Being new to cyber security, I can’t help but gape at the number of ‘hacks’ I hear about on an almost daily basis. The other day I read an article about a KFC rewards program in the UK whose members’ accounts were compromised. There were a lot of corny puns, and I thought to myself, “not even the chicken is safe.” The truth is, it’s no joking matter. Even though only usernames and passwords were compromised in this case, our tendency to reuse both for other accounts is exactly what makes incidents like this one so dangerous: a credential stolen from a loyalty program can be tried against email, banking and work accounts. No one thinks they need to monitor their loyalty program information, right?

For those of you who have been in the field a while and are no longer shocked by yet another breach, I have some statistics that may simultaneously make you want to throw your computer out the window and change your mind.
The first comes from Juniper Research. Its recent prediction states that “the rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019, increasing to almost four times the estimated cost of breaches in 2015.”

Is your computer still intact?

Back in 2011, Facebook admitted that it was the target of 600,000 cyber-attacks every day. Can you even imagine what that figure looks like five years later?

If we think about recent events like the DNC hack, or reflect on the section from Friday’s UNM4SK3D about China’s new cyber security rule, there are many nuances hiding under the umbrella term ‘cyber-attack.’ Among them: cyberwar, cyber espionage and cyber crime.

The Chinese cyber security rule sparked a lot of interest for me personally, and the more I read, the more confused I got trying to tell one term from another. So, because I’m so nice, I’ve laid out the definitions for you here (especially since you smashed your computer after reading those initial facts and can’t look them up for yourself):

- Cyberwar: The use of cyber weapons to violently destroy, or threaten to destroy, enemy capabilities.
- Cyber espionage: The exploitation of computer systems to steal industrial, military and political information, as well as reconnaissance efforts to probe the security of an adversary’s defense networks and industrial infrastructure.
- Cyber crime: Everything from petty hacking and political activism to large-scale criminal enterprises.
So I bet you’re wondering where the law comes in. For me, that was a major question.

In the US, the Cybersecurity Act of 2015, enacted by Congress, “aims to defend against cyber attacks by creating a framework for the voluntary sharing of cyber threat information between private entities and the federal government.” The Act is broken into four Titles in total, but its main focus centers on monitoring and threat information sharing.

The problem with laws like this one lies in the nature of the issues they try to address. HUH? What I mean is, take cyber espionage. Two of the ‘issues’ at the core of this issue are attribution and data integrity. In a case where one entity carries out cyber espionage but we can’t pinpoint exactly who that entity is, we can monitor all we want, but without proof that would hold up in court we cannot prosecute. We’re left trying to catch smoke.

Aside from those issues, we also have to look at how cyber attacks threaten us. Three main threats I’ve recognized are:
- Collateral damage
- Critical infrastructure
- Reverse engineering
Howard Schmidt, former White House cyber security coordinator, said: “a cyber espionage attack is like using fire in battle. It’s a risky proposition because it’s difficult to control once it’s released…” This analogy points to all three of the threats I just listed: a fire can take out critical infrastructure, harm innocent people (collateral damage), and others can add fuel to it and turn that fire to their own advantage (reverse engineering).
Quite possibly the most dangerous, in my opinion, is reverse engineering: analyzing a piece of software, often a compiled binary with no source code available, to identify and understand the components it is built from and how they work. This means that when an attack is carried out with a particular piece of malware, once samples or technical details of that attack become public, other attackers can reverse engineer the malware, reuse or repurpose its techniques and code, and carry out yet another attack.

Now, I’m not saying we’re doomed by any means, but as I dug further into this, the wheels of my brain kept turning, and it brought me back to a recent conversation I had with my roommate, who is a law student.

She was talking about one specific assignment in which students had to propose a new law and examine why it would benefit society, using facts, figures, and so on. Hers focused on changes to a family leave policy. It was her classmate’s topic, however, that became the focus of our conversation.

His assignment looked at intellectual property law in the context of cyber security. From one law student to another, it was clear that she was impressed by his awareness of the issue. Just the same, I was concerned about her lack of awareness of it. Cyber security hadn’t even crossed her field of consideration, and I’m going to bet that it doesn’t for many people studying law.
And now I’ll back my guess with a quote. According to cacm.acm.org, “policymakers have some experience with many kinds of crises, but their understanding of the cyber world is, with some exceptions, sketchy and incomplete. Nevertheless, in the event of cyber crisis, they will make decisions with whatever information and knowledge they have. Computer scientists today are in a position to play an important role in helping to shape national and international policies regarding cyber conflict.”

My point is, awareness and understanding are crucial, regardless of your ethnicity, gender or political affiliation. If we want to protect ourselves, and help lawmakers make meaningful changes to cyber security law, we have to first educate ourselves. So, it’s a good thing you’re here.

I’m not saying Cybrary has all the answers, but it’s a good place to start conversations and earn new skills. To learn. Plain and simple.

If I’ve inspired you somewhat to change the way your workplace handles data, especially if that data is critical, you should start by getting certified. Use code OBLOG50 for 50% off your next skill certification.

A good place to begin? NIST SP 800-53, the Security and Privacy Controls for Federal Information Systems and Organizations Skill Certification course. NIST SP 800-53 provides a broad catalog of specific security controls for all U.S. federal information systems, except those related to national security. This Skill Course dives deep into the process of selecting and implementing the subset of controls that information systems under development are expected to comply with upon deployment. This includes selecting an initial baseline of security controls before security analysts and system owners analyze, tailor and supplement them based on an organizational risk assessment.

Olivia Lynch is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the field of cyber security. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.