[BreachExchange] Cyber security: Time for a rethink on boosting immune system

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 27 19:56:54 EST 2016


http://www.todayonline.com/commentary/cyber-security-time-rethink-boosting-immune-system

Recently asked to share his thoughts on cyber security, United States
President Barack Obama commented: “Traditionally, when we think about
security and protecting ourselves, we think in terms of armour and walls.
Increasingly, I find myself looking to medicine and thinking about viruses,
antibodies. Part of the reason why cyber security continues to be so hard
is because the threat is not a bunch of tanks rolling at you, but a whole
bunch of systems that may be vulnerable to a worm getting in there.”

This immune system analogy inspires us to rethink how we do cyber security.
By understanding and continuously refining our grasp on what is inside us —
the “self” and what is “normal” — the human body can detect abnormalities
and respond in real-time to anything it identifies as a threat.

In 2017, organisations looking to secure their networks can take a cue from
our body’s smart and automated reactions.

Enterprises that have been successful in mitigating threats have
acknowledged that security professionals cannot be expected to do all the
heavy lifting. It is impossible to manually track and secure every part of
an organisation’s network. Hence, they have turned to unsupervised
machine-learning technology that mirrors the mechanism of the human immune
system, allowing them to eliminate more than 18,000 serious early-stage
threats globally in the past two years.

Cyber attacks that have made headlines this year have proved more than ever
that companies have a visibility problem — they cannot see what is
happening beneath the surface of their own networks. While we can already
expect more Internet of Things (IoT) and Artificial Intelligence (AI)
powered hacks moving forward, we need to use an immune system approach in
cyber defence to keep up with the evolving threats that await us.

CHANGING DATA

Today’s most savvy attackers are moving away from pure data theft or
website hacking, to attacks that have a more subtle target — data integrity.

Ex-students have successfully hacked college computers to modify their grades.
In 2013, Syrian hackers tapped into the Associated Press’ Twitter account and
broadcast fake reports that President Obama had been injured in explosions at
the White House. Within minutes, the news caused a 150-point drop in the Dow
Jones.

Next year’s attackers will use their ability to hack information systems
not to just make a quick buck, but to cause long-term, reputational damage
to individuals or groups by eroding trust in data itself.

The scenario is worrying for industries that rely heavily on public
confidence. A laboratory that cannot vouch for the fidelity of its medical
test results and a bank that has had account balances tampered with are both
examples of organisations at risk. Governments may also fall foul of such
attacks, as critical data repositories are altered and public distrust in
national institutions rises. Local firms will not be immune from such
attacks, especially as they digitise and consequently become more reliant
on online data.

With a growing focus on integrating MedTech, FinTech and GovTech as a part
of our Smart Nation drive, and the acknowledgement by the Cyber Security
Agency that Singapore has come under 16 waves of online attacks since last
April, local organisations must guard against the possibility of these
“trust attacks” hitting our shores.

“Trust attacks” are also expected to disrupt financial markets. An example
of this is falsifying market information to cause ill-informed investments.
We have already glimpsed the potential of disrupted mergers and
acquisitions (M&A) activity through cyber attacks — is it a coincidence
that the hacking of one billion Yahoo accounts was disclosed while Verizon
was in the process of acquiring the company?

THREATS FROM WITHIN

Insiders are often the source of the most dangerous attacks. They are
harder to detect, because they use legitimate user credentials. They can do
maximum damage, because they have knowledge of and privileged access to the
information required for their jobs, and can hop between network segments.
A disgruntled employee looking to do damage stands a good chance of
succeeding through a cyber attack.

But insider threats are not just staff with chips on their shoulders.
Non-malicious insiders are just as much of a vulnerability as deliberate
saboteurs. How many times have links been clicked before checking email
addresses? Or security policy contravened to get a job done quicker, such
as uploading confidential documents on less secure public file hosting
services?

The Employee Cyber Security Kit was introduced by Singapore’s National
Security Coordination Secretariat in late 2015, to guide local firms’
employee cyber security awareness efforts. Despite this, we cannot
reasonably expect 100 per cent of employees and network users to be
impervious to cyber threats that are getting more advanced. They will not
make the right decision, every time.

Organisations need to combat insider threats by gaining visibility into
their internal systems, rather than trying to reinforce their network
perimeter. We do not expect our skin to protect us from viruses — so we
should not expect a firewall to stop advanced cyber threats which, in many
cases, originate from the inside in the first place.

In the past year, immune system technologies have caught a plethora of
insider threats, including an employee deliberately exfiltrating a customer
database a week before handing in his notice; a game developer sending
source code to his home email address so he could work remotely over the
weekend; a system administrator uploading network information to a home
broadband router — the list goes on.

Due to the increasing sophistication of external hackers, we are going to
have a harder time distinguishing between insiders and external attackers
who have hijacked legitimate user credentials. These forms of attacks are
inconspicuous, and can remain in a network for weeks or even months, before
sounding any alarms.
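The three insider cases above (a customer database leaving a week before resignation, source code sent to a home mailbox, network information uploaded to a home router) and the "weeks or months" dwell time of credential-hijacking attackers share one defensive handle: each transfer deviates from what that user normally does. The following is an added illustration, not code from the article or from any vendor's product. It replaces the unsupervised machine learning the commentary alludes to with plain per-user statistics, so the mechanism is visible: learn each user's usual destinations and transfer sizes from a training window, then flag later transfers that go somewhere new for that user and are far larger than that user's own norm. The log records, host names and thresholds are all constructed for the example.

```python
"""Per-user baseline-and-deviation detection over constructed outbound-transfer logs.

Added example; not code from the article or any product it describes. Assumes
a flat log of (day, user, destination, bytes) records, which a proxy or
NetFlow export could supply. The "normal" model per user is deliberately
simple: the set of destinations seen, plus mean and standard deviation of
transfer size, learned over the first `train_days` days.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    day: int        # day index within the observation window (constructed)
    user: str
    dest: str       # destination host; all names here are constructed
    nbytes: int


@dataclass
class UserBaseline:
    dests: set      # destinations this user talked to during training
    mu: float       # mean transfer size during training
    sigma: float    # std deviation, floored so a constant user still scores


def constructed_log():
    """14 routine days, then events mirroring the article's insider cases."""
    log = []
    for day in range(1, 15):
        log.append(Transfer(day, "alice", "crm.internal", 2_000_000))   # CRM sync
        log.append(Transfer(day, "alice", "mail.corp", 300_000))
        log.append(Transfer(day, "bob", "git.corp", 5_000_000))        # git pushes
        log.append(Transfer(day, "bob", "mail.corp", 200_000))
        log.append(Transfer(day, "carol", "mon.internal", 50_000))     # monitoring
    log.append(Transfer(15, "alice", "mail.corp", 280_000))               # benign
    log.append(Transfer(15, "alice", "dropzone.example", 900_000_000))    # customer DB out
    log.append(Transfer(16, "bob", "personal-mail.example", 40_000_000))  # source to home mail
    log.append(Transfer(17, "carol", "home-router.example", 1_500_000))   # network info to router
    log.append(Transfer(17, "bob", "git.corp", 6_000_000))                # benign, slightly large
    return log


def learn_baselines(training):
    """Build one UserBaseline per user from the training-window records."""
    per_user = defaultdict(list)
    for t in training:
        per_user[t.user].append(t)
    baselines = {}
    for user, ts in per_user.items():
        sizes = [t.nbytes for t in ts]
        mu = mean(sizes)
        # Floor sigma at 5% of the mean (and at 1 byte) so a user with perfectly
        # regular traffic does not produce a division by zero or infinite z-score.
        sigma = max(pstdev(sizes), 0.05 * mu, 1.0)
        baselines[user] = UserBaseline(dests={t.dest for t in ts}, mu=mu, sigma=sigma)
    return baselines


def score(transfer, baseline, z_threshold=6.0):
    """Return the list of reasons a transfer deviates from its user's baseline."""
    reasons = []
    if transfer.dest not in baseline.dests:
        reasons.append("new destination for user")
    z = (transfer.nbytes - baseline.mu) / baseline.sigma
    if z > z_threshold:
        reasons.append(f"volume z={z:.1f} above threshold {z_threshold}")
    return reasons


def detect(log, train_days=14, z_threshold=6.0):
    """Learn baselines from the first `train_days` days and score everything after."""
    baselines = learn_baselines([t for t in log if t.day <= train_days])
    alerts = []
    for t in log:
        if t.day <= train_days:
            continue
        b = baselines.get(t.user)
        if b is None:
            alerts.append((t, ["no baseline for user"]))   # unknown account: escalate
            continue
        reasons = score(t, b, z_threshold)
        if reasons:
            alerts.append((t, reasons))
    return alerts


if __name__ == "__main__":
    for transfer, reasons in detect(constructed_log()):
        print(f"day {transfer.day} {transfer.user} -> {transfer.dest} "
              f"({transfer.nbytes} bytes): {'; '.join(reasons)}")
```

Two design points matter in practice. The volume test is relative to the user's own history, which is why carol's 1.5 MB upload is flagged while bob's 6 MB push is not: a small absolute number can still be a twenty-fold departure from that user's norm. And a transfer is scored on two independent axes, so triage can rank an event that is both a new destination and a volume outlier above one that trips only a single test; the benign late-window events here trip neither.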

Companies must ask themselves a crucial question: How do you stop an
attacker already inside your network, before it escalates into a crisis?

In the months ahead, there will be mounting pressure for organisations to
make themselves more resilient and adopt new technology that can provide
the visibility they currently lack. An immune system approach is far more
sensitive to intrusions and suspicious behaviour than the legacy tools
that are still being relied upon.