The Identity Crisis in Cybersecurity


OPINION

Cybersecurity is an industry still in its infancy. The term is used so liberally that it has become synonymous with "hacking", yet it means much more than that. In its current state, cybersecurity faces an identity crisis: the landscape evolves so fast that defenders struggle to keep up, there is a massive shortage of professionals, security priorities are misaligned between firms and governments, and the approach to the problems is reactive rather than planned.


Given the dynamics of the system and the players involved, it boils down to this: it will always be easier to break than to build and maintain. The versatility of the beast (innovation) is a curse on itself. There is no such thing as a 100% secure system. Any new feature will carry vulnerabilities and unintended consequences. It is a balance, but one heavily tilted toward the attacker.


Cause and Effect

Microsoft Windows is a perfect example of this dynamic. The core technology is strong, yet so many libraries and applications have been built on the platform that it has accumulated one of the largest attack surfaces of any operating system to date. Every new application or feature inevitably expands that attack surface.


Malicious users will always try to manipulate and game the system so that it behaves outside the software's original intent. This is the conflicting issue: technology cannot fix every problem. Even if a system were 99% secure, the human factor is routinely miscalculated in the equation.


Image: Unsplash, Sharon McCutcheon

The 2019 breach of Capital One is a direct result of the human factor inside a system that was secure on paper. Known as one of the biggest financial breaches in history, it exposed data on about 106 million credit card customers and applicants in the US and Canada, including roughly 140,000 Social Security numbers and 80,000 linked bank account numbers. The attacker was a former Amazon Web Services engineer, not a current insider: she got in through a misconfigured web application firewall on Capital One's side, used it to obtain cloud credentials, and then read the customer data out of cloud storage. In a platform that is usually secure by design, the weakness was not in the abstractions but in how the people involved configured and used them.


The Boogeyman

A 0-day is a vulnerability that the vendor does not yet know about and has not patched. Once it is used and noticed it is usually burned, which makes it a one-time ticket to exploitation. They are few and far between, but those who find one can sell it on the gray market for thousands of dollars or more, or responsibly disclose it to the vendor.


The security researchers who find 0-days are those who know a system so intimately that they can find something no one else has found before.


The NSA developed an exploit for Windows called EternalBlue. The hacker group Shadow Brokers leaked it in April 2017, and a month later it powered the WannaCry ransomware attack, one of the biggest ransomware outbreaks in history and among the first to spread as a self-propagating worm. One caveat the story usually leaves out: Microsoft had already patched the underlying SMBv1 flaw (MS17-010) in March 2017, so by the time WannaCry hit it was no longer a 0-day at all; the machines that fell were unpatched or still running SMBv1. Since then, ransomware attacks have proliferated. A full interactive map of all reported ransomware attacks in the US from the last five years can be found here.

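The practical lesson of WannaCry is that the hosts which fell were exposing an SMBv1 stack for which a patch already existed. As an added example, not taken from the original article, the PowerShell below audits a Windows host for that exposure and turns SMBv1 off. It assumes a Windows 8.1 or Windows 10 client (on Server editions the feature step is Uninstall-WindowsFeature FS-SMB1 instead), an elevated session, and the SmbShare and DISM modules that ship with those versions. The KB list is the MS17-010 set from the Microsoft bulletin and is only a hint, because later cumulative updates supersede those KBs, so a missing KB does not by itself prove the host is unpatched.

```powershell
# Added example (not from the original article): audit and remediate the
# SMBv1 exposure that EternalBlue/WannaCry abused.
# Assumes: Windows 8.1 / Windows 10 client, elevated PowerShell session,
# SmbShare and DISM modules available.

# MS17-010 KBs for Win7/2008R2, 8.1/2012R2, 2012, Vista/2008 and Win10 1507/1511/1607.
# Hint only: cumulative updates released later supersede these identifiers.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',   # Server 2012
    'KB4012598',                # Vista / Server 2008 (and the later XP/2003 backport)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Get-Smb1Exposure {
    # Server-side SMBv1 switch (what a remote EternalBlue-style scan would hit).
    $server  = Get-SmbServerConfiguration
    # Optional-feature state; absent or unknown on some builds, so tolerate errors.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    # Any of the MS17-010 KBs installed directly (superseding updates will not show here).
    $hotfix  = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $Ms17010Kbs -contains $_.HotFixID }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OsVersion        = [Environment]::OSVersion.Version.ToString()
        Smb1Enabled      = $server.EnableSMB1Protocol
        Smb1FeatureState = if ($feature) { $feature.State.ToString() } else { 'Unknown' }
        Ms17010KbPresent = [bool]$hotfix
    }
}

function Disable-Smb1 {
    # Turn the protocol off at the SMB server first, then remove the feature so it
    # cannot be re-enabled by a stray configuration change. A reboot finalizes removal.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

$before = Get-Smb1Exposure
$before | Format-List

if ($before.Smb1Enabled) {
    Write-Warning "SMBv1 is enabled on $($before.ComputerName); disabling it."
    Disable-Smb1
    Get-Smb1Exposure | Format-List
}
elseif (-not $before.Ms17010KbPresent) {
    Write-Warning "SMBv1 is off, but no MS17-010 KB is listed; confirm the host carries a newer cumulative update."
}
```

Run it once as an audit and a second time after the reboot to confirm Smb1Enabled reports False and Smb1FeatureState reports Disabled. Disabling SMBv1 is the durable fix; the KB check only tells you whether one of the original March 2017 packages is still visible on the box.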

The Curse of Specialization

This year I had the pleasure of attending two of the biggest hacker conferences the US has to offer: Black Hat USA and DEFCON. It was amazing to meet such great minds and borderline savants on one campus. I realized that many of them specialize in one thing and only one thing.


Image: Black Hat USA 2019

Many of cybersecurity's struggles stem from the fact that these people are intimate with one branch of technology, which they can choose to make better or worse. They may know everything about drones and hardware yet nothing about Windows or Macintosh architecture.


The problem this poses is that the nature of specialization favors the individual more than the industry. Often these people are contracted by agencies but do not hold a full-time position as a security specialist. Another issue is that cybersecurity education is not mandated by government to be taught in schools. This is why there is such a massive shortage of professionals.


In parallel, cybersecurity firms lean toward using software to fix all of our problems; one walk through the vendor hall at Black Hat makes that plain. A software approach is important to have, but many other factors come into play when an attack occurs outside the scope the product covers. Software only secures the baseline, and the attacks that deviate from the baseline are often the ones that cause the most damage.


The Magical Silver Bullet

The silver-bullet solution advertised by firms plagues the booths at Black Hat year after year: a one-stop shop for all your cybersecurity needs, at a six-figure price tag. These tools can bolster security, but small and medium-sized businesses cannot afford them. As long as humans are in the equation, these products will never solve all your security woes, and they tend to favor those who can put up the capital.


The real problem is that firms spend resources and time tackling only the technical aspects of cybersecurity rather than the non-technical dynamics: the human factor, security education, the supply chain, emergency plans, specifications for emerging technologies, and so on. A frightening future awaits if these continue to be neglected.


The Future

We live in one of the most exciting times for technology and innovation. Artificial intelligence will seep into our lives like never before, and devices that were commonly offline will be brought onto the internet. Yet as these technologies are created, there is a curse, a curse of imperfection that will plague them for the rest of their online lives. All the while, the industry struggles with hiring, firms are led by a software-first strategy, and the battle we are fighting was never meant to be won.


How are we to believe that the computers on the road, the computers in our homes and the computers in our minds will ever be secure? It is time to rethink what security truly means for the next decade and the years to come.


Translated from: https://medium.com/lotus-fruit/the-identity-crisis-in-cybersecurity-abe729969e48
