Just a short decade ago, cybersecurity was still a fringe subject to most people. Today, while still fascinating, it has undoubtedly become part of our daily life. I have had my credit cards stolen before (not physically). Last year, a neighbor of mine fell victim to ransomware (they paid). Cybersecurity is impacting every single one of us.
The explosion of data breaches, proliferation of identity theft, the emergence of cyberattack on critical infrastructure and even cyber warfare, were once only seen in movies and science fiction stories. Now, shows are made based on real stories happening around us. If you haven't seen one, I highly recommend Zero Days (2016) and Mr. Robot (2015). It might just totally change your view of the binary world.
While we do our online shopping and connect with friends on social channels, cyber criminals are doing the same on the Darknet – trading anything from stolen credentials, to fake identities from any country or state you'd like, to weaponized cyber attack software, or organizing the next DDoS attack. You can buy Exploit-as-a-Service right out of the box. They even receive star-ratings for their products and services just like those on eBay or Amazon. Because you surely would like to know if that batch of credit card data you just spent two bitcoins on will work, or when you travel with that fake passport if you will end up in jail. And as criminals, you might have a hard time trusting each other.
Lately, I was often asked about the unique perspective and challenges around Cybersecurity in the financial industry. How is it different? Or, is it?
Before I get into that, let me ask you this. Have you noticed the similarities and the convergence between the digital and physical worlds around us?
Advances in technology are bringing to reality virtual assistants, virtual and augmented reality, artificial intelligence, biometrics, self-driving cars, and robots that look, move and even begin to think like us. The Internet of Things is making everything connected, just like the organs in our bodies.
To me, fighting the cybersecurity battle is just like fighting a disease or a physical combat. Heck, we even use some of the same terms to describe them! (virus, worms, zombies, infection, phishing, DMZ, spyware, firewall, cyber weapons like the high/low orbit ion cannon ...)
Growing up, my parents, like many Asian families, wished me to become a doctor or a lawyer. I rebelled and chose to go down my own path of computer science and later cybersecurity, beginning with network intrusion detection and what the industry calls "ethical hacking". Lately I realized I somehow achieved the goals my parents set forth for me – I had become a doctor and a detective in cyberspace! I also realized how lucky I am to have chosen this path – because just like doctors and cops, as long as there are diseases and bad guys, we will always be in demand.
(Exploring this connection between cyberspace and the human body is one of the key reasons why I recently joined LifeOmic, a biotech startup focusing on genomics and disease management.)
Now let's get back to cybersecurity in the financial industry as an example. Surely every industry is different. Even every organization within the same industry has its own unique challenges. There are unique trends in attack patterns, motivations and impact. For financial services, the culprit seems to be software and its vulnerabilities.
In the 2016 Verizon Data Breach Investigations Report, it was noted that the top three attack pattern categories – web application attacks, denial of service, and credit card skimmers – accounted for 88% of all incidents in the financial services industry. 82% of confirmed data breaches were a result of attacks on web applications. In comparison, privilege misuse, malware, physical theft and loss were much more prevalent in other industries.
I can point you to countless reports on the state of cybersecurity, or list the latest buzzwords in cybersecurity technology innovation. But I won't bore you with those, because to me, many of those complex analyses and solutions are merely speaking to the symptoms. Last I checked, there are over 1,400 security companies in the world, but this cyber pandemic doesn't seem to be getting any better (data breaches are probably only the tip of the iceberg).
The battle between the "black hats" and the "white hats" isn't exactly new. We have been playing this game since as early as World War II with the Enigma machine. In recent years, we have been working furiously to cover our bases with two-factor authentication, more robust vulnerability and patch management, better threat intelligence, layers upon layers of security tools, and collectively investing billions of dollars in this fight. Yet we continue to see data breaches much grander than the ones before, and a trend where attackers are able to compromise our systems in a matter of minutes while it takes us weeks and months to discover such a compromise.
So, I would argue, in the cybersecurity battle in general, we are still focused too much on fixing the symptoms rather than the root cause.
For application security, some of the reasons and challenges could be that development teams are not integrating security early in their software development lifecycle. Or they are only paying attention to security defects in code, while overlooking flaws in design and business logic. Or they are only looking at use cases but not abuse cases – assuming that "nobody would do that" rather than "thinking like the bad guys".
But again, what do you think the root cause is? To me, and many other like-minded security professionals, the answer is quite simple.
It is us. It all comes down to people. We are the weakest link and we all know it. We, as human beings, are not perfect. We build products with defects, we make bad assumptions and stupid mistakes. We are naturally curious with a tendency to trust, so we click on every link in every email and we plug in that USB drive found in the parking lot without giving it a second thought. This is the same regardless of industry. And for as long as we are human, this will never change.
What makes the problem worse is that most organizations handcuff the good guys with a huge set of self-imposed constraints – be it policies or politics – while the bad guys run free. Many continue to operate as if things are better and safer inside the corporate "walls". And many organizations have surprisingly little visibility into the inner workings of their systems and products to be able to effectively protect themselves from attacks; or worse, they choose to ignore the vulnerabilities via so-called "exceptions". If you've been a penetration tester on a corporate security team, you know exactly what I'm talking about (if you are good at what you do, that is).
You may ask – is this ever going to end? Unfortunately, cyberattacks, just like diseases and physical illness, are here to stay. We must accept this reality and be comfortable with it.
No, I am not saying we are doomed. No, I am not advocating for machines and robots to take over. There is no perfect security or complete risk mitigation. Rather, what I believe is that we need to first open our eyes, admit our imperfections, and be willing to change and to operate differently; second, we need to learn from how our bodies fight diseases and apply that to the cybersecurity battle. It is not just the job of a few of us security professionals. It is up to every person and system in every organization to be a part of the defense mechanism. We need to work together to practice good security hygiene, to build more secure products, to create visibility and mitigation through automation, and to grow a network of self-evolving digital immune systems, just like our physical bodies have, that detect, defend and heal – effectively Precision Security. And this is how we will survive and thrive in this new reality of cybersecurity.
This article was originally published on LinkedIn.