Our predictability is our vulnerability; hackers are unpredictable, and that is their asset. Instead, we need to be less predictable, and deny hackers their unpredictability.
Unpredictability is a more powerful cyber weapon than the array of expensive—and predictable—defenses you now rely on. Unpredictability is not an all-or-nothing solution. It is an every-bit-helps type of solution. So start today. Be less predictable, even by a little bit. It just might just save you from becoming a headline news victim.
There are many ways to inject unpredictability into payment systems. The more sophisticated means include weaving high-quality randomness into your data technology on every level. This will deny your cyber adversaries their winning asset.
Today, by and large, we are sitting ducks. We serve as stationary targets for our enemies to train on. We use standard, mass-produced hardware. We run the very same operating systems. Our network protocol is in the open. We download the very same application programs. In fact, this standardization is the key factor in hackers’ success.
You don’t need a truckload of math to appreciate this simple principle: To hack into a system, you need to know it better than its routine operator. Hackers are studious. Over time, they figure out how to hack it.
If, prior to the attack, just as a matter of security policy, the running protocol changes and the deployed tools are switched, then the hackers are left hanging. The knowledge they gathered is no longer relevant. Think about it. Now, instead of being surprised by the hackers, you surprise them by taking the initiative.
My clients frown when I talk about this. “We are in a cutthroat business,” they say. “Efficiency is a top priority. Streamlining our operation and getting used to a smoothly working protocol is golden. Yet, you tell us to undo what we try so hard to do!”
“No!” I respond. “I don’t ask you to use an inferior protocol, I ask you to use a different protocol, and to switch randomly.”
Here’s an example of this idea. A financial user kept CNN news programs open on his work computer. He got them by clicking on a phishing email. The site accurately displayed the running CNN page, except that one picture each day was stealthily loaded with malware that kept coming. It was a dormant code with an unknown ultimate objective. And then, by chance, the user switched to another news source, cutting off the hacker’s channel.
One simple means is to add an extra control number to validate transactions. This can be done efficiently, and it wreaks havoc on abusive code, since hackers are unaware of the unpredictable add-on. Another simple and helpful trick is to switch the order of two procedural activities that can be done in either sequence.
You may not even be aware that your latest unpredictable protocol change has catapulted a small army of professional hackers in Latvia into a frenzy.
It takes some creativity, but changes can be initiated by anyone on the protocol sequence line.
The principle does have its high-tech side, mainly through effective use of randomness. Quantum-grade randomness is already commercially available. As Einstein, Bohr, and Feynman assured us, quantum randomness is the essence of unpredictability. A new family of ciphers is coming out, based on effective use of randomness, to build up payment technology into a thoroughly unpredictable operation, namely a thoroughly unhackable operation.
The flip side is worth mentioning: If we allow convenience to dictate our policy, if we strive to make security invisible and unburdensome, if we embrace our predictability and just pay more to some security vendors, then we will see the cost of security rising along with the frequency of security breaches.
It’s so simple, yet so hard to swallow. Astute financial executives admit to but ignore the maxim, “Our predictability is our vulnerability.”
“This realization creeps into me,” confessed an experienced chief information officer: The more predictable we are, the more hackable we are. If we introduce random changes, or any changes, we take the initiative.
My clients often say: “The vendor pooh-poohed your advice!”
“Of course,” I retort, “he has a fixed predictable solution to sell you!”
—Gideon Samid • Gideon@BitMint.com