March 29, 2018
On Thursday, March 29, as part of the SIA Webinar series, SIA hosted a webinar titled “If You Only Knew What Hackers Could Do”. Speakers Kent Browne (IBM Security) and James Marcella (Axis Communications) covered the following topics:
• Cybersecurity vulnerability areas
• Cybersecurity attack types
• What is a security breach?
• Defending against yesterday’s attacks
• The financial impact of being hacked
1. Cybersecurity is a process, not a product
It is important to understand that threats must be managed on a system level. The responsibility to secure the network, its devices and the services it supports falls across the entire vendor supply chain as well as on the end user organization. It falls across people, process and technology. Technology and features are important but will not eliminate all risks or threats.
2. There are no secure systems; you can only make them more secure.
You can always make a system more secure by adding different measures and policies. However, there will always be a tradeoff between protection and availability: increasing protection reduces availability, and vice versa. In cybersecurity terms this is called “reducing risk by minimizing the exposure area”. Where the balance lies needs to be defined by the system owner.
3. Cybersecurity = risk management. Accept, mitigate or reject the solution.
It is practically impossible to eliminate all risks, and attempting to do so becomes extremely costly. The recommendation is: “Identify your crown jewels and protect them fiercely”. Each risk needs to be accepted, mitigated by some measure, or the solution needs to be rejected. Alternatively, one can try to transfer the risk, for example through insurance: “If I get hit, someone else will cover the expenses”.
Accepting a risk should be a deliberate decision. If you do not know the risks, you cannot make that decision. A cyber threat analysis will indicate how much you stand to lose, which in turn indicates how much you should spend on protection. A poor analysis will result in too much or too little protection.
Cybersecurity vulnerability areas
Vulnerabilities can be categorized into three areas. Experts and research say that more than 90% of all successful breaches are the result of people making mistakes, poor system configuration and lack of maintenance. An attacker will always start with the least expensive attack: users first, then the system, then implementation flaws.
Users pose the biggest threat to any system. They are in many cases careless and irrational.
• Social engineering
• Bad passwords
• Untrusted app installation
• Lost/misplaced devices
Poor hardening and a lack of competence, policies and processes open a system up to exploitable vulnerabilities.
• Poor system design
• Poor configuration
• Poor maintenance
• Poor monitoring
• Lack of policy & processes
Exploiting implementation and design flaws requires technical skill and is used when there is no other way in.
• Design flaws
• Poor API validation
• Poor secure-development practices
Cybersecurity attack types
You can categorize attacks into two different groups. An opportunistic attack is when an attacker exploits well-known vulnerabilities to attack victims unknown (to the attacker). If the selected attack vector fails, the attacker will proceed to the next victim. An opportunistic attack will target users and poorly configured systems.
A targeted attack typically involves intelligent planning and occurs when an attacker selects and engages a specific target to achieve a specific objective. It will target users and system vulnerabilities first, and implementation flaws later when needed. Opportunistic attacks are more likely to occur. Targeted attacks are considered more dangerous, as there is often more value at stake.
Things that work
• A good password and good password management stops most attacks. An attack is not the same thing as a breach.
• A system maintenance process will keep the system intact and monitored
• Intuitive and user-friendly IT policies could stop users from storing company files on Dropbox
• User education: embed security in the culture. Make users more cautious, able to see when they are being attacked, and willing to report suspicious behavior.
“The goal for defenders is to make attacks expensive rather than impossible.” Security is about managing risk while the managed object is constantly moving and changing. Your infrastructure is only as strong as your weakest point.
What is a security breach?
“They hacked me!”
“They changed my password!”
“They gave me ransomware!”
Security breach example: Mirai
Last year, hackers launched some of the biggest cyberattacks in Internet history. These were distributed denial of service (DDoS) attacks, executed by taking over many hacked surveillance cameras, routers, DVRs and other “connected” devices (IoT devices), and then using those devices for coordinated DDoS assaults on the websites of journalists, hosting providers and others (25,000 IP cameras generating 35,000 HTTP requests per second).
Are security teams up for the challenge?
New threats require new thinking, but most organizations are still defending against yesterday’s attacks. Threats have evolved into broad attacks (indiscriminate malware, spam and DoS activity) and targeted attacks (advanced, persistent, organized, and politically or financially motivated), yet most security teams are still using siloed, discrete defenses.
Defending against these attacks requires new approaches to protection:
Tactical approach (compliance-driven, reactionary)
• Build multiple perimeters
• Protect all systems
• Use signature-based methods
• Periodically scan for known threats
• Read the latest news
• Shut down systems
Strategic approach (intelligence-driven, continuous)
• Assume constant compromise
• Prioritize high-risk assets
• Use behavioral-based methods
• Continuously monitor activity
• Consume real-time threat feeds
• Gather, preserve, retrace evidence
The financial impact of being hacked
The estimated cost is $100 per customer record!
• 1,000 customer records = $100,000
• 10,000 customer records = $1,000,000
• 50,000 customer records = $5,000,000
• 100,000 customer records = $10,000,000
*Note: this does not include lawsuits and/or loss of the customer.
To see a list of all the latest hacks, visit the Privacy Rights Clearinghouse.