Sick of the constant drumbeat of data breaches and destructive exploits? There's no magic bullet, but these four measures may help in the coming year
In today’s crazy world, where hackers can take down entire companies,
cancel projects, and ruin movie night for millions, I have to believe
we’ve hit some sort of tipping point. I mean, someone who doesn't like
your company shouldn’t be allowed to kill it.
I’m not talking about Sony
alone. Hackers have been putting companies out of business for years.
In the past it’s been smaller firms, but now damages in the hundreds of
millions of dollars -- or in Sony’s case, probably half a billion over
the long term -- are commonplace. Remember that few of these attacks
required sophisticated hacking techniques; it's generally a matter of
poor defenses. Almost any company could be Sony.
The security state has become so bad, it has to get better. In fact, I
see four areas of light in the endless fight against malicious hackers
and malware:
1. Better training to fight social engineering
Most companies that got pwned this year were hit by skilled practitioners of social engineering.
The phishing emails you need to worry about aren’t the ones with typos
coming from strange people asking you to get involved in something
you’ve never heard of. No, today’s spear phishing emails arrive from
someone you know and work with on a regular basis, refer to a project
you’ve both been working on for a long time, and ask you to do something
that seems highly plausible given the other shared facts and knowledge
contained within the request.
The only defense against such sophisticated attacks is better training.
We have to educate our users about the most common types of attacks and
what those attackers will try to get you to do -- such as log on to a
website (to steal your corporate credentials) or run a program (usually a
Trojan).
I'm sure you've seen the stale boilerplate instructions most companies
use, such as telling people not to open suspicious file attachments or
to avoid "untrusted" websites. In 2015, I think companies will finally
update that advice to meet the challenge of today's more sophisticated
threats.
2. More privacy by default
Over the last year-plus, thanks to Edward Snowden, everyone has learned they had no privacy.
The revelation that most governments are reading our emails and tracking
our cellphone calls created a backlash that won't die. Most cloud
services have already enabled default encryption in their products or
are creating the functionality and plan to release it in 2015. I think
by 2016 you’ll be hard-pressed to find a product, cloud or otherwise,
that doesn’t include default encryption, where the only person who can
access the keys is the owner. That will be a great development.
I’m not fazed by the fearmongers who argue default encryption will cause
the world to be overrun by terrorists and child pornographers. Sorry,
guys, you’ll have to go back and do hard police work -- or at least get a
warrant. I'll never be willing to give up my right to personal privacy,
along with that of billions of others, to catch a few hundred or
thousand bad guys.
More and more companies are hiring privacy advocates, including Chief
Privacy Officers. Guaranteeing a customer or employee’s data protection
and privacy has hit the mainstream. There’s no going back. This horrible
period of vicious, Orwellian privacy invasion will finally come to an
end.
3. More crowdsourced defenses
Crowdsourcing has worked for everything from funding inventions to
giving to good causes to organizing protests. Crowdsourcing can work for
computer security, too.
Most of the bad guys carry out their plans with many people at the same
time. Spammers send out tens to hundreds of millions of copies of the
same email. APT groups usually invade hundreds or even thousands of
companies at the same time. Each victim has valuable, detailed
information to share about these misdeeds.
Why we haven’t shared such collective intelligence with each other more
often, not to mention more quickly, has always perplexed me. But in 2014
I came across more organizations that existed solely to share their
experiences of being hacked, either among a selected group of business
partners or within entire industries. The results were productive.
Hackers have long shared different hacking methods and successes with each other. Why shouldn’t the victims do the same?
In 2015, more organizations for sharing information will emerge -- as
well as more tools that use information learned from the majority.
Information readily shared today among antivirus partners will begin to
be shared in open forums and feeds. Crowdsourcing of computer security defenses will make it harder for hackers to hide.
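One concrete form the "tools that use information learned from the majority" take is a matcher that consumes a shared indicator feed and runs it over local logs, so a partner's hit becomes your detection. The following is an added example, not code from the column or from any sharing organization it mentions; the CSV feed shape, the key=value log format, and every indicator and log value in it are constructed for illustration.

```python
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of a shared indicator feed in a simple CSV shape.
# Illustrative only; none of these values come from a real feed.
SHARED_FEED_CSV = """indicator,type,source,confidence
198.51.100.23,ipv4,partner-a,high
203.0.113.0/24,ipv4-range,partner-b,medium
phish-login.example,domain,industry-isac,high
3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b,sha256,partner-a,high
"""

# Constructed proxy/download log lines in an assumed key=value format.
SAMPLE_LOGS = [
    "2015-01-12T09:14:03Z src=10.0.0.5 dst=198.51.100.23 host=cdn.example method=GET",
    "2015-01-12T09:15:41Z src=10.0.0.8 dst=192.0.2.10 host=mail.phish-login.example method=POST",
    "2015-01-12T09:16:02Z src=10.0.0.9 dst=203.0.113.77 host=files.example method=GET "
    "sha256=3A7BD3E2360A3D29EEA436FCFB7E44C735D117C42D1C1835420B6B9942DD4F1B",
    "2015-01-12T09:17:30Z src=10.0.0.5 dst=192.0.2.55 host=intranet.example method=GET",
]


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str
    source: str
    confidence: str


def load_feed(text):
    """Parse the CSV feed into Indicator objects, normalising case and whitespace."""
    indicators = []
    for row in csv.DictReader(io.StringIO(text)):
        value = row["indicator"].strip()
        kind = row["type"].strip().lower()
        if kind in ("domain", "sha256"):
            value = value.lower()  # hostnames and hex digests compare case-insensitively
        indicators.append(Indicator(value, kind, row["source"].strip(),
                                    row["confidence"].strip().lower()))
    return indicators


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line):
    """Split a key=value log line into a dict; the leading token is the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def indicator_matches(ind, fields):
    """Return True when the parsed log fields hit this indicator."""
    if ind.kind == "ipv4":
        return fields.get("dst") == ind.value
    if ind.kind == "ipv4-range":
        dst = fields.get("dst")
        if not dst:
            return False
        try:
            return ipaddress.ip_address(dst) in ipaddress.ip_network(ind.value, strict=False)
        except ValueError:  # malformed address or network in the data
            return False
    if ind.kind == "domain":
        host = fields.get("host", "").lower()
        # exact match or any subdomain of the shared domain
        return host == ind.value or host.endswith("." + ind.value)
    if ind.kind == "sha256":
        return fields.get("sha256", "").lower() == ind.value
    return False  # unknown indicator types are ignored rather than guessed at


def scan_logs(log_lines, indicators):
    """Return (timestamp, src, Indicator) for every indicator each log line hits."""
    hits = []
    for line in log_lines:
        fields = parse_log_line(line)
        for ind in indicators:
            if indicator_matches(ind, fields):
                hits.append((fields["timestamp"], fields.get("src"), ind))
    return hits


def hits_by_source(hits):
    """Count hits per sharing partner, which shows whose intelligence paid off."""
    counts = {}
    for _, _, ind in hits:
        counts[ind.source] = counts.get(ind.source, 0) + 1
    return counts


if __name__ == "__main__":
    feed = load_feed(SHARED_FEED_CSV)
    for ts, src, ind in scan_logs(SAMPLE_LOGS, feed):
        print(f"{ts} {src} matched {ind.kind} {ind.value} "
              f"(shared by {ind.source}, confidence {ind.confidence})")
    print(hits_by_source(scan_logs(SAMPLE_LOGS, feed)))
```

The per-source tally is the part worth keeping in a real deployment: it tells you which sharing relationships actually produce detections, and it is the same figure you would hand back to the group so the majority learns which indicators held up.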
4. More international cooperation
Internet criminals commit crime because they know their chances of getting caught are slim.
In today’s Internet, much like in the Wild West, malicious hackers need
only slip across the border to avoid prosecution. We know the identities
of many hackers who cause damage, but their home countries will not
recognize our warrants or arrest them even if we have a great deal of
direct evidence.
The Wild West was replaced by a safer civilization because communities (look up Tombstone City)
decided that law and order had to prevail in order for humanity to
succeed. Today, even countries where rogue operators have been allowed
to flourish are seeing the light, if only for self-interest. For
example, many U.S. companies now block Internet traffic from entire
countries due to the actions of a few bad seeds. That can't be good for
those countries' economies.
In the past, many of these safe-harbor countries have cynically turned a
blind eye so long as the hackers focused on foreign victims.
Eventually, these thieves couldn’t help themselves and began hitting
easy domestic targets, too. Governments that used to tolerate attacks
against foreigners are discovering what happens when the chickens come
home to roost.
Eventually, a border will become less of a jurisdictional blocker than
it has proven in the past. I think you’ll see more international cyber
criminals rounded up and put in jail. You’ll always have some states,
such as Russia, where bribes go a long way to maintaining local
protection. But even the old guard will be tested as more public evidence
comes to light.
Real change? Maybe so
My default Grinch attitude won't allow me to believe computer security
will improve radically in 2015, but I see glimmers of hope. Heck, I’ll
be overjoyed if only one of these predictions comes true; even a single
success will give us more ammunition to fight cyber crime than we've had
before.
I have high hopes because something has to change. We can’t let someone
who doesn’t agree with a movie take out a company and interrupt the
social lives of nearly everyone. That’s way too Wild West.
Source: http://www.infoworld.com