While it’s never perfect, it can always get better
You may have heard there was a recent breach at a major cell phone provider, exposing the personal information of about 40 million people. And what was the public response to this outrage? They yawned.
That hack was just one of thousands of breaches publicly reported in the first six months of 2021, breaches that exposed a total of 18.8 billion records. Most never made it into the evening news. Apparently even criminals are getting bored. Reuters cited a report from Vice saying that the seller had been offering data on 30 million of the mobile phone victims for 6 Bitcoin, or around $270,000. However, later reports suggested that the asking price had slumped, and the entire data cache was being unloaded for just $200.
With so much data theft going on, even as massive a heist as that one fails to generate much public concern. But becoming inured to the loss of privacy and bored about leaks of personal information is itself a great danger. That’s because shrugging off data breaches ignores the fact that in the United States today, just about everything is connected to the internet — and therefore susceptible to attack. Advanced hacking tools, including many developed by U.S. intelligence agencies for their own espionage purposes, have been stolen and made available to hostile countries. In some cases, they have been sold to criminal enterprises over the dark web. These exploitations not only have the ability to siphon off your personal information, they can also be used to shut down the power grid, computer networks, the air traffic control system, banks, water treatment plants, factories, communications, and just about everything else.
In a recent well-documented book with the ominous title “This Is How They Tell Me the World Ends,” New York Times cybersecurity reporter Nicole Perlroth explored the secretive market for zero-days – unpatched vulnerabilities in widely used software, capable of providing covert access to a network – as well as the exploit software written to take advantage of those flaws. Sometimes those attacks chain together a series of zero-days. Hostile nations are eager to acquire these tools. But while the offensive capabilities they present are huge, at least in the United States they have not been matched by comparable investment in defending against them – a dangerous imbalance.
Yet, despite the growing public indifference, corporations and other organizations with operations vulnerable to disruption are taking cybersecurity very seriously. Security budgets have increased. Cybersecurity specialists are in greater demand than ever. And security-related software is selling very well. Those are all good things. But there’s also a downside: as more security tools are deployed, and multi-vector attacks become more sophisticated, the number of alerts keeps going up. But not all of them rise to the same level of staff attention.
In that respect, it’s similar to the issue with automatic fire alarm systems in many commercial buildings, which react to a wide range of potentially threatening events, including minor ones. Whenever something triggers them, local firefighters are obliged to suit up and respond. However, the incidence of actual fires associated with those alarms is typically only around two percent. Particularly for volunteer fire companies, that high rate of false alarms gets old quickly. The problem is, those two percent can be devastating, and so cannot be ignored.
In the world of IT, it’s the same. More than 2,000 cyberattacks a day were reported to the FBI last year. But that doesn’t include the far larger number of unreported attempts that were thwarted by various defense mechanisms. An NSA data center in Utah, for example, is experiencing an incredible 300 million hacking attempts every day. That massive volume of alerts can easily overwhelm staff, hindering security teams from investigating the alerts that really DO matter.
Because sorting through an avalanche of alerts can be exhausting, SIEM systems (Security Information and Event Management software, a.k.a. Threat Intelligence Gateways) have become particularly valuable. These are systems that block known bad IP addresses and then learn by simulating assaults on the organization’s production network, essentially training themselves to spot and interpret the unusual patterns associated with attacks. As a result, security teams can prioritize their efforts by weeding out the low-stakes threats and focusing instead on the telltale signs of serious compromise. The outcome: faster containment and shorter resolution times.
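A toy illustration of the prioritization just described, added here and not taken from the article or from any SIEM product: a constructed batch of alerts is triaged into blocked, high and low tiers using a static blocklist, a failed-login baseline learned from constructed benign history, and a short list of high-impact event types. The IP addresses are documentation-range placeholders and the thresholds are assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed benign history: failed logins per source per day (the "learned" baseline).
BASELINE_COUNTS = [2, 1, 3, 0, 2, 1, 4, 2, 1, 2]
# Constructed blocklist; 203.0.113.0/24 is a documentation range, not a real attacker.
KNOWN_BAD_IPS = {"203.0.113.7"}
# Event types that warrant attention on a single occurrence (hypothetical list).
HIGH_IMPACT = {"new_admin_account", "lateral_movement", "data_exfil"}

# Constructed alert batch as (source IP, event type) pairs; not real log data.
ALERTS = (
    [("203.0.113.7", "port_scan")]
    + [("192.0.2.10", "failed_login")] * 8      # well above the learned baseline
    + [("192.0.2.55", "failed_login")] * 2      # within normal daily noise
    + [("192.0.2.77", "new_admin_account")]     # rare but high-impact
)


def threshold(baseline, k=3.0):
    """Failed-login count above which a source is an outlier: mean + k standard deviations."""
    return mean(baseline) + k * pstdev(baseline)


def triage(alerts, known_bad=KNOWN_BAD_IPS, baseline=BASELINE_COUNTS):
    """Return {'blocked': [...], 'high': [...], 'low': [...]} of source IPs, each IP in one tier."""
    limit = threshold(baseline)
    failed = Counter(src for src, kind in alerts if kind == "failed_login")
    tiers = {"blocked": set(), "high": set(), "low": set()}
    for src, kind in alerts:
        if src in known_bad:
            tiers["blocked"].add(src)                       # static blocklist wins outright
        elif kind in HIGH_IMPACT or failed[src] > limit:
            tiers["high"].add(src)                          # rare event or statistical outlier
        else:
            tiers["low"].add(src)                           # ordinary noise, deprioritized
    # A source already in a higher tier must not also surface in a lower one.
    tiers["high"] -= tiers["blocked"]
    tiers["low"] -= tiers["blocked"] | tiers["high"]
    return {tier: sorted(ips) for tier, ips in tiers.items()}


if __name__ == "__main__":
    for tier, ips in triage(ALERTS).items():
        print(f"{tier:8s} {ips}")
```

The analyst queue becomes the "blocked" and "high" tiers only; the "low" tier is what the article calls weeding out low-stakes threats.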
But while smart software defenders can be great, promoting good digital hygiene across the organization will always remain valuable. Strong passwords, multifactor authentication, zero-trust access, and alertness to phishing attempts are some of the best-known defensive methods. They can all help. But as the SolarWinds debacle demonstrates, even when you do everything right, malicious code can slip into your network, sometimes lurking undetected for months before being activated and doing harm.
With that in mind, here’s how I think companies should view cybersecurity:
1. Nothing is completely secure
2. No organization is too small to hack
3. There is a strong likelihood that some of your information has already been stolen
4. There is nothing you can do to prevent a persistent state-sponsored hack
5. There are, however, meaningful steps you can take to deter or block criminal hackers
6. Plan ahead for how you can respond if you do suffer a cyberattack
Cybercriminals and malicious hackers have been very creative in finding ways to manipulate people and technology to steal data, infect systems, and seize control of assets. As a result, the defenses against cyberattacks keep changing. Security is not a once-and-done proposition – it is a constant process, and notwithstanding what different vendors might tell you, it’s not easy, and it’s never finished. But no matter how far you stray from having a perfect system — or how close you come to attaining one — the pursuit is always an essential and worthwhile investment of your time.