Even if it’s never perfect, it can always improve
You may have heard that there was a recent breach at a major mobile provider, exposing the personal information of around 40 million people. And what was the public response to this outrage? They yawned.
This hack was just one of thousands of publicly reported breaches in the first six months of 2021, hacks that exposed a total of 18.8 billion records. Most have never made the evening news. Apparently, even criminals are bored. Reuters cited a report by Vice saying the vendor offered data on 30 million cell phone victims for 6 Bitcoins, or about $270,000. However, later reports suggested the asking price dropped and the entire data cache was offloaded for just $200.
With so many data thefts going on, even a heist as massive as this doesn’t cause much public concern. But getting used to the loss of privacy and getting bored of personal information leaks is in itself a great danger. Indeed, ignoring data breaches ignores the fact that in the United States today, just about everything is connected to the internet – and therefore susceptible to attack. Advanced hacking tools, many of which were developed by US intelligence agencies for their own espionage purposes, have been stolen and made available to hostile countries. In some cases, they have been sold to criminal enterprises on the dark web. These exploits not only have the ability to siphon your personal information, but they can also be used to shut down the power grid, computer networks, air traffic control system, banks, water treatment plants, factories, communications and just about everything else.
In a well-researched recent book with the disturbing title “That’s how they tell me the end of the world”, New York Times cybersecurity journalist Nicole Perlroth explored the secret market for zero-days — unpatched vulnerabilities discovered in frequently used software capable of providing covert access to a network — as well as companion software created to exploit those flaws. Sometimes these hacks actually string together a series of zero-days. And hostile nations are eager to acquire these tools. But while the offensive capabilities they present are enormous, at least in the United States they have not been accompanied by developments to defend against them – a dangerous imbalance.
Yet, despite growing public indifference, businesses and other organizations whose operations are vulnerable to disruption are taking cybersecurity very seriously. Security budgets have increased. Cybersecurity specialists are in greater demand than ever. And security-related software is selling very well. These are all good things. But there is also a downside: as more and more security tools are deployed and multi-vector attacks become more sophisticated, the number of alerts keeps increasing. And not all of those alerts get the same level of attention from staff.
In this respect, it resembles the problem of automatic fire alarm systems in many commercial buildings, which react to a wide range of potentially threatening events, including minor ones. Whenever something sets them off, local firefighters are forced to suit up and respond. However, the incidence of actual fires associated with these alarms is typically only about 2%. Especially for volunteer fire companies, this high rate of false alarms gets old fast. The problem is that those two percent can be devastating and therefore cannot be ignored.
In the computer world, it’s the same. More than 2,000 cyberattacks a day were reported to the FBI last year. But that doesn’t include the much larger number of unreported attempts that were thwarted by various defense mechanisms. An NSA data center in Utah, for example, experiences an incredible 300 million hacking attempts every day. This massive volume of alerts can easily overwhelm staff, preventing security teams from investigating the alerts that really matter.
Because sorting through an avalanche of alerts can be exhausting, SIEM or Security Information and Event Management software systems, aka Threat Intelligence Gateways, have become particularly valuable. These are systems that block known bad IP addresses and then learn by simulating attacks on the organization’s production network, essentially training themselves to spot and interpret unusual patterns associated with attacks. As a result, security teams can prioritize their efforts by eliminating low-stakes threats and instead focusing on telltale signs of a serious compromise. The result: faster containment and shorter resolution times.
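The triage behaviour sketched above (drop alerts from sources that are already blocked, collapse repetitive low-stakes noise, and rank what remains so the strongest sign of compromise reaches an analyst first) can be illustrated with a small script. This is an added example, not code from the article or from any SIEM product; the alert format, the blocklist networks, the severity weights and the sample alerts are all constructed here for illustration.

```python
"""Toy alert triage: blocklist filter, noise collapse, and ranking.

Added example, not the article's or any vendor's code. The blocklist,
severity weights and sample alerts below are constructed placeholders.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed "known bad" networks (documentation ranges, not real IoCs).
KNOWN_BAD = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]

# Constructed severity weights per alert type; an unknown type scores 5.
SEVERITY = {
    "port_scan": 1,
    "failed_login": 2,
    "new_admin_account": 8,
    "outbound_beacon": 9,
    "lateral_movement": 10,
}

# Constructed sample alerts: (source_ip, alert_type, affected_host)
SAMPLE_ALERTS = [
    ("203.0.113.5", "port_scan", "web-01"),
    ("203.0.113.5", "port_scan", "web-02"),
    ("203.0.113.9", "failed_login", "vpn-01"),
    ("10.0.0.21", "failed_login", "dc-01"),
    ("10.0.0.21", "failed_login", "dc-01"),
    ("10.0.0.21", "new_admin_account", "dc-01"),
    ("10.0.0.44", "outbound_beacon", "fin-07"),
    ("192.0.2.8", "port_scan", "web-01"),
]


def is_known_bad(ip):
    """True if the address falls inside any blocklisted network."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_BAD)


def triage(alerts, noise_threshold=2):
    """Return (blocked, prioritized).

    blocked:     alerts whose source is on the blocklist. They are assumed to
                 have been dropped at the perimeter, so they are counted but
                 not handed to an analyst.
    prioritized: remaining alerts grouped by source, scored by the sum of
                 severity weights, with repeated low-severity alerts capped at
                 noise_threshold, sorted highest score first.
    """
    blocked = [a for a in alerts if is_known_bad(a[0])]

    groups = defaultdict(lambda: {"types": defaultdict(int), "hosts": set()})
    for src, kind, host in alerts:
        if is_known_bad(src):
            continue
        groups[src]["types"][kind] += 1
        groups[src]["hosts"].add(host)

    prioritized = []
    for src, g in groups.items():
        score = 0
        for kind, count in g["types"].items():
            weight = SEVERITY.get(kind, 5)
            # The fiftieth failed login is not fifty times more alarming than
            # the first, so low-severity repeats stop accumulating past the cap.
            if weight <= 2 and count > noise_threshold:
                count = noise_threshold
            score += weight * count
        prioritized.append({
            "source": src,
            "score": score,
            "alerts": dict(g["types"]),
            "hosts": sorted(g["hosts"]),
        })
    prioritized.sort(key=lambda entry: entry["score"], reverse=True)
    return blocked, prioritized


if __name__ == "__main__":
    blocked, ranked = triage(SAMPLE_ALERTS)
    print(f"{len(blocked)} alerts from blocklisted sources suppressed")
    for entry in ranked:
        print(entry["score"], entry["source"], entry["alerts"], entry["hosts"])
```

Run on the constructed sample, the three alerts from the blocklisted 203.0.113.0/24 range are set aside, and the internal host 10.0.0.21 (two failed logins followed by a new admin account) ranks above the single outbound beacon and far above the lone port scan. The weights are the part a real team would tune: the point is that ranking by a severity model, rather than by raw alert count, is what keeps the serious signal from drowning in the noise.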
But while smart software can be a great ally, promoting good digital hygiene throughout the organization will always be valuable. Strong passwords, multi-factor authentication, zero-trust access, and vigilance against phishing attempts are some of the best-known defensive methods. They can all help. But as the SolarWinds debacle demonstrates, even when you do everything right, malicious code can slip into your network, sometimes hiding undetected for months before being activated and causing harm.
With that in mind, here’s how I think businesses should view cybersecurity:
1. Nothing is completely secure
2. No organization is too small to be hacked
3. Chances are some of your information has already been stolen
4. There’s nothing you can do to prevent persistent state-sponsored hacking
5. There are, however, significant steps you can take to deter or block hackers
6. Plan in advance how you can react if you suffer a cyberattack
Cybercriminals and malicious hackers have been very creative in finding ways to manipulate people and technology to steal data, infect systems and take control of assets. As a result, defenses against cyberattacks keep changing. Security isn’t a one-size-fits-all proposition – it’s an ongoing process, and despite what different vendors might tell you, it’s not easy and it never ends. But no matter how far you are from a perfect system – or how close you are to one – the pursuit is still an essential and worthwhile investment of your time.