[BreachExchange] Assuring Security in a Hyper-connected World
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Jan 12 13:58:17 EST 2018
http://www.nojitter.com/post/240173209/assuring-security-in-a-hyperconnected-world
Disruption is happening all around us in the incredibly fast-moving world
of real-time communications. Prime examples include the movement to telco
cloud, full network functions virtualization environments, and
software-defined networking inside enterprises. Other examples of
disruption include the embedding of voice and video messaging into business
applications, as well as the rise of artificial intelligence (AI), Internet
of Things (IoT), biometrics, and more.
Yet even as we change the channels, connecting and communicating in so many
creative ways, we know one of the biggest disruptors of all is likely to be
challenges presented by cybercrime.
Do the math, and you'll see the disruption is inevitable. The more
connected we are as people and as people interacting with things and
systems, the more opportunities there are for invasions of our privacy,
identity, and assets.
Targeting Voice
The "attack surface" is expanding as fast as the number of endpoints,
clouds, mobile apps, Web apps, and the application programming interfaces
that glue a lot of software together.
And while the media has devoted a ton of emphasis and coverage to massive
breaches of databases connected over what enterprises thought were secure
data networks, it's paid less attention to one of the fastest-growing areas
of vulnerability -- attacks on voice and video applications.
VoIP services aren't immune to data theft. In 2015, one major breach
compromised 70 million records across 37 states and went largely
unreported. The breach affected 14,000 phone recordings, including
confidential attorney-client conversations.
The Communications Fraud Control Association says international
revenue-sharing fraud (one of the most prevalent types of telecom fraud)
costs global service providers nearly $11 billion annually. This type of
activity consists of fraudsters utilizing illegal resources to gain access
to an operator's network in order to bring traffic to phone numbers
obtained from an international premium rate number provider.
The value of extracting information by listening in is growing in parallel,
considering the increased ease of conversing via over-the-top messaging
platforms along with the rise in conference calls, including those during
which enterprise professionals discuss confidential strategies,
transactions, and deals.
And so are "pivot attacks" in which hackers use voice or video systems to
tunnel into databases or to initiate malware or ransomware attacks.
Think about contact centers where live agents take credit card and other
personal information over the phone. Cybercrime is a multitrillion-dollar
global industry on its own, not because cybercriminals are stupid or
underfunded. They're increasingly sophisticated and make their own capture
nearly impossible as they understand how to make their own communications
deeply dark.
Think about healthcare records, which privacy regulations like HIPAA in the
U.S. and similar laws globally aim to protect. Making healthcare more
available and far less expensive through telemedicine applications has
enormous value, but unlocking that value will be challenging when voice,
video, and messaging between physicians and patients can be hacked because
the security software hasn't been built into the real-time communications
platforms and networks.
Think about trading; negotiating the exchange of equities, derivatives,
bonds, currencies, commodities, and more; and the movement to blockchain
systems, which are starting to displace traditional currencies with
cryptocurrency. Talk about disruptive! Who are the new "Barbarians at the
Gates" when our global financial exchanges are having to adapt to
innovation in real time, reduce their operational costs, improve quality
and transparency, and comply with tighter regulations, including the
upcoming General Data Protection Regulation (GDPR) going live in the EU
next May?
Security-First Thinking
Voice, video, and messaging security today and forever will require
building security into applications, not just relying on traditional
encryption and firewalls. Given that enterprises are driving everything
forward digitally, information and communications are part of everything we
do -- and just as networking can no longer be an afterthought, enterprises
are moving from cloud and mobile-first strategies to "security first."
The world is moving rapidly toward new security paradigms, including
"authenticate first, connect second" (rather than the other way around).
But this and other approaches can't slow down performance or increase cost.
In addition, they must comply with much stricter privacy laws, which vary
from region to region and country to country, and be built to last.
New services must be secured within the context of our new architectures,
and strong enough to withstand not only attacks, but massive fines that
will be levied against any enterprise or enterprise partner that doesn't
comply and experiences a privacy breach.
In the case of GDPR, the highest-level parent company can be fined 4% of
its total annual revenue. So, for example, a technology giant could acquire
a small IoT company and sell a smart product controlled by Alexa voice
activation that, for whatever technical reason, makes it possible for a
cybercriminal to steal private information. The technology giant's risk is
in the billions for the fine alone, not to mention the cost in reputational
harm.
There should be no quality voice, video, or other messaging service in the
future without security as part of its DNA, and as part of its ability to
co-exist with applications. Enterprises and service providers can disrupt
and be disrupted unless they put security first inside of everything they
offer.