[BreachExchange] Cybersecurity pervasiveness subsumes all security concerns

Audrey McNeil audrey at riskbasedsecurity.com
Wed May 9 18:54:59 EDT 2018


Given the increased digitization of society and explosion of devices
generating data (including retail, social media, search, mobile, and the
internet of things), it seems like it might have been inevitable that
cybersecurity pervasiveness would eventually touch every aspect of life.
But, it feels more like everything has been subsumed by infosec.

All information in our lives is now digital — health records, location
data, search habits, not to mention all of the info we willingly share on
social media — and all of that data has value to us. However, it also has
value to companies that can use it to build more popular products and serve
ads and it has value to malicious actors too.

The conflict between the interests of these three groups means
cybersecurity pervasiveness is present in every facet of life. Users want
control of their data in order to have a semblance of privacy. Corporations
want to gather and keep as much data as possible, just in case trends can
be found in it to increase the bottom line. And, malicious actors want to
use that data for financial gain — selling PII, credit info or intellectual
property on the dark web, holding systems for ransom, etc. — or political

None of these cybersecurity pervasiveness trends are necessarily new for
those in the infosec community, but issues like identity theft or stolen
credit card numbers haven’t always registered with the general public or
mass media as cybersecurity problems because they tended to be considered
in individual terms — a few people here and there had those sorts of issues
but it couldn’t be too widespread, right?

Now, there are commercials on major TV networks pitching “free dark web
scans” to let you know whether your data is being sold on the black market.
(Spoiler alert: your data has almost certainly been compromised, it’s more
a matter of whether you’re unlucky enough to have your ID chosen from the
pile by malicious actors or not. And, a dark web scan won’t make the awful
process of getting a new social security number any better.)

Data breaches are so common and so far-reaching that everyone has either
been directly affected or is no more than about two degrees of separation
from someone who has been. Remember: the Yahoo breach alone affected 3
billion accounts and the latest stats say there are currently only about
4.1 billion people who have internet access. The Equifax breach affected
148 million U.S. records and the U.S. has an estimated population of 325

Everyone has been affected in one way or another. Everything we do can be
tracked including our location, our search and purchase history, our
communications and more.

But, cybersecurity pervasiveness no longer affects only financial issues
and the general public has seen in stark reality how digital platforms and
the idea of truth itself can be manipulated by threat actors for political

Cyberattacks have become shows of nation-state power in a type of new Cold
War, at least until cyberattacks impact industrial systems and cause real
world harm.

Just as threat actors can find the flaws in software, there are flaws in
human psychology that can be exploited as part of traditional phishing
schemes or fake news campaigns designed to sway public opinion or even
manipulate elections.

For all of the issues that arise from financially-motivated threat actors,
the security fixes range from relatively simple to implement — encryption,
data protection, data management, stronger privacy controls, and so on — to
far more complex issues like replacing the woefully outmatched social
security number as a primary form of ID.

However, the politically-minded attacks are far more difficult to mitigate,
because you can’t patch human psychology. Better critical reading skills
are hard to build across people who might not believe there’s even an issue
that needs fixing. Pulling people out of echo chambers will be difficult.

Social networks need to completely change their platforms to be better at
enforcing abuse policies and to devalue constant sharing of links. And the
media also needs to stop prioritizing conflict and inflammatory headlines
over real news. All of this means prioritizing the public good over
profits, a notoriously difficult proposition under the almighty hand of

None of these are easy to do and some may be downright impossible. But,
like it or not, the infosec community has been brought to the table and can
have a major voice in how these issues get fixed. Are we ready for the
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180509/d9b06c0b/attachment.html>

More information about the BreachExchange mailing list