2017 in review — The State of Cybersecurity
As we look back over 2017, we have seen the highest ever rates of cyber crime across some very high profile victims. Equifax, Uber and Verizon were just a few of the household names who suffered in some way from digital data breaches, sometimes from known attackers, sometimes not. The UK National Health Service suffered a high number of ransomware attacks — the type of attack that usually encrypts the data you need on your IT systems and demands payments in return for the decryption key.
We are constantly reminded that the largest and best-funded companies are falling foul of attacks, some of them relatively easy to commit, others much more complex and persistent. This perhaps leaves smaller companies simply holding their hands up and assuming either that cybercrime is only something large companies should worry about, or that the effort or cost of protecting ourselves is too great and we should simply cross our fingers and hope for the best.
What are these attacks, who is committing them and, looking forward to 2018 and beyond, is there really any way we can reduce either the number of incidents or the impact they have? Like it or not, computers are a large part of most businesses today and we cannot afford to hold our breath and wait for this to pass.
The first truth to accept is that attacks happen — constantly. In fact, although it is hard to get a specific figure, the most recent Cyber Security Breaches survey from the UK Department for Culture, Media and Sport in April 2017 stated that 46% of all businesses had identified an attack or breach, rising to 65% once company size increases beyond £2M. Of course, this number is far below the real figure, since many people would either not admit to an attack or, in many cases, would not even know they were under attack unless the outcome was obvious.
What types of attacks do we commonly see?
- Phishing (where an attacker coerces you in some way into giving them access to your machine or data) for login credentials
- Phishing for access to company data
- Bypassing web site protections to access data
- Holding companies to ransom by taking away access to business-critical data
- Vandalism, either directed or just “because you can”
- Deliberate damage against a competitor
The data targeted by these attacks could be general confidential company data, it could be login credentials that an attacker hopes to re-use against other systems such as your email account, or it could be information that will be used to form another attack, perhaps working out how your internal IT networks operate.
Hollywood has not helped. Its depiction of hacking in most TV shows borders on the ludicrous, the stereotype generally involving very fast typing, lots of computer monitors and some kind of personality disorder. The reality is often more mundane. For many attackers, hacking is simply a business — potentially a very lucrative business, certainly less risky than smuggling drugs and more anonymous than burglary or theft. In fact, cyberattacks are much like other crimes; the differences are that they are generally anonymous, can be geographically diverse, can be relayed via an innocent person’s computer to hide the real source and, like some physical crimes, can go unnoticed for a long period of time. Prosecutions are hard even when you know who the attacker is, either due to differences in laws between countries or simply the lack of motivation of the attacker’s local police force to pursue a prosecution.
As internet-connected devices such as smart home controls have also increased in recent years, many of them with security far below that of web applications, the attack surface has grown even further — and this is only likely to increase over time.
So against this backdrop, where we are all potentially victims and the attacks appear so easy to pull off, what will life look like moving into 2018?
It is safe to assume that attacks will continue and will probably increase rather dramatically, as more people copy other successful attacks and have access to cheaper hardware, until such time as the effort required or the risk taken is greater than the potential reward. This is true of all crime and needs to be the anchor on which all other policies and improvements are made.
Although there are many ways to combat cybercrime, they span multiple countries, organisations and even ideals. People can’t even agree whether Edward Snowden performed a public service or committed a gross breach of trust (or both?), so agreeing what is or isn’t acceptable to ensure security is not a decision that can be made easily. For instance, requiring some kind of formal education or training for practitioners would potentially exclude parts of the world where education is not easily accessible or affordable; it is also easy to fake, and its effectiveness is only likely to be marginal, since many “qualified” people in all kinds of trades do not automatically produce high-quality work.
When all things are considered, the journey needs to work towards a time when people’s needs are aligned from the end-user all the way to the top of corporates and governments. Only a combination of measures and the desire to work together is going to achieve something that will work.
Government regulation is important but is usually only applicable to a single country at a time, which is not useful if your attacker is based offshore or works for a foreign government with no interest in stopping the attack. That is not a reason to avoid regulation, however. If governments set out a workable set of rules that leads people to trust software from one country over another, perhaps it will help to segregate internet traffic between trusted and non-trusted zones, a bit like avoiding unsafe countries for your holiday and instead choosing those that have invested in their tourism.
Industry organisations can add value to the work as well. Bodies such as the ISC2, IISP, NCSC and the IEEE (and others) have whole chapters devoted to information security. The hard part for these organisations is how to avoid duplication of work or the development of similar but different — and therefore confusing — guidelines for security. These organisations exist for the benefit of their members, but whether there is a place for a cross-organisation body for information security, and how that could even work, I’m not sure. The other problem in this domain is the number of people involved, especially any who might have a commercial interest in altering the course the work takes for their own ends. This also tends to be slow.
In the equipment domain, again, we have competing standards, little standardisation and, in some cases, seemingly zero security in products. This cannot be allowed to continue. Manufacturers need to up their game, and I can see a day when cyber security certification of a product becomes a requirement for selling in countries like the UK. Features such as fixed passwords or storing certain types of data unencrypted would fail the certification. Even though this can be faked, at least a company can be blacklisted or fined if it knowingly perverts the certification process, in a similar way to a certain car manufacturer who cheated on their emission tests!
I also hope that one day we have a cyber equivalent of the Accident Investigation Branches, with investigative power to learn from previous mistakes, work out which part of our process or regulation is missing and ensure we never make the same mistake again (hopefully, this will also remove that terribly annoying expression that comes from the lips of every company after they get breached!). One of the biggest problems is that without collaboration, everybody does their own thing, which is horribly inefficient, and no one learns from anyone else’s mistakes. With an independent reviewer and a number of hopefully ISO-level documents coming out of it, we reduce the room for error and therefore the attack surface of our IT, which people are currently, sometimes too easily, taking advantage of.
So where does that leave us end-users? I hope that our organisations will become much slower to adopt technology for the sake of technology, that our suppliers will be more honest and objective about security, and that we will stop using people to provide IT services who cannot provide proof that they understand how to configure our networks so that we are secure from attacks we cannot understand. I also hope that someone invents something to stop us clicking on internet links in emails and other click-bait sites that attempt to drop programs onto our computers for nefarious reasons. I would like to think that we can raise honest reservations when asked to do insecure things, such as removing USB drives from work (where they could easily be stolen), rather than simply being ordered to do what we are told. Could this be backed up by legal restrictions? I also think we will see a whole load of alternative products that will challenge our 20-year-old security ideas and, ultimately, as my colleague always tells me, “we need to make it easier to do it right than to do it wrong”.