Future directions of research on systems security

FutureSecurityThe computing scenario has changed a lot over the years, provoking an explosion of new technologies, interaction scenarios and. most importantly, a democratization of technology usage. In the fascinating research area of Systems Security the goal has been always to make these systems (the new ones but also the old one) as secure as possible both in a proactive or reactive fashion. In general, we can state that the current technologies have enhanced the user interactions and increase their number of functionalities, providing us a better and easier life.

Each new system that has appeared over the years has been widely studied by both the industry and the academia. New security methods and solutions have appeared to solve the typical Systems Security issues. However, this evolution, although it is completely innegable that has provoked an incredible explosion of new innovations and applications, has also offered attackers a very extensive variety of threats and vulnerabilities to jeopardize users’ security and privacy. Between these threats, there are several of major relevance to the field.

A classic threat is malware or malicious software and it  has usually been used as the main vehicle to perform any kind of malicious actions. Malware is still an important and strong threat, still compromising systems. A specific type of malware or a consequence of it, are botnets. In order to organize the infected computer to attack a third party in a structured fashion, malicious code writers organize their network of infected computers in botnets. In the last years, botnets have evolved to evade detection and to re-organize themselves in the case of some of their members are taken down.

Besides, in the past few years, malware has been specialized to become part of the so-called Advanced Persistent Threats (APTs). There has been an increasing number of attacks aimed to industrial environments, e.g.,  SCADA systems, or countries themselves. This type of attacks used state of the art malware and remained undetected during several weeks after their initial infection. These attacks are usually backed by important human resources and financially financed, and therefore, they represent a major challenge for researchers. In the business and enterprise scenario – and also in domestics – is important to notice the damage caused by insiders since they have access to large amounts of data and even other systems that are restricted from the outside. These insiders have been responsible of large number of data leaks and also financial fraud attacks. In the future, because more and more data is accumulated online, we can predict that typical insider will pose as a crucial agent in complex cyber-attacks.

Regarding Web and Online Services, the proliferation of more web applications with a big variety of user activities such as online gaming or web banking applications have provoked the rise of new vulnerabilities and attack vectors for exploitation.  However, the classic attack vectors such as Software Vulnerabilities are still being exploited by attackers and they will continue to be. Likewise, DoS Attacks will probably continue to be part of the threats security have to face in the future. In the recent years, a high and increasing number of users’ activities are performed online.  These activities are recorded and stored by  various entities. Some of these actions are clearly sensitive e.g., online banking, government and state interactions, etc. and may represent a high importance asset or target for attackers. The possibility for ordinary users to chose whether or not their data to be recorded does not exist. Therefore, their data, even though their sensitiveness, will be stored. There may be potential leaks of these data that may put people in danger.

Online tracking has increased. This technique, despite being highly-desired by online advertisers, is a data breach and the problem is that users are not usually aware of it. New techniques have been created and behavior tracking currently can track what users access, where they they have been, what they have bought, and so on. In a similar vein, spoofing and impersonation attacks have become more used since several transactions can be made without a strong authentication. This impersonation may happen at different levels and may lead to important damage to individuals and organizations. Social engineering is for attackers one of the most and also oldest methods used to acquire information. Since the technology is advancing faster than the users’ understanding of it, attackers will exploit this fact and also the little understood concept of trust relationships in this evolving and changing environment. The wide employment of WiFi, the new popularity of infrastructures using proxies and the current storage capabilities of technology employed by most ISPs, is already changing the classic Passive/Active Eavesdropping attack, used by MitM, easier than ever.

These threats pose as the most important ones in the current computing scenario and may damage users, their organizations and even governments or countries as a whole. These attacks usually damage one or more assets. In particular, the most important assets to be protected have been identified by systems security research community are life, health, environment, privacy (recognized as a human right), freedom (or freedom of speech), identity, anonymity, or money. Even though the aforementioned topics; e.g., attacks, vulnerabilities, assets, include several active research areas, there also exist important horizontal research lines. First of all, and often forgotten, usable security. To be early or even adopted at all, any solution has to be easy. Another possibility is to make it completely transparent. Secondly, authentication and authorization is an important integral to authenticate the user of a communication or transaction.  Finally, another important research direction is to measure security. Without a measurement, security research and security can be defined more as an art rather than a science. Therefore, objective measurements are needed and should be researched.

It is important to note that many attacks highly depend on users’ data in order to convert the information into an attack vector. Besides, attacks to privacy and anonymity itself have become the user to a mere spectator. Indeed, the users create or share data that does not own to them. So, what is the future of research in Systems Security? In our research group, we are focusing on different topics that fall under the classic topics in Systems Security (i.e., Web Security, Network Analysis, Program Analysis, and so on), but focused and directed towards solving three major challenges in a combined fashion:

First, regaining the lost anonymity in online services. To this end, we should invest our efforts towards new anonymization protocols and in making the user control their data (probably with an usable security approach). The emergence of Big Data has made user data more valuable than ever and approaches to control them are becoming important.

Second, generic and cross-platform methods for major inter-domain threats. There are more and more systems and platforms and it has become really difficult to provide generic solutions. However, since APTs and other type of attacks explicitly focus on targeting different platforms, providing this capability will allow to defend us from sophisticated and complex attacks. These methods should be an extension of current Program and Network Analysis Techniques but adapted to become more generic.

Finally, specific new platform securing methods to fight against new threats. Since new systems appear, we, the systems security research community, will still need to focus on finding and publishing their vulnerabilities and their possible solutions to make this systems stronger and securer.
Of course, at a more specific level, these three challenges derive in classical research questions in the topics of Web Security, Network Analysis and Program Analysis, but since this is just a blog post, I’m not going to bore you with the details. However, if you are interested in our research do not hesitate to contact us. Every help or interest is more than welcome!

Igor Santos
Cybersecurity Researcher
Expertise: Systems Security; Project Management