An Open Letter, A Call To Action
Cyber security has reached a complete state of…
With billions spent on cyber security as a mission-critical business objective, it’s hard to imagine that the problem is still spiraling out of control. To be fair, the ever-increasing frequency, scale, and complexity of cyber attacks makes protecting sensitive data from theft, ransom, and manipulation extremely difficult. So difficult, in fact, that the cost of cyber crime could grow to $2 trillion by 2019.
‘For-profit’ and state-sponsored hacking organizations now have the time and financing to develop highly sophisticated and targeted attacks. They not only develop new tools for the job, they plan and map the exact path to defeating a targeted organization’s security. Expert cyber criminals then turn around and sell both credentials and new tools on the black market, enabling mediocre hackers to launch more advanced and effective attacks against everyone else.
3 reasons why cyber attacks will continue to grow:
- Valuable Data — Stealing, manipulating, or encrypting data for ransom has become incredibly profitable and thus a lucrative global industry.
- Low Barrier to Entry — High-quality exploits, tools, and credentials are for sale, making it incredibly easy for novices to get in the door and target smaller companies.
- Hidden Vulnerabilities — Vulnerabilities can be complex, can be combined, and can exist across the internet/cloud, networks, systems, software/apps, and even employees.
Many company CIOs have devoted a massive amount of time, energy, and resources to researching, purchasing, and configuring the best security hardware and software solutions. These products are supposed to lock down networks/systems, block malicious files/activity, detect software vulnerabilities, and find application flaws. The problem is that, a lot of the time, they don’t. Security hardware can be flawed ‘out-of-the-box’, and security software solutions often miss vulnerabilities that are obvious to a masterful hacker. For example, in 2015 a critical zero-day exploit was disclosed in FireEye’s core security products.
Researcher discloses zero-day vulnerability in FireEye | CSO Online
…Kristian Erik Hermansen disclosed a zero-day vulnerability in FireEye’s core product, which if exploited, results in unauthorized file disclosure. As proof, he also posted a brief example of how to trigger the vulnerability and a copy of the /etc/passwd file. What’s more, he claims to have three other vulnerabilities, and says they’re for sale…
I think we can all agree that it’s going to be pretty hard to protect your organization when security hardware from a trusted cyber security company could potentially allow backdoors, worms, exfiltration of sensitive data, network traffic manipulation, and pivoting around the network. While FireEye’s vulnerabilities were quickly patched, the incident illustrates how human ingenuity can outmaneuver the best security architecture.
Of course, this is not the only case. In January of this year, it emerged that Fortinet’s ‘SSH backdoor’ was also present in the company’s new products running current firmware…
Secret SSH backdoor in Fortinet hardware found in more products | Ars Technica
…Fortinet revised the statement to say the backdoor was still active in several current company products, including some versions of its FortiSwitch, FortiAnalyzer, and FortiCache devices…
It doesn’t stop there… Many of the recent high-profile data breaches have occurred even though organizations used ‘good’ security practices, high-end hardware, excellent security scanners, and regularly patched their security issues in firmware and software. By and large, they also have talented management and engineers doing everything they can. Unfortunately, hackers always seem to be one step ahead. All you have to do is look at the recent list of data breaches… governments, politicians, celebrities, hospitals, banks, and many of the largest companies in the world… i.e. Google, Apple, Facebook. The consequences range from bad press, to steep fines, to the well-being and safety of the individuals compromised.
There are many facets to a comprehensive and effective cyber security strategy, but more often than not, the human element is forgotten. I’m not talking about manipulating employees. We all know that social engineering has become a major attack vector, and that’s another story. I’m advocating for battle-tested ‘white-hat’ security engineers who are skilled enough to go head-to-head with the real people behind cyber attacks. Don’t get me wrong, solid infrastructure, effective policy, automated scans, and well-oiled hardware/software are essential to security. But unless you have someone dedicated, passionate, and highly skilled on your team, regularly hacking your resources… you’re going to have unknown vulnerabilities.
The problem is that scanning against a known list of vulnerabilities will always miss problems that haven’t been discovered yet. Even up-to-the-minute threat data is going to miss zero-day packages for sale on the dark web. Having a machine or AI attempt to predict what a malicious user may do is a game where patience, persistence, and resourcefulness will eventually win out. For instance, MIT’s new AI is incredible, but 85% threat detection is a long way from 100%. Again and again, we see that careful human analysis and creativity hold the key to gaining unauthorized access. Real hackers eat, breathe, and live in the latest vulnerabilities and exploits. If your defensive security team isn’t following suit, you don’t even know the rules of the game. If your organization is targeted by a skilled hacker, and you’re not running real-world attack scenarios, you’d better have a good breach response plan.
Real ‘vulnerability assessments’ and ‘penetration testing’ are essential to real security. I use the word ‘real’ because these phrases have become synonymous with automated security scanners and other software solutions, when they are not the same thing. While firewalls and security software are necessary first lines of defense, organizations need to be testing beyond known vulnerabilities, suspicious patterns, and individual findings.
Keeping your organization secure requires that your team is as smart as or smarter than a malicious team. The key to real security is to fight fire with fire, think outside the box, mimic what hackers would do, and launch realistic attacks against your own organization. Cyber security hinges on a great many things, but even when everything is done right, the endgame can quickly escalate to a battle of wits.
So, what makes a worthy opponent? Professional training and experience are important, but the best security engineers are exceptional at what they do because hacking is their passion. They are deft problem solvers in an incredibly complex arena. Many of them have been fascinated with electronics, computers, networks, and hacking since they were kids. After work, their spare time is spent building, learning, investigating, or reverse engineering recent attacks. There’s pride in having the advantage, in being a step ahead, in being undetectable, and ultimately in winning. There’s a spirit and enthusiasm in what they do, and the game is not only intriguing, but fun. The security engineers who are pen testing organizations to eradicate the real threat of a breach are the true unsung heroes of cyber security.