The Internet is all-encompassing. Between mobile devices and work computers, we live our lives on it -- but our online existence has been tragically compromised by inadequate security. Any determined hacker can eavesdrop on what we say, impersonate us, and perform all manner of malicious activities.
Clearly, Internet security needs to be rethought. Retrofitting security and privacy controls onto a global communications platform is not easy, but few would argue that it's less than absolutely necessary.
Why should that be? Was the Internet built badly? No, but it was designed for a utopian world where you can trust people. When the fledgling Internet was populated by academics and researchers communicating with trusted parties, it didn’t matter that trust relationships weren’t well-implemented or communications weren’t secure by default. Today it matters very much, to the point where data breaches, identity theft, and other compromises have reached crisis levels.
To meet the challenge of an Internet teeming with cyber criminals, we've applied a pastiche of half-measures. It's not working. What we really need are fresh, effective trust and security mechanisms.
Here are several promising security proposals that could make a difference in Internet security. None are holistic solutions, but each could make the Internet a safer place, if they could garner enough support.
1. Get real about traffic routing
The Internet Society, an international nonprofit organization focusing on Internet standards, education, and policy, launched an initiative called MANRS, or Mutually Agreed Norms for Routing Security.
Under MANRS, member network operators -- primarily Internet service providers -- commit to implementing security controls to ensure incorrect router information doesn’t propagate through their networks. The recommendations, based on existing industry best practices, include defining a clear routing policy, enabling source address validation, and deploying antispoofing filters. A "Best Current Operational Practices" document is in the works.
“Every ISP that signs up [for MANRS] reduces the danger in their corner of the Internet,” says Geoff Webb, a senior director of security strategy at Micro Focus.
It’s Networking 101: The data packets have to reach their intended destination, but it also matters what path the packets take. If someone in Canada is trying to access Facebook, his or her traffic shouldn’t have to pass through China before reaching Facebook’s servers. Recently, traffic to IP addresses belonging to the U.S. Marine Corps was temporarily diverted through an ISP in Venezuela. If website traffic isn’t secured with HTTPS, these detours wind up exposing details of user activity to anyone along the unexpected path.
Attackers also hide their originating IP addresses with simple routing tricks. The widely implemented User Datagram Protocol (UDP) is particularly vulnerable to source address spoofing, letting attackers send data packets that appear to originate from another IP address. Distributed denial-of-service (DDoS) and other malicious attacks are hard to trace because the requests carry spoofed source addresses: the responses go to the spoofed address, not to the host that actually sent them.
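The source address validation and anti-spoofing filtering that MANRS asks operators to deploy, and that would stop the spoofed UDP traffic described above at the network edge, can be illustrated with a small ingress filter. The following is an added example, not code from the article or from the MANRS initiative; the interface names, the customer prefixes (taken from the RFC 5737/3849 documentation ranges) and the sample packets are all constructed for the demonstration. The idea is the one behind BCP 38 style filtering: a provider knows which prefixes each customer-facing interface may legitimately source traffic from, so any packet arriving there with a source outside that set cannot be genuine and is dropped before it reaches the wider Internet.

```python
"""
Added example: a minimal source-address-validation (anti-spoofing) ingress
filter applied to constructed sample packets. Not from the article or MANRS.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed mapping: customer-facing interface -> prefixes assigned to
# that customer. Hypothetical interface names and documentation prefixes.
ALLOWED_SOURCES: Dict[str, List] = {
    "cust-a": [ip_network("203.0.113.0/24")],
    "cust-b": [ip_network("198.51.100.0/25"), ip_network("2001:db8:b::/48")],
}

# Address blocks that should never appear as a source on the public
# Internet (unspecified, private, loopback, link-local). Traffic sourced
# from these is spoofed or misconfigured regardless of interface.
BOGONS = [
    ip_network("0.0.0.0/8"),
    ip_network("10.0.0.0/8"),
    ip_network("127.0.0.0/8"),
    ip_network("169.254.0.0/16"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("::1/128"),
    ip_network("fe80::/10"),
]


def validate_source(interface: str, src: str) -> Tuple[bool, str]:
    """Decide whether a packet with source `src` arriving on `interface`
    may be forwarded. Returns (accept, reason)."""
    addr = ip_address(src)
    # Membership tests across IPv4/IPv6 simply return False, so mixed
    # families are safe here.
    if any(addr in net for net in BOGONS):
        return False, "bogon source"
    allowed = ALLOWED_SOURCES.get(interface)
    if allowed is None:
        return False, "unknown interface"
    if any(addr in net for net in allowed):
        return True, "source within assigned prefix"
    return False, "source outside assigned prefix (spoofed)"


def filter_packets(packets):
    """Apply validate_source to (interface, src, dst) tuples.
    Returns (accepted, dropped), each a list of (iface, src, dst, reason)."""
    accepted, dropped = [], []
    for iface, src, dst in packets:
        ok, reason = validate_source(iface, src)
        (accepted if ok else dropped).append((iface, src, dst, reason))
    return accepted, dropped


# Constructed sample traffic; all addresses are from documentation ranges.
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.7", "192.0.2.10"),       # legitimate customer A
    ("cust-a", "198.51.100.9", "192.0.2.10"),      # A claiming B's address space
    ("cust-b", "2001:db8:b::1", "2001:db8:f::1"),  # legitimate customer B (IPv6)
    ("cust-b", "192.168.1.5", "192.0.2.10"),       # private source, never routable
    ("cust-b", "192.0.2.99", "192.0.2.10"),        # source belonging to nobody here
]


if __name__ == "__main__":
    accepted, dropped = filter_packets(SAMPLE_PACKETS)
    for entry in accepted:
        print("FORWARD", entry)
    for entry in dropped:
        print("DROP   ", entry)
```

Run as a script it prints a forward/drop decision and reason for each sample packet. A real deployment would express the same policy as interface ACLs or unicast reverse-path forwarding on the edge routers, but the decision logic is exactly this: the edge device, not the destination, is the only point that can tell whether a packet's claimed source is plausible.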