More than 300 cybersecurity professionals from Ireland as well as the UK, the European Union, the US and beyond joined each other in Dublin for the 2015 installation of IRISSCON. They came to attend the information security conference run by the Irish Reporting and Information Security Service (IRISS).
Brian Honan, Founder and CEO of IRISS, kicked off the event by providing the audience with an Irish cybersecurity state of the union. “In 2015, Irish businesses reported 26,137 security incidents,” said Honan. “This is a significant jump compared to the 6,534 incidents seen in the 12-month period prior, leading back to November 2014.”
As this comment by Honan signifies, the unfortunate reality is that we seem to be heading down a path where the vulnerabilities exposed remain while the number of attacks against them increase. The easiest example of this we can point to would be the OWASP Top 10: Why hasn’t this list changed much in years?
“The incidents we’ve seen in 2015 are the result of the same problems we saw in 2014, in 2013, and for the years prior to that,” proclaimed Honan.
Even if it’s too hard to write secure code and deliver secure website apps, we should at least be able to patch our systems to prevent attacks at that level, right?
The connected future holds even more risk
If our inability to secure the stuff we’ve known about for years didn’t paint enough of a picture of doom-and-gloom, consider the risk that the connected future holds. It’s possible to suggest we’re moving beyond a world of harm to our digital assets to one where human life is at stake.
“Trend Micro recently made a prediction that in 2016, we'll see the first death attributed to the compromise of the Internet of Things,” said Rik Ferguson, Vice President Security Research at Trend Micro (see Who Will Pay the Price When Tragedy Strikes the IoT?).
This prediction could easily come true considering all of the emerging technologies running rampant across the Internet. “We need to recognize that cloud computing is a disruptive technology that is at the core of enabling even more disruptive technology,” added Ferguson.
Through the cloud, we can see pretty much everything connected to the Internet: mobile devices, medical devices, cars, homes, buildings and cities (See The Need for a New Security Fabric - Specifically for a World Filled with IoT). While we often think about the Internet of Things in terms of the devices themselves, there’s a massive back end supporting all of this interconnectivity.
With this massive interconnectivity comes responsibility. “We can't just secure the devices as they also connect to some back-end service that could be compromised,” said Claus Houmann, InfoSec Community Manager at Peerlyst and a strong supporter of I Am The Cavalry, a grassroots organization focused on issues where computer security intersects with public safety and human life. “And it doesn't only have to be an issue of a malicious actor—the software can fail on its own,” Houmann added.
To address the possibility of failure, I Am The Cavalry, created a five-star cybersecurity safety framework:
5-Star Security Framework
|FORMAL CAPACITIES||PLAIN SPEAK|
|1. Safety by Design||1. Avoid Failure|
|2. Third-Party Collaboration||2. Engage Allies to Avoid Failure|
|3. Evidence Capture||3. Learn from Failure|
|4. Security Updates||4. Respond to Failure|
|5. Segmentation||5. Isolate Failure|
Source: I Am The Cavalry
The full framework for the automobile industry is available here: Download PDF (opens in new window)
Poor hygiene plagues us
Some companies could find it challenging to prepare for tomorrow’s threats given they can’t even protect themselves against today’s advanced threats.
“Some of the most dangerous words in information security are, 'we’ve always done it that way,'” warns Thom Langford, Chief Information Security Officer at Publicis Groupe. “Just because a risk hasn't happened doesn't mean the security problem has been fixed.”
As an example, while most companies won’t stop running antivirus software, Langford suggested that most in the industry agree it’s pretty much worthless in protecting against the threats we face. Yet, we continue to use it.
Why? Because we’ve always done it that way!
“Nobody wants to risk getting fired for not using antivirus software—not even me,” said Langford. “It’s an issue of not recognizing the difference between hygiene risk and real risk,” he added, explaining to the audience that people tend to focus on what they perceive needs their attention vs. what really matters.
Social engineering beats current human awareness training
At the end of the day, we rely on our people to do the right thing when it comes to security. Yet they seem to continuously fail at making good security decisions. Is it a matter of a lack of training? Or are the attacks just that clever?
According to a recent Irish Times report, sending phishing emails to 10 employees will get hackers inside corporate gates 90% of the time. The article cites the 2015 Verizon Data Breach Investigations Report that found more than two-thirds of the 290 electronic espionage cases it learned about in 2014 involved phishing.
Phishing attacks usually result in some sort of compromise that can be the entry point that leads the attacker through the network to a point where they could extract valuable information. Maybe this is a case of not getting the message out to employees in the right way.
“Security awareness must be communicated on an emotional level, otherwise people do not rationalize the information,” said Lance Spitzner, Research and Community Director, SANS Securing the Human Program. “Unfortunately, 90% of InfoSec awareness training programs are run by some of the world's smartest, yet worst communicators,” he added, taking the position that it takes more than just sharing information to get people to understand and embrace it.
Sometimes it’s hard to detect that you’re being phished. Spear phishing is by far the most dangerous form of phishing as the attackers often use a lot of gathered information to directly target the top executives within the company—those that usually have unfettered access to the company’s crown jewels.
However, it may not be about selling data for cash. “For many social engineers, the money is almost incidental,” said Jenny Radcliffe, Director at Jenny Radcliffe Training. “Many just want to see how far they can push the envelope.”
Or perhaps they could use their successful spear phishing campaign for ransom?
“Over the years, we've seen ransomware run rampant on desktops,” said David Parkinson, Sales Manager - Mobile & Data Security at Check Point Software Technologies. “Companies need to prepare themselves for the rise of mobile-specific ransomware.”
And what happens when the non-payment of a ransom moves beyond the destruction of the data or the device? Trend Micro’s prediction could point to a case where another connected device is attacked if the ransom isn’t paid: such as the user’s car getting remotely hi-jacked and driven into a ditch. This totally supports the prediction of Trend Micro.
Three tips to prepare for when breaches hit
Whatever the cause of the security incident, Paul Keane, European Operations Manager at IDT911, suggests that companies prepare to respond. “If at the time of an incident you're asking, 'What do you do when you get breached?' Then you're too late,” said Keane.
To help the audience prepare before a breach occurs, Keane offered these three tips:
- Follow these six steps to implement a solid incident response plan:
- Assess the risk of the potential breach
- Manage or transfer the risk
- Develop the response plan
- Conduct employee training
- Assess vulnerabilities and perform penetration tests associated with the risks
- Run the response drills
- Documentation is critical: record what happened, what you're doing, who's doing it, and why.
- Have backup plans for your communications: the traditional means—phone and email, for example—may be compromised and/or otherwise offline during an incident.
The ultimate goal: built-in security
While we can’t realistically expect the number of incidents to decrease, we may still have a fighting chance if we join together, educate each other, and prepare to response quickly.
Houmann probably summed it up best when he said, "We want to achieve built-in security, not bolt-on security.”