CYBER SECURITY: Hope Is Nature’s Veil For Hiding Truth’s Nakedness
Governments have made cyber security a cornerstone of their policies. Regulators are desperately trying to implement various rules and regulations in order to keep our key infrastructure protected in a world where just about everything is now plugged into the www. Even tooth brushes and TVs are now connected – and providing unprotected routes into our most secret data.
Various agencies are tasked with the job of making sure that our concatenated world is secure. Some are not tasked but stick their ore in anyway. Over in the US, for example, almost 50 government departments are running many initiatives intended to keep our data safe. It is inevitable that amongst such complexity, like the systems which all these organisations attempt to police, holes in the coverage are missed or new ones created.
Regulators are kept awake at night worrying about financial companies. These are the axles around which are complicated 21st Century lives rotate. If the banks go, we’re all in deep doodoo. The banks are twixt the rock and the hard place. Customers demand ever more convenient methods of getting at their assets. The banks run just to stand still. Developers, who frequently know nothing about security, develop. Security becomes more complex. Holes are missed and new ones created. Most of them are subsequently seen. Some of them are not. Meanwhile, the criminals work diligently away to find vulnerabilities and, once they do, ways to exploit them. Technology advances, holes are left behind – perhaps they have been overlooked, maybe they have been forgotten about. Holes equal vulnerabilities. Vulnerabilties are the hackers’ bread and butter. Lined up to assist them are millions of little people who unknowingly do daft things on their computers on a daily basis. Often, the hard bit for the hacker is finding the vulnerability and creating the exploit which may take months to construct. The easier job, frequently, is to gather the data he needs to execute it. There are criminal gangs who make a healthy living selling huge quantities of personal data to hackers so that they can target and socially engineer hundreds, thousands or millions of victims for an exploit. Take it from me, a mega-breach is coming.
Criminal hackers are always going to be more agile than the monoliths against which they operate. The recent Ebay/Paypal incident in Australia is a good case in point. An ethical hacker reported a vulnerability and described how it could be exploited to the companies and was, apparently, fobbed off. The companies then, apparently, did nothing with his report. Three months later, the vulnerability was still there. Apparently, nothing had been done. Our experience tells us that the word apparently can probably be removed. The chances are that large corporate inefficiency led to poor housekeeping. Hubris may also have been present.
The problem for all institutions is that they face millions of attacks on a daily basis. Under such sustained and incessant attacks, things will inevitably give. Only one has to get through. Imagine, if you will, a bank which is breached. The customer can’t identify the attack and the bank cannot either. To both everything seems ticketyboo. Eventually, the attacks will come to light when a customer notifies the bank that he is short some cash – this could be weeks if the hacker is careful and the customer does not diligently check his account frequently. It might take customers a long time to notice that tiny amounts – a couple of £’s or $’s here, a couple more there – are bleeding from their accounts. Worse, are there any other victims? How to identify them? What to do? How to stop it once the exploit has been identified? Clever, devious and dedicated hackers will eventually outwit the defences arrayed against them, if only because those defences are so complex that there are bound to be some gaping holes in them.
But it is not just our financial institutions which are being targeted. Hackers are sniffing around all manner of other targets; hospitals, sewerage systems, traffic lights, oil terminals, airports, etc. Some of these systems are woefully unprotected and relatively easy to disrupt or even destroy. Most are vulnerable to malicious attacks. Just think, if the Iranian’s can take control of a US drone and land it, and if the Chinese can hack into Israel’s Iron Dome missile defences, it is highly likely that the banks will be a relative cakewalk for competent hackers.
Regulators are straining every sinew in the Sisyphean task of ensuring our institutions and key infrastructure are protected and safe. But the nature of government and their agencies is that they are conservative, clunky and, often, hugely inefficient. Hiring good staff is becoming a huge problem, simply because the demand for skills is so much higher than the supply. To make matters worse, governments usually don’t pay that well so business gets the cream. That means that it is very easy for everyone to end up with decidedly suboptimal defences where assurance is given when it most definitely should not be.
So What? So a lot actually. For lack of alternative options and the shortage of hands at the pump, there is, now, far too much reliance on automated defences. When the machine goes wrong and no-one is watching except another machine, the results can be carnage. There are too many systems which use out of date software and hardware. Many systems are poorly patched. Hackers can see this during a virtual drive-past. They don’t have to go anywhere near systems. End-point security is a nightmare akin to cutting the head off of a Hydra. If there is one thing you can guarantee, it is the multitude of bad things that individuals will do to undermine good security. Entering through a third party’s portal makes life even easier. Unusual activity sniffing software doesn’t, can’t, spot everything. Denial of vulnerability, often after assurances from the in-house (or third party vendor) help, is standard fare. Denial is frequently automatic – and is often a lie. Post Steinhafel, the head shed, the ‘C Suite’, is looking straight down the barrel of personal responsibility gun. Permission to quiver bottom lip Sir?
Bronzeye Group is a Business Risk Management company. We have a wide array of programs which help our clients to stay out of harm’s way and at the head of the ‘threat curve’. Please call us to investigate how we can assist you in ensuring your information assurance.
Until you do, mind your eye………….











