Thirty-some-odd years ago, my older brother wrote a “book” entitled The Christmas That Was Coal. It begins with a tale of a boy who’d been very naughty (not unlike Cousin Constantine), followed by a few more miscellaneous short stories, including (a personal favorite) “Christmas on the Moon.” Every year, my parents set that fabric-covered, satin-ribbon-wrapped book on their coffee table. And every year, I read it. Just as I do Charles Dickens’ A Christmas Carol.
Much as I love my brother’s oeuvre, it’s the Dickens that tops my list of annual, near-ritualistic indulgences. Never has it ceased to kindle nostalgia for the past, encourage awareness of the present, and sound a cautionary note for the future. In other words, it’s my time to reflect, take stock, and look forward.
And if you’ll indulge me, I’d like to steal you away, as did Ebenezer’s ghosts, for a wee journey down cybersecurity lane. See how far we’ve come, and where we’ve yet to go.
The Cybersecurity Ghost of Christmas Past
Last Christmas, I gave you my heart . . . Wait, no. I didn’t. Sorry about that. And besides, we need to go a bit further back than that anyway. Back to the early 80s when films like Red Dawn, The Day After, and WarGames had me shaking in my red Swoosh Nikes. Back to when President Reagan announced the Strategic Defense Initiative. Back to when the network started to take hold and when people started to care about network security.
In the 80s, ARPANET led to the Internet, which, in late 1988, was temporarily crippled by the first significant denial of service (DoS) attack—the Morris worm. Created and launched by a lone grad student, the worm was a wake-up call for a complacent online community, forcing it to take security more seriously and even giving rise to the Internet security profession.
With the 90s and naughts came more malware (worms, viruses, Trojans, bots), but also more security technologies such as antivirus programs, SSL encryption, stateful and stateless firewalls, DLP (birthed in 2007, resurrected in 2016), and all variety of intrusion detection and prevention systems. Businesses began to depend more and more on the Internet and, as would follow, its security. And average Joes began to realize they couldn’t blindly trust, say, emails from unknown sources or that everything that goes out over the Internet is safe (e.g., email is forever, and it’s not private).
The Cybersecurity Ghost of Christmas Present
Today, one thing is certain. Perimeter security is as dead as a door-nail. Or is it?
Some say yes, and that the mobilization of the workforce has made it irrelevant, that firewalls can no longer keep the bad guys out. This contingent believes it’s necessary to work under the assumption that most—if not all—networks have been breached, and that time and resources should be dedicated to limiting the blast radius of attacks.
Others disagree, saying perimeter security has just been improperly handled and must be deployed as part of a defense-in-depth strategy. So don’t go doing away with traditional perimeter defenses, but augment them, you know, maybe with better visibility inside the network in order to uncover and block malicious lateral movement.
In a recent survey of network and security-focused IT professionals, advisory firm Enterprise Strategy Group (ESG) found that the majority of respondents believe the complexity of network security operations is worsening—primarily due to increased traffic, more connected network devices, and a growing number of security point products. Nearly the same percentage of respondents agreed network visibility is limited and could be improved.
In case you haven’t noticed, I’m all about the importance of network visibility. And this year, to save me from tears . . . I do hope you’ll agree that better visibility can start to bring order to the kluge that is the modern-day network, accelerate threat detection and mitigation, and reduce the complexity and costs associated with security deployments.
The Cybersecurity Ghost of Christmas Yet-to-Come
Like a mist along the ground, the future will arrive and, already, predictions are being made. So whose will come true?
McAfee’s, perhaps? The McAfee Labs 2017 Threats Predictions (PDF) report has two main sections. One that takes a long view of three topics: hard-to-solve security challenges, cloud threats, and IoT threats. Another that outlines specific predictions, including: ransomware receding halfway through the year; improved threat intelligence sharing; further merging of IT and OT; more cooperation between security vendors and law enforcement to take down cybercriminals; and a rise in machine learning to enhance social engineering attacks.
Okay, those. Or . . . Maybe next year . . . Maybe we’ll see drone-jacking toolkits sold on the Dark Web. Simple IoT devices turned into unwilling bots. More industrial control systems targeted. Smaller nation states engaged in cyber warfare. In an era increasingly marked by cyber warfare, this last one intrigues me quite a bit.
Some argue that what we’ve seen on the cyber front shouldn’t be classified as war at all because it hasn’t involved true military conflict. Others consider any type of kinetic attack a form of invasion. Either way, a colleague of mine set me thinking with a prediction that smaller nation states will turn more and more to cyber to flex their might and fulfill their will. They don’t have the huge bucks to raise huge armies, but they might make a smaller investment in cyber, which could still make a significant impact.
Although I don’t believe a cyber war between Eritrea and Ethiopia is likely, I could see a client group or state acting on behalf of a regional power (e.g., Iran, Russia) or emerging superpower (e.g., China). The more sophisticated the society, the greater its vulnerability to cyber warfare.
Take, for example, the United States and the European Union. Both have a considerable number and variety of potential targets to protect, including power grids, pipelines, transportation systems (commuter lines, freight networks moving volatile cargo, etc.). And that’s not even to mention the possibility of intellectual property theft. Criminal groups or those with irrational ideological beliefs could cause considerable damage to well-connected societies, perhaps working with tacit “letters of marque” from adversarial nation states hiding behind a veil of plausible deniability.
What do you think? Uplifting and joyous as the season? Or just about enough to keep the “prioritize security” ball rolling in 2017?