Security, What Security?
There has been a recent spate of high-profile online security breaches in Australia. Private details of millions of individuals were stolen from the watchful eyes of multi-billion dollar companies and possibly sold on the dark web. Like many other people, I, too, have been alarmed and examined this problem from many perspectives. Before any further discussion, in full disclosure, by profession, I am not related to the security industry or have any formal qualification to be a subject matter expert. My motivation is grounded in being a concerned citizen and presenting an alternative view on how Machine learning (ML) and Artificial Intelligence (AI) can prevent future breaches.
Cause and Effect
In this connected world, hardly anything happens in isolation. There is always cause and effect. Instead of dollar figures, let’s focus on the human cost of a security breach.
When we part with our private information to commercial entities or social media sites, no matter how benign, there will always be cause and effect.
Security and World of Vendors
Let’s start this topic with a few idioms and buzzwords that will come in handy later, “ Kicking the can down the road.”, “Let sleeping dogs lie” and “Outsourcing”.
Throughout human history, if there is a need, eventually, there is a supply. The IT security world is not immune to this. Over the last few decades, a hoard of vendors has cropped up, claiming to be the very best in what they do. Not only do they provide software or hardware components that go into the making of a secure system, but they also have various certifications on security guidelines and system deployment.
What all of this means is that companies are more inclined to write a cheque and “outsource” the problem rather than dealing with it internally; I mean, who does not like “kicking the can down the road.”
Don’t get me wrong; this is not a blame game because those who try to do this their way also get ridiculed for not following industry best practices or putting private information at risk.
Finally, let's turn our attention to? “let sleeping dogs lie”. A few years back, I was planning to run a Large ML experiment, and by large, I mean more computing, more memory, multiple servers and, in the end, more dollars. I costed the experiment with our own (well-known) cloud provider and provided an alternative with a lesser-known cloud provider. Needless to say that the lesser-known provider was at least four times cheaper than the first.
Happy that I? finally had a cheaper alternative, my manager decided to explore that option. This was all good until the security team walked in and sensibly alerted us since we accessed the system outside the company's core infrastructure. I was told it just could not happen because that cheaper provider is not industry or vendor certified, and that is it.?
Mind you, the core computing infrastructure provided by both vendors was precisely the same in terms of specs and connectivity. When I probed with the security team why that is the case, the response I received was, “let sleeping dogs lie”. In my experience, security can sometimes be shrouded in the psyche of fear without rational thoughts. That can not only leave us vulnerable but also hamper economic and more creative outcomes.
So with all the vendors, guidelines and certified individuals floating around, why do data and data privacy breaches happen?
The Two Faces of Security.
To paraphrase Edward Snowden, “ you cannot make a system secure for the bad guys and insecure for the good guys.”. Security has always been a zero-sum game. Let's generalise this thought to the procedures of the security industry regarding the equipment they sell and the guidelines they publish.
Every year multiple vendors lead security conferences where all the latest tech and defences are up for display. But here is the thing, when vendors talk about how they can protect your information and secure your network, both security experts and hackers are listening. Let’s face it; if you are going to be in the business of stealing privileged information by default, you have to know the vendor's equipment and security guidelines better than the internal security team does. How else will you get past them?
Is blaming individuals worthwhile?
Over the years, whenever there has been an airline accident, especially where there are fatalities, the first instinct is to look for human error, often from the pilot. It's convenient and gets the significant players off the hook. IT security is no different; blame it on an individual or a few. That way, the rest can sleep easily. I must agree there is some truth to this, simple password, expired password, click on a link, and social engineering, to name a few. According to OAIC, 41% of the breaches are directly attributed to human error, and over 60% are some combination of human and social engineering. Only 4% are attributed to System or vendor fault.
The key takeaway is whether it is the people or the system. This obvious breach was not anticipated by the security experts or vendors despite repeatedly happening. When we turn this into a combinatorial problem search space for possible breaches is not very big.
领英推荐
How can Al and ML help?
No, not the ones floated by the industry or vendors; frankly, when I was doing the research for this article, I came across so many buzzwords related to security AI and ML my head started to spin. When I looked closely, they turned out to be just heuristics.
AI and ML can help in many ways; however, to keep things focused and concise, let's just focus on one thing, “Protect what matters the most.” When hackers break into systems or networks, what gets the maximum bang for the buck is customer private information; in most cases, that is what they are after. The recent two public data breaches in Australia were all about customer data. This is also the form of hacking that grabs news media attention. This kind of data also has a maximum dollar value, as ransom or out on the dark web.
The effects are not limited here; when there are mass break-ins like this, it has severe financial implications for the company involved. The public trust is mostly gone.
NN, I am not just a pretty face.
Often Neural Networks get the most headlines for their ability to generate pretty pictures. What gets less media attention is their ability to discover new things. Here are a few examples.
One thing common in all of the above is that these were all discovered by AI and ML without any human intervention.
This could be the start of something new.
So here is the basic idea. Inspired by the same generative methods, I started designing a? generative NN whose sole purpose was discovering new Hashing algorithms. Once trained, NN could generate over 1000? in a matter of a few weeks; the stability and security of each algorithm were comparable to SHA256. I am confident that given a vast combinatorial space to choose from, we can generate one of each person on the planet.
To be perfectly clear, these algorithms are mostly variations of SHA because this was more a case of a curious experiment rather than a full practical implementation. Only Security experts or Cryptographers can assess the quality of generated hashing or encryption techniques.
The End Game: Some possible solutions
Let's put some icing on this cake. We can further train a NN to predict unique decryption events or per time interval basis and regard anything as an anomaly when predicted decryption events do not match the observed within some tolerance band.
The Only Safe Computer?
The only safe computer is the one whose hard drive has been crushed, CPU fried, disconnected or kept in a vault. Having said that, I mean that there is no such thing as absolute, unbreachable security; I am sure people will find a way to breach even the most secure AI-encrypted systems. It is all about raising the ante. Most people or groups involved in personal data breaches are opportunistic; they always go for the low-hanging fruit. Taking on an AI-driven system like this will be beyond their capability for a considerable future.
What next?
Vendor-provided security is suitable as a baseline. However, companies, especially those with the resources, would have to develop these technologies independently. Time and time, it has been proven that outsourcing security may make good scapegoats; however, they do nothing to solve the ongoing problems. Organisations must invest in research labs to engineer proactive solutions for their unique circumstances and requirements. Resources need to be invested in real solutions rather than in a false sense of security acquired through outsourcing their problems.