Here a Hack, There A Hack, Everywhere a Hack-Hack

 

When Did You Stop Caring?

I am befuddled.  If someone broke into your house and stole your wallet, birth certificate, medications, and Social Security card, and then came back and did it again after you replaced them all, again, and again, and again, would it bother you?

Being a good citizen, you would report the theft to the police.  They would do nothing, but they would offer you a card that says you may report it every time it happens for the next year.  Don’t worry, the authorities will still do nothing when it happens again, but they will give you another card.

Me personally, this intrusion would bother me.  I would be genuinely hacked off and would want to see action taken so that it stops.  I am not interested in being a recurring victim.

Yet this happens every day to every one of us.  And no one seems to care.

AT&T, Ticketmaster, Disney, JP Morgan, Dell, Roku, Fujitsu, American Express, the IMF, and Bank of America.  That woefully incomplete list covers only the last four months.  An average of 400k medical records get hacked every day.  The data being stolen is not just your wallet; it is greater than that.  It is the sum total of your life experience (medical, financial, personal, photos, relatives, your DNA).

We can all agree that hackers are clever, and some are exceptionally good at what they do.  But most of these attacks do not require a great degree of sophistication.  These companies could do more to protect our personal data, but they do not, and to be clear, that is a conscious choice driven by profit.

If it cost these companies something, they would do something to protect our data.  However, the sheer volume of hacks has made all of us numb to it.  So the companies do nothing.  Why should they spend money on cyber security when everyone seems to feel that a hack is a victimless crime that no one cares about?

If someone broke into your house every day to steal your wallet, you would turn to the law, demanding security, police protection, and an investigation.  Your home is your sanctuary, and you would not tolerate the repeated violation of your sacred space.  And when the person breaking into your house was caught, you would demand justice.

While I am not advocating for bigger government, I am an advocate of law and order and justice for all.  So let me posit a few ideas on how we might adjust our view on this topic.

  • Care.  If we keep ignoring the problem, then no one will think we have a problem.
  • Law and Order.  The success of American capitalism is built on this simple concept.  Codify, for US companies above a certain size, the protection standards that the NSA already publishes for the rest of the Department of Defense.
  • Justice.  If a company gets hacked, the CEO loses his job with no golden parachute.  Plus, a financial penalty is paid into an insurance fund to recompense victims of identity theft.

It is up to us to demand change in an area where it is easy to start making a difference.  I am tired of people breaking into my ‘house’ and stealing my data.  Are you?

http://www.cog.systems

 

Battleships in Legoland

Security through Software and Hardware Based Modularity

Indulge me while I ruminate a bit on the whimsical world of technology, where modularity reigns supreme as the unsung hero of security.  Think of it as the pile of individual Legos that are assembled to create your digital Fort Knox.  In both software and hardware design, embracing modularity is like putting up layers of defense against cyber threats, creating a fortress of digital resilience that even the most hardened security professionals endorse as the gold standard for securing embedded systems.

Let’s start with software-based modularity, shall we?  Picture your favorite connected device as a puzzle, with each modular component acting as a unique piece that fits snugly into place.  Using your favorite type-1 virtualization tool (seL4, Bedrock, etc.) to compartmentalize functions and data within these modules, developers can create barriers that restrict unauthorized access and confine the impact of a breach to the module where it happens.  One wrinkle to consider: the puzzle still sits on a table (the chipset), which means the bottom layer is outside anything the software can enforce and still has to be taken on trust.

Ships today are built on the construct of hardware-based modularity.  Compartmentalization is a critical design principle when it comes to protecting ships from torpedoes.  By dividing the ship into sections, each structurally independent and well protected, the impact of a torpedo strike can be contained and minimized.  When a torpedo hits, the damage is less likely to spread through the entire vessel, because the bulkheads between modules limit the flooding and structural compromise to specific areas.

Software or Hardware based Modularity – which is right for you?   The answer is easy – yes.  The goal is the creation of a high assurance and resilient connected device.  Better answer – use both.

For the last decade, the focus of the embedded systems industry has been on leveraging software-based virtualization to achieve modularity.  This was primarily an exercise in taking out cost while adding resilience, because the chipsets in your processing devices have long been the long pole in the total BOM cost of a connected device.  However, the increasing commoditization of chipsets is allowing industry to consider swinging back to hardware-based modularity while still achieving cost efficiencies.

What if you built (or were building…grin) a mobile device with three chipsets: one for the radios, one for the encryption, and one for the UX?  Wrap a couple of the chips in Faraday cages, add some anti-tamper, then layer in software-based modularity to create modules within modules and, voilà, modularity squared.

This product would be a game changer: an improvement in SWaP-C (size, weight, power, and cost), the assurance and resilience you demand, packaged in a standard, commercial high-end mobile device.

That is right.  By leveraging both hardware and software-based modularity you can have an ultra-secure, connected device with a commercial look and feel that the market has been demanding for far too long.

Interested?   Call me.

 

 

Moving to your Pot of Gold: Backpacking and Cyber Security

 

As I slogged my way along the North Coast Trail on Vancouver Island, BC, a thought (or many) occurred to me.  Hence this blog post.  The trip was a solo trip: 8 days with no resupply, active wildlife (bears), a ‘primitive’ trail, a very remote part of the world, and a challenge to me both physically and mentally.

The next big cyber-attack is coming, and it will not be trivial.  A state actor, critical infrastructure, broad consumer impact; no one is sure when or how it is coming, and you know it will be a challenge to overcome.

It turns out that backpacking is like managing your company’s cyber security.

Do you have the tools in place to prepare your ‘Defense in Depth’ strategy, both to ensure a safe and secure hike and to drive your business toward risk mitigation using the same common set of principles?

Prepare for the Trip.   

  • Understand the local landscape and determine if there are any specific rules or regulations that you need to be sure to follow for your trail or business vertical.
    • Read blogs, study the terrain to set your pace, and learn the rules for this trail (bear boxes).
    • Look for best practices, study other relevant use cases, and determine what certifications you need to gain to provide assurance for your business.

Pack for Contingency.

  • Weather, accidents, and wildlife happen. The same could be true for your infrastructure depending on your region, HW vendors, or network availability.
    • Pack rain gear, first aid kit, gear repair supplies, short or tall gaiters, and some extra food.
    • Rain, cold, and brownouts may require back-up generators or fuel supplies.

File your Itinerary. 

  • Study the terrain, determine your hiking pace, and establish camping sites.  For companies: learn industry practices, understand likely attacks, and read voraciously to understand your risk profile.
    • Publish your trip plan, share it with family, and then list it on your permit.
    • Establish milestones, set contingency triggers, and educate your employees.

Paper Map.  

  • Sure, it is old fashioned.  But having a hard copy map matters.  As does having written contingency plans available to your employees.
    • Bring a basic map, a topographic map, a waterproof map, a detailed map of each section.
    • That written manual of contingency plans could be the difference if your systems are off-line.

GPS Trail Guide.

  • Many applications are available for mobile devices that can guide your hike. Even airlines are using tablets for kneeboards and contingency manuals.
    • Even with no cellular coverage, your phone can still support a GPS application to help guide your hike safely or to get you back on course should you lose your way.
    • A digital set of manuals guides your employees to maintain course and counter the inevitable threats that will present themselves.

‘Oh Poop’ Device.

  • Backpacking or in business, it happens.  Be prepared.
    • This is why people now carry a Garmin inReach: it has an ‘Oh Poop’ button that is there for you in case the unforeseen happens.
    • Get a Red Team, get a government agency on file, or know who to call when the ‘Oh Poop’ moment of the hack comes for your organization.

As I prepare for every hike, especially as I tend to go solo, the list above is exactly what I do to lessen the risk as much as possible, so that I can ensure a fun and safe trip for me and for all of my loved ones back home wondering when I will get out.  And, in candor, most of the in-depth planning that I execute against today comes from hard-learned lessons on the trail over my many years of backpacking.

It is my view that the same accumulated knowledge applies to planning to mitigate the risk of a cyber attack on your enterprise.  Maybe the question to ask is whether you have six layers of ‘defense in depth’ in your cyber security preparation, as I do when I go backpacking?  Many lessons have also been painfully and publicly learned in the market today that you could apply directly to your own security posture.

However, if you want some help, then call me.  Call Cog Systems.  ‘Being Prepared’ is not a tired motto; it is an essential first step to lessening your risk and helping you enjoy the best part of your business: delivering for your customers.

Thank you.

 

Satisfaction Brought Him Back….

 

As the saying goes, “Curiosity killed the Cat, but Satisfaction Brought him Back…”

Sunset West Coast Trail

For those of you who know me, I have always been curious.  Some call it a thirst for knowledge, though I think it would be more accurate to say I have a craving for new experiences.  Lately, that drive for more experiences has pushed me not just to explore new things or activities, but to add a mental component to those experiences that lets me test the fortitude of my mental strength and endurance.

By way of an example, winning a pickleball game is way more fun for me after I rally from being down by 5 points or more.   The win is mostly moot for me, but that I dug in and won by coming from behind is what gives me the Satisfaction to keep coming back.

The cyber security industry offers a myriad of ideas to help the curious, but in the end none of us in the industry can promise that you will not be compromised (aka dead as a cat).   But, how to get to that elusive place of Satisfaction?

Continue to be curious.  Push harder.  Add the mental component to further enhance your Satisfaction.  Add these extra foundations to your requirements for solving your next problem: not just buying a product, but crafting a product for you and your business.

By way of an example, a customer came to us who did not want to settle for just adding some software to their existing mobile devices, but asked if we could design and build a new mobile device from the ground up in the USA.  The customer was curious.  The customer pushed.  We figured it out.  It was hard.  This is what creates that strong sense of Satisfaction that keeps us coming back for our customers.  The fact that it was a very hard problem to solve even provided that extra mental test that I seem to crave more and more in my life.

So, do you have a hard problem?

Are you curious as to whether the cyber security community can solve that problem?

Then call me.  Call Cog Systems.  Especially as trying to solve that kind of problem seems to be our sweet spot, the one that gives us all the Satisfaction to keep coming back.

Thank you.   http://www.cog.systems