Maybe you have a safe or lockbox at home, somewhere to keep your valuables. But how do you protect your digital data? Passwords have worked well, but the occasional phishing scheme from a Nigerian Prince can still slip through. E-mail filters try to stem the deluge of unwanted messages, but hackers are using sophisticated tactics to easily bypass our increasing levels of text- and e-mail-based verification.
Eventually, computers will be so powerful that passwords will be largely futile. In the past, security firms would anticipate the schemes, while crooks looked for the weakest point of entry. But the locks are piling up and they can’t keep out thieves anymore.
We need another strategy, a cutting-edge methods to predict and preemptively stop attacks. Call it Security 2.0. The strategies to the cat-and-mouse game are undergoing a paradigm shift.
To protect your home, you often need more than locks on the door. Maybe it’s a monitoring service. Maybe it’s a neighborhood watch to keep an eye out for suspicious behavior. Similarly, online security is moving beyond passwords to tracking behavior.
“There is not one magic word or hyperlink anymore,” Mark Risher, Yahoo’s former “Spam Czar” and CEO of online security firm Impermium, told me by phone. “We are shifting to behavioral patterns.”
In the past, developers focused on securing the software — the door — which is no easy task. That often means building multiple barriers to entry and keeping those defenses up-to-date, in a sort of arms race with the latest hacking techniques, Marc Maiffret, wrote in a piece for the New York Times.
In the case of computing, where each software, e-mail and social network represents a potential back door, how do you do secure everything? You can’t.
“Bad guys can write an infinite numbers of ‘get rich quick’ messages and the spam filters of last generation might let it go because it was slightly different, containing ‘Nigerian oil ministry’ rather than ‘Nigerian minister of oil’,” Risher said. “In this modern greed, we see criminals taking direct action that is much more sophisticated, on a larger scale and under the radar.”
Beyond the scope and sprawl of spam, security firms are finding it hard to match the stealth of Spam 2.0. The days of the Nigerian Prince, where scammers tried to lure you to play along, are long gone. Today, criminals use software to impersonate millions of people, hoping that one will infiltrate your life. And once they gain access, they rifle through and steal your most sensitive personal data, often without you even knowing it. They’re gone weeks or months before you even see a sign of the crime — without any broken locks to clue you in.
“Putting extra locks isn’t going to stop the person who already stole your key,” Risher said. “Now, we see criminals are getting creative and finding ways to use social networks.”
Algorithms to the Rescue
In a war where the enemy is constantly shifting gears, a more effective counter-strategy needed — one that monitors behaviors instead of gatekeeping. In the next-generation of security, algorithms, similar to that neighborhood watch, will scan the digital landscape for patterns of suspicious behavior, piecing together profiles of potentially dangerous hackers by identifying their locations, usage patterns and Internet interactions.
Think of it as seeing a suspicious man in a trench coat on a sunny day. Maybe you follow him; perhaps you take notes of where he goes, what he looks at and how he moves. Then, if someone else should come back that goes where he goes, looks at what he looks at, and moves like he moves, you know to be suspicious.
Those bits of data, which are then added to a broad database, can help firms better detect unauthorized behavior and thwart attacks before they become a problem.
“This strategy relies on a fundamental strength of computers,” Risher said: their ability to detect anomalies.
When you look at a field, for example, you often focus on a row of trees. That’s because our brains scan for similarities. But algorithms work differently. “Computers are very good at seeing differences,” Risher added. Instead of analyzing “a bunch of trees,” they measure the differences to separate unique attributes. For example, a computer can note how one tree that’s full of leaves is four and a half meters tall, while another, missing more than 50 percent of its foliage, is just four and a quarter meters.
Security firms harness that inherent ability of computers to record a precise level of detail. Profiling programs, though merely detecting behavior today, are expanding to thinking and acting — a big shift from filters that flagged e-mails with the word “Viagra” in it.
The biggest challenge to that vision is teaching computers how to think, Risher says. By allowing variance and flexibility into software, a “thinking” computer, just like a detective, won’t be 100 percent correct, all the time. But as the stakes get higher, mistakes are something we have to expect “is just going to happen.”
Few sites are as secure as you think. A hacker, for example, took control of the Associated Press’ Twitter account and tweeted about false explosions at the White House that purportedly injured President Obama, triggering a staggering drop that temporarily wiped-out over $130 billion in value from the Standard & Poor’s 500 Index.
“We believe these attacks will continue and that news and media organizations will continue to be high value targets to hackers,” Twitter wrote in an e-mail to media outlets, according to Forbes.
Bloomberg reported the attack was basic — hijacking the account with a stolen password through innocuous-looking e-mails. But that’s the kind of activity behaviorally-attuned algorithms will be able to spot.
By tracking earlier attacks that hacking groups, like the self-styled Syrian Electronic Army — which, according to NBC, was responsible for the AP attack — carry out, software can learn their digital signatures and build behavioral models to flag suspicious activities to set aside for review.
Much is riding on the growing sophistication of programs to protect our online interactions, especially as more people buy goods on Amazon.com, read news on Twitter and share photos on Instagram.
“There is true financial harm to victims as increasing numbers of websites and applications store sensitive data and documents,” Risher added. As our services move to the cloud, the AP attack is a hint of the threats on the horizon.
We’ve long known that the Internet isn’t safe, and we’re just beginning to see how heavily patrolled it will be in the future. ♦