[BreachExchange] Cyber breach — a new normal?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 14 19:07:32 EDT 2017


https://tribune.com.pk/story/1352154/cyber-breach-new-normal/

WikiLeaks has once again caught the world by surprise with the release the
other day of a large set of files that it calls “year zero” and which mark
the biggest exposure of CIA spying secrets ever. The massive set of
documents includes a host of hacking secrets.

Here are some of the biggest secrets and pieces of information yet to
emerge from the huge dump: The CIA has the ability to break into Android
and iPhone handsets, and all kinds of computers. Apps like Signal, Telegram
and WhatsApp are rendered entirely insecure. The CIA could also use smart
TVs to listen in on conversations that happened around them. The agency is
said to have explored hacking into cars and crashing them, allowing ‘nearly
undetectable assassinations’. And it is said to have hidden vulnerabilities
that could be used by hackers from other countries or governments.

Something along these lines, but a lot less sensational, was already being
anticipated. When global leaders met recently for the World Economic
Forum’s annual summit in Davos, Switzerland, there was much talk regarding
threats to our everyday lives and businesses from cyber-attacks. Experts
aired their concerns at the summit and here are some of their observations:

• Worries about increased hacking of political systems as well as
enterprises and organisations.

• Issues of privacy, bullying and trolling as well as the need for a global
internet charter.

• Agreement that the Fourth Industrial Revolution, the theme of Davos 2016,
is disrupting everything from computing to medicine to manufacturing at a
speed that was inconceivable until a few years back.

• Huge opportunities for businesses today in which Internet of Things (IoT)
and internet services have created a hyper-connected world that will have a
huge impact on every aspect of our lives. This will be a boon for
productivity, but it will come with a big price if we can’t build effective
cyber-security.

It’s time for corporate directors, government entities and industry groups
to band together in a multistakeholder dialogue to collectively fight the
ever-growing threat of cyber breaches. The threats posed by hackers,
weaponised IoT devices and other forms of cyber-attack are not science
fiction – they’re happening now. We need to come together, share our
experiences and best practices and ensure the internet remains the
incredibly transformative resource that it is today.

During the ‘Insiders on cyber-security’ session at Davos (February 8, 2017), it
was pointed out that new technology is making things a lot easier for
hackers – ‘witness the recent weaponisation of webcams and other IoT
devices used to bring down portions of the internet.’

Meanwhile, the economics of cyber-attacks are said to be skewing favorably
to attackers. Exploit kits and other tools are easily acquired and can be
reused against multiple targets while the likelihood of detection and
punishment is low. All this means governments and businesses have to be
more nimble than ever in dealing with threats.

In a cyber-context, it was advised that we should be managing – and
preventing – threats before they can do damage. Individuals and
organisations have to do what they can to manage risk. It’s important to
implement a comprehensive strategy for threat reduction that covers people,
process and technology.

This means everything from practicing good online and digital hygiene, to
updating operating system software and outdated antivirus programmes, to
ensuring, it was further advised, that security is made part of the
design of hardware such as IoT devices.

Organisations and governments also have been told to consider proactively
finding weaknesses in their systems by hiring experts – including hackers.
From bug bounty programmes, penetration testing and phishing exercises,
it’s critical to understand areas that are vulnerable to attack both on a
technical and human level.

More than 70% of breaches are said to exploit non-technical vulnerabilities
– for example, attacks that trick users into revealing legitimate
credentials. Thus, users must devote considerable effort to increase their
knowledge and learn to ask the right questions.

Users have been advised to understand, assess, and quantify cyber risks
that they face today or in the future. They need to know how technology
changes cyber risk exposure.

Finally, while prevention is what should be strived for in today’s world,
organisations and governments have to accept that they will be breached.
That’s unfortunately the new normal.