With the spread and sophistication of cyber-attacks and cybercrime, how can vulnerable organizations better protect themselves?
British public services warn of impending cyber-attacks following ongoing diplomatic confrontation with Russia following chemical attack on Salisbury involving former Russian spy Sergei Skripal and his daughter British institutions are working closely with the UK’s national cybersecurity center to identify potential risks to rate.
Cyber attacks and cybercrime, however, are not new and, in fact, their incidence and impact are increasing.
Criminals renew their way of working by searching for injury systems and developing their attacks.
John Moor, Executive Director of the IoT Security Foundation, explains, “The general trend is that cyber attacks are increasing and we are aware of other government-sponsored activities (which are often disguised as corporate hackers), an increase in ransomware, the Internet Arming things (IoT) to launch attacks.
“We’ve recently discovered pirated websites exploiting crypto currencies, which has led to increased concern among individuals, businesses and agencies such as the European Commission and the US National Security Agency.
“Cyber attacks are getting bigger,” says Art Dahnert, chief adviser at Synopsys. “Millions of users are now affected, and we’re seeing the bar increase as you consider the amount of traffic being sent during an attack.”
Dahnert emphasizes that they also become more demanding.
“Everything is now organized – you are no longer led by the lonely” 400 pounds “sitting in your room.” This pirate’s view is no longer valid. “Attacks are coordinated and typically involve poorly networked hackers, united by a common idealistic vision We are also seeing state-sponsored cyber-attacks with a growing list of countries with advanced capabilities to infiltrate and attack others. ”
With increasing connectivity, the world becomes more susceptible to cyberattacks.
Gartner analysts predicted that by the end of 2017, more than 8 billion connected devices were up and running and that we’d seen more than 20 billion devices in just three years, an increase of 150%.
“The general trend is that cyberattacks multiply and we are aware that more activity is being sponsored by the state (often disguised as corporate hackers).”
John Moor, CEO of the IoT Security Foundation
At present, cyber defense crime would cost the world economy $ 400 billion a year, but if billions of devices are connected, it could be a “small change.”
Why are the costs of cybercrime so high? Well, according to CEO Simon Segars, poor, “because the security of systems and equipment in all areas is simply not enough.”
“Internet of Things (IoT) is of course very involved,” says Moor, “because it’s the next wave of Internet technology.”
IoT is extremely vulnerable. By using sensors and attached devices, hackers can track paths because most devices are poorly configured with weak credentials.
“The most mature companies go for it,” suggests Dahnert. “Small businesses in the consumer sector are a problem, they are safety-critical because of the cost, they need to be shown how a security failure can affect them negatively, they need to be included in the discussion about the financial impact or damage to their brand and perhaps safety as a key differentiator when it comes to marketing their products, not at the end of their life cycle.
Despite their shortcomings, these networked systems are used to improve services, drive innovation, create wealth, and are considered essential to addressing some of the most pressing social and environmental challenges.
“Connectivity is so cheap that many traditional products are connected to the network, which can also be connected to Internet and cloud services,” says Moor.
At the conclusion of the Royal Academy and EIT report, Connecting Data: Increasing Productivity and Innovation, increased connectivity between physical and digital systems will increase risk.
The report recommended that work should be carried out to investigate the measures needed to improve the safety and resilience of all connected systems, in particular the critical infrastructure on which society now depends.
However, he suggested that innovation alone would not be able to solve security issues. Users are the first line of defense themselves, which means users need to stay away from suspicious sites, watch for downloads, keep passwords, and keep their devices up-to-date with the latest security patches.
“We need to focus more on consumers and focus on the cyber-psychology of technological security,” Dr. Mary Aitken, a cyber psychologist working at the University of Dublin and scientific advisor to the Europol Cybercrime Center. ,
“We need a human-centered approach that is aware of how people actually use connected things.
Dr. Aitken says it is critical to understand how human behavior in cyberdomain can “mutate, amplify, or degrade,” a security breach.
It suggests that, given the rapidly changing threat landscape in which product designers work, a more agile approach to research and development is essential.
In the future, she suggests that human vision combined with robust machine learning collaboration could provide a reasonable basis for reducing the impact of security attacks.
As cyberattacks become more sophisticated, it is important for organizations to consider security as a primary design consideration and to ensure that security evolves with increasing threats.
“When it comes to safety, the first thing you should avoid is the frequent mistakes of speaking in safety language and spreading a sense of fear,” says Moor.
“Security professionals understand that business risk and business language security risks need to be translated, so it can be appropriately valued, quantified and managed, so it’s important not to lose interest because of exaggeration and the spread of fear – it’s important To understand Commercial Risk Awareness and Reduce Risk According to Moor, “Understanding the risk of properly valuing and communicating in a language managers can understand”
More recently, Barr Group research has shown that security is still secondary to many embedded designers. More than 20% stated that security for their current project is not considered a product requirement.
Barr’s chief technology officer, Michael Barr, commented on the report’s findings: “It’s important to prioritize security in every embedded device connected to the Internet to maintain the integrity of the IoT.
But although it is fair to say that many companies do not consider security in the development phase, that is beginning to change.
Moor: “Although that certainly changes, we have to go much faster.”
Many technology vendors accept what Segars calls the “digital social contract” that forces them to protect users regardless of the circumstances.
“It means that we look at problems, but we can do more and more,” he wrote in Arm’s Safety Manifesto, which was released last year. “We are working with our ecosystem to improve communication and visibility into attacks and exploits so that mistakes do not recur.”
Is there a risk that such a non-binding obligation will be affected by a changing competitive landscape?
If industries are already subject to legal due diligence, such as the automotive sector, this is less of a problem.
According to Seagers, time-to-market is the main source of risk for the contract and warns that the fast market segment model could be a security catastrophe because product weaknesses can remain a system vulnerable. ”
He argues that a new, more resilient business model is needed, a model that makes technology-based technologies available to developers.
“This will enable a new business model that is specific to the Internet of Things, but also aligned with the responsibilities of the contract.”
According to Seagers, the role of standards and regulations is limited in this fast-changing world. He believes that product manufacturers need to be proactive, flexible and resilient to meet the challenges of today’s hackers.
Although Seagers does not see much in standards and regulations, Moor disagrees.
According to Moor, governments and regulators are increasingly concerned about finding new control measures.
“The speed with which markets and innovation are evolving, and the concerns about security, security and confidentiality increase the pressure for new laws and regulations,” he says. “There is a fear that brutal regulation will paralyze future innovation because the situation is complex and anything but simple, regulation is not as straightforward as it seems, and new problems need to be addressed.
According to Moor, safety is a moving target.
“What is safe today can not be tomorrow when new vulnerabilities and techniques emerge, which means that we have to behave differently from a compliance and pre-market certification system that is largely governed by security rules.
“Sustainability is now required across the lifecycle of products and systems, which will have a significant impact on product maintenance and support.
“What is positive is that security is already well known so that the way forward can be taken immediately by promoting best practices and adopting well-known standards.”
Regulation comes, he suggests. “It’s not a case of when, but when.”
“I do not think new rules will affect innovation,” says Dahnert. “We work in an industry that is always innovative, regardless of the regulatory environment, but that does not mean that regulatory costs have no impact.”
A lack of user awareness and design security means the cybersecurity industry is redistributing traditional cyber security products or creating new products and services, Moor says.
“This will continue for the foreseeable future, especially considering the perspectives of the quantum computer and the application of AI and machine learning.”
The use of machine learning and AI to accurately predict and identify attacks is considered a boon to the cyber world.
According to Dahnert, when he looks at the cybersecurity sector, he sees, “Blood in the water, every vendor faces snake oil vendors offering products that save you all, and that’s just impossible.
“Anyone who defends an application, network, or organization needs to understand the size and scope of their attack surface.You need to understand the different flavors of cakes, from network security to physical security.A method or product does not work, you have to Create a defense that can handle certain types of attacks. ”
There are too many companies that are not ethical in selling security products, warns Dahnert.
“Most of the products are just for a specific scenario, they can not solve all your problems, no matter what you tell them, but to manage that security you need a suite of partners, products, and processes, keep that in mind, and only through Education and training make us better able to improve safety and it becomes a crucial element of the business. ”
According to Dahnert, much is said about AI and machine learning and the development of predictive safety.
“It’s certainly the new taste, but it’s primarily rationalizing existing methods that makes them easier to understand.” “For AI and data analysis, look out for snake oil providers.” I doubt that your company is an AI expert and that If you depend on someone who sells you tools, your opponent can adjust and adjust their attacks. Will your AI solution be able to do the same?
“Everything is now organized, the cyberattacks are no longer carried out by the” lonely 400ib “in his room. This view of the pirate is no longer valid.
Art Dahnert, Business Consultant at Synopsys
According to Dahnert, companies must also check their supply chain.
“The entire supply chain needs to work together, work with them, understand their security and what they’ve set up, and what do they insist on their suppliers?
For sure, it can be overwhelming.
“There’s a lot going on in this area,” admits Dahnert. “Most people need a partner to run them, but they can also come up with a plan that explains what happens when you are exposed to a violation and interact with the media and analysts, to show that you understand the issues and to plan a solution.
“Take your punches and work hard, most people forgive.”
“Never stop learning and do not work in a silo,” says Moor. “Cooperate and share knowledge because effective defense is a team sport.”Tags: Computer Security