Endpoint Security Quotes

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.

Snowden put it like this in an online Q&A in 2013: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.

By tracing the early history of USCYBERCOM it is possible to understand some of the reasons why the military has focused almost completely on network defense and cyber attack while being unaware of the need to address the vulnerabilities in systems that could be exploited in future conflicts against technologically capable adversaries. It is a problem mirrored in most organizations. The network security staff are separate from the endpoint security staff who manage desktops through patch and vulnerability management tools and ensure that software and anti-virus signatures are up to date. Meanwhile, the development teams that create new applications, web services, and digital business ventures, work completely on their own with little concern for security. The analogous behavior observed in the military is the creation of new weapons systems, ISR platforms, precision targeting, and C2 capabilities without ensuring that they are resistant to the types of attacks that USCYBERCOM and the NSA have been researching and deploying. USCYBERCOM had its genesis in NCW thinking. First the military worked to participate in the information revolution by joining their networks together. Then it recognized the need for protecting those networks, now deemed cyberspace. The concept that a strong defense requires a strong offense, carried over from missile defense and Cold War strategies, led to a focus on network attack and less emphasis on improving resiliency of computing platforms and weapons systems.

Out in the modern world, no matter how much we want to help others, we are distracted from the service mindset by the desire to be financially and emotionally stable and secure. If you’re lost and disconnected, your service will be cumbersome and less fulfilling. But when is the time right? Will it ever be right? Internal exploration has no endpoint. It’s an ongoing practice. Your problems will never be completely solved.

An agent is a combination of data known about the actors in a request. This typically consists of a user (also known as the subject), a device (an asset used by the subject to make the request), and an application (web app, mobile app, API endpoint, etc.). Traditionally, these entities have been authorized separately, but zero trust networks recognize that policy is best captured as a combination of all participants in a request. By authorizing the entire context of a request, the impact of credential theft is greatly mitigated.

Smart endpoints and dumb pipes: Each microservice is developed for a well-defined scope. Once again, the best example is Netflix.42 Netflix started with a single monolithic web application called netflix.war in 2008, and later in 2012, as a solution to address vertical scalability concerns, they moved into a microservices-based approach, where they have hundreds of fine-grained microservices today. The challenge here is how microservices talk to each other. Since the scope of each microservice is small (or micro), to accomplish a given business requirement, microservices have to talk to each other. Each microservice would be a smart endpoint, which exactly knows how to process an incoming request and generate the response.

The idea that the material is safe because it is encrypted is shockingly naïve: it is child's play for a sophisticated adversary to place malware on a computer, remotely and invisibly, which logs every key stroke, and records everything that appears on the screen. Such 'end-point vulnerabilities' render even the heaviest encryption pointless. They can be delivered via a mobile phone or through an internet connection (or by some other subtle and secret means). Snowden knows this. It is possible that someone with his technical skills could keep the stolen data secure on his own computers, at least for a time and if he does not switch them on. But that becomes ever less likely over time.