Do we live in a state where there is “an absence of unmitigatable surprise”? That phrase is from Dan Geer, a noted security authority, and it was written in 2014. You might think we have just about worked out this cyber security thing by now. But no, we’ve hardly begun.
The thing is, cyber security is just about impossible to achieve.
It’s an ongoing challenge and, as the cyber environment we all take for granted becomes more dynamic, the opportunities for attack grow alongside it. Now that society ‘owns’ cyberspace and has specific expectations and demands of it, how can we ever really protect that environment?
First of all, it’s worth considering what elements will help secure this environment. What are we looking at? To begin, we need systems that are secure and can be defended, right? Well yes, but we also need a real understanding of the environment we want to see secured and exactly what types of people or ‘actors’ might want to attack it.
Cybersecurity, attack and defense are different things.
This means there is a real need for high quality training that really works. In fact there is a distinction that needs to be made between education and training. There’s also the basic difference between cyber attack and defense, or even between computer network exploitation and computer network attack. The catch-all term ‘cyber security’ does not really get to the heart of the series of complex issues that have so quickly become an integral part of our everyday lives.
Computer network exploitation is associated with the theft of information; computer network attack is associated with the disruption or destruction of information systems. You can get away with calling both of them cyber attacks, but they are two distinct forms of malicious activity.
Things have evolved and differ from the initial computer based attacks. These used to be, in the main, viruses and computer worms. It was almost a case of ‘hey, look how clever I am for making these!’ Then later, ‘hey, look how notorious I’ve become!’ Other viruses and worms were created to show just how vulnerable popular software and hardware makers’ systems were. We are seeing this again with the vulnerabilities cropping up in IoT devices. Still, it’s always worth reminding companies that they have responsibilities beyond simply pleasing shareholders.
These original attacks did cause loss of data or interruption of service. But on the whole they were initially considered annoying or, at worst, examples of vandalism. This set of suppositions also dictated the way system security developed. It was seen as a problem of technology, and it was largely reactive, focusing on vulnerabilities rather than on the threat actors themselves. You can now see why there are so many patches and updates as the cycle continues. Of course it’s not viable to continue this way.
Being reactive does not fit the agile, creative, fast-paced, proactive world we live in. We can’t wait for sophisticated attacks by terrorists, the criminal fraternity or state sponsored threat actors. We need to consider the psychology behind such behavior. We need to ask what the motives and goals behind these cyber behaviors are. This type of approach is more likely to have a positive impact on new cyber security strategies.
This game of cat and mouse has to end.
We know that agility and creativity work on both sides of the divide, of course. Malicious cyber actors work just as hard to penetrate our defenses. Darwin would be fascinated to watch this continuous ‘attack-defend-attack’ behavior creating what can only be termed a co-evolutionary relationship. So what can be done?
First of all it’s worth considering what we can do to remove our limitations regarding how we actually think about the problem. By changing this we might make progress with cyber security. So here are 6 things to consider:
6 Cyber Security Uncomfortable Truths
#1. Your systems cannot be 100% secure.
No one wants to hear this. We like to think we can prevent unauthorized access. As a consequence our thinking puts us in defensive or detection mode. We develop these defenses at our network perimeters. We pay special attention to gateway connections to external networks. We develop the demilitarized zones that sit between an internal business network and the public internet. We might as well build a moat, organize some archers and a few buckets of burning oil while we’re at it. This kind of thinking is that antiquated.
We carry on developing additional layers to prevent a breach. But in spite of these medieval plans, things happen and penetrate our carefully constructed defenses. Advanced persistent threats (APTs) are far more sophisticated. They’re more organized and better resourced. APTs keep going; they are persistent and utilize sophisticated custom malware; they aren’t fighters that need to rest or tend the wounded. In addition, they have developed the ability to evaluate defenders’ responses - of course they have. They do this so well that they can escalate their attack techniques as appropriate. Be aware that if your assets are attractive or valuable, those who want them can get them. Accepting this changes attitudes, and the solutions that stem from them.
#2. Whatever you think, you cannot eliminate vulnerabilities.
If you don’t recognize this fact you are still trapped in the cycle of trying to defend the indefensible. Cyber criminals are not just interested in breaching your defenses for the fun of it; they are after something specific. So forget about just keeping them out. Think about what you can do to stop them getting their hands on your data.
Therefore you should be thinking about data encryption, or about finding ways to hide or disguise something of value. What if you tackle criminals once they have penetrated your defenses? That way you have an opportunity to come ‘face-to-face’ with your enemy and discover a little more about them. You can watch without them realizing. Call it collecting forensic evidence. If they come back you are much more likely to recognize them and to get their activities detected.
#3. Guess what? You are not alone.
You may think criminals have not got inside your network. But guess what? Their malware could well be inside already. Act as if it is. Therefore, when you are considering your system security updates, controls and policies, consider how you can stop an insider threat from going all the way. Be suspicious of absolutely everything. Trust nothing; trust no one.
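One concrete way to act on #2 (watch intruders once they are inside and recognize them if they return) and #3 (assume the attacker is already in) is a honeytoken: a decoy account and a decoy file that no legitimate process ever touches, so any use of them is a high-confidence signal. The following is an added example, not code from the original article; the log format, field names, decoy names and sample log lines are all constructed for illustration.

```python
"""Honeytoken detector: flag any use of a planted decoy account or decoy
file in key=value audit log lines, and remember the source address so a
returning intruder is recognized on the next hit.

Added example. The log format, decoy names and sample lines below are
assumptions constructed for illustration, not any real product's format.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Decoys planted on purpose: nothing legitimate ever uses them, so even a
# failed login or a read of the file is worth an alert.
HONEY_USERS = {"svc_backup_legacy"}
HONEY_PATHS = {"/shares/finance/payroll_final.xlsx"}

# Tokenizer for a constructed key=value log line (values may be quoted).
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> Dict[str, str]:
    """Turn 'k=v k2="v 2"' into a dict; unknown/malformed text is ignored."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


@dataclass
class Alert:
    ts: str
    src: str
    host: str
    trigger: str
    returning: bool  # True if this source has tripped a honeytoken before


def scan(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per log line that touches a decoy.

    A source address is fingerprinted on its first hit, so later hits from
    the same address (even under a different, stolen account) are marked
    as a returning visitor.
    """
    seen: Dict[str, int] = {}
    alerts: List[Alert] = []
    for line in lines:
        ev = parse(line)
        trigger = None
        if ev.get("user") in HONEY_USERS:
            trigger = f"decoy account {ev['user']}"
        elif ev.get("path") in HONEY_PATHS:
            trigger = f"decoy file {ev['path']}"
        if trigger is None:
            continue
        src = ev.get("src", "?")
        alerts.append(
            Alert(ev.get("ts", "?"), src, ev.get("host", "?"), trigger, src in seen)
        )
        seen[src] = seen.get(src, 0) + 1
    return alerts


# Constructed sample log: alice's activity is benign; 10.0.4.17 first probes
# the decoy account, then reads the decoy file using bob's credentials, and
# comes back the next night.
SAMPLE_LOG = """\
ts=2024-03-02T09:58:11Z host=fs01 user=alice src=10.0.4.12 action=open path=/shares/finance/q1_forecast.xlsx status=ok
ts=2024-03-02T10:15:02Z host=dc01 user=svc_backup_legacy src=10.0.4.17 action=login status=fail
ts=2024-03-02T10:15:40Z host=fs01 user=bob src=10.0.4.17 action=open path=/shares/finance/payroll_final.xlsx status=ok
ts=2024-03-02T11:02:19Z host=fs01 user=alice src=10.0.4.12 action=open path=/shares/finance/q1_forecast.xlsx status=ok
ts=2024-03-03T02:41:07Z host=dc01 user=svc_backup_legacy src=10.0.4.17 action=login status=fail
""".splitlines()


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        flag = "RETURNING" if a.returning else "new"
        print(f"{a.ts} {a.host} src={a.src} {a.trigger} [{flag}]")
```

Two points worth noticing in the output. The failed login still raises an alert: a decoy has no legitimate users, so the attempt itself is the evidence. And the second hit is made with a real user's credentials (bob), which is exactly the insider-looking activity #3 warns about; the source fingerprint is what ties it back to the earlier probe.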
#4. Never relax.
You cannot afford to take the day off. You might have thwarted an attack, but that’s today. Do not assume that because your security compliance or network hygiene works well you actually have network security. You may think you are up to date with what’s going on, but if someone is determined to get into your system, they will. You see, it’s worth remembering you are not alone. Work from that premise and it will transform how you behave.
#5. Whatever is happening right now is just beginning.
However sophisticated, innovative or efficient we think we are by using AI, guess what? Your attackers have access to just the same solutions, and more. If they have been profitable in the past they will invest a lot in creating further success, just like you do.
#6. Try not to make things worse.
As I said, do remember that your developments simply help the attack evolution to accelerate. It’s like bacteria becoming resistant to antibiotics. I’ll leave you to think about that one. In fact, it has been said that the only security achieved in the cyber security community is job security. The irony is that we need more experts and practitioners, but what’s really important is that we need the right kind: left-field thinkers who are curious, suspicious and spoiling for a fight. Does that describe your cyber security team? Just asking.
Vivienne Neale is a Visiting Research Associate at the Cyber Security Centre, University of Hertfordshire, UK.