CHEW on This: How Our Digital Lives Create Real World Risks

Adults today have witnessed video stores becoming streaming services, book stores vanishing into cyberspace. Traditional, even beloved, consumer brands are being supplanted by digital replacements. Even interpersonal relationships now occur largely online.  

Digital transformation is not only making the anonymous personal. It is significantly affecting all industries and sectors — oil and gas, power and utilities, insurance, banking and securities, the public sector, real estate, the media and telecommunications. 

With each entity, process or service that moves from the physical world into cyberspace, there is a corresponding transformation to the threat landscape. Digital transformation doesn’t just change the business model or the supply chain dynamic. It also introduces significant new threats that go beyond monitoring web traffic and securing networks. 

Those threats take a variety of forms known as “CHEW”: criminal, hacktivism, espionage and (cyber) warfare. Driving CHEW is the idea that digital transformation has given individuals, small countries and other minor players the ability to affect even the largest organizations, corporations, governments, political and industry associations. 

CHEW isn’t just exploits on networks or code vulnerabilities. The attacks also include elements of psychological operations, information warfare and fraud — threats designed to target people instead of the systems themselves. 

This is particularly important as more of our social lives move into cyberspace. Social media is a great way to stay current, but it’s heavily influential and can become a new attack vector, not just for individuals, but also for companies and even institutions. 

Let’s take a look at some ways this is playing out. 

Criminal 

Everyone is familiar with phishing, but we don’t always consider the other side of it. To carry out the fraud, someone is either rebuilding or cloning a website for a bank or online retailer, connecting it to all kinds of back-end systems. 

Those attacks are generally designed to dupe someone into giving up credentials for access. But now that there is so much information about people online, criminals can clone an individual’s entire history, blurring the lines between attackers and legitimate users.

The amount of exposure here is significant, so the controls needed to mitigate this kind of fraud become much more extensive. While the kinds of biometric authentication shown in movies like “Minority Report” seem like, well, the movies, at some point it may be the only solution because nothing else will actually work.

Hacktivism 

Given its ability to create societal movement and change, the influence held by social media platforms has become a new target. While activists can certainly leverage the platforms for altruistic purposes, those same platforms can also be used to gauge sentiment and target users or organizations with faux online personas and automated bots—creating real risks for companies or public figures. 

Last fall it was revealed, for example, that the Federal Communications Commission’s open public commenting period to discuss net neutrality rules had been “hacked” — 57 percent of comments originated from temporary or duplicate email addresses, and seven comments were repeated so often that they accounted for more than a third of the total. The most common email address used? [email protected], which appeared more than 7,500 times.  

We’ve already seen political movements and hot button issues affected in this way. How long before we see a financial forum exploited similarly in an attempt to short a stock? Protecting against this kind of risk exposure means an organization must consider its affiliations, advertising channels, the online communities that affect them, world political events — and how those might create motivations for harmful intent.  

Espionage

Just about every national government is engaged in some form of cyber espionage, another example of technical capabilities colliding with real world consequences. And the stories are as fascinating as any Tom Clancy novel. 

Using new tools and technologies for espionage stretches back decades. Go back to 1997, when a disgruntled Gillette employee sent designs for a new razor to competitors via email. Since then, there has been a litany of intrigue and sabotage. In 2008, both presidential candidates were hacked, with sensitive information stolen on foreign policy and other concerns. In 2010, there was Operation Aurora, where more than 20 companies including Google, Adobe Systems and Yahoo were breached. In 2014, the U.S. Office of Personnel Management (OPM) was breached, with millions of records pertaining to security clearance applications for sensitive government jobs stolen. 

For security organizations, this again shows the importance of an expanded view into risk. Companies have to keep their eye on world events and political factors that could put them under the crosshairs. 

Warfare 

While in the military, I worked in the Air Force Information Warfare Center (AFIWC), when cyber warfare was rudimentary. It was a big deal when an adversary put in new infrastructure such as a T-1 line.  

Today we can see the world’s next battleground is digital, and cyber warfare is an increasing threat no one can ignore. Countries are targeting one another’s infrastructure and institutions to gain not just a political advantage, but a very real tactical one. Nation states that previously could not compete in a traditional war are now on level footing for warfare in cyberspace. 

When the movie “The Interview” was released, for example, North Korea compromised one of the principles Americans hold dearest: the freedom of speech. Leveraging both psychological warfare and information warfare, they not only blocked the release of a feature film, but also threatened attacks on movie theaters to keep consumers from attending.

But perhaps nothing is as new and misunderstood as the recent Russian interference with national elections in the U.S., France, Denmark and other places. While the U.S. government was looking for flaws in the voting systems, new digital platforms for social media allowed malicious entities to gain legitimate access to detailed demographics, and offered new avenues for targeted marketing, giving them the ability to influence targets in a very cost-effective way.  

To combat this, the government would have to have been studying how people can be reached within their social media communities — how the advertising works, how echo chambers evolve and influence people, and the extent to which those could be abused. But as is often the case, the attackers were simply a step ahead.

Securing applications and understanding vulnerabilities in code and IT systems will always be important. But today security pros must open their eyes to a much bigger picture. 

Across every industry and every part of life, there will be business logic and processes in the physical realm that transition to the digital world. As each of these new systems is introduced, your risk analysis must consider the motivations of those who would exploit that business logic for their own means. 
