Overview of Cybersecurity challenges:
David Kennedy appears in the first 25 minutes of the above YouTube video and gives a good overview of where we are in cybersecurity: a single employee can take down your company. It is not just the technical details; it also includes people learning best practices to defend against hacking activities by the bad guys (black hat hackers). David also ‘hacks’ a person who came up from the audience and finds her social security number in a few minutes.
The Harvard Business Review also has an article on “Why is Cybersecurity so Hard?”
The “Differing Rules in Cyberspace” paragraph explains why this is such a difficult subject:
Physical-world models do not work in cyberspace – you can't assign a local police department to a network that connects the whole world.
What about responsibility between government and private sector? Who is responsible for a virus infection that infected your own company and another company (due to address list emails being sent)?
When the NSA holds specific bugs/hacks that it can use to keep track of and watch enemies of the state, that may be good for national goals, but it becomes bad when the enemy steals these hacks…
Who is responsible for this software flaw in the first place? Is it Microsoft that should have known better?
The problem with Cybersecurity is that security flaws sometimes are not found until later in the software development cycle.
The flaw is found and then the vulnerability is introduced to the world; the exploit is released somehow, as it always is. The WannaCry vulnerability was found by the NSA first, then stolen by the Russians before actually being released. But the vulnerability was there nonetheless for anyone with a unique computing talent to find.
This is actually the crux of the cybersecurity issue: there are people with unique computer hacking talents who can take advantage of our computing infrastructure. There are flaws in various aspects of the operating systems or other pieces of the information technology puzzle, and these computer whizkids (we call them hackers) find these flaws and create exploits so that they can make some money. The criminal underground has built a method of monetizing this phenomenon with ransomware.
Here is another interesting issue that just arose:
gSOAP Flaw Leaves thousands of IoT devices vulnerable to remote code execution.
gSOAP is used in many applications and products, including IoT devices (apparently as many as 34 different kinds). Although this is a unique vulnerability that takes some doing to exploit, an exploit would likely veer more towards using devices without permission, as in the Mirai event, as David Krebs notes.
The Mirai event was a DDoS attack that used these online IoT devices to make cyberattacks on various infrastructures. In this case the criminal element sells time on these illegally obtained usage rights to attack systems.
So this is another reason the problem is difficult: the complexity of software, and understanding what happens inside it, is not trivial. The very nature of this problem then causes some confusion, or apathy. The problem only rears its ugly head when it is your software being attacked or being used.
The only way to combat this is to elevate your game and perform audits of your IT infrastructure and software. The audits must be done to further understanding and to reach the end result (which is to deny criminals).
Contact us to review and audit your environment.
We are CISA (Certified Information Systems Auditor) certified.