Whenever someone submits a list of the most serious ____ (fill in the blank), I always question their objectivity. For example: Who paid for the study? Do the authors’ professional interests bias the findings? Example: NOAA 2017. Are there any political motives? With that in mind, I now offer my list of the most serious issues in cyber-security for 2017.
First, let’s consider the origins of the vulnerabilities found in cyber-security. Research indicates that vulnerabilities fall into one of three categories:
People – intentional or unintentional actions by people cause over 50% of incidents
Process – good security is a process; every pen test or audit offers the opportunity to revise and improve your existing processes
Technology – is everywhere, so the likelihood that an exploitable vulnerability exists somewhere in your organization is high.
Frequently, vulnerabilities are not isolated in silos that can be addressed simply by making technological changes. In fact, approximately 50% of INFOSEC vulnerabilities are found in the realms of people and process, not in technology. With this in mind, I have labelled each issue accordingly.
- Improved Security Awareness of End Users (People)
It doesn’t matter how good your technology is if your people don’t actively participate in good security practices. Failure to follow established best practices may be an educational issue or a cultural one. Either way, the result is a major vulnerability. Employee and contractor training must be ongoing and applicable to every level of management and non-management. Successful completion of security training by every employee should be documented and the records maintained by HR, and it should be a part of each employee’s annual review. Security is everyone’s responsibility, not just those who hold the titles.
- Improved Code Development (Process)
This is an international problem, but since most code is written for the United States, it is a critical problem here. It is also a problem with a known solution; poor implementation of that solution is why it remains a major issue in security. In their rush to be first to market, companies who know better release bad code with the intent of issuing updates at a later date. Sometimes these updates are delayed indefinitely, leaving consumers in extremely vulnerable positions. There is a secondary issue involving the receptiveness of software companies to accept, test, and respond quickly to vulnerabilities identified by third parties.
- Attacks on Personally Identifiable Information (PII) (People, Process, and Technology)
A twelve-month period across 2015-2016 saw a series of high-profile cyberattacks, starting with the compromise of roughly 80 million medical records at Anthem Blue Cross/Blue Shield, continuing with the Veterans Administration, the Federal Bureau of Investigation and Walmart, and concluding with breaches at the Starwood, Hilton and Hyatt hotel chains. In 2016, Raytheon’s Websense analyzed threat data from 22,000 customers in 155 countries and predicted that attackers would target PII and emerging technologies such as mobile payments and top-level domains.
- Existential Crisis in the Governance of Cyber-Security (People)
Talk of cyberwar has been heard for at least the last twenty years. Yet cyberwarfare has kept a guerilla character, with the possible exception of Stuxnet. Now US intelligence agencies report that Russian interests interfered in the recent election, and the consensus points to state action rather than disaffected hacker groups. Is this an escalation or merely more harassment? You need better intelligence (HUMINT) than I possess in order to answer that question.
Throughout our history, both friends and foes have attempted espionage against the United States. Today, the US is both heavily dependent on its electronic infrastructure and equally unable to protect it from a determined, sustained attack from a hostile nation state. The same charge applies to American businesses. In this case, offense is our best defense. That is, our ability to retaliate via cyber-attack and destroy the networks, systems, and databases of our attacker may act as a deterrent to a nation state. But what if our attacker is not a nation state?
“Contested spaces” and “failed states” are geographical areas where non-state actors such as terrorist and criminal organizations, including cyber-criminals, may train, re-supply, recruit, and plan without reprisal. It may be argued that the Internet is a virtual, “contested space” where alternative forms of governance compete for control and power. To date, few academic studies have addressed cyber governance. The few existing courses on cyber governance draw from public administration and legal theories. The crisis in cyber-governance is that we are under attack and without academic guidance. What’s past is not prologue. Reliance on brick and mortar governance will not get the job done.
- Shortage of cybersecurity professionals (People)
According to the Bureau of Labor Statistics (2016), there are approximately six million software specialists in the United States. Only 89,000, or just 1.5% of this group, specialize in cyber-security. The median pay for a security specialist with a bachelor’s degree is $90,120. This skills gap has not gone unnoticed by the federal government. The Obama/Trump 2017 budget calls for a 35% increase in spending on cybersecurity, bringing it to $19 billion. How this money should be spent is the topic for another article.
- Attacks on mobile payments and other non-traditional payment systems. (People, Process, and Technology)
As mobile devices become the preferred authentication factor for many financial transactions, malware authors will increase their efforts to steal funds from consumers’ Apple Pay, Google Wallet and other mobile payment accounts. Once attackers learn to infiltrate a consumer’s mobile wallet, they will attempt to breach the associated corporate network. Specialized apps, emails, contacts, and authentication procedures on the compromised device will become a rich source of insider information that facilitates future attacks.
- Cyber-security Insurance. (Process)
The cost of cyber-insurance rose in 2016 as an increasing number of companies considered purchasing indemnification coverage. To maintain profitability, insurance carriers will require more client intelligence and will seek to develop baseline requirements for issuing cybersecurity policies. Such policies may evaluate a company’s defenses and risk profile, its breach history, and its documented capability to halt attackers and remediate breaches. Insurers will send auditors to conduct hands-on assessments of cybersecurity systems, reinforcing the need for advanced threat detection. Cyber-insurance is an effective means of addressing residual risk, but with the average cost per breach estimated at $4 million, the insurance industry must respond quickly if this alternative is to remain viable. See the Ponemon/IBM study of June 2016.