[BreachExchange] Who's Responsible for Cybersecurity?

[Audrey McNeil]

http://sfmagazine.com/post-entry/october-2017-whos-
responsible-for-cybersecurity/

Aside from geographical information, data about data (also known as
metadata) is captured with each digital activity. For example, when an
individual takes a photograph on a cellular device, the device stores
information about where the photograph was taken, the time the picture was
taken, and information connecting a user to social media outlets. Much of
this process is done without the user’s knowledge or control. For data to
be truly destroyed, the digital device must be physically destroyed. Even
when data is destroyed, security professionals must consider other means of
contact that data could have had. Organizations should be aware of
information and activities of employees on the internet. While dealing with
proprietary or sensitive internal material, security professionals are
responsible for developing a process to securely encrypt sensitive data in
transit.

Cybersecurity is control of which digital devices are used to interface
with other devices. This entails giving operators control over how data is
distributed, exposed, manipulated, and transmitted to the outside world.
When early digital devices were released, security was of little concern.
Only once malicious adversaries gained unauthorized access to digital
devices did manufacturers implement security mechanisms to mitigate the
risk of unauthorized data access. Cybersecurity isn’t the responsibility of
a single party. Each individual involved in operating a digital device,
from manufacturer to end user, is responsible for ensuring safe usage.

With most devices, locational information is an optional feature that can
easily be disabled with consent of the operator. In most cases, an
individual’s location and information serve little value to any
organization or government. But in extreme cases, if someone commits a
crime, law enforcement has little difficulty in tracking the suspect down
based on that person’s digital footprint. Other instances may not involve
law enforcement but an unknown party tracking down an individual based on
the user’s immersive digital footprint on the internet. Many users of
social media outlets voluntarily give up locational information. Just
because a social media profile limits a viewer to “friends” doesn’t mean
information can’t be used in a criminal or civil prosecution. The phrase
“everything can and will be used against you” is applicable in the cyber
domain.

As with any digital signature, computer scientists can easily tamper with
digitally generated geographics in the form of a virtual private network
(VPN), Tor onion routing, or even MAC address spoofing. This has made 21st
Century cybercrime investigations a difficult job. Unless validated with
multiple sources, digital signatures aren’t valid in a court of law. These
methods made the investigation of the Democratic National Convention and
other government breaches in the United States difficult to report
accurately. While a cyberattacker may physically reside in one country, he
or she could use tampering techniques to spoof the recorded location,
compromising investigations. Organizations should look for mistakes that an
attacker may make while the actual location is spoofed, such as if an
adversary logs into any social media platform while under investigation.

While some organizations allow employees to bring personal devices to work,
many security professionals strongly discourage it. In most cases, such
permissions are the result of budget cuts and a lack of resources to
provide employees with the proper digital devices they need to complete the
job. Allowing employees to use personal devices may save an organization a
substantial amount of resources, but the risks typically outweigh the
savings. Because few users take personal device security seriously, they
can inadvertently infect an organization’s network. If an organization
issues a bring-your-own-device (BYOD) policy, new practice suggests that
security measures to secure allowed devices should also take place, such as
requiring devices to have antivirus, antimalware, and a validated VPN, even
with mobile devices.

Cybersecurity professionals are classified under three hats: white hats,
who conduct cybersecurity practices ethically to protect digital users;
black hats, who access digital systems unethically and have malicious
intents; and gray hats, who are a mix between white and black hats. Some
cybersecurity professionals believe that privacy is important, but they
also have personal ambitions to challenge digital security implementations
and gain unauthorized access to devices. Organizations often run incentive
programs, also known as bug bounties, to encourage researchers to
self-report discovered vulnerabilities. Bug bounties allow researchers to
study products in a safe environment, and they also help an organization
identify holes in a system that adversaries could easily exploit.

Researchers have proven that it’s possible to gain unauthorized access to
an assortment of devices. Through university research, cybersecurity
conferences, and capture-the-flag information security competitions,
hackers have shown that it’s possible to remotely hijack drones, industrial
control systems, automobiles, traffic lights, and essentially anything
connected to the internet or digitally powered. With endless possibilities,
a team of skilled computer scientists could cause a lot of havoc given the
right circumstances. The most commonly reported cyberattack is a data
breach, which involves dumping stolen digital files from an organization.
Data breaches cost organizations a lot of money and put employees,
customers, and citizens at risk.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171003/6b0f24e7/attachment.html>