The Cybersecurity Cake

Defense in Depth is as synonymous to cybersecurity as frosting is to cake.

So, indulge me. It is your birthday, good on you for making it another year around the sun and to celebrate most folks would normally hope for a cake. If it is my house, you even get to pick what type of cake you want to help celebrate your special day. Now, it is the big day with your family and friends and out comes your celebratory dessert – a sheet cake. Be honest, you are still glad to get a cake (better than a bag of Twizzlers) but a sheet cake?

Yes, you are disappointed because if you are truly honest you were hoping for a layer cake. A robust three-layer cake with candles on top burning bright. Why the three-layer cake? The extra frosting protecting the three layers of stupendously tasty cake in between make all the difference. This is the difference between simply meeting the requirement and exceeding it.

So, if we stretch this overly simplistic analogy to your organization’s cybersecurity approach for your connected devices – a VPN is the sheet cake. A sheet cake should not be the extent of the cybersecurity approach for your employee’s connected devices (Mobile, Tablet, Laptop).

Defense in Depth is a layer cake. You deserve a layer cake. The world demands it for the protection of your privacy and critical data.

Let’s add some layers to your Defense in Depth approach for your connected devices. The VPN is the bottom layer, a Firewall is the middle layer, and a Protocol Break is the top layer. Now wrap it in an easy to configure admin/ user interface for frosting and you have delivered on the promise. You deserve it.

Aegis Secure

To meet this need, Aegis Secure is now making a world class Enhanced Retransmission device (ERD) to give you the top two layers to your Defense in Depth protection for your connected devices. In collaboration with Cog Systems, Aegis Secure is now offering a commercial ERD that gives you those added layers (Firewall & Protocol Break) with a simple device you tether to your connected devices to bring these added security features local to the end user.

You deserve it, you need it, and if you are honest with yourself – you want it.  You want the Enhanced Retransmission Device for your connected devices. Just like you want a layer cake for your big day.

Happy Birthday.

Ping Aegis Secure to get your Layer Cake and realize Defense in Depth for yourself and everyone in your company.

“Your Money or Your Life”

 
The saying, “Your Money or Your Life,” comes from the dreaded Highwaymen who were “as common as crows” between 1650 to 1800 in rural England. Travel was already hazardous due to the absence of decent roads and a lack of general rule of law. No one rode alone without fear of being robbed. In fact, travelers often wrote their wills before hitting the road.

 

Your phone is your life.

Not only when you consider all the time you spend on your phone (about 4.5 hours a day), but all the things that you keep in it. Think about it – 1) how would you call anyone since you have not memorized a number in a decade? 2) add all your banking, health, work, and social information; and then 3) it is now your electronic ID/ primary authenticator among everything else. What would you do if your phone disappeared? Is it the end of your life as you know it?

 

The 21st Century Highwayman.

Bring up ransomware and everyone knows what you are talking about thanks to the 21st Century Highwaymen who are shutting down hospitals, factories, power plants, and banks. Only your imagination limits what they attack next – and your phone is on that list.

 

It Happened, Now What?.

The dreaded ‘YMCA’ Ransomware attack has hit your mobile phone. It locks the phone, and it plays an un-ending loop of ‘YMCA’ by the Village People. Sure, ‘YMCA’ is fine in small doses – but not endlessly. You can make it stop – just pay the Highwayman!! Your ransom? Send $1,500 in Bitcoin to some random account. After all, it’s “your money or your life.”

Hold on, you say. This is not my fault! It is the hardware, an app, or the carrier allowing the bad bits get to me! The Highwaymen are not stupid, and the Highwaymen undertake rolling attacks of the ‘YMCA’ ransomware – hitting random manufacturers in dispersed geographic regions to keep the problem on the user. None of the hardware, app or carrier players are going to pay your ransom, but they will pay dearly in brand damage for failing to even attempt to prevent attacks with tools adoptable today from the folks at Cog Systems. Not to be cynical, but why would you even ask for help from the hardware, app and carrier providers?

No insurance exists for the attack of the ‘YMCA’ ransomware – it is on you. But at least you have a choice: 1) Pay the ransom ($1,500); or 2) Buy a new phone ($1,200) and then reinstall and configure your apps.

“The more things change, the more they stay the same.” Who would have thought that an aphorism by Jean-Baptiste Alphonse Karr from 1850 would still carry so much relevance today? The dreaded Highwayman to the ‘YMCA’ Ransomware attack separated by just 200 years.

The ‘YMCA’ Ransomware attack is coming.

Did you write your will?

Better Living through a Protocol Break

Protocol is the standard set of rules that allow all of us to communicate with each other using the proper procedure for conduct. Not that protocols do not change over time, or that they may be different by culture, but they do establish the norms for a safe and secure method for all of us to get along.

However, if you will allow, let me propose the counter-intuitive argument. Breaking protocol can lead to better living in one area – Ultra-Secure Mobility™.

As we look to how data is transmitted over a network, of course, it is governed by Protocol. This Protocol is a set of communication agreements, which ensure that as long as both sides of a communication channel adhere to it, the data gets delivered correctly. This protocol does two primary things: 1) that the data gets routed in the right direction; and 2) that it is chopped into parts where needed and reassembled again where possible. These protocols can also govern some other very complicated things like compression, tunneling, load balancing, authentication, caching, spooling, and all kinds of things to make the communication go smoothly.

However, these Protocols only work under the condition that both sides are cooperative. Security attackers leverage this ‘trust’ by not being cooperative for the express purpose of working to find an attack vector.

There is an answer. Introduce a Protocol Break.

A protocol break consists of two components that sit between the sender (upstream) and the receiver(downstream) of a message. The first component is a “catcher”, which, while adhering to the protocol, strips all traffic control data from the data it receives, and keeps only the payload data. The second component is a “thrower”. The thrower does the opposite: it takes bare payload data and sends the payload to another system by means of a chosen new protocol. To do this successfully, the thrower does all the complicated things that are necessary to adhere to this new Protocol specification.

For example, in a “protecting secrets” scenario it can generally be assumed that the attacker has access to the upstream network. From the upstream network, the attacker could attack the downstream network by abusing a design flaw in one of the systems on the downstream network. Though the attack may still cause harm in terms of availability on the downstream network, the Protocol Break effectively cuts out those attack vectors which live in the traffic control data from getting downstream.

In our view, Better Living through a Protocol Break can be achieved for the broader market – especially for IoT or Connected Devices.

At Cog Systems, we build solution that rely on a defense-in-depth resilience that includes an architecture that is layered, isolated, and modular, with commercial off-the-shelf hardware and software.

Ultra-Secure Mobility™: The Three Planks

The Ultra-Secure Mobility™ product has been a market need forever in demand by discerning customers that require a scalable, user friendly, and affordable product. At Cog Systems, the standard by which we measure success in this category of Ultra-Secure Mobility™ rests on three planks that fulfill a combination of the following: 1) high assurance, certified security; 2) end-user defined privacy; and 3) a top-notch user experience. Bonus points if it can be delivered on a commercial device that allows for both the obfuscation of the capabilities embedded and at a reasonable price point.

Some past and present build attempts to address this need for an Ultra-Secure Mobility™ product resulted in bespoke devices that rely on security through obscurity, using proprietary hardware and software components from the handset manufacturer. These attempts often lead to transparency issues related to chain of trust, dubious privacy, and almost certainly a clunky user experience. Even in the mass market, where mainstream device manufactures deliver on the user experience by leveraging the Android ecosystem, they often do not support the latest versions of Android or security patches and certainly do not even acknowledge privacy as a basic tenant of their delivery. Whether through bespoke or mainstream devices, the market is left wanting for a true Ultra-Secure Mobility™ solution.

It is our view at Cog Systems, that customers should not have to rely on point solutions that deliver security through obscurity or privacy through open inspection, however, but rather on a defense-in-depth resilience that includes an architecture that is layered, isolated, and modular, with hardened commercial off-the-shelf hardware and software.

Cog Systems is developing a commercial, Ultra-Secure Mobility™ product by building on a foundational approach that leverages type-1 virtualization using formal methods resulting in never-before-seen security, privacy, and a superb user experience – all maintained with three years of guaranteed security patches and android updates.

At Cog, we do not, and will not, compromise in our effort to deliver on the full premise of the ultra-secure mobility promise. It is our view that our approach is the most robust and cost-effective method of delivering the long-awaited solution to the Ultra-Secure Mobility™ segment.

Defence in Depth: How Many Layers is your Cake?

The mobile world today is largely divided into two worlds:  Apple and Android.  While their approach to many things may be different, they do share a common approach to security — think layer cake.  Yes, the one thing that seems to matter most in making a great cake is layers.   Just like your security posture.  Layers add depth, and the more the better.

Three Layer Cake

For Apple, the iPhone has (at least) three layers:  1) Applications; 2) iOS kernel; and 3) an added security chip.  The security chip is unique to Apple, which is a very good thing. However, don’t be misled as it only performs one core function.  The security chip is used for isolating the encryption keys and the use of those keys from the other layers.  The code in the security chip is small, which makes it easy to analyse, thereby validating its integrity.  Thinking in terms of layers, there is the iOS kernel, which focuses on isolating the application leveraging standard approaches to security at this layer.

When you look at Android’s approach, the end point devices don’t historically have a fixed security architecture.  This enables diversity and innovation that allow the chipset vendors do many different things.  However, on a typical ARM-based Android device you will find three security layers:  1) Applications; 2) Linux Kernel; and 3) TrustZone.  The first two layers are very similar to Apple’s approach at a conceptual level.  However, TrustZone is very different to the added Apple security chip.

TrustZone itself can be considered an Operating System (OS) of sorts along with its own inherent internal security separation.  This internal security separation is commonly referred to as a Trusted Execution Environment (TEE), or sometimes as a Secure Payload (SP), and even as Trusted Apps (TA).  TrustZone is where most Android devices keep their encryption keys (i.e. the crown jewels), and it implements the same key use functions that the Apple security chip does.

The huge difference between Apple and Android is the very different security profile of this configuration by Android.  TrustZone shares the same CPU with the Android OS, which leaves it vulnerable to side-channel attacks (i.e. Spectre, DDR Rowhammer, etc.)  TrustZone also has a much larger attack surface than a dedicated security chip.  To add to the risk for TrustZone is that third-party software (TAs) can be loaded and then leveraged to present an even larger attack surface.  Though the TA is supposed to be isolated from the TEE, this new larger attack surface, if compromised, can give the attacker new avenues to attack the TEE and its critical encryption key handling software.  Though, it is not my intent to provide a path forward for malevolent behaviour, there is precedent for successful attacks that lead to the extraction of the encryption keys from TrustZone.

Google has not stood idle. They have updated their security APIs to *require* the keys to be separated from the Kernel (i.e. using TrustZone or elsewhere), but it still only puts the onus for security on Android devices on TrustZone, which does have its issues as stated earlier.

Four Layer Cake

Qualcomm has recognized the danger, and now offers a similar security chip, the Secure Processing Unit (SPU), for the latest devices that performs the same functions as Apple’s security chip.  This does not mean that Android has achieved parity with Apple, but if you are using a Qualcomm-based Android device you now have four layers (apps, kernel, TZ, security chip) of security – which stands up as a much better security posture.

Five Layer Cake

Today, Cog’s security and virtualization APIs are available in select QualComm Snapdragon mobile platforms, including the recently launched Snapdragon 855. This will enable connected devices, such as Android phones and IoT devices, to access Cog’s virtualization based modular security technology, known as D4 Secure.

Given the above, Cog’s value-add vis a vis virtualization is a bit more nuanced, but very much relevant.

  • Firstly, TrustZone is not a friendly place to write apps. TA’s have many restrictions and can’t operate as applications in the usual sense – like an Application on the OS.
  • Second, virtualization solves this, as it provides the ability to add additional virtual machines that can be enabled to run anything from small to very large applications, and even whole operating systems. All of which are running in their own little worlds provided by the hypervisor.
  • Third, many of the things that are being put into TrustZone today would be better suited to run in a virtual machine. Virtualization provides a richer and more flexible environment that makes it much simpler to develop isolated components by putting them into virtual machines, where those components would have far fewer restrictions and greater capability.  Plus, the risk of a hacked component has much less impact on the security within the rest of the system.
  • Fourth, there are other benefits of virtualization, such as the ability to have more oversight on what’s going within each virtual machine and potentially detecting issues in the other virtual machines. A new capability is opened for applications that currently reside in Android due to lack of access to, or the unsuitability of the TrustZone environment, to be run within a VM.
  • Fifth, the Cog on Qualcomm solution offers five full layers of security that will just work right out of the box.

 

Let Them Eat Cake

In summary, if you want to make an even bigger leap to your defence in depth – adding virtualization is akin to adding another layer to your protection profile.  Virtualization offers greater flexibility, improved security, better architecture for secure application development, and new opportunities to move software that currently run (due to no viable alternative) as Apps on the Android system into their own isolated virtual machines.  There’s no reason to be satisfied with just three layers – Cog can help you get greater depth in your defence, regardless of your OS of choice.