Cybersecurity Best Practice: Guilty Until Proven Innocent

Perhaps guilty until proven innocent isn’t so bad an idea after all.

It’s often been said the “lawlessness” of the Internet is similar to the American “Wild West.” I have always cringed when hearing that, because it’s just too much of a stretch for me, but there’s at least one aspect of it that is worthy of consideration when it comes to securing our data systems. In this case, guilty until proven innocent may actually have some merit after all.

No, I’m not talking about applying this notion to humans. Most of you reading this live in places where the opposite is applied in our court systems: innocent until proven guilty. And, it’s likely we all value that principle very highly for all the right reasons. But that’s not what I’m talking about.

I’m talking about applying the opposite principle to shoring up our information security practices. We already see it applied in some places, such as setting firewall rules and such, but we need to take it further.

In government circles, the term information assurance is used often. We’ve also heard terms like trustworthy computing, reliable systems, and others. For these to be successful, they must all have at their core a common principle of guilty until proven innocent. I’ll explain with a few examples as well as counter-examples.

• Firewall rules. As I said above, this is a great example of applying the guilty until proven innocent principle. Most firewalls today are configured to only allow authorized services, and to disallow all others. I’m sure this is mostly a result of the security community rallying during the 1990s to enforce this sort of positive validation model, sometimes to the dismay of the application developers who wanted to run their software over network services that were being blocked. Unfortunately, we haven’t been consistent at applying the same principle in enough other areas.

• Input validation. The cornerstone to secure software, input validation, when done poorly is the root cause of many of today’s most prevalent security defects. This includes buffer overflows, cross-site scripting (“XSS”), and injection flaws such as SQL injection. Input validation is most often the purview of the application itself, and not (just) the firewall protecting it. For input validation to be as robust as our firewall rules, we have to code the guilty until proven innocent principle into our applications, and that’s where we all too often fail. That is, our software must use positive validation on all of its inputs, throwing away anything that can’t be validated on the presumption of guilt. That, I’ve found, is a concept few software developers take to easily, but it is vital. We’re seeing Web application firewalls (“WAFs”) trying to ease this burden by doing the application-layer input validation in a separate security component (installed and configured by the security team), but that’s not a long-term solution for all sorts of good reasons.

• Anti-virus scanners. Here’s a classic failure of the principle. From the earliest days of the anti-virus scanner, a negative validation model has been used. That is, scanned software is assumed to be safe unless it matches a signature of a known bad thing. We’re living with this failure every day in combating email-borne malware, viruses, etc. A fairly recent trend has been the so-called “whitelisting” of presumably safe applications, but that too is not a long-term solution.

• Application vulnerability scanners. Much like their anti-virus counterparts, vulnerability scanners, including application scanners, use a negative model to detect bad things on our systems and in our applications. Although this approach no doubt finds plenty of “low hanging fruit,” it is superficial and insufficient in the long term.

• Intrusion detection/prevention systems. Same old same old here. The vast majority of deployed IDS and IPS installations operate on a negative model that is doomed to failure and at the worst possible moments—when novel attacks are discovered and launched on our unprepared systems.

So where do we go from here? Well, let’s revisit our principle: guilty until proven innocent. It is a design principle that must be considered against every single aspect of our data processing systems in order to be effective. That means we can’t stop at just the firewall.

In my Web application security classes, I always tell my students they must never trust anything coming in an HTTP Request (that is, from the user). On day 1, they always giggle or just kind of scratch their heads in confusion when I say this, but by the time they’ve seen the likes of cross-site scripting in action, they begin to believe. By the time they leave the class, the number one comment I get from them is how “eye opening” this notion was for them.

We’ve got to inculcate a culture of guilty until proven innocent in our digital world throughout our organizations, from our information security staff through our software developers. Only then will our software—whether in the form of operating system kernel code or web applications—be resilient and worthy of trusting our businesses to.

RELATED NEWS AND ANALYSIS

• Ethics and Artificial Intelligence: Driving Greater Equality

  FEATURE |  By James Maguire,
  December 16, 2020

• AI vs. Machine Learning vs. Deep Learning

  FEATURE |  By Cynthia Harvey,
  December 11, 2020

• Huawei’s AI Update: Things Are Moving Faster Than We Think

  FEATURE |  By Rob Enderle,
  December 04, 2020

• Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 18, 2020

• Key Trends in Chatbots and RPA

  FEATURE |  By Guest Author,
  November 10, 2020

• Top 10 AIOps Companies

  FEATURE |  By Samuel Greengard,
  November 05, 2020

• What is Text Analysis?

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 02, 2020

• How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 29, 2020

• Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 23, 2020

• The Super Moderator, or How IBM Project Debater Could Save Social Media

  FEATURE |  By Rob Enderle,
  October 16, 2020

• Top 10 Chatbot Platforms

  FEATURE |  By Cynthia Harvey,
  October 07, 2020

• Finding a Career Path in AI

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  October 05, 2020

• CIOs Discuss the Promise of AI and Data Science

  FEATURE |  By Guest Author,
  September 25, 2020

• Microsoft Is Building An AI Product That Could Predict The Future

  FEATURE |  By Rob Enderle,
  September 25, 2020

• Top 10 Machine Learning Companies 2021

  FEATURE |  By Cynthia Harvey,
  September 22, 2020

• NVIDIA and ARM: Massively Changing The AI Landscape

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  September 18, 2020

• Continuous Intelligence: Expert Discussion [Video and Podcast]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 14, 2020

• Artificial Intelligence: Governance and Ethics [Video]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 13, 2020

• IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI

  FEATURE |  By Rob Enderle,
  September 11, 2020

• Artificial Intelligence: Perception vs. Reality

  FEATURE |  By James Maguire,
  September 09, 2020