As technology becomes more deeply embedded into business and society in general, business owners and cybersecurity professionals are facing the task of our generation. That is, securing the global IT infrastructure from those cybercriminals who want to steal data, blackmail big corporations, and take control of automated systems for malicious purposes.
This article looks at four areas of development that need to mature quickly if we are to stay ahead of the bad actors: cyber threat intelligence (CTI), Internet of Things (IoT) security, ethical hacking recruitment, and security standardization. Cybersecurity is the ability to identify, protect, defend, respond, and recover the use of cyberspace from cyberattacks. The inclusion of CTI is the first major stepping stone toward the lofty goal of an enhanced cybersecurity posture, as espoused by the cyber awareness and resiliency tenets (Watchorn & Bishop, 2017).
We will then summarize by looking at how a holistic approach is the best way forward.
Cyber Threat Intelligence
As cybercriminals become more sophisticated and highly targeted attacks replace more opportunistic methods, those companies that can quickly recognize the signs of an attack, widely disseminate the information, and deploy countermeasures will be the ones that survive.
Reactive strategies are unlikely to be enough for the deadliest persistent and zero-day attacks, and even proactive detection and prevention methods could be too limited. The field of CTI, as detailed in depth in a previous EC-Council blog, provides targeted defense measures that have been proven to lead to the identification of more threats and, most importantly, faster detection rates. Taking the costs of data breach fines alone, the use of CTI technology is expected to save around a million dollars per breach per year.
The key components of a robust CTI system are tight integration with business planning and direction; effective data collection, processing, and analysis; and wide, rapid dissemination. The output of this process (the feedback stage) should then be aligned with the initial business and planning objective to create an iterative cycle of ever more relevant, ever more effective cyber threat prevention.
A Ponemon Institute study, detailed in the EC-Council blog post, revealed that businesses believe that eight out of ten of the breaches they had suffered from would have been mitigated by the effective use of CTI.
Security Solutions for the IoT
Many business owners still don’t comprehend the potential of the IoT to bring down their businesses. The IoT, as it currently exists, combines the deepest integration of tech into the enterprise yet with the most inadequate security measures. The commoditization of IT has a lot to answer for, but it is incumbent, as always, on enterprise owners to own their own cybersecurity and not rely on IoT vendors to secure their businesses for them.
As a Kaspersky white paper on the IoT makes clear, the operating systems associated with IoT devices are, in the main, over-featured and poorly secured. This puts businesses at risk of both data theft and remote sabotage of connected devices.
Taking a sub-category of IoT, Smart Automotive, Kaspersky explains that the more complex a system is, the more difficult it is to secure, since bugs are more easily missed. To mitigate a threat, it is necessary to combine robust security policies and separation technologies. However, the IoT requires a different kind of security policy than business owners will be used to. For example, user-based access control is less important than “thing-based” access control and capability-based approaches, since cyberattacks can come from many different vectors (malicious code in third-party apps, remote attack on a vehicle bus unit, etc.). According to NIST NISTIR 7298 Rev. 2, a cyberattack is “an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computer environment/infrastructure; or destroying the integrity of the data or stealing controlled information,” while a cyber incident is defined as “actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.” The complexity of the IoT environment requires knowing the subtle differences between the two events, to ensure that each has a defined response plan that describes the required mitigation strategy to operational incident managers.
Charlie Miller and Chris Valasek highlighted these precise dangers in one of the most effective—and chilling—publicity stunts ever filmed. The duo hacked a vehicle through its Uconnect infotainment system and were able to both query data and issue CAN messages to affect the radio, air-con, wipers, water jets, visual display, and even the vehicle’s engine. They also demonstrated how, at low speeds, the car’s steering and brakes could be controlled.
This exemplifies the importance of separating functions, such as communication, infotainment, and driver safety, from one another. The description of the hacking software reported in WIRED’s now-legendary feature was, “software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.”
One of the next-generation security measures that can minimize the risks of this sort of attack is reducing trusted code by separating connection and authentication processes from application-level communications.
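To make the separation and “thing-based”, capability-based ideas above concrete, here is an added example (not code from the article, Kaspersky, or any vehicle platform) of a gateway that sits between isolation domains and only forwards a command when the caller presents a signed capability naming that exact thing and action. The domain table, the gateway key, and the function names are all constructed for illustration; the point it shows is that a compromised infotainment domain holding a legitimate radio capability still cannot reach the safety domain.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key held by the gateway; a real design keeps this in protected storage.
GATEWAY_KEY = b"constructed-demo-key-not-for-production"

# Vehicle functions ("things") grouped into isolation domains, following the article's
# point that communication, infotainment, and driver-safety functions must be kept apart.
DOMAIN_OF = {
    "radio": "infotainment", "hvac": "infotainment", "display": "infotainment",
    "wipers": "body", "brakes": "safety", "steering": "safety", "engine": "safety",
}
# Which domains a holder may ever be granted capabilities for: never across the boundary.
REACHABLE = {"infotainment": {"infotainment"}, "body": {"body"}, "safety": {"safety"}}

def _sign(body: dict) -> str:
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(GATEWAY_KEY, payload, hashlib.sha256).hexdigest()

def mint_capability(holder_domain: str, thing: str, actions: set, ttl: int = 60, now: float = None):
    """Issue a capability for one thing and a fixed action set, or None if policy forbids it.
    The decision is thing-based: it depends on the thing's domain, not on a user identity."""
    now = time.time() if now is None else now
    if DOMAIN_OF.get(thing) not in REACHABLE.get(holder_domain, set()):
        return None  # cross-domain grant refused at issue time
    body = {"holder": holder_domain, "thing": thing, "actions": sorted(actions), "exp": now + ttl}
    return {"body": body, "tag": _sign(body)}

def gateway_authorize(cap: dict, thing: str, action: str, now: float = None) -> bool:
    """Per-command gateway check: untampered tag, not expired, exact thing, listed action,
    and the holder's domain still allowed to reach the thing's domain (defense in depth)."""
    now = time.time() if now is None else now
    body = cap.get("body", {})
    if not hmac.compare_digest(cap.get("tag", ""), _sign(body)):
        return False  # forged or modified capability
    if body.get("exp", 0) < now:
        return False  # expired
    if body.get("thing") != thing or action not in body.get("actions", []):
        return False  # capability does not cover this thing/action
    return DOMAIN_OF.get(thing) in REACHABLE.get(body.get("holder"), set())

def demo() -> dict:
    """Constructed scenario: a compromised infotainment unit holds a valid radio capability."""
    t = 1_000_000.0
    radio_cap = mint_capability("infotainment", "radio", {"set_station", "set_volume"}, now=t)
    forged = {"body": dict(radio_cap["body"], thing="brakes", actions=["apply"]), "tag": radio_cap["tag"]}
    return {
        "radio_ok": gateway_authorize(radio_cap, "radio", "set_volume", now=t + 1),
        "brakes_refused_at_mint": mint_capability("infotainment", "brakes", {"apply"}, now=t) is None,
        "forged_cap_rejected": not gateway_authorize(forged, "brakes", "apply", now=t + 1),
        "expired_rejected": not gateway_authorize(radio_cap, "radio", "set_volume", now=t + 61),
    }
```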
The Miller and Valasek hack also highlights the value of ethical hacking as a tool against cybercrime. Miller and Valasek work for a driverless car company as security researchers, but have also exposed flaws in the MacBook Air, iPhone, iPad, Safari, Windows, and NFC technology.
Their work has helped Apple, Microsoft, and others to become more secure, but clearly this approach needs to be scaled if security teams are going to keep up with cybercriminals. As Valasek puts it, “more people like us need to be focused on this problem.”
In 2002, EC-Council created the CEH certification with this kind of role in mind.
Should we really have to rely on the benevolence of ethical hackers to secure our businesses? How can business owners (and security-providing managed IT services) take more control over cybersecurity?
One of the reasons why the IoT is in such a vulnerable state is the lack of a standardized next-generation cybersecurity compliance framework. Without this accountability, IoT device vendors will often compete on features and cost. The problem is, as Kaspersky aptly puts it, “complexity and security are conflicting features.”
Until market forces bear out the true cost of trusting poorly secured IoT devices, businesses need to be protected from their own drive to reduce their tech costs. As with all other forms of security and consumer protection, standardization will happen. The process is already underway at a government policy level, and eventually frameworks for compliance will be decided upon and deployed.
Until that time, businesses need to do their due diligence and check the security credentials of the vendors, their IT support provider, consultants, and anyone else with a direct impact on their company’s cybersecurity. To help them, EC-Council and CREST have introduced equivalence between various cybersecurity certificates as explained in a previous EC-Council blog post.
Bringing It Together
Ultimately, the sooner we can create a holistic cybersecurity approach by weaving together the four strands above—plus others—the more future-proof business cybersecurity will be.
Companies need to invest in the best CTI measures in order to predict attacks and disrupt them before they have even got off the ground. They need to pay attention to the IoT and not get dazzled by multiple features.
Pertinent Questions Should Include
- How deep into my business does this device penetrate?
- How is it physically secured?
- Has it been secured by design (e.g., does it enforce “thing-based” access control, minimize trusted code, etc.)?
- Can it be updated?
- How long will it be supported for?
Business owners and IT security providers should also remain aware of the latest developments in terms of cybersecurity compliance and best practice and, where possible, invest in penetration testing (and even ethical hacking) to stress-test their networks.
Only then will we have cybersecurity in place that can truly be regarded as next-generation.
About the Author
Brent Whitfield is the CEO of DCG Technical Solutions Inc. DCG provides managed IT services to Los Angeles area businesses that need to remain competitive and productive while being sensitive to limited IT budgets. Brent writes and blogs frequently and has been featured in Fast Company, CNBC, Network Computing, Reuters, and Yahoo Business. https://www.dcgla.com was recognized among the top 10 Fastest Growing MSPs in North America by MSP Mentor. Because of Brent’s experience as an MSP, he actively serves on partner advisory councils for many of the major MSP vendors providing backup, RMM, and software to the market. He also leads SMBTN—Los Angeles, an MSP peer group that focuses on continuing education for MSPs and IT professionals. Twitter: @DCGCloud
References
Kaspersky White Papers
WIRED Jeep Hack Article and Video
Paulsen, C. (2018). Glossary of Key Information Security Terms. Retrieved June 10, 2019 from https://csrc.nist.gov/publications/detail/nistir/7298/rev-3/draft
Watchorn, M. & Bishop, J. A. (2017). Cyber Awareness and Resiliency. Retrieved June 10, 2019 from https://www.linkedin.com/pulse/cyber-awareness-resiliency-dr-merrick-s-/