IoT, BYOD, 3rd Party Vendors, State-sponsored Hacking: How Cybersecurity Has Evolved in 2016
By Michael H. Howland, CEO of Armored Cloud
In January 2016, I, along with other cybersecurity commentators, presented an outlook for key issues in cybersecurity for the year (you can read these predictions here). As the summer comes to an end, it is worth taking a moment to look at what has actually unfolded in several major areas.
Cybersecurity Threats Are Increasingly Complex and Sophisticated
Those of us who commented on this trend got it right. As I said in January, “All experts agree that 2016 will see a higher degree of collaboration and cooperation among bad actors, along with a higher degree of technical competency.”
Over the past six months we have indeed seen a steady increase in attacks by cyber criminals and state-sponsored hackers, with greater and more dramatic impact. Financially motivated cyber criminals are demonstrating increased capability, often at nation-state levels of sophistication. Cyber threat intelligence firms like Hackmageddon identify cyber crime as the motivator for roughly 70% of all attacks.
In addition to the usual official nation-state-sponsored hacking in countries such as China, Russia, and North Korea, we are seeing other countries (notably Iran) increase their cyber espionage efforts. Prior to last summer’s nuclear agreement, Iran’s cyber activities were classical political or military intelligence type probes. The potential, however, for reengagement in the global economy has provided motivation for Iran to expand its focus to key commercial sectors: oil and gas, finance and banking, aviation and automotive industries, and the legal world, to name a few.
U.S. law firms have been specifically warned that they have become a major target for sophisticated Iranian cyber attacks. Press headlines scream the news of major breaches at the Democratic National Committee network, with their private emails being published on the internet. Investigations suggest that the breaches were the work of Russia’s official cyber operation.
State-Sponsored Cyber Activity vs. Public and Private Sector Cyber Organizations
What I did not comment upon in January is the highly unbalanced playing field between nation-state-sponsored military or intelligence cyber collection organizations on one side, and the fragmented efforts of public and private sector organizations in the United States on the other side. On this playing field the bad guys significantly outgun the good guys.
These bad guys have nearly unlimited resources and work as a coordinated, well-oiled military command. They enjoy the backing of their nation’s financial and political leadership. In our country, the response to these threats has been soft at all levels. The main challenge is that there is no unified response and, at best, limited sharing of information between the public and private sectors.
The industry is starting to respond with a new offensive approach to cyber-security, and new products and services are continually coming out. We are also starting to see pockets of information sharing, mainly in the financial services industry, but on the whole it is still a stovepipe world.
Several years ago a few wise men recognized this growing threat and called for a 21st Century version of the WWII Manhattan project for cyber-security. Sadly, there was no response to that call, and here we are today.
Cyber-Security as a C-Level Priority
There is no question that cyber-security now has the attention of corporate executive suites and boardrooms. Corporations are rushing to add cyber-security officers to their dictionary of “C” positions. The corporate world as a whole has recognized that their business is neither too small nor too large to be a target. Cyber-security is now part of enterprise risk management, as victims have to struggle to survive the hard (financial losses) and soft (loss of reputation) impact of a cyber-security breach.
We now have entire segments of the retail and service industry whose leadership are aware that their company will not survive a cyber-security breach. In most cases they are not afraid to spend against this threat, but are challenged by conservative CIOs who are unsure what to do. At a recent Cybersecurity Summit I counted 150 cyber-security industry experts representing 62 different product firms. There clearly is no shortage of security solutions, only confusion about what to do with such abundance.
The Scope of Cyber Security Threats is Increasing
It used to be that a CIO only worried about their own corporate network. Today, the CIO has to be concerned about any network that touches theirs. Bad actors have figured out that in the world of outsourcing, specialized services, and enterprise cost reductions, all corporations rely on secondary vendors for services.
These secondary networks are often smaller firms that lack sophisticated cyber-security defenses, making them easy targets. Bad guys have learned how to ride these networks into the larger enterprises they service. Once inside, the scope of the damage they can do is unlimited. And, if they are patient and careful, they can sit in these networks undetected for years.
It is not uncommon for CIOs to not even know of some of the secondary networks or unique users with access to their networks. For example, imagine the scenario where a consultant was hired to conduct a study for the CEO and given network access. The consultant completes the work but no one thought to alert the IT staff to terminate the access. Months later, that consultant’s laptop is stolen or otherwise compromised along with the unwitting firm’s network.
IoT Devices: Unsecure, Ubiquitous, Unavoidable
The Internet of Things (IoT) presents an entirely new galaxy of threats, not only in devices but also in the applications that sit on those devices. The number of data applications that sit on an individual’s smart phone alone is mind-numbing, and many of these smart phones have access to their owner’s corporate accounts. Each application represents a potential threat to an enterprise network. Like outside vendors, IoT devices cause an organization’s threat vectors to increase exponentially.
Corporate- or government-issued devices for employees or contractors are not the only problem. BYOD (bring your own device) practices are common these days. These devices are often given network access for whatever reason, and with that each application becomes a potential penetration threat. Unfortunately, in the rush to make the device or application function, cyber-security is often an afterthought. Security officers face immense pressure to keep everyone and everything connected, while ensuring that all devices, networks, and data troves are protected from innocent or malicious discovery.
A Proactive Cybersecurity Mindset is Critical for 2016 and Beyond
Thanks to outside vendors, contractors, and IoT devices, the size of public and private networks is growing exponentially every day. What once was a manageable sandbox is now a bustling playground. This, coupled with an increasingly coordinated and sophisticated group of bad actors with a variety of agendas, makes it harder than ever for executives and security officers to feel secure that their networks are protected. Until there is a coordinated effort by the public and private sectors to address these threats, individual organizations are on their own in protecting their networks.
To address this very challenge, I wrote the white paper "Five Ways Executives Can Rethink Cybersecurity," which frames today’s cybersecurity efforts as a war between good and bad. Security officers, and the executives and corporate boards they report to, must embrace a warrior’s mindset when dealing with today’s cyber criminals. We must be prepared to study our enemy’s methods. Think like them. Hide like them. Deflect like them. I encourage you to download this paper as you consider how cyber-security is evolving throughout this year and into 2017.
Armored Cloud was created to give organizations the power to evade cyber criminals using anonymity and obfuscation online. Through a variety of solutions that enable enterprise managed attribution you can remove your network’s attack surface no matter its size or scale.