The Mendoza Line...
Anybody who has ever been a fan of baseball is familiar with the Mendoza line. It’s an expression derived from Mario Mendoza, a player who was a strong defensive player, but a very poor hitter. In a five-year stretch from 1975-1979, Mendoza’s batting average was well below .200, which for the non-fans means that Mario got a hit fewer than 20 times out of 100 attempts (or At Bats). The clubhouse joke that established “the Mendoza Line” quickly became part of baseball lexicon, and today any position player’s batting average that falls below .200 in a given season is said to be “below the Mendoza line.”
This line is often thought of as the offensive threshold below which a player's presence on a major league team cannot be justified, regardless of his defensive abilities. The term is often used in other contexts when one is so incompetent in one key skill that other skills cannot compensate for that deficiency.
While succeeding only 20% of the time as a baseball hitter is considered very poor performance, imagine if Mendoza had been a PKI Administrator. Based on a very insightful article written by CSO columnist Roger Grimes, Mendoza would have been a rock star. And why is that? Because his 20% success rate would be 4 times better than the roughly 5% of Public Key Infrastructures that according to Grimes “are set up correctly. Most have multiple errors. Most have critical errors -- which is not so great when PKI is supposed to be the building block of your security strategy.”
Maybe we need to give Mario Mendoza a break, and start defining abject failure as the PKI line.
And poorly set up and badly administered systems aren’t the only issue plaguing PKI. In 2018, a group of scientists from Georgia Tech came up with an ingenious method to hack PKI, by intercepting signals from mobile phones in order to reconstruct private keys.
And in 2019, according to Akamai, attackers have been tampering with TLS signatures at a scale never before seen using a technique called cipher stunting, a TLS tampering methodology that helps malicious bot activity masquerade as live human traffic on the web.
“The TLS fingerprints that Akamai observed before cipher stunting was [first] observed [in Oct 2018] could be counted in the tens of thousands,” the researchers said. “Soon after the initial observation, that count ballooned to millions, and then recently jumped to billions.”
The analysis also worryingly showed that the majority (82 percent) of the malicious traffic (including application attacks, web scraping, credential abuse, etc.) that Akamai witnesses is carried out using [theoretically] secure connections over SSL/TLS [which rely on PKI].
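The fingerprint explosion described above comes from clients reshuffling the same cipher suites on every connection. As an added illustration (not code from the original post or from Akamai), here is a small defender-side check over constructed ClientHello records that flags sources whose cipher-suite ordering keeps changing while the set of suites offered stays identical, which is the randomization signature a stable browser never shows. The log format and the thresholds are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample: one ClientHello per line as "client_ip cipher1,cipher2,..."
# with hex cipher-suite IDs in the order offered. Not real traffic.
SAMPLE_HELLOS = """\
203.0.113.5 c02b,c02f,c02c,c030,cca9,cca8
203.0.113.5 c02b,c02f,c02c,c030,cca9,cca8
203.0.113.5 c02b,c02f,c02c,c030,cca9,cca8
198.51.100.7 c030,cca8,c02b,c02f,cca9,c02c
198.51.100.7 cca9,c02c,c02f,c030,c02b,cca8
198.51.100.7 c02f,c030,cca8,c02b,c02c,cca9
198.51.100.7 c02c,cca8,c030,cca9,c02b,c02f
"""

def parse_hellos(text):
    """Yield (client_ip, tuple_of_cipher_ids) for each non-empty line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ip, ciphers = line.split()
        yield ip, tuple(ciphers.split(","))

def find_cipher_stunting(text, min_hellos=3, min_orderings=3):
    """Return {ip: (distinct_orderings, distinct_sets)} for clients whose
    cipher-suite ORDER varies across hellos while the SET stays fixed.
    Thresholds are assumed values for this example; tune them per fleet."""
    orderings = defaultdict(set)   # ip -> set of ordered tuples seen
    suites = defaultdict(set)      # ip -> set of frozensets (order-insensitive)
    count = defaultdict(int)       # ip -> number of hellos observed
    for ip, ciphers in parse_hellos(text):
        count[ip] += 1
        orderings[ip].add(ciphers)
        suites[ip].add(frozenset(ciphers))
    flagged = {}
    for ip in count:
        if (count[ip] >= min_hellos
                and len(orderings[ip]) >= min_orderings
                and len(suites[ip]) == 1):
            flagged[ip] = (len(orderings[ip]), len(suites[ip]))
    return flagged

if __name__ == "__main__":
    for ip, (orders, sets) in find_cipher_stunting(SAMPLE_HELLOS).items():
        print(f"{ip}: {orders} orderings of {sets} suite set -> possible cipher stunting")
```

A client with a stable fingerprint (the first source) passes; the second source, shuffling the same six suites on each connection, is flagged.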
So, the question I ask myself and that I encourage others to ask is why is our connected world still bent on trying to protect itself from outside threats by using security protocols that are long past their prime?
Now, I fully understand why it’s very difficult to quickly abandon a broken protocol that is widely deployed in embedded infrastructure – it’s akin to the challenges that the incumbent telcos faced when voice over IP emerged as a viable, reliable means of communication. The telcos had to slow the erosion of their legacy networks, while building new revenue streams through new offerings, like mobile and media.
The problem is that there is simply no time to adopt a slow, steady transition to whatever is next. As has been reported in numerous publications, Russians and likely other rogue nations are constantly attacking American (and Allied) critical infrastructure. And there is no doubt in my mind that the entry point is PKI, most likely through clever phishing expeditions (91% of cyberattacks originate with email phishing).
We can’t continue down the same ineffective path – using PKI to protect critical infrastructure (and IoT) and expect different results.