[BreachExchange] Cybersecurity in 2025: the skills we'll need to tackle threats of the future

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 6 18:54:01 EDT 2017


http://www.wired.co.uk/article/cybersecurity-2025-skills-risks

Two-thirds of large UK firms were targeted by cybercriminals in 2016. As
the number of attacks continues to rise, what skills will the next
generation of professionals need to protect us from AI hackers, rogue
self-driving cars and financial ruin?

Ethical hacking

The global cost of cybercrime is predicted to reach £4.9 trillion annually
by 2021 and new cybersecurity trends are emerging. To fight future threats,
society must develop the next generation of cyber skills. But how do
businesses identify weaknesses in their cybersecurity before they’re
hacked? They hire ethical hackers. After all, to beat a hacker you need to
think like one. That’s why businesses are training their employees in
ethical hacking techniques. Having researchers who can get into the minds
of cybercriminals and look for security vulnerabilities is a crucial part
of protecting against a breach.

Ethical hackers use the same tools and techniques as malicious hackers,
including social engineering techniques to crack company defences. If that
requires dressing up as a pizza boy to infiltrate a secure server room, so
be it. Also known as penetration testing, these skills are now essential
for organisations to defend themselves from real hackers. If even the
smallest flaw goes undetected, businesses risk hacker-inflicted chaos.
That’s why Facebook recently awarded an ethical hacker £32,000 – its
largest ever payout – for reporting a flaw in its servers.

But a critical lack of cyber skills in the UK – currently a deficit of one
million trained workers – means businesses are struggling to get the
ethical hacking knowledge they need. As more businesses migrate sensitive
data online to public and private clouds, there are now more targets than
ever for enterprising hackers. Without learning how hackers think,
businesses and consumers will fail to protect themselves. The demand for
ethical hacking skills will spike, especially as intelligent cyber threats
begin to emerge.

Artificial intelligence

Scrutinising systems to find vulnerabilities or sifting through data to
find abnormalities after a breach takes time and effort.

To speed things up, artificial intelligence is now being used to perform
cybersecurity tasks, instead of error-prone and expensive humans. According
to Darpa – a US Department of Defence agency – the world’s growing
dependence on computer systems demands the creation of smart, autonomous
security systems.

MIT is working on teaching its AI2 system how to stop cyberattacks. The AI,
developed to review data from millions of lines of code every day,
identifies potential threats using machine learning. AI2 relies on human
input to respond to any threats identified, so whilst it cannot yet replace
human analysts, this human-AI combination already correctly identifies 86
per cent of attacks.

Widely used AI cyberdefence systems are an inevitability and by 2025, human
input may not be needed. If AI cyberdefence systems are widely adopted, we
can expect to see a demand for professionals who can support these
infinitely powerful machines as they scan tirelessly for vulnerabilities.

AI cybersecurity systems will become a valuable tool in an organisation’s
armoury, but intelligent systems will also be used to attack. At the Def
Con hacker gathering last year, Darpa ran a competition that pitted seven
smart computer programs against one another to see which was the best at
defending itself. “Fully automated hacking systems are the final frontier.
Humans can find vulnerabilities but can’t analyse millions of programs,”
said Giovanni Vigna, professor of computer science at University of
California Santa Barbara.

The abundance of vulnerable businesses means more easy targets for hackers.
In 2025, one AI hacking tool could do the dirty work of 100 hackers,
continuously scanning thousands of networks for flaws to exploit. If
society is unprepared for intelligent hacking programs, we’re in for
serious trouble. Hackers lead the way in cybersecurity ingenuity, so we
should expect to encounter an offensive AI system before we can develop an
effective and scalable defence. The next generation of cybersecurity
professionals must be expected to both defend against relentless AI hackers
and develop intelligent systems of their own.

Internet of Things

The number of Internet of Things (IoT) devices is set to hit 15 billion by
2021, according to research from Juniper. As businesses and consumers
accelerate the adoption of internet-connected devices, we’re now on the
cusp of an IoT revolution. The benefits of IoT are massive and we’re only
scratching the surface of its potential. From wearable healthcare devices
that monitor vitals to intelligent heating systems, consumers and
businesses are already reaping the benefits.

This surge in connected devices has created easy opportunities for
cybercriminals, though. A carefree approach to IoT security in this nascent
industry resulted in the largest DDoS attack in history, dragging Reddit,
Twitter and Netflix offline. The malware behind these attacks, Mirai,
continues to mutate and threaten vulnerable connected devices.

IoT security skills are seriously lacking and connected devices with poor
cyber defences are routinely hijacked. Whilst damaging to businesses, these
attacks haven’t yet endangered human life – but it won’t be long. Automated
vehicles are as hackable as your smartphone and connected cars could become
a weapon for black-hat hackers as early as 2017. “It usually takes about
two years for the best weaponised code to move from government to any
entity with enough zeros in their bank account,” writes Alec Ross, a former
adviser to US Secretary of State Hillary Clinton. How long before we become
accustomed to assassination by connected vehicle, and would we even know it
had occurred? An estimated 1.3 million people die every year in road
accidents, so this method could be less noticeable than other tools for
political assassination.

But assassinations are small scale compared to the damage that could be
inflicted by unsecure IoT devices. Internet-connected medical devices could
be the security nightmare of 2025. Researchers have already found security
flaws in cardiac defibrillators, meaning that right now vulnerable
healthcare devices could be accessed by hackers. Hospitals are also the
perfect target for ransomware. Such attacks tripled in 2016 and hackers are
now starting to target networks that hold sensitive data.

High-stakes cases of hospital ransomware attacks saw hackers hold patient
data hostage, directly endangering the lives of patients. Now with the rise
of internet-connected healthcare devices, what happens when hackers gain
access to life-sustaining devices like pacemakers? As dystopian as it
sounds, this is a very real scenario that cybersecurity professionals and
society as a whole must prepare for.