Security Experts:

CHEW on This: How Our Digital Lives Create Real World Risks

Adults today have witnessed video stores becoming streaming services, book stores vanishing into cyberspace. Traditional, even beloved, consumer brands are being supplanted by digital replacements. Even interpersonal relationships now occur largely online.  

Digital transformation is not only making the anonymous personal. It is significantly affecting all industries and sectors — oil and gas, power and utilities, insurance, banking and securities, the public sector, real estate, the media and telecommunications. 

With each entity, process or service that moves from the physical world into cyberspace, there is a corresponding transformation to the threat landscape. Digital transformation doesn’t just change the business model or the supply chain dynamic. It also introduces significant new threats that go beyond monitoring web traffic and securing networks. 

Those threats take a variety of forms known as “CHEW”: criminal, hacktivism, espionage and (cyber) warfare. Driving CHEW is the idea that digital transformation has given individuals, small countries and other minor players the ability to affect even the largest organizations, corporations, governments, political and industry associations. 

CHEW isn’t just exploits on networks or code vulnerabilities. The attacks also include elements of psychological operations, information warfare and fraud — threats designed to target people instead of the systems themselves. 

This is particularly important as more of our social lives move into cyberspace. Social media is a great way to stay current, but it’s heavily influential and can become a new attack vector, not just for individuals, but also for companies and even institutions. 

Let’s take a look at some ways this is playing out. 

Criminal 

Everyone is familiar with phishing, but we don’t always consider the other side of it. To carry out the fraud, someone is either rebuilding or cloning a website for a bank or online retailer, connecting it to all kinds of back-end systems. 

Those attacks are generally designed to dupe someone into giving up credentials for access. But now that there is so much information about people online, criminals can clone an entire individual’s history, blurring the lines between attackers and legitimate users. 

The amount of exposure here is significant, so the controls needed to mitigate this kind of fraud becomes much more extensive. While the kinds of biometric authentication shown in movies like “Minority Report” seem like, well, the movies, at some point it may be the only solution because nothing else will actually work. 

Hacktivism 

Given its ability to create societal movement and change, the influence held by social media platforms has become a new target. While activists can certainly leverage the platforms for altruistic purposes, those same platforms can also be used to gauge sentiment and target users or organizations with faux online personas and automated bots—creating real risks for companies or public figures. 

Last fall it was revealed, for example, that the Federal Communications Commission’s open public commenting period to discuss net neutrality rules had been “hacked” — 57 percent of comments originated from temporary or duplicate email addresses, and seven comments were repeated so often that they accounted for more than a third of the total. The most common email address used? [email protected], which appeared more than 7,500 times.  

We’ve already seen political movements and hot button issues affected in this way. How long before we see a financial forum exploited similarly in an attempt to short a stock? Protecting against this kind of risk exposure means an organization must consider its affiliations, advertising channels, the online communities that affect them, world political events — and how those might create motivations for harmful intent.  

Espionage

Just about every national government is engaged in some form of cyber espionage, another example of technical capabilities colliding with real world consequences. And the stories are as fascinating as any Tom Clancy novel. 

Using new tools and technologies for espionage stretches back decades. Go back to 1997, when a disgruntled Gillette employee sent designs for a new razor to competitors via email. Since then, there has been a litany of intrigue and sabotage. In 2008, both presidential candidates were hacked, with sensitive information stolen on foreign policy and other concerns. In 2010, there was Operation Aurora, where more than 20 companies including Google, Adobe Systems and Yahoo were breached. In 2014, the U.S. Office of Personnel Management (OPM) was breached, with millions of records pertaining to security clearance applications for sensitive government jobs stolen. 

For security organizations, this again shows the importance of an expanded view into risk. Companies have to keep their eye on world events and political factors that could put them under the crosshairs. 

Warfare 

While in the military, I worked in the Air Force Information Warfare Center (AFIWC), when cyber warfare was rudimentary. It was a big deal when an adversary put in new infrastructure such as a T-1 line.  

Today we can see the world’s next battleground is digital, and cyber warfare is an increasing threat no one can ignore. Countries are targeting one another’s infrastructure and institutions to gain not just a political advantage, but a very real tactical one. Nation states that previously could not compete in a traditional war are now on level footing for warfare in cyberspace. 

When the movie “The Interview” was released, for example, North Korea compromised one of the principles Americans hold dearest: the freedom of speech. Leveraging both psychological warfare and Information warfare, they not only blocked the release of a feature film, but also threatened attacks on movie theaters to keep consumers from attending. 

But perhaps nothing is as new and misunderstood as the recent Russian interference with national elections in the U.S., France, Denmark and other places. While the U.S. government was looking for flaws in the voting systems, new digital platforms for social media allowed malicious entities to gain legitimate access to detailed demographics, and offered new avenues for targeted marketing, giving them the ability to influence targets in a very cost-effective way.  

To combat this, the government would have to have been studying how people can be reached within their social media communities — how the advertising works, how echo chambers evolve and influence people, and the extent to which those could be abused. But as is often the case, the attackers were simply a step ahead. 

Securing applications and understanding vulnerabilities in code and IT systems will always be important. But today security pros must open their eyes to a much bigger picture. 

Across every industry and every part of life, there will be business logic and processes in the physical realm that transition to the digital world. As each of these new systems is introduced, your risk analysis must consider the motivations of those who would exploit that business logic for their own means. 

view counter
Preston Hogue is Sr. Director of Security Marketing at F5 Networks and serves as a worldwide security evangelist for the company. Previously, he was a Security Product Manager at F5, specializing in network security Governance, Risk, and Compliance (GRC). He joined F5 in 2010 as a Security Architect and was responsible for designing F5’s current Information Security Management System. Preston has a proven track record building out Information Security Management Systems with Security Service Oriented Architectures (SSOA), enabling enhanced integration, automation, and simplified management. Before joining F5, he was Director of information Security at social media provider Demand Media where he built out the information security team. Preston’s career began 18 years ago when he served as a security analyst performing operational security (OPSEC) audits for the U.S. Air Force. He currently holds CISSP, CISA, CISM, and CRISC security and professional certifications.