Hacking Games: A Proving Ground for Tomorrow’s Infosec Leaders

The headlines seem to be dominated by hacks lately. Some of the top TV shows around the world heavily feature cybersecurity plot points and hackers, both ethical and not, as key characters. Cybersecurity and the consequences of getting hacked have entered popular culture in new ways over the last several years, but according to industry experts, there is a shortage of qualified information security professionals ready to lead the world's organizations to real cybersecurity. One way security professionals can prove they can perform the tasks needed to keep the world's infrastructure secure is by participating in a hacking game.

Hacking games are great tools for students and experienced professionals alike to show potential employers that they not only possess the knowledge required to do a job, but also know how to apply it. Most cyber games are built to mimic the real-world scenarios cybersecurity professionals face on the job. Organizations want to hire experienced professionals to keep their infrastructure, data, employees, and clients safe from attackers. Another group that participates in hacking games is consulting firms and other technology companies: companies have sponsored teams of their own professionals to show potential customers and clients that they employ the best of the best and have what it takes to defend information.

Hacking games are typically set up as a series of different cybersecurity challenges structured as elimination rounds. One round may focus on digital forensics, the next on exploitation or penetration testing techniques. The standard model employs an automatic scoring bot that keeps a tally of how well each team is doing. Teams have to defend their own "flags" from opposing teams while also capturing opponents' flags. A flag is a secret token planted on a target such as a server or data store; holding it proves that the target was compromised or defended.

Simulations like these that test a student’s or potential candidate’s applied skills are extremely important in a job with stakes that are as high as cybersecurity. Companies do not know how the people they hire will react and how good their skills will be in the event of a hack until they actually experience one. That is obviously not an optimal time to discover that an employee cannot apply his or her knowledge. These games are a great way to determine readiness before disaster strikes.

EC-Council Foundation, a charitable and educational cybersecurity training organization, is excited to partner with ISACA and host the finals of their hacking games, the global CyberLympics, during ISACA’s CSX North America conference, taking place in Washington, DC, USA, 19-21 October.

Eric Lopez
Senior Director, EC-Council

[ISACA Now Blog]

Encryption Is Not Solving All Cybersecurity Problems

Last week I visited the IAA in Frankfurt, Germany. IAA stands for Internationale Automobil-Ausstellung (International Motor Show) and is held in Frankfurt, Germany.

This is the place where every year the latest cars are being presented but also the newest technologies around cars.

This year it was a lot about mobility, interaction, autonomous parking and driving, interconnectivity between cars and IoT.

I went there to address the car parts suppliers (Tier 1 and 2) rather than the car manufacturers. For us it was more interesting to get involved with the devices that are easily and directly attackable: things like entertainment systems, connected devices in the car, GPS devices, etc.

Not a single car parts manufacturer we talked to wanted to speak openly about security. Not because they don't have it or because they don't address it. My impression was that speaking about security is like speaking about something that nobody wants to happen.

The most used argument was: “Why would anyone hack us/our device? They don’t have anything to gain.”

I wrote a dedicated post about this visit and what I think about the state of cyber security in cars.

The other argument I’ve heard was:

But the connection to all backend(s) is encrypted, so the device is secure!


Because cars also run (a lot of) software, I decided to write this post about encryption and IT security.

Encryption is a measure that enhances security because it can protect files and data from being read. It is important, but on its own it definitely does not make a system secure.

Security is classically described by three aspects known as the "CIA triad". The model is debated in the security community, and other models extend it: the Parkerian hexad (Confidentiality, Possession or Control, Integrity, Authenticity, Availability and Utility), and models that add non-repudiation as a separate property.

But, what is the “CIA triad”?

No, "CIA" in this case is not referring to the "Central Intelligence Agency". CIA refers to Confidentiality, Integrity and Availability.

Applied to IT, we can talk further on about “Confidentiality of Information”, “Integrity of Information” and “Availability of Information”.

It is not the scope of this post to go into detail about what they mean; I just want to round out the story behind "encryption".

For more details about the CIA triad please check Wikipedia.


Confidentiality: protecting the information from disclosure to unauthorized parties.

You got it: encryption in particular, and cryptography in general, helps to protect information from being disclosed to unauthorized parties. In other words, it keeps information confidential.

Integrity: protecting information from being modified by unauthorized parties.

As with confidentiality, cryptography plays a major role in ensuring data integrity. Hashing helps to detect modification, but a plain hash only protects against accidental corruption: anyone who can change the data can recompute the hash. To detect deliberate tampering, the hash of the original data must reach you through a trusted channel, or be bound to a key the attacker does not have (a MAC or a digital signature).

Availability: ensuring that authorized parties are able to access the information when needed.

Information that you can’t access for whatever reason, is useless.


Conclusion

Encryption of information helps a lot to increase the security of data, especially data in transit. Transport security across the web (SSL/TLS) is built on cryptography: encryption in particular, but not only encryption, since it also relies on authentication of the peer and integrity protection of each record.

A system is only as secure as its weakest component. The encryption layer usually sits at the boundary where data leaves or enters the system. If a component behind that boundary is compromised, the integrity, and possibly the availability, of the data is compromised before it is ever encrypted, despite the fact that it is transferred encrypted.

And if this happens, the compromised data is transmitted encrypted, so confidentially, but it is nevertheless compromised.

Going back to the car: if you look at the pictures in the article, you will see that all those lit-up units are sensors and processors which communicate with each other via the CAN bus (Controller Area Network). Classic CAN carries no sender authentication, so a compromised node can emit frames under any identifier, and if one of them is compromised it will send invalid data to the others with unpredictable consequences. The data will leave the car encrypted and be decrypted at the destination, but the information is already wrong. Transport encryption did its job (nothing was disclosed or altered in transit), but overall the car is not secure at all.
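The two points above, that a bare hash does not protect integrity and that an authenticated channel cannot vouch for data that was wrong before it was sent, as an added example that is not part of the original post or any vehicle supplier's code. The message format, the shared key and the plausibility limits are assumptions made for the example; the receiver-side plausibility check is one mitigation a backend can apply, not something the post prescribes.

```python
"""Added example: channel integrity versus information integrity.

 1. A bare SHA-256 over a sensor reading is recomputed by whoever changes it.
 2. An HMAC with a key the attacker lacks detects in-transit tampering.
 3. If the sensor/ECU itself is compromised, the HMAC still verifies: bogus
    data arrives authenticated and encrypted. Only a check on the *meaning*
    of the data (here a plausibility envelope) can catch it, and only partly.
All names, keys and limits below are assumptions for illustration.
"""
import hashlib
import hmac
import json

# Assumption: symmetric key provisioned to the ECU and the backend.
KEY = b"example-shared-key-not-for-production"

# Assumption: physically plausible envelope per sensor, enforced by the receiver.
LIMITS = {"speed_kmh": (0, 220)}


def encode(reading: dict) -> bytes:
    """Canonical serialisation so sender and receiver hash identical bytes."""
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def digest(data: bytes) -> str:
    """Plain hash: anyone who can rewrite the data can recompute it."""
    return hashlib.sha256(data).hexdigest()


def mac(data: bytes, key: bytes = KEY) -> str:
    """HMAC-SHA256: recomputing it requires the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def hash_only_tampering_detected() -> bool:
    """On-path attacker rewrites the reading and ships a fresh hash with it."""
    tampered = encode({"sensor": "speed_kmh", "value": 250})
    received_digest = digest(tampered)  # attacker-supplied, matches the data
    return not hmac.compare_digest(digest(tampered), received_digest)


def mac_tampering_detected() -> bool:
    """Same attack, but the sender attached an HMAC the attacker cannot forge."""
    genuine = encode({"sensor": "speed_kmh", "value": 50})
    sent_mac = mac(genuine)
    tampered = encode({"sensor": "speed_kmh", "value": 250})
    return not hmac.compare_digest(mac(tampered), sent_mac)


def receive(data: bytes, received_mac: str, key: bytes = KEY) -> str:
    """Backend handling: first verify the channel, then sanity-check the content."""
    if not hmac.compare_digest(mac(data, key), received_mac):
        return "reject: bad MAC"
    reading = json.loads(data)
    lo, hi = LIMITS.get(reading["sensor"], (float("-inf"), float("inf")))
    if not lo <= reading["value"] <= hi:
        return "reject: implausible value"
    return "accept"


def compromised_sensor() -> tuple:
    """The speed ECU itself is owned and signs whatever it likes with the real key.

    The MAC verifies for both messages. The receiver's envelope rejects the
    absurd value but accepts the wrong-but-plausible one: authentication of
    the channel cannot tell good information from bad.
    """
    absurd = encode({"sensor": "speed_kmh", "value": 250})
    subtle = encode({"sensor": "speed_kmh", "value": 120})
    return receive(absurd, mac(absurd)), receive(subtle, mac(subtle))


if __name__ == "__main__":
    print("hash alone detects tampering:", hash_only_tampering_detected())
    print("HMAC detects tampering:     ", mac_tampering_detected())
    print("compromised sensor:         ", compromised_sensor())
```

The takeaway is in the last function: once the component behind the encryption layer is compromised, the cryptography works perfectly and still delivers garbage. Plausibility checks, rate limiting and cross-checking one sensor against another reduce the damage but cannot restore trust in a node that is lying within plausible bounds.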


Sorin Mustaca, CSSLP, Security+, Project+

Independent IT Security Consultant

http://www.mustaca.com

[(ISC)² Blog]

Automation in Network Security: Friend or Foe?

If you are like most security professionals, you probably feel overwhelmed just thinking about your to-do list: update policies, run reports, extend protections, analyze results, find hidden threats, manage multiple deployments… That list is endless.

Automation seems to be the perfect answer, but most security professionals are torn between automating and streamlining processes and keeping manual control so that a human makes the decisions. There is a fear of simply letting software make security or network management decisions in their organizations. The choice can feel like the conflict in the Matrix movies: man against machine. Many security professionals hesitate to trust automation because they prefer to keep manual control, even at the expense of a more controlled, predictable, and manageable work environment.

But let’s take a closer look at the pros and cons of automation in security environments. For sure, there are certain concerns about automating processes, especially when it comes to managing security deployments; but, in general, we will see that most concerns are more fear-based than fact-based:

  • Perceived loss of control: Let’s face it, we all feel like we can do a better job at keeping our companies secure than technology alone. But the fact remains that there are limitations as to how much analysis can be done manually in any organization.
  • Distrust in technology: The feeling that automated technology will overlook threats or overblock the employees in our organizations is another very powerful, yet emotional argument against automation.
  • Fear of change: What will automation of security do in my organization? How will it impact my job? Most security professionals feel overwhelmed but have accepted this situation as just a part of their job. A reduction of this stress could feel like they are not protecting their companies efficiently.

Counteracting the cons is a series of very powerful fact-based pros:

  • Streamlined processes and less duplication: Many processes in security deployments are complex and often result in the duplication of effort. How many policies do you manage that are duplicated across your network? Do you have to maintain and update all of these policies manually? Automation can go a long way in reducing duplication.
  • Reduced complexity: Most security deployments are incredibly complex and span a variety of different technologies, all of them with their own UIs, reporting functionalities, and rule bases. Automation can bring cohesiveness and consistency, and with it, reduced complexity to the table.
  • Fewer human errors: Complexity and duplication are dangerous when it comes to human work. Stress, long work hours, and confusion frequently result in human errors that can spell disaster for security organizations. Automation can significantly reduce human error.
  • Improved knowledge sharing and fast decision-making: Automation can correlate information across different data sources, resulting in faster threat detection than possible with manual analysis.

Deciding when, how, and to what extent to automate is a decision that is left to each individual network administrator and security professional. When it comes to automation, it can be introduced or expanded to any organization in four main categories across your network security deployments. Breaking out the automation process into these categories will help prioritize any plans for automation.

  1. Network Setup – Automation in this area configures firewalls and policies while eliminating duplication and streamlining processes, using tools such as templates, template stacks, and device groups.
  2. Network Management – Automation in this area keeps the network and its policies up to date, with capabilities such as SIEM integration or security policy orchestration.
  3. Threat Intelligence Setup – This area focuses on automatic protection against known and unknown threats with thorough analysis and prevention of successful attacks. It also can ensure that differing security technologies can learn from each other. Automated threat correlation, a common security rule base, and similar functionalities go a long way toward making things more streamlined.
  4. Threat Intelligence Management – This component focuses on continuous protection with the latest information with automatic and frequent updates to software, signatures and other security components.

To learn more about the pros and cons of security management automation, please see our archived "Automation in Network Security Management – Friend or Foe?" webinar, available here.

[Palo Alto Networks Blog]

The Australian Threat Environment

The Australian Cyber Security Centre (ACSC) has released its first unclassified Threat Report [1], which describes a number of cyber adversaries targeting Australian networks, explaining their motivations, the malicious activities they are conducting, and their impact. This threat report also provides a number of examples of activity targeting Australian networks during 2014. The report further offers mitigation advice on some of the types of malicious activity targeted to Australian organisations, how best to deal with these threats, and how to both prevent and respond to these activities to limit the severity of the damage.

The report calls out a number of techniques that are being used by cyber adversaries to target Australian government and business. These include:

  • Spear Phishing ‒ the process of using social engineering techniques, such as carefully crafted emails, to entice a user to click on a link or open an attachment.
  • Remote Access Tools – software that lets someone control a computer from a remote location; in the malicious case, installed without the owner's knowledge to give an adversary persistent access.
  • Watering Hole – a technique which takes advantage of a user’s trust in a legitimate website by placing malware on the frequented website to compromise the computers of visitors to the site.
  • Malware ‒ malicious software that is designed to facilitate unauthorised access or cause damage to a system.
  • Ransomware ‒ extortion through the use of malware that often locks a computer’s content and requires victims to pay a ransom to regain access.
  • Denial of Service ‒ an activity that prevents legitimate access to online services by consuming the available bandwidth or the processing capacity of the host computer. This may also include the use of ransomware.

Australian Government agencies that have implemented the ASD (Australian Signals Directorate) Top 4 Strategies to Mitigate Targeted Cyber Intrusions [2], and a number of other strategies, are improving their protection against cyber espionage activities. When implemented, the Strategies can mitigate at least 85 percent of targeted cyber intrusions responded to by the ACSC.

While the overall number of cybersecurity incidents increased in 2014, the number of confirmed significant compromises of federal Australian Government networks has decreased since 2012.

In 2014, CERT Australia responded to 11,073 cybersecurity incidents affecting Australian businesses, 153 of which involved systems of national interest, critical infrastructure and government.

In 2014, the top five non-government sectors assisted by CERT Australia in relation to cybersecurity incidents were: energy (29%), banking and financial services (20%), communications (12%), defence industry (10%), and transport (10%).

During 2014, CERT Australia handled more than 8,100 incidents involving compromised websites.

Australian organisations are urged to report cybersecurity incidents to the ACSC by following the links on the ACSC website. Australian government agencies and businesses reporting cybersecurity incidents to the ACSC can request advice and assistance on how to remediate these incidents.

The threat report calls out a number of trends, which will continue, locally and globally:

  • The number of state actors and cybercriminals with offensive capability will increase.
  • Cybercrime-as-a-service is likely to increase, lowering the barriers to entry for cybercriminals.
  • The sophistication of current cyber adversaries will increase, making detection and response more difficult.
  • Ransomware and watering-hole techniques will increase and continue to be prominent.
  • The number of cyber adversaries with a destructive capability will increase.
  • Web defacements and social media hijacking will increase.

Cybersecurity efforts should aim to make Australian organisations a harder target and, thereby, increase the trust and confidence of all Australians to engage in the benefits the Internet brings. The report explains that “Effective cyber security requires a partnership between government and the private sector.” One such partnership could be around information sharing, which ultimately shifts more costs to the cyber adversaries.

Many adversaries write one piece of malware and send it to multiple organisations. If we, as a community and in partnership between government and the private sector, can force adversaries to create a unique attack for each target, their costs go up. If we share the information about each attack, the defenders' costs go down. The benefits grow further if this process is automated so that organisations share indicators in near real time while preventing the attacks.

It is unlikely we will ever stop all cyber intrusions, but through a concerted effort to share information, we can significantly raise adversaries' costs, making it harder for them to threaten Australian and global organisations.

[1] https://www.acsc.gov.au/publications/ACSC_Threat_Report_2015.pdf
[2] http://www.asd.gov.au/infosec/mitigationstrategies.htm

[Palo Alto Networks Blog]
