[BreachExchange] Managing Cyber Security in Today’s Ever-Changing World

[Audrey McNeil]

http://www.infosecisland.com/blogview/24997-Managing-Cyber-
Security-in-Todays-Ever-Changing-World.html

When it comes to victims of recent cyber-attacks, their misfortune raises a
few critical questions:

Is anything really safe?
Do the security recommendations of experts actually matter?
Or do we wait for our turn to be victimized, possibly by an attack so
enormous that it shuts down the entire data-driven infrastructure at the
heart of our lives today?

As the Executive Director of the Information Security Forum (ISF), an
organization dedicated to cyber security, my own response is that major
disruptive attacks are indeed possible, however, they are not inevitable. A
future in which we can enjoy the benefits of cyber technology in relative
safety is within our reach.

Nevertheless, unless we recognize and apply the same dynamics which have
constructively channeled other disruptive technologies, the rate and
severity of cyber attacks could easily grow.

Technical Advances

It may seem surprising, particularly in light of the tremendous
technological achievement represented by the Internet and digital
technology generally, that further advances in technology – which are both
desirable and inevitable – may be the least important of the forces taming
cybercrime. Progress in the fields of encryption and related security
measures will inevitably continue. And they will just as inevitably be
followed by progress in developing countermeasures. Some of those
countermeasures will be the creations of technically savvy individuals –
even teenage whiz kids, born in the digital age, to whom every security
regimen is simply another challenge to their hacking skills.

Over time, the contours of cybercriminal enterprise have grown to become
specialized, like that of mainstream business, operating out of
conventional office spaces, providing a combination of customer support,
marketing programs, product development, and other trappings of the
traditional business world. Some organizations develop and sell malware to
would-be hackers, often including adolescents and those with relatively
little computer skill of their own. Others acquire and use those tools to
break into corporate networks, harvesting their information for sale or
ransoming it back to its owners. Still others wholesale those stolen data
files to smaller operators who either resell them or try using them to
siphon money from their owners’ accounts.

Artificial intelligence using advanced analytics could offer a significant,
if temporary advance in thwarting potential attackers. IBM, for example, is
teaching its Watson system the argot of cyber security, which could, at
least in principle, help it to recognize and block threats before they
cause significant harm. But technological advances tend to be a cat and
mouse game, with hackers in close pursuit of security workers. And security
workers themselves can be compromised to bring their best tools over to the
dark side.

Still, having even modest security technology in place can slow the pace of
malicious hacking. By making it more time-consuming for someone to hack
into a digital device, an attacker is less likely to try. Yet many
Internet-enabled consumer devices – elements of the so-called Internet of
Things, or IoT, are largely unprotected, exposing them, among other risks,
to becoming unwilling robots in a vast network of slave devices engaged in
denial of service attacks.

That’s not inevitable; it’s a manufacturer’s choice, driven by economics.
The fact is that security can be expensive, and these devices were never
designed with security in mind. They were created from the outset to
provide and process information at the lowest possible cost. But by
maintaining an open connection to the individual’s home computer – a device
which may, in turn, be connected to an employer’s network – it offers
intruders a portal to inflicting damage that goes well beyond the owner’s
home thermostat or voice-driven speaker device. Securing them may become an
appropriate topic for government regulation.

Cyber Culture

Although no one is feeling nostalgic about it, there was a time, not
terribly long ago, when conducting cyber mischief was a personal
enterprise, often a lonely teen operating out of their home basement or
bedroom. But today, in the eyes of institutions eager to secure sensitive
digital files, the solitary teenage hacker is less a problem than a
nuisance.

What has largely taken his place – and the overwhelming majority of hackers
are male – are well organized, highly resourced criminal enterprises, many
of which are based overseas, with the ability to monetize stolen data on a
scale rarely if ever achieved by the bedroom-based hacker. The most
persistent of them – and the hardest to defend against – are
state-sponsored. But it is among young people that cyber-culture, including
its more malevolent forms, is spread and nourished. And they don’t need to
be thugs to participate.

Last year alone, the value of cyber theft was estimated to have reached
into the hundreds of billions of dollars, and it’s growing. But unlike bank
robberies of years past, cyber-theft bypasses the need to confront victims
with threats of harm to coerce them to hand over money. In fact, at the end
of 2013, the British Bankers Association reported that “traditional”
strong-arm bank robberies had dropped by 90 percent since 2003.

Instead, with just a few keystrokes – often entered from thousands of miles
away – the larcenous acts themselves, which produce neither injury nor
fear, seem almost harmless. And, at least in the eyes of adolescent
perpetrators – eyes which are frequently hidden behind a mantle of
anonymity and under the influence of lawless virtual worlds that populate
immersive online games – the slope leading from cyber mischief into cyber
crime is very gradual and hard to discern.

Other hackers have different motives – some feel challenged to probe and
test the security of an institution’s firewalls; others to shame, expose,
or seek revenge on an acquaintance, and a few posturing as highly
principled whistleblowers unmasking an organization’s most sensitive
secrets. But even the most traditional notions of privacy and secrecy have
themselves undergone something of a metamorphosis lately.

Examples are legion:

Earlier this year, as I was flying from Chicago to New York, I couldn’t
help but overhear the gentleman on the opposite side of the aisle telling
his seatmate – a complete stranger – all about his recent prostate surgery.
Attractive and aspiring celebrities regularly leak – actually, a better
term for it might be that they release – videos of the most intimate
moments they’ve had with recent lovers.
Daytime TV are shows in which a host gleefully exploits the private family
dysfunctions of his guests have become a programming staple.
People working for extremely sensitive government organizations
self-righteously hand over the nation’s most confidential data files to be
posted online, purportedly to serve the public interest.

A Seismic Shift

There’s a common thread running through each of these examples.  It’s that
conventional notions of privacy and appropriate information sharing have
changed dramatically. It is a shift which is particularly apparent in the
way younger people use the Internet in their private lives, which
frequently includes the exchange of highly personal information and images.

However, for their employers, whose electronic files typically contain
sensitive personnel, financial and trade information, that behavior is not
only a security concern, it is a journey into treacherous legal territory.
And it is a journey which knows no jurisdictional lines. Different national
cultures exert a powerful influence on their citizens’ online behavior.
What are considered harmless pranks and cyber horseplay and among young
people in Iraq would be seen as hostile cyber attacks in the U.S.

What we find perplexing is not so much a rapid advance in technology as a
profound cultural shift – a sea change that needs to be recognized, shaped
and ultimately accommodated to support appropriate and lawful use of these
powerful cyber tools. That shift has a direct impact on the workplace.
While an employee’s online behavior can certainly damage the organization,
those acts are rarely deliberate. In fact, the greater risk comes with
behaving too trustfully – opening suspicious emails, clicking on links and
uploading files which inadvertently create access to the organization’s
network. From there, a malicious attack can move in any direction, creating
massive damage.

A New Sheriff?

The heady combination of cyber whiz kids, seismic cultural change, anomic
virtual realities, sophisticated criminal gangs, state-sponsored attacks
and a vigorous, web-enabled marketplace for all sorts of contraband has
produced a kind of Wild West on steroids – something like the early days of
automobiles, only this time on a global scale with major incidents reported
almost daily.

At the same time, however, even the Wild West brought on by the motor car
was eventually tamed, or at least absorbed into the mainstream of commerce
and culture. That transformation was achieved through a trifecta of
improved technology for both vehicles and infrastructure, more
comprehensive laws coupled with better law enforcement, and a gradual shift
in driving culture affecting the perceptions and behavior of motorists.

In the cyber world, much the same dynamic applies. Improvements in
technology will continue making private data more secure. A more
encompassing regimen of laws and treaties affecting users and suppliers of
equipment as well as service providers will help codify the public’s
requirements for security. The European Union’s recently adopted General
Data Protection Regulation (GDPR), which gives back control of citizens’
personal data while unifying regulation within the EU, is an encouraging
example. And more imaginative forms of cyber education to strengthen the
culture by supporting appropriate uses of the technology – some of which
are already underway in elementary and high school classrooms – will help
to crystalize public expectations and inform behavior for the next
generation of cyber citizens.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171026/bd87aa86/attachment.html>