When one compares cyber security today to what it was ten years ago, the two are almost unidentifiable as the same industry. The iPhone had only just launched; Facebook was still in its infancy; the Internet of Things (IoT) was still a dream. The routes a hacker could use to access a system were limited, and because of this, cyber security was built around walls. One was encouraged to block attacks with firewalls and other perimeter security that could be plugged into existing systems. There was no wider strategy, with little thought given to what would happen if those walls were breached. This created a very segmented landscape, made up of a multitude of different products, all with varying capabilities and from different suppliers. Today's landscape is utterly different.
The routes into a system are so numerous they are impossible to police effectively, with the IoT making this problem greater by the day. Yet this same technology that is causing a headache for cyber security professionals is the exact same technology that can help drive a business forward. Consider the transformational potential of IoT. Data between previously distant departments or operations can now be collected, shared and used automatically, dramatically improving the efficiency with which those two business areas work. The consequences for cyber security, however, are serious.
Access across a large multinational corporation's systems can be gained through one chink in the armour of one small department. Recent hacks have shown this time and again. The hack against Target, one of the biggest ever and responsible for the loss of details of 110 million customers, stemmed from a phishing attack on a contractor. USB sticks infected with malware are an ever-present threat; once plugged in, hackers quickly spread throughout an organisation's system and begin to do serious damage. This has been proven to chilling effect in the health sector, where patient monitors have even been accessed. To counter this, the cyber industry must work to develop a security protocol, a standard, that can operate effectively across all different elements of modern, large-scale computer systems; a system of systems. Such a protocol will allow for the effective identification and quantification of any security and privacy issues in any part of a business's IT systems.
Other industries have used similar models of ever-present testing and evaluation to ensure their services are as rigorous as can be. Engineering, constantly evolving since the industrial revolution, is built upon testing. From product design through to end-of-life decommissioning, the industry constantly tests the performance and capabilities of its devices. A system of systems will allow cyber security to do the same. All parts of the IT supply chain, from the service provider to the OEM and from the management consultancy to the market researcher, will be able to scrutinise their business operations from a cyber security standpoint, and all to the same high level of quality.
This will align with and be underpinned by the National Cyber Security Strategy, supported by the NCSC. It aims to create an ecosystem of innovative and thriving cyber security by bringing together the best minds from government, academia and the private sector to deliver this system of systems, solving the issues presented by a divergent and complex online world. It will be the beginning of a new era of cyber security protection, based not on unrealistic goals but on our ability as a nation to mitigate and minimise risk through collaboration.
It will give the UK and its population assurances that its data and systems are safe and the base from which a successful digital economy can flourish.
Last month's Mr Chow ransomware attacks serve as a timely reminder that security should be at the top of any business's IT strategy. Ransomware is on the increase, at least according to the FBI, and while it is not all email-borne, it is an example of how sophisticated hackers and criminals are getting with technology. Certainly the recent spear phishing attack at sports anti-doping agency WADA was a clear indication of the lengths attackers will go to in creating detailed and personal emails to hoodwink targets. Clearly, email is still one of the biggest threats to business security and will continue to be so for a very long time. In some ways it's no surprise.
Email use is as healthy as ever. According to research company Radicati Group's Email Statistics Report (PDF) 2015-2019, over 205 billion emails were sent and received every day last year. A six percent increase is expected this year and although numbers vary dramatically from report to report, it seems to average out that around one billion of those emails are spam or malicious emails.
Back to the ’70s
In security terms email is of course just the delivery vehicle but it has history. Computer viruses date back to the days of the mainframe and early IBM PCs in the '70s and '80s but it wasn't until the increased proliferation of email in the late '90s and 2000s that email started to really kick off as a security threat. The Michelangelo virus, Melissa worm and Anna Kournikova virus all became synonymous with computer security threats during the internet boom and dotcom years. Spam email was rocketing too. In fact, according to Professor Alan Woodward from the Department of Computer Science at the University of Surrey, all that we see on email is exactly what has happened on regular snail mail.
The big difference is that it can be done on a massive scale, and you can deliver electronic payloads that once opened are harmful, unlike the normal spam mail you get through the letterbox.
"I have to say I think things have become a great deal better. In many ways junk mail filters on corporate mail servers like Exchange are something of an unsung success story," he says. "Sadly it takes only a few to get through to cause problems but these servers are routinely blocking vast amounts of junk, spam, phishing and malware." It's a good point. We often forget about the good work and how quickly security firms react to new threats. Of course, email is not about to disappear from business either. It's too useful and is a good way of storing a messaging dialogue but, as Woodward points out, it's not the only messaging form that can be open to abuse.
"I've seen scams only this week using WhatsApp, and phishing using SMS," he says.
"If anything I suspect people who have learned about the dangers of email will end up learning all over again (probably the hard way) that other messaging vehicles can be used to deliver a variety of attacks as well." For businesses this is a perennial problem. Threats from email are as old as, well, email, and keeping pace with any technology change is a constant challenge. Security is however a unique challenge with increased remote working, a variety of devices with an ability to roam networks and an increasingly sophisticated cybercriminal. Prevention, as security firms have been saying for years, is better than cure.
Ask US presidential candidate Hillary Clinton. She is something of an email security expert now, especially when it comes to understanding the consequences of not taking email security seriously. After being caught using a personal email server for official communications while acting as the US Secretary of State, Clinton has also been hacked, supposedly by the Russians. She is not alone of course. Large businesses and government departments, as well as well-known names, are consistent targets for hackers.
Consequently, says Joe Diamond, Director of Cybersecurity Strategy at Proofpoint, "Customers demand more from their security solutions today more than ever before. That's why we see security in board level conversations. Visibility about who is attacking you, what they are using, who in the organization they are targeting and even understanding whether your organization is being singled out or caught in the crossfires of a broad attack campaign, are all insights to help organizations respond." So are people doing enough to protect themselves?
"I think companies can do only more of what they are already doing," says Woodward. "Use of up to date mail servers, anti-virus and so on is an obvious point. Education is equally important, especially with BYOD muddying the waters. One has to be careful to educate users that not all mail clients are the same."
Education, or lack of it, has of course led to human error enabling threats to sneak through cyber defences. Interestingly the number of security breaches reported to the Information Commissioner's Office (ICO) has doubled this year, up to 2,048 from 1,089 in 2015. Around 70 per cent of these reports were due to human error.
"It does suggest that the protection is best done at the server but that is not always possible," adds Woodward. "Plus if one person is hacked their system can send emails that will appear perfectly valid to any automated system, so the human in the loop has to be on guard. I don't think any technology is leading the charge but what you are seeing is a more sophisticated scoring system for spam emerging and some of that is being supplemented by heuristics.
The systems are learning from what you delete, what is junk."
"Some estimates put the number of IoT devices at one trillion by 2025, but it is unlikely that we will ever be able to patch all of them," he told the (ISC)2 Security Congress, Europe, the Middle-East and Africa 2015 in Munich.
"But that does not mean companies such as Maersk cannot benefit from IoT. In fact, Maersk has one of the largest deployments of industrial IoT," said Jones.
The shipping company uses IoT to ensure its refrigerated containers all maintain the correct temperature.
"Maersk vessels typically carry 12,000 to 19,000 containers, and around 5,000 of those are usually refrigerated," he said.
In the past, it took an engineer around two days to inspect all refrigerated containers on a vessel, but by fitting them with internet protocol-enabled sensors the company can now monitor them all in real time.
Readings from the sensors are continually fed into Maersk's monitoring systems via satellite link.
"This means that not only can engineers at sea identify any problems immediately, the shipments can also be monitored continually by Maersk's land-based operations," said Jones.
The problem arises, he said, where IoT systems are connected to something physical such as the braking or airbag systems of vehicles or the heating and cooling systems of buildings.
The security challenges are many, said Jones, not only because of the difficulty in keeping all devices and software patched, but because the internet protocol (IP) used by IoT devices is inherently insecure.
"Combine this with the fact the internet does not have any form of service level agreement, that there are millions of devices in the hands of unsophisticated users, and that the internet is accessible worldwide, and you have the perfect storm," he said.
However, Jones is optimistic. This is an exciting time in IT, but it is important to remember that things should not be done just because they are possible.
Instead, he advocates isolating IoT devices on the basis of risk.
"Any risk assessment should include the criminal mindset and learn from past analogies," he said.
The most powerful control, according to Jones, will be deciding whether or not to connect things to the internet and he suggests anything that is safety critical should not be connected on principle.
"IoT does not have to be a disaster, because there is a growing focus on this issue.
Although we will never be able to patch one trillion things, there is hope," he said.
Jones believes that industry-specific cyber security standards are just beginning to emerge and so we will see a lot more of that in the future.