here as I discussed them in detail in the previous post. Suffice to say that the former performs routing and firewall tasks whilst the latter contains the management software to configure the entire thing. You want both and cost wise they’re a small part of the overall spend.
To tie everything in neatly together, we ended up getting a pretty generic 6RU cabinet from Data World for $150:
I was undecided as to whether we should go that direction or a similar offering for nearly twice the price as I frankly wasn’t sure about the quality. But having now seen it, it’s absolutely fine. I can see where extra money could go (such as the quality of the hinges which make the door sag a little), but there’s certainly no regrets. We went for a 6RU (rack units, or how many standard height rack items it can fit) rather than 4 because we need 1 for the patch panel, 1 for the switch and then plenty of room to sit other devices such as the modem and other networking bits. Here’s what it looked like once it arrived:
And whilst sitting out by the pool opening goodies, here’s how the patch panel came out:
It’s hard building a network in a construction zone whilst trying to keep the dust out so I assembled the cabinet and patch panel outside then moved in with the box of Ubiquiti goodies:
You’ll also see there’s a UAP‑AC‑HD sitting on top. Ubiquiti recently sent me over a few of these to try and they’re the big brother to the UAP‑AC‑PRO devices I have in my own home (that’s also the only other disclosure here – everything else was paid for by Scott and Cathy). They’ll support 500+ users which oughta do it! But it also gave us an easy way of getting everything set up in the one place given the in-wall units were spread around the house and the patch panel wasn’t yet wired.
Before starting to add hefty bits to the cabinet, we did a quick placement test:
This is such a good spot for it – it’s up out of the way in the room that’ll be used as a gym so a bit of fan noise is ok and it fits just perfectly in that gap. It could go high whilst being easily accessible with a stool yet still have sufficient room for airflow above and provide plenty of room underneath for shelving. And everything that needed to go in that unit could easily fit, so that’s what I did next:
About here, I started getting a bit jealous because this is looking very nice! The shelf in the rack is perfect for resting the Cloud Key on and we’ve got the NBN modem (Australia’s new National Broadband Network) sitting bottom left, Optus’ access point in the middle (they’re the ISP and the device apparently also provides phone connectivity) and the security gateway on the right. The UAP‑AC‑HD access point is sitting out of sight and wired into the bottom right port of the switch. And that’s how I left it, waiting for the cabinet to be mounted on the wall (it comes with the required brackets), the mass of cables you see in the background to be patched in and power outlets to be installed on the wall behind it and routed into the cabinet. I left all the patch leads in place to make it crystal clear which ports I’d like wired in to keep everything neat:
I mentioned the electrician was a bit unreliable, right? A week later things still weren’t patched but the cabinet had been mounted so I headed back over to take a look. I realised that all the Cat6 cables actually had RJ45s installed on them anyway (which is pointless when they should be wired into the patch panel) so whilst it wasn’t going to be pretty, I could wire the whole thing in and then set up the in-wall units. Here’s how it now looked:
Then it was just a matter of adopting each of the access points. This is ridiculously simple: plug it in, go to the list of devices in the management interface served by the Cloud Key and click “adopt” next to each one. Same for upgrades because there was new firmware available so a quick update on those and everything was connected:
Because they all inherit the existing wifi settings I configured for use with the UAP‑AC‑HD, as soon as the adopted clients around the house begin connecting, it makes for a very pretty picture:
You’ll see these are all named in a friendly way: there’s a “locate” feature on each access point which causes the light on it to flash when triggered by the management interface so we figured out which was which then put a logical name on it (APs in the kids’ rooms have their names obfuscated for their privacy). We also named each client on the network which is why you see things like “Troy’s Lenovo P50”. This is great for troubleshooting, identifying which client is sucking down the most data or simply stalking who’s coming and going (it’s all logged). It also means you can make really cool maps like this:
This is the original 1983 floor plan loaded into Ubiquiti’s management interface, then each access point is dropped in place. When you load in a map, you can drag a line between two points then tell it how long that distance is so that the range of each AP can be plotted appropriately. The access point we named “Waterside” (every time I see this I can’t help but think they really need a water slide…) is the UAP‑AC‑HD so it has a greater range than the in-wall units. (This unit isn’t yet mounted in the indicated location, we’re still waiting on the electrician to run another Cat6 line.) Based on this diagram, signal strength is weakest around the deck area in the first picture but this is also plotted against the 5 GHz signal which, whilst faster, has less range. Here’s the same map with the 2.4 GHz band instead:
Devices can switch between either band so the bottom line here is that there’s more than enough coverage everywhere. Of course there are many other variables such as the walls and floors the devices need to pass through, their construction, other radio interference and so on, but this gives you a pretty good idea of things.
Finally, let me show you what the in-wall access points look like fitted in the painted house because I suspect that’s what will really get a lot of people thinking differently about their home network. Here’s a good sample set:
I think that’s a sensational outcome! Each unit is really well integrated with the room and blends in well with the existing power outlets, not to mention the colour scheme. They’re slim enough and stylish enough that unlike the UAP‑AC‑PRO units I have scattered around my house, they actually feel like a part of the place. For the folks concerned that their non-tech-significant-other isn’t real keen on the larger units like I have messing up the room’s aesthetics, this absolutely nails it on the design front.
There was only one issue I ran into during the entire build and it was when I went back to set up the in-wall units after the cabinet had been mounted on the wall. I’d set everything up perfectly earlier on – it was glorious – but when I came back, the management interface was dead. The power had been pulled during installation (who knows how many times) and long story short, the Cloud Key wouldn’t boot and I couldn’t access the admin interface. I struggled with it for probably 20 minutes then decided to cut my losses and factory reset it with an expectation of having to spend another 20 minutes setting it all up again. But as soon as it booted, I was presented with the following:
I’d enabled automatic backups to the local micro SD card in the Cloud Key so once a day, the entire configuration was saved. When the device booted after factory reset, it allowed me to simply grab the latest backup and it was job done. That’s pretty cool.
I’ll finish this post where I started the first one I wrote about Ubiquiti:
I’m increasingly of the view that both my time and my sanity are worth more and more as the years progress
A new (or renovated) house is like a blank canvas when it comes to designing a network that helps you keep your sanity. We’re increasingly dependent on connectivity for work and play alike, be that via PCs, mobile devices or the IoT stuff we could barely conceive of even a few short years ago. If you’re in the same boat as Scott and Cathy, take the time to design a home network upfront and get it done right. It’s too early to give a full review of what it’s all like to use day by day but based on everything above I reckon it’s a pretty fair assumption to say that they’ll never even think about it, which is exactly how a home network should work!
The cybersecurity industry can be made stronger if we attract more women and non-males. I’ve had the pleasure of interviewing some in my series. I spoke to Dr. Jessica Barker, who advises organizations on information security and maintains a blog at Cyber.uk. Then I spoke to Emily Crose, a network threat hunter.
Most recently, I had the opportunity to speak with Lesley Carhart. She leads a team in security incident response. She also writes an engaging cybersecurity blog, tisiphone.net.
Kim Crawley: Your infosec focus is largely in digital forensics, and you have an impressive academic background that’s directly related to our field. How did you get into cybersecurity in the first place? How long were you interested before you went to college?
Lesley Carhart: Very early on! I grew up on a midwest farm. While that meant a lot of hard work and time outside, it also meant early access to a computer when my father bought one to manage inventory and accounting. He is definitely an old school hacker, and we learned how to use MS-DOS together when I was 7 or 8. We both picked up scripting and BASIC, and it quickly became a contest between him building hardware and software controls to restrict my use and me evading the controls.
By the time I was 15, I had been coding regularly for seven years or so, and the early dot com era was beginning to boom. Through connections, I was quickly picked up by a local firm as a SQL developer and did that through high school. That gave me a great segue to the burgeoning Chicago hacking community and introduced me to other fields of IT and tech.
Of course, the dot com boom didn’t last forever. When the job market dried up after graduation, I enlisted in the Air Force, cheerfully requesting any job that got me hands on with electronics. I kept up my interest in hacking and digital forensics and read everything I could.
KC: I’m happy to hear that you got into coding as a little girl. Now, I notice that you also work for Circle City Con. My friend Cheryl Biswas is going to speak there this year. She’ll be interviewed in this series, as well. How did you get involved with Circle City Con in the first place?
LC: The Chicago infosec community is heavily involved in Circle City Con, simply due to numbers and location.
KC: So you were just chatting with fellow Chicago infosec people and someone offered you the role?
LC: We have a very active and tight-knit group of people here in the BurbSec meetups. There’s an infosec hangout almost every Thursday in the Chicagoland area. I’m very heavily involved in that organization, and many of the primary Circle City Con organizers are, too. It was a logical move.
KC: That reminds me of TASK here in the Toronto area. Let me ask you: what are some challenges you’ve had as a woman in cybersecurity?
LC: My entire life has been a series of male-dominated industries, hobbies, and coursework. By the time I was working professionally in infosec, I was thoroughly used to dealing with this.
All human beings are fundamentally biased in different ways – some are just more self-aware than others – so of course I’ve had to deal with some sexism. It’s frustrating when I’m questioned on fundamental IT skills before somebody trusts my advice as a subject matter expert. It’s irritating when I go to conferences and people ask me if my boyfriend brought me along. The trick is recognizing that prejudices exist and building the self-confidence to not let them faze you.
We’re taught in our society to defer and apologize to others. We have to be able to break out of those conventions. Politely telling people they’re incorrect and backing that up with reasoning and evidence is a crucial skill learned over time. At the same time, we have to try to consciously avoid gendering activities ourselves. Just be a human and be good at what you love.
KC: I’m dismayed to see far fewer girls and women pursue IT and computer science. Hopefully, articles like this one and your blog can help a little in showing people that women play a very important role in our industry. How do you feel that women uniquely benefit the cybersecurity field?
LC: Being a good computer hacker relies on a broad range of experience and cross-discipline skills. Being good at detecting and preventing hacking does, as well. The more backgrounds, hobbies, previous careers, and methodologies we can bring into our field, the better we will be at responding to complex problems in an innovative way. The homogeneity of our industry, coupled with the absurd stereotype of a hacker in our culture, can only harm us as cybersecurity impacts broader and broader society.
KC: What do you think will be the biggest problems in information security in the next several years? IoT is making me very nervous.
LC: Ransomware will continue to get more diabolical. We’re already seeing local file encryption turn to public (s)extortion, and there are plenty more malevolent things malware authors can do to make people’s lives miserable in the age of IoT.
As for IoT, the problems will likely continue (and get worse) until legislation requires security standards in internet-connected devices. We’re caught between a population wanting the latest gadget, sellers driving down prices to meet buyer demands, and manufacturers cutting security corners to reduce cost. I don’t see much chance of any of those factors changing independently.
Finally, I predict that we will soon reach a breaking point in internet infrastructure attacks where fundamental problems that have been ignored for decades and lack of redundancy result in expensive enough catastrophes that solutions have to be implemented.
KC: I’m not optimistic about cybersecurity legislation in the United States considering Rudy Giuliani’s appointment! Is there anything else that you’d like my readers to know?
LC: If you want to be a hacker, don’t be afraid of illogical myths. Don’t be afraid of the myth of the hoodie-clad hacker who’s fundamentally “better” than you. Get out there and learn. Don’t be afraid of the myth of the infosec rock star as an untouchable paragon. Skill levels vary, but everybody puts their pants on the same way, and even the old-school hackers are usually pretty approachable. Don’t be afraid of the myth that a CFP rejection means you’re not clever enough. Everybody gets rejection letters, so pick yourself up and keep submitting. Don’t be afraid of the myth that you have to be a drunken raver to be a real hacker. It’s okay not to drink, and it’s okay to go home to your kids. Don’t be afraid of the myth that only 1337 hackers speak at cons. Bring your experience and unique perspective into a research project, work hard, then share it.
KC: Thank you so much for speaking with me. I’ve learned a lot.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related.
By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.
Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto.
She considers her sociological and psychological perspective on infosec to be her trademark. Given the rapid growth of social engineering vulnerabilities, always considering the human element is vital.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
The title of this piece is quite obvious, but it is also an unappreciated fact. Consider for a moment the change we have seen over the last 30 years: access to cyberspace was scarce, often limited to enterprise users such as governments, educational institutions, and the largest corporations, whereas today there are billions of users who treat the Internet as a basic need for living, just like electricity, with access points into this domain continuing to grow.
The entire Internet of Things (IoT) wave may very well clobber us as, even in 2017, we cannot figure out whether there will be 20, 30, or 50 billion devices by 2020. (Don’t believe me? Just do a quick Internet search. Reports published over the last 18 months can’t make up their minds.) And we are not making our lives any easier when 99% of computers are considered vulnerable and attackers are just plain better and faster than defenders’ ability to protect a network.
In brief, technological advancement does not seem to be the problem; we are pretty good at that (like 3D printing an ICBM, for example). Dealing with the technologies we create is the bigger problem. (The thought of your next door neighbor having the capability to “print up” a ballistic missile delivery vehicle should worry you.)
So to better address this problem, we need to ask: how do we use our technology? And perhaps more specifically: how much do we rely on our technology?
Consider this: up until the mid-2000s, we used our “cellular” phones to make calls, maybe send text messages, and little else. (By the way, bonus points if you know the difference between cellular, mobile, and network, and very impressive if you know what “handy” means!) Today, a smartphone allows you to place calls, send multimedia messages, take pictures, watch videos, listen to music, make financial transactions, understand your voice, tell you what your heart rate is, and so much more. Smartphones can even be used to hack networks. (Long gone are the days when you were a cool geek amongst your friends because you knew a few GSM network codes and could do some funny things on your phone.)
It’s important to note that there is something much more valuable than money: our information (remember from the previous piece: network security + information security = data security). And yet a paradox exists: we would rather not give up this valuable currency, but we continue to do so as if we were addicted to some bad fashion. I would suggest to you that a main reason for this is that the general public, and perhaps even so-called “experts”, do not have a uniform level of understanding of “cyber” issues.
This lack of uniform understanding helps explain why human error is still responsible for 95% of cyber incidents and why, for some time now, malicious actors have shifted away from trying to take advantage of system vulnerabilities to trying to take advantage of users. And remember, if you cannot get at your target directly, you can always take a different route, like going through a third party that has trusted access, a tactic we are seeing more often as cyber incidents attributed to business partners are significantly on the rise. (This is largely due to the fact that both individuals and organizations do not know the details of the cyber policies in place at the third party.)
So let’s think about that for a moment: we don’t really know what we’re doing and we know that we have problems, but now you’re telling us that we have to worry about our third party’s problems too?!
Yes.
This comment goes back to the title of this piece: technology changes much faster than humans. For well over 30 years, we have been trying to address our cyber problems through a patchwork of technical solutions, failing to appreciate the legal and social frameworks that have been in place for hundreds of years and that most of the cyber challenges we face are just an extension of some pre-existing conflict already happening in the physical domain.
Furthermore, the mass hysteria over “cybersecurity” now in 2017 requires some context. If one examines the core of the issues we face today, such as networks being inherently vulnerable, they are not all that different from the ones professionals faced in the 1980s, except that many of the past lessons have been ignored and the magnitude and complexity of today’s challenges are that much more overwhelming.
Therefore, while most humans are busy adapting to the Internet by changing our attitudes towards shyness, confidence, knowledge, imagination, and connections to people, or how we consume news, or by feeding new vices such as gambling and social media, malicious actors are having a field day taking advantage of all these psychological changes while still having the added benefit of inherently vulnerable networks on their side. Politely, things are a mess in cyberspace right now.
So what is the solution to this mess? Slowing down operations, taking the time to sift through our networks, and figuring out what is going on is one solution. But I am a realist: we are not going to slow down operations despite all the social talk about “leisure” being needed in life. If anything, I would suggest to you that we are adding more and more to our plates. (Totally unscientific study: ask yourself whether you have more or less leisure time in your life as time passes.)
My solution begins here: take seriously the “people factor” in the cybersecurity equation. I get mortified when I hear people say, “There is no point in training our people because they will just click random links anyways.” NO!!! All that means is that somebody is not taking personnel training seriously. And that comment is absolutely no different from saying, “There is no point in teaching my kid anything because kids will be kids.”
How well would that approach turn out for you? How well does that approach turn out for society?
I am not suggesting that you treat your personnel as children, but I am suggesting you support them through the necessary cyber education, which in turn supports your enterprise (and is probably cheaper in the long term).
The daunting challenge we face is this: technology changes so wickedly fast, but humans do not. We easily accept the benefits of technology but rarely have a clue about the associated consequences, which leads to coping problems when things go wrong (and “wrong” feels like a permanent state right now). Remember, humans are still at the core of most of the decisions that are being made, whether that decision is to click a link or to set a national cybersecurity policy. This simple fact is all the more reason why people need to be informed and educated across the board.
In the next piece, I will take a look at some of the macro-challenges we face, some of which began in 1648.
About the Author: George Platsis has worked in the United States, Canada, Asia, and Europe, as a consultant and an educator and is a current member of the SDI Cyber Team (www.sdicyber.com). For over 15 years, he has worked with the private, public, and non-profit sectors to address their strategic, operational, and training needs in the fields of business development, risk/crisis management, and cultural relations. His current professional efforts focus on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
ARLINGTON, Va. Defense Advanced Research Projects Agency (DARPA) officials launched a new program, System Security Integrated Through Hardware and Firmware (SSITH), that aims to protect against cyber intruders at the hardware architecture and circuit level, rather than relying only on software-based security patches. In a closed-door meeting of government contractors on April 21, the Pentagon scientists showed how the secure computer chips could stop 40 percent of current cyber attacks that are exploited through software.
Nobody’s thought of making the chips secure before.
“This race against ever more clever cyberintruders is never going to end if we keep designing our systems around gullible hardware that can be fooled in countless ways by software. The SSITH program will complement DARPA software security efforts like High-Assurance Cyber Military Systems (HACMS) and the Cyber Grand Challenge (CGC) by taking advantage of new technologies to develop integrated circuits that are inherently impervious to software end-runs,” said SSITH program manager Linton Salmon of the Agency’s Microsystems Technology Office.
America’s DARPA reckons too many vulnerabilities arise from hardware design errors, so it wanted experts and boffins to propose better hardware-level security mechanisms. Intel’s Software Guard Extensions (SGX) is a favourite target for attack boffins crafting proofs-of-concept against the architecture.
The $50 million program is looking initially for research proposals that lay out how the design tools will work and the microchip security architecture they will build. Later phases will involve the building and testing of prototypes and demonstrations that the tools can be scaled for mass production.
SSITH specifically seeks to address the seven classes of hardware vulnerabilities listed in the Common Weakness Enumeration, a crowd-sourced compendium of security issues that is familiar to the information technology security community. In cyberjargon, these classes are permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors, and code injection. Researchers have documented some 2800 software breaches that have taken advantage of one or more of these hardware vulnerabilities, all seven of which are variously present in the integrated microcircuitry of electronic systems around the world.
DARPA says it’s looking for “innovative approaches that enable revolutionary advances in science, devices, or systems.” The strategic challenge for participants in the SSITH program will be to develop new integrated circuit (IC) architectures that lack the current software-accessible points of illicit entry, yet retain the computational functions and high performance the ICs were designed to deliver. They want designers to “limit the permitted hardware to states that are assured to be secure”, without sacrificing performance.
The idea is to break the cycle of fixing vulnerabilities through software updates, even when what’s ultimately being exploited is a security weakness in the hardware.
Another goal of the program is to develop design tools that would become widely available so that hardware-anchored security would eventually become a standard feature of ICs in both Defense Department and commercial electronic systems. The anticipated 39-month program centres on development and demonstration of hardware architectures and techniques to measure the security of new hardware designs, including tradeoffs in things like performance, power efficiency, and circuit area.