Hacking is getting easier and cheaper, so every enterprise should do it.
Wait… what? Of course, I’m talking about reaping the benefits of ethical hacking as a way of preparing for an actual cyber attack – the odds of which are increasing as hacking services become simpler to obtain.
Just about anything can be bought on the Internet these days, legal or otherwise. Rocket launchers, hard drugs and indeed hacking services have become as easy to purchase as books and music.
While some such services are available on the regular Web, more serious customers turn to TOR, The Onion Network. Also known as the Dark Web, TOR enables buyers and sellers to transact with full anonymity using cryptocurrencies such as Bitcoin.
Through TOR, hacking services have proliferated in recent years. They’ve been used by individuals with an axe to grind, such as Edwin Vargas, an NYPD detective. Driven by jealousy, he paid $4,000 for over 40 email passwords, half of which belonged to police officers.
Another reason for growth in these services is that they are simpler to deliver. Technology is more straightforward than it used to be — witness how people can create web sites or drive smart phones, for example. By the same token, the barrier to entry for hackers is lower.
As a report from Rand Corporation confirms, “Greater availability of as-a-service models, point-and-click tools, and easy-to-find online tutorials makes it easier for technical novices to use what these markets have to offer.”
Why Hacking Is Becoming Easier
As a result the threat is growing. But isn’t it always? Am I just going to say “be vigilant” and then we all get on with our lives?
Well, no, because there’s an additional factor which means this proliferation can no longer be ignored. It’s about the nature of the attack surface.
In traditional computing models, we could consider this in three parts: first the physical environment; then the computer hardware; then the software. Policies, procedures and protections would be considered for each.
In the virtual world, the physical and hardware layers have been architected to create a reasonably robust underlying platform. Yes, sure, this still needs protecting but to a large extent it already is — the controls are well known and straightforward to check.
On top of this platform we — the global we, of corporations and providers — have created a massively scalable, massively interconnected but massively complex virtual compute environment.
Here’s the point: even as it gets more complex and harder to protect, it is becoming simpler to hack and exploit. We can’t just stand by and hope it isn’t going to happen, because automation will ensure it will.
Continues the Rand report, “Hyperconnectivity will create more points of presence for attack and exploitation, so that crime will increasingly have a networked or cyber component, creating a wider range of opportunities for black markets.”
But Ethical Hacking is Easy, Too
What to do? There’s only one answer really, and that’s to get there first. Penetration testing (ethical hacking) has been around for years; indeed it used to be my job. And just as computers can be programmed, so can exploits — there are libraries of them freely available.
We should not be daunted by kicking off such activities, or by running a program of checks for back doors into our own systems. It’s not that hard to do — that’s the point. If it were, the bad guys would be looking for easier ways to make money. The many benefits ethical hacking offers organizations will certainly outweigh the bit of time and effort required to implement it.
If you don’t want to do it yourself, you can engage an (ethical) service to do it for you. As we already know, there are plenty of them around. You don’t have to check all your IT systems and services, just the ones that give access onto the data you have that is worth protecting.
Which raises a final point: If you don’t already know what data you have that is worth exploiting, for heaven’s sake work it out. Then check whether it is accessible.
There will be a cost, but after all, it will be worth your while paying a relatively small sum up front, rather than shelling out to repair the damage later.
The difference ten years can make can be profound. 1966 looked nothing like 1976, and in each decade since, almost everything has changed. The Internet and globalization have meant that cultural shifts are less stark these days, but in terms of cyber security, 2006 feels like a long time ago.
This was one year before the iPhone was launched, when 3G was just rolling out, and there was no such thing as apps. Streaming music, photo sharing and social networks were all in their infancy. In 2006, cyber security threats were very different to those today, as what was accessible to attackers was pretty limited.
Now, every aspect of our lives is stored in the cloud – from our banking and health records to our more personal identities – and we are generating significantly more data than ever before.
Evolution of threats
The type of threat has evolved to keep pace with this explosion in valuable data. Back in the early 2000s, most threats and malware were a nuisance, designed to simply disrupt or frustrate users.
Then in 2008, the Zeus Trojan was unleashed, which grabbed banking details via key-logging and form grabbing. Years later, 100 people were arrested for having stolen over $70 million thanks to the software.
This was the start of a much more professional approach to cyber-crime. Viruses, Trojans and worms started to be created to steal money or sensitive corporate information. Variants of the Zeus Trojan still plague computers to this day, and played a part in one of the biggest consumer hacks to date, that of Target in 2013.
It is key to remember that as soon as something connects to the Internet, it becomes vulnerable. As we add connectivity to new things, everyone involved should be aware of the risks. Take connected cars, for example. In-car Wi-Fi and streaming video entertainment systems are becoming big selling points, but as demonstrated last year, weak security can let intruders in.
Shifting consumer perception
With such high-profile breaches regularly hitting the news, it has been interesting to witness how consumer attitudes have changed. Since 2013, there have been almost four billion records lost, and people are no longer shocked. At this scale, everyone from companies, to employees and everyday consumers now accepts that it’s a case of ‘when, not if’ they’ll be hacked.
Yet all is not doom and gloom. We surveyed millennials’ opinions on data security recently, in our Connected Living 2025 report. Two thirds said they would feel vigilant in the face of threats, well ahead of complacent and paranoid. This suggests people now understand the importance of protecting their data.
Breach prevention is dead (and so is the perimeter)
If the past ten years have taught anything, it is that perimeter defenses will be breached. No matter how tall or big the wall is, the enemy will find a way around it or under it.
Despite the increasing number of data breaches, companies continue to rely on firewalls, threat monitoring and other breach prevention tools as the foundation of their security strategies. Yet most IT professionals readily admit that their corporate and customer data would not be safe if their perimeter security defenses were compromised.
This is not to say that perimeter security is not important. It just means that it should not be the only thing companies do to keep the bad guys out. Instead, IT professionals should accept the fact that breaches are inevitable and work to secure the breach by placing security measures closer to the data and the users with encryption and multi-factor authentication.
Encryption and Multi-Factor Authentication Are King
Two additional developments have also made dents in the capabilities of cyber criminals. Multi-factor authentication has shown its power in keeping records safe, and encryption is also becoming the norm, so if data is lost or stolen, it’s useless.
Cyber security threats will continue to pose a significant problem. But as those born after the Internet hit the mainstream in 1995 approach adulthood, we’re well placed to face these threats head on. It’s a far cry from 2006, when 26.5 million U.S. military records were stolen, and the agency responsible waited three weeks to say anything to those affected.
The recent announcement by a European parliamentary committee to back a proposal that will require critical infrastructure operators and digital service providers, such as Amazon and Google, to maintain appropriate security measures, and more importantly report major data breaches, is a defining moment for businesses in the EU.
Business leaders should think of it as an early warning to evaluate their security practices before the proposal is approved by the EU Parliament and European Council. So, what is the current status in the EU at the moment and what steps do business leaders need to take to avoid falling foul when the law comes into effect?
The traditional form of security at the moment is dominated by a singular focus on preventing a breach through firewalls, antivirus, content filtering, and threat detection. However, if we are to learn anything from history, it’s that breaches are inevitable and attackers will get past that perimeter wall eventually.
Once this happens customer data or even a company’s IP could be compromised. Consumers entrust their vital information to companies that gather this data and must be confident that it is being kept safe and secure. Once that trust is broken, it can be very difficult for companies to get that back.
Why has there been this sudden change?
Security has always been a hot topic, but with hacks of companies like TalkTalk generating headlines and companies collecting more and more data about us online, the issue of protecting data and securing consumer trust has never been higher.
Currently in the EU, companies are not obliged to report data breaches that have occurred and, as such, many don’t. With this new law due to be implemented soon, companies will be forced to reveal these breaches and must now consider a change in strategy.
But this isn’t a new policy; the US has been adhering to this practice for a long time now, and this is the main reason we hear more about breaches there than we do in the EU.
Now is the time to review what has already taken effect in the US and analyse what lessons can be learned.
Instead of focusing purely on protecting the perimeter wall, businesses should instead turn to a layered approach that protects the data at every level should criminals get past that first defence. This also means focusing on the data itself and ensuring it can’t be accessed or used by anyone that is not authorised to do so.
Surrounding the data with end-to-end encryption, authentication and access controls provides that additional layer of security which is vital to protecting customer and corporate information. With encryption tools in place, this means that any data that is taken is rendered useless in value to anyone that is not authorised to access it.
Authorization can be secured using keys, so that only those who are allowed to access the data are able to do so. All this means that, should the worst happen and a breach occur, the customer data should still be secure.
Once these security measures are in place it’s important to tell customers. In order to build that trust, customers will want to know what processes have been put in place to protect their data. If businesses can show them they are going the extra mile, this will establish them as a credible innovator and trusted company.
Security must be a two-way street though: just as customers should be informed of what is being done to protect them, they should also be told how they can protect themselves. A better-educated consumer will help to create a safe consumer service all-round.
With this announcement being made public, companies have the opportunity to get ahead of the game and show their customers they are taking the protection of their data seriously. No longer can companies simply look at security as a compliance mandate, but rather as a responsibility that is crucial to their success.
Consumers are becoming far more educated and aware of the sensitive data they are releasing to organisations, and the responsibility that entails.
As this education increases, consumer demand will rise on what is expected of the security credentials of the companies that house their data. Failure to take this seriously could result in not only a big impact should a data breach occur, but also on the trust of the consumer. Lose this and face watching customers go to more trustworthy competitors.
It may have taken five years, but as far as the company is concerned, the effort has paid off: last week, Google announced the completion of its deployment of BeyondCorp, a zero trust IT and security architecture based on protecting identity and data, rather than looking to protect the perimeter of the organization’s IT hardware.
We can only applaud this move. As we wrote in our Secure the Breach Manifesto, “Whether internal or external, breaches are inevitable. In today’s environment, the core of any security strategy needs to shift from ‘breach prevention’ to ‘breach acceptance.’ And, when one approaches security from a breach-acceptance viewpoint, the world becomes a relatively simple place: securing data, not the perimeter, is the top priority.”
BeyondCorp equates to a complete overhaul of Google’s IT and security architecture. It focuses on user/device repudiation through authentication, user behavior and identity analytics, device reputation and intelligence statistics, all of which feeds into a completely new ‘Access Intelligence’ framework to protect company resources.
At the same time, the new approach removes any network controls or protections. The assumption is that the network is breachable, internally or externally, one way or another, so there is no point in trying to protect it. Rather than trusting the network to any extent, this zero-trust model puts all of its effort behind protecting applications, and the data they access.
In this model there is no room for BYOD: only company-issue devices are managed in the central asset register, and only these are given any kind of access to corporate applications and services via a centralised Mobile Device Management facility. Companies that follow the zero trust model should also encrypt all of their sensitive data and communications.
At the same time as increasing security however, the BeyondCorp zero trust approach makes lives easier for Google employees, who can now work wherever they like without the need for tools such as VPNs. “We are removing the requirement for a privileged intranet and moving our corporate applications to the Internet,” explained an initial brief on the topic.
The deployment has not been straightforward: indeed, it has taken the company five years with many lessons learned along the way — not least how to deal with edge cases caused, for example, by hardware reconfigurations such as moving a hard drive from one computer to another.
Overall, the company has found itself better off. By moving to a zero trust model it is not only better protected, but it also provides greater flexibility to deal with future attacks.
This move, from a company as large and as sensitive (from a vulnerability standpoint) as Google, could well be a game-changer in the industry, and we expect many other organizations to follow its lead. Quite clearly it should not be undertaken without a great deal of planning, but if Google is already experiencing the benefits, then other organizations can, too.
I had the pleasure of joining fellow information security experts and enthusiasts at RSA Conference 2016 (RSAC), and I wanted to provide some of my reactions to what I experienced at this year’s event.
The Keynote – The Sleeper Awakens and More of the Same
Over the last few years, one of the main themes at the RSAC has been about the need for a new approach to data security. Amit Yoran of RSA Security made this point in this year’s and last year’s keynotes, basically saying prevention, which relies primarily on defending the perimeter, has failed to stop the bad guys.
Despite the fact that many security professionals have accepted the failure of breach prevention, the darlings of the show and the security industry in general are those companies focused on the perimeter, offering threat monitoring and threat intelligence products that do varying degrees of the same thing.
They monitor the perimeter, detect potential threats and, if they can, isolate them. I raise this because it is interesting that the industry recognizes the problem with breach prevention, yet the companies that get the most attention are the ones focused on breach prevention.
What troubles me is that the attention these types of companies get blinds the industry to the greater problem companies have – they have no idea where all of their sensitive data is stored, how it moves throughout the organization, and how to best defend the data.
Despite calls for a new mindset, many IT professionals get caught up by the next new shiny thing. The simple truth is that we don’t need newer and better technology.
We need a new mindset that focuses on the basics of data security and uses simple logic: Knowing what data you have, understanding what data is sensitive, where it is stored, how it moves, how it is accessed, and how to protect your data best in a new world where the perimeter no longer exists.
If data moves everywhere and is stored everywhere, why would you logically invest the bulk of your budget on defending a perimeter that is as porous as Swiss cheese?
I do agree with Amit that authentication and identity management need to move front and center to the discussion, but even more focus needs to be placed on attaching security directly to the data itself, and the best way to do that is to encrypt it.
Apple vs. FBI Encryption Debate Rages On
Speaking of encryption, the battle between the FBI and Apple was a constant theme, on the show floor and in several encryption panels where the debate took center stage.
While Apple is fighting the good fight, I do wonder what impact it will have on enterprises and how this topic is being discussed behind the closed doors of corporate boardrooms.
Immediately after addressing the crowd at the conference, U.S. Attorney General Loretta Lynch sat down for an on-stage interview with Bloomberg’s Emily Chang, during which Lynch addressed the Apple case directly.
“…Up until recently, Apple maintained the ability to provide information to the government without any loss of safety or security of the data that they stored on their devices,” Lynch said. “But I think that one risk that we run into is making this all about Apple, when in reality it is about all of us. It is about how all of technology, how all of commerce, manages and protects our data.
“And the reality is American industry is very good at encryption and using every method that we have to protect our information while also maintaining the ability to use that information for security purposes, for marketing purposes, and also to be responsive to court orders. It happens all the time, every day of the week, all across America. This is a very different decision by Apple to not participate in that national directive.”
Chang followed up on that by summarizing what she believes to be Apple’s position in Lynch’s metaphor: Apple would have to create a key not only for one particular door, but the doors of hundreds of millions of people.
Lynch responded, “I think that Apple is a great company. All of our tech companies are fantastic. And they do an excellent job of protecting encrypted data, unencrypted data, our most private information we’ve entrusted them to, while also maintaining the ability to comply with court orders and also to use that data for their own purposes. This has been going on for years, and we have not had the parade of horribles that Apple is now asserting. What we’re asking them to do is help us with this one particular device. … Not to give the technology to us. They could keep it. They could destroy it. They could essentially be done with it. And it would let us try to get into the phone.”
However, while Lynch pointed to Apple’s willingness to comply with similar orders in the past, she and Chang went on to discuss the recent ruling by a New York judge that Apple did not need to comply with a similar order to help the Department of Justice access data on the phone of a drug dealer.
And in regards to Apple’s past compliance, why would we accept that saying yes in the past prevents an organization from saying no in the future?
Additionally, just because we have not had the ‘parade of horribles’ yet, that doesn’t mean it has been proven that compromising a technology company’s security measures won’t get the parade started.
Lynch asserts that Apple could keep or destroy the iOS technology, but Apple CEO Tim Cook has argued that there is no way to ensure this wouldn’t create a backdoor that could be exploited at another time by another party.
Both sides have made their positions very clear, as we recently outlined on this blog, and it doesn’t appear they’re nearing a compromise, so it seems only time and U.S. legal rulings will dictate which side has the edge.
Internet of Things – Expect to See More at RSAC
I do hope we see more discussions and panels about the Internet of Things at future RSAC events. If we think data breaches are a problem now, just wait until the billions of IoT devices that are projected to be made actually come online over the next five years.
Gemalto’s David Etue delivered a very popular session titled “Explore the Security of IoT: Trust Comes First” which you can read about in this article by Investor’s Business Daily.
In the Digital World, Trust Will Matter Most
To me, this is one of the more important longer term issues we will have to face both as consumers and as security practitioners. The importance of trust in the digital world was addressed by Palo Alto Networks CEO Mark McLaughlin in his RSAC keynote.
It’s very clear that companies are failing in their ability to protect their customers’ personal information. In fact, according to the Breach Level Index, 53% of all data breaches were the theft of personal information and identities in 2015.
As our world becomes more digital, trust in the security of customers’ digital data will become a major factor in determining who consumers do business with.
However, there are numerous challenges that businesses and consumers will face.
First, as consumers, we are all sharing more and more information about ourselves in order to take advantage of more and more digital services, from online banking and social media to the cloud-based services where we store and share our digital lives with family, friends and coworkers.
Second, we are exposing ourselves to more points of attack by cyber criminals because we are accessing digital services from our phones, televisions, watches, cars and the other connected devices in our homes.
In order to be digital citizens, we have to surrender our identities and information in order to enjoy the full benefits of digital services that allow us to have ubiquitous access to information anytime, anywhere.
As a result, the cloud-connected and mobile nature of our digital lives means the security of our information is dependent on the security (or lack thereof) of these devices, services and the companies that offer them.
I also spoke to the Breach Level Index findings and today’s infosec challenges during my RSA interview with 4OntheFloor.
Moving Beyond Data Breach Prevention
For businesses, the digital world has totally destroyed traditional concepts of data security. For the past two decades, companies have protected data by securing it in only one place – in the data center behind a firewall with some intrusion detection, and threat monitoring technology.
Basically, security has amounted to building a wall around data and maintaining guards to see who is trying to compromise the perimeter. This mindset no longer works in a world where the cloud and mobility have totally redefined traditional notions of data residency and accessibility.
Data is now fluid, living everywhere and accessed from anywhere.
Now let’s look to the future of this digital world, a scenario for greater digital mayhem, and what it could mean for trust. We have all seen different types of attacks on networks, but the one thing they have had in common is that they have all been an attempt to do one thing: steal data.
But consider a new type of attack. What if the data is not stolen, but is manipulated without any knowledge of that manipulation? Let’s call it an “integrity attack.”
A group of cyber thieves break into a commodities market or gain access to market moving data, and rather than just stealing the info they change it in a way in which they can reap millions of dollars on the financial markets.
The scary part is that no one knows this has happened and it takes one or two years for the malfeasance to be discovered. Imagine the impact on trust if such a manipulation took place on a massive scale in our financial system.
That is why when everything is digital, trust in the integrity of that data will matter most.
If that breaks down, people may not want their money to be represented by a series of digital numbers in a database. Rather, they may opt for paper money stuffed in a shoebox under the bed.
As I mentioned above, one of the things we looked at during RSAC was the Breach Level Index findings. You can learn more about last year’s data breach trends by downloading the complete 2015 Data Breaches Report. You can also check out our Breach Level Index 2015 infographic to quickly review some of the most notable breach statistics of 2015.
We hope that you’ll also connect with us on Twitter via @GemaltoSecurity to discuss your thoughts on this year’s conference, the Breach Level Index findings, information security news, and more.