I'm secure and so is my network...
By Michael Owen
In the wake of the TalkTalk hack we have to ask some serious questions about security, both as individuals and as businesses.
As individuals we place a huge amount of trust in companies who hold sensitive information about us and we don't really know what they have, where they keep it and how secure it is. Clearly these companies are not actually IT security specialists themselves or even IT service providers. They are enterprises with an IT function that has tools and policies to protect them and ultimately us - their customers.
So, whose job is it to protect us from cybercrime?
It’s a crime, so it must be the police, right? Well yes, but actually that’s not much help. The police (National Crime Agency) have made massive strides in cybercrime investigation, but not in prevention. They arrested the 'kids' over the TalkTalk hack, and they are kids: the youngest is 15 and could probably build a robot to tie his shoe laces before he could actually tie his shoe laces. So the police aren't going to help prevent or stop a cybercrime, only investigate and hopefully bring those responsible to justice. Many cyber criminals also operate in a different geography or as a team across multiple legal jurisdictions, which makes it even more complex for cross-border police work to succeed. And the police don’t have access to any of the systems where cyber-crime is occurring; they can only request information to investigate a suspect or crime.
So what about the Service Provider?
Interestingly, the service provider (Telco) is the first organisation that should be able to 'see' specific events on their network. They should also have tools to monitor and stop events as they happen, but that is massively complicated and expensive, and service providers aren't known for innovation or for making these types of investment (especially if they don’t really result in direct revenues). They have typically been sweating assets and continually reorganising, making strategic planning very challenging. Additionally, look at the amount of fraud on the Telcos' networks, roughly estimated at $40bn globally per year (yes, you read that right!).
Some Telcos offer specific Distributed Denial of Service (DDOS) protection. As a business you pay for the service, but it allows you to massively scale your connectivity to try and out-trump the collective connectivity of those trying to hit you with a DDOS attack; a ‘my pipe is bigger than your pipe’ approach to allow genuine traffic to get through.
In addition, Telcos have been very slow to work together and with the authorities to monitor, identify and isolate cyber-crime events - many of them are not obvious events, but the major ones are.
The industry regulator is on hand though; they manage to update the infrastructure report, which includes security, every 3 years; yes, every 3 YEARS (or a 5th of a TalkTalk hacker’s lifetime, to look at it another way). During that time, between each report, 7.5m cybercrimes and 15m of fraud would have been committed.
Ultimately it must be the Company - surely.
IT Security is an ever-evolving and specialist field, and it is clear that the vast majority of companies’ security policies are as out of date as printed maps. Most organisations have a generic security policy that looks at standards and procedures. They don't look at specific events, such as a DDOS attack. So if you are a senior manager in a business or within IT, ask your security guys about the company's DDOS DR plans; they'll probably go a funny colour or look at you strangely. Either way, they must spend an uncomfortable amount of time with everything crossed.
Many companies keep their DR plans on a drive like SharePoint; clearly, if you need to implement DR or you're under a major DDOS attack, you might not even be able to access the documentation you need. Additionally, the purpose of security policies is massively variable; most often it’s still for compliance and is not a quality measure or an operational plan.
But let’s be realistic. With organisations spending on average 44% of IT budgets on security, you have to ask of the 5.4m small businesses in the UK: how many have a security specialist or security budget, and how many of them would even know if they had information stolen? Of the larger enterprises and corporates, how do they keep on top of IT security when in reality they have a very complex set-up with a mish-mash of services all over the place? They spend 99% of the time spinning plates and trying to get red lights to amber and the amber ones to green. The other 1% they are in meetings or having lunch. And to be honest, they tend to look after the VIPs within the business; keeping them happy results in a much easier life. So the VIPs (decision makers and budget holders) get a different view from everyone else; no wonder they don’t see the problem in the same way.
A new approach is needed.
We are trying to deal with a new world problem in an old world way. It’s a bit like trying to stop a refugee crisis by building fences.
Maybe what we need is a different approach: cybercrime has to be seen as a continual set of activities and events with serious consequences. In the same way our stores employ security guards to monitor suspicious behaviour and reduce crime, ideally we would take a similar approach on a global network level. But who am I kidding, that's not going to happen.
The Information Commissioner's Office has Action Fraud to help register a cybercrime. It’s still voluntary, so your service provider or the business that has you as a customer does not necessarily have to report a cybercrime, and many do not want to; it's not exactly a good news story.
Or maybe we need to go back to Sir Tim Berners-Lee and say...
"now look here Tim, you created this monster, you sort it out".
What to do next?
One failed shoe-bomb means you have to take your shoes off at the airport and can’t carry liquids.
Several DDOS attacks, viruses, hacks and snooping revelations later and most companies have managed to upgrade to the latest version of Anti-Virus.
As individuals we need to keep our eyes and ears open and our online wits about us. We’ve not been trained for this, but good luck anyway. As employers we need checks and balances, we need to educate staff, and we need to understand IT and security rather than just trying to manage it; most businesses are not IT companies, but that doesn’t stop them from trying to be good online citizens and protect their customers’ data.
Invest wisely in education, resilience, testing, planning and real-life scenarios. Work closely with IT specialist providers to minimise risk and to understand the what-if scenarios in detail, and how your IT defences will handle them.
Above all, don’t just bury your head under the pillow and hope the online threats will simply go away, they will not.
So tell me, what do you think needs to happen to improve online security?
Michael Owen: LinkedIn