Cyber security top of the agenda in 2016
January 7, 2016
As far as data breaches go, 2015 was a banner year. The list of breaches is long. The amount of personal information accessed was significant, with the breach of the Office of Personnel Management being the biggest in US history, involving theft of the personally identifiable information of some 21.5 million current and former federal employees and their close contacts, including 5.6 million people’s fingerprints being compromised. In addition to breaches of computer networks there have also been systemic problems in the handling of personal information by organisations, with disturbing reports of privacy violations by government departments, such as US Veterans’ medical facilities. The US cybersecurity bill that will be passed is a significantly flawed response to this growing problem according to experts and privacy advocates. Nothing new there. Unfortunately.
The problem remains chronic, as the Economist sets out in its brief article Cyber-security: bad and getting worse, which provides:
Headline-grabbing breaches of computer networks mushroomed in 2015, from Ashley Madison (a dating site for adulterers) to American government databases. The bill rocketed, probably into the hundreds of billions—a huge wealth transfer from law-abiding victims to cyber-criminals. Most attacks depended on exploiting carelessness with simple trickery, not computer wizardry. The online criminal economy is evolving fast, with crime-as-a-service businesses offering customers technical support and profit-sharing schemes. Though the internet is fundamentally insecure, the means to foil most attacks are readily available: keep data encrypted, on well-designed networks, with access and connections carefully managed—and stay vigilant for anomalies. The biggest vulnerability for managers is people (“carbon-based errors”), not machines. In 2016 politicians, regulators, insurance companies, credit-rating agencies, shareholders, customers, suppliers and employees will demand more care from those entrusted with other people’s data. But change will come only after a lot more pain.
In the absence of adequate cybersecurity regulation and enforcement, the focus needs to be on organisations properly attending to their own cyber security, as is made clear in the Guardian’s review by experts in ‘We have to address our vulnerabilities’ – tech security predictions for 2016.
It provides:
Jennifer Arcuri, co-founder, Hacker House
We will need more cyber skills
Securing a network isn’t just about an intrusion detection program, another firewall or a virtual private network for redirecting traffic. Your online privacy is not dependent on how much you know about Tor or fiddling with settings in your apps. In business operations in 2016, the one “dude” in the IT department will become a core focus for the company. Chief executives will be forced to understand and learn how to implement security infrastructure in their companies – and no longer will it be okay to “not know” what went wrong.
Instead of the same circular conversation around what automaton tool you can use to defend your perimeter or access encrypted files, there will be a clear focus on cyber skills – the lack thereof and the need to implement them.
After all, the problem we’re dealing with is about humans fighting humans: a cognitive behavioural problem. The more we recognise and foster education, ethics and awareness, the more able we will be to reach a legitimate solution.
What 2016 won’t bring is another who’s-to-blame debate between privacy and security. The two concepts are no longer mutually exclusive. Because of the burgeoning threat of the internet of things and shared economies, creating vulnerabilities in business and government, there will be no way to drive towards a solution more effectively than to teach the relevant skills.
We also have to do something to address how the rise of connected devices means increased vulnerability to cyber-attacks. The threat of our national infrastructure being compromised is very real. But this is not about another firewall. Automate that all you want, but at the end of the day, we will absolutely need more cyber skills.
Sean Sullivan, security advisor, F-Secure Labs
Adblocking, Flash and end-to-end encryption
Adblocking technology was trending during 2015 and it looks to continue this year. Wherever you sit on the debate, their increasing use will have a positive impact because it will mitigate malvertising (malicious advertising). Besides convincing consumers their content is worth viewing, ad networks will also need to do a better job with security in 2016. Amazon banned Flash from its ad network during 2015 and I’m hopeful we’ll see that continue with other networks this year. Flash does have its uses, but nobody needs it anymore for ads. Flash needs to go.
I also think we will see an increase in the amount of end-to-end encryption applications in use during 2016 – but not because of security and privacy concerns. Rather, these apps are simply the smartest way for new businesses to develop their services. As new apps are taken into use, they will simply have such encryption baked-in. It will be about smart business development: spending less to secure a service by using the best encryption available (whether the government likes it or not).
Bruce Schneier, security expert and fellow at the Berkman Center for Internet & Society
Incident response matters
We’re living in a world where attack is easier than defence and where a sufficiently skilled, motivated and funded party will always succeed. Defences are important, both to raise the bar for the attacker and keep low-level hackers out, but good security increasingly centres around response. In a world of sophisticated adversaries – hacktivists, criminals and nation states – and network penetrations that go undetected for months, this is where we need to focus our security.
Security teams need to be able to detect, mitigate and recover from attacks quickly and effectively. This means they need tools to automate whatever can be automated and to coordinate everything that can’t. They need tactical tools to help them at the moment of attack and strategic tools to build up their response capability.
For more than a decade I’ve been saying that security is a combination of prevention, detection and response. The 1990s was the decade of prevention. The 2000s was the decade of detection. This is the decade of response – and it will be the final element that pulls everything else together.
The Guardian also has an excellent article on security with Usability v safety: how to design our way to better security.
Industry groups have taken steps to provide guidance to organisations on providing proper cyber security. In October 2015 the New York Stock Exchange published the comprehensive, 369-page Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers. Unfortunately, without proper enforcement guides will only go so far. In Australia the Privacy Commissioner has published extensive guidelines, yet compliance remains poor. The culture is resistant because the risk of enforcement is seen as remote and breaches seemingly occur to others. But as the saying goes, an organisation has either been hacked or is going to be hacked. With proper preparation that risk can be minimised. With the usual business practice the chances of a breach increase exponentially.
There is real friction between proper cyber security, of which encryption is a key element, and the ability of the authorities to access communications. Some authorities are tempted to force organisations to provide their encryption keys or to have back doors installed in encryption programs. As the Economist points out in When backdoors backfire, this is a flawed, if not foolish, approach to security.
It provides:
Without encryption, internet traffic might as well be written on postcards. So governments, bankers and retailers encipher their messages, as do terrorists and criminals.
For spy agencies, cracking methods of encryption is therefore a priority. Using computational brute force is costly and slow, because making codes is far easier than breaking them. One alternative is to force companies to help the authorities crack their customers’ encryption, the thrust of a new law just passed in China and a power that Western spy agencies also covet. Another option is to open “back doors”: flaws in software or hardware which make it possible to guess or steal the encryption keys. Such back doors can be the result of programming mistakes, built by design (with the co-operation of the encryption provider) or created through unauthorised tinkering with software—or some combination of the three.
The problem with back doors is that, though they make life easier for spooks, they also make the internet less secure for everyone else. Recent revelations involving Juniper, an American maker of networking hardware and software, vividly demonstrate how. Juniper disclosed in December that a back door, dating to 2012, let anyone with knowledge of it read traffic encrypted by its “virtual private network” software, which is used by companies and government agencies worldwide to connect different offices via the public internet. It is unclear who is responsible, but the flaw may have arisen when one intelligence agency installed a back door which was then secretly modified by another. The back door involved a faulty random-number generator in an encryption standard championed by America’s National Security Agency (NSA); other clues point to Chinese or British intelligence agencies.
Decrypting messages that involve one or more intelligence targets is clearly within a spy agency’s remit. And there are good reasons why governments should be able to snoop, in the interests of national security and within legal limits. The danger is that back doors introduced for snooping may also end up being used for nefarious ends by rogue spooks, enemy governments, or malefactors who wish to spy on the law-abiding. It is unclear who installed Juniper’s back door or used it and to what end.
Intelligence agencies argue that back doors can be kept secret and are sufficiently complex that their unauthorised use is unlikely. But an outsider may stumble across a weakness or steal details of it. America, in particular, has a lamentable record when it comes to storing secrets safely. In the summer it became known that the Office of Personnel Management, which stores the sensitive personal data of more than 20m federal employees and others, had been breached—allegedly by the Chinese. Some call that the biggest disaster in American intelligence history. It is rivalled only by the data taken by Edward Snowden, a former NSA contractor now living in Moscow. (The authorities responsible for airport security also let slip the details of master keys that can open most commercially available luggage—a form of physical back door.)
Push back against back doors
Calls for the mandatory inclusion of back doors should therefore be resisted. Their potential use by criminals weakens overall internet security, on which billions of people rely for banking and payments. Their existence also undermines confidence in technology companies and makes it hard for Western governments to criticise authoritarian regimes for interfering with the internet. And their imposition would be futile in any case: high-powered encryption software, with no back doors, is available free online to anyone who wants it.
Rather than weakening everyone’s encryption by exploiting back doors, spies should use other means. The attacks in Paris in November succeeded not because terrorists used computer wizardry, but because information about their activities was not shared. When necessary, the NSA and other agencies can usually worm their way into suspects’ computers or phones. That is harder and slower than using a universal back door—but it is safer for everyone else.