This year has witnessed the embarrassing disclosure of 119,000 documents left on an unprotected server by Fedex Corp., a similar compromise of 37 million customer records by Panera Bread Co., the theft of up to 5 million records of Saks Fifth Avenue and Lord & Taylor customers, ransomware attacks at Boeing Co. and the City of Atlanta, and Facebook Inc.’s admission that 87 million customer accounts were compromised prior to the 2016 election by the data firm Cambridge Analytica.
And it’s only April.
The inescapable fact is, the state of cybersecurity keeps getting worse despite an explosion in the amount of investment and energy plowed into improving it going years back. And it’s only going to get worse, according to the unanimous assessment of 22 security industry chief executives, chief technology officers, security analysts and independent security experts contacted by SiliconANGLE.
As the annual RSA Conference run by Dell Technologies Inc.’s RSA Security LLC subsidiary opens Monday in San Francisco, SiliconANGLE asked a cross-section of people who are on the front lines of the cybersecurity wars two simple questions: Are we winning the battle against cybercriminals? And if not, what can be done to reverse the tide?
On the first question, the glum consensus of the experts was nearly unanimous: Not only are we losing the war, but the scope and severity of successful attacks is accelerating. “It’s not even close,” said Paul Kurtz, a former National Security Council member who’s now CEO of TruSTAR Technology Inc. “We are taking it on the chin day after day.”
Mike Simon, CEO of Cryptonite LLC, agreed the situation is “extremely serious. We’re seeing a massive ramp-up at the start of 2018 in a number of different areas, particularly intellectual property theft.”
No silver bullet
Their opinions are backed up by mountains of research. A recent survey of 1,200 enterprises commissioned by Thales SA found that 46 percent of U.S. companies said they been hit by a data breach in the past 12 months, nearly double the percentage of a year earlier. And breaches whose scope would have been breathtaking not long ago are now run-of-the-mill, despite the nearly $100 billion that organizations are expected to pour into defenses this year.
“The tools the criminals use haven’t gotten that much more sophisticated, but the volume of breaches has exploded,” said Harry Sverdlove, chief technology officer at Edgewise Networks Inc. He noted that last year’s theft of more than 145 million consumer records from Equifax Inc. affected nearly half the U.S. population. “It would almost be comical if it weren’t so tragic,” he said.
Many of the security providers we contacted sell products and services that address part of the cybersecurity problem, but none purports to have a silver bullet. And most agree that the most common vulnerabilities are best addressed by changing user behavior, rather than technology.
The reasons experts say organizations are falling further behind in the fight against cybercrime range from skills shortages to sloppiness to the failure of regulators and law enforcement agencies to enforce stricter penalties for organizations that suffer a breach.
Despite their high profile, incidents such as the Equifax hack, which triggered the resignations of several top executives, are relatively rare. Regulators don’t aggressively pursue prosecution of victimized companies, and attackers are almost never caught. The result: “Companies don’t have a lot of incentive to write secure code or to produce secure Web sites and apps because they view the cost of doing so to outweigh the cost of fixing it when things are discovered or broken,” said Brian Krebs, author of the popular Krebs on Security blog, which broke the news of the Panera attack among others.
For criminals, he said, “the barriers to entry have never been lower and the low-hanging fruit never more abundant. The chances of success with low to moderate effort are high and there are seldom consequences for criminals. It’s no wonder that cybercrime is such a fast-growing industry.”
Even if substantial improvements arrive on all these fronts, the prospects for gaining a sustainable advantage against adversaries appear dim. “It’s like asking if we’re winning the war against our fingernails,” said Troy Hunt, founder of HaveIBeenPwned.com, a site that matches visitors’ email addresses against stolen records found on the dark web. “They keep growing back.”
Attackers have an inherent advantage because they only need to find one weakness to launch an attack, whereas organizations must plug every possible security hole. That makes even trial-and-error a pretty lucrative strategy. “The reality is that we will never win the war unless all of the world’s cybercriminals suddenly decide to stop hacking,” said George Waller, a strategic adviser at BlockSafe Technologies Inc., a maker of products for securing blockchain-based services.
Gartner Inc. security analyst Lawrence Pingree agreed. “There is no such thing as winning, only deflecting attackers and dealing with the ramifications of breaches,” he said.
Artificial intelligence holds some promise for relieving a skills shortage that’s expected to leave 1.8 million security jobs vacantby 2020, but that’s assuming criminals don’t use the same tools to up their game — a poor bet. “The more we use AI in security, the more the bad guys will use it as well to create an arms war,” said Michael Fauscette, chief research officer at G2 Crowd Inc., which aggregates reviews of business software. “The only thing you can do is keep current, do everything you can possibly do and then do more.”
Sweat the basics
The most common causes of cyberattacks – and the most preventable — have changed little over the past decade. Organizations fail to patch known holes in infrastructure or educate users about basic tactics such as using secure passwords and not blithely clicking on links that can unleash malware. “From what I see, most if not all breaches that make it to the public could have been prevented,” said Mary O’Brien, vice president of development for IBM Corp.’s security organization.
The result is that attackers continue to use the same tactics successfully because they work. “Some very old techniques seem to retain their effectiveness despite our best efforts,” said Jean-Philippe Taggart, senior security researcher at Malwarebytes Inc.“The common theme is that criminals attack the human element.”
Sloppy security practices result when harried administrators fail to attend to basic blocking and tackling or respond to one-off requests that create unintended consequences. For example, a recent audit of 130 large organizations by Varonis Systems Inc. found that 21 percent left all folders on their servers open to every employee and 58 percent had made more than 100,000 folders universally accessible behind the firewall. Varonis also found that many companies have hundreds or even thousands of active accounts belonging to people who don’t work there any more.
The cloud makes matters worse, in one sense, because nontechnical users can easily post information to public platforms without implementing basic security controls. This led to the Fedex fiasco as well as similar recent incidents at Dow Jones & Co., Accenture PLC and Verizon Corp., which collectively left more than 16 million customer records exposed.
Failure to address these basic issues isn’t a matter of laziness so much as an indication of the growing complexity of the information technology environment. The combination of mobile devices, public-facing websites and the internet of things have vastly expanded the attack surface, creating “complex infrastructures and networks that cannot be controlled properly, enabling hackers to infiltrate and compromise them,” said Tamir Pardo, former director of Israel’s Mossad national intelligence agency and co-founder of XM Ltd., developer of a cyberattack simulation platform.
Contributing to that problem is the structural weakness of corporate networks built on the The Transmission Control Protocol/Internet Protocol, which was never designed for security. In its purest form, TCP/IP willingly shares information about other devices on the same subnet, including operating system versions and running applications. The industry has spent two decades compensating for these design decisions, but not always successfully. “All Fortune 500 networks are basically fully meshed for any-to-any connectivity. A breach in an office can ripple through the entire organization,” said Junaid Islam, chief technology officer at Vidder Inc. “You can see why that’s a problem with lethal malware.”
“People tend to focus on the most exotic exploits and try to deploy the latest, greatest ‘next generation’ solutions,” said Scott Petry, CEO of Authentic8 Inc., maker of a virtual web browser. “Security isn’t just about installing more whiz-bang software. It requires organizational commitment and methodical processes.”
Take phishing, for example. Ransomware, which was the fastest-growing form of malware in 2017, is predominantly spread by phishing attacks, which implant malicious web addresses in email messages or on social networks and entice unsuspecting users to click. A 2016 study by Cofense Inc. concluded that 91 percent of cyberattacks begin with a phishing email. “But if you look at how executives allocate security resources, it’s not in that area,” said Oren Falkowitz, a former official at the U.S. Cyber Command and founder of Area 1 Security Inc., developer of an automated phishing prevention system.
Password compromise is another major security problem that can be addressed without much technology or money. Weak passwords are responsible for 80 percent of cyberbreaches, estimated Darren Guccione, CEO of Keeper Security Inc., a make of password management software. Keeper last year audited 10 million breached accounts and found that 16 percent were secured with the password “123456” — which might as well be “pleasehackme.”
“It only takes a stolen password to enable an attacker to defeat many of today’s modern security mechanisms and hold entire businesses hostage,” said Rob Westervelt, research director in the security practice at International Data Corp.
Social networks have broadened the attack surface by introducing new ways to extract personal information. For example, people willingly reveal details like the name of their first pet to strangers on Facebook, despite such information being commonly used as challenge questions by authentication systems. “Attackers have collected a mountain of freely available data to mine through convincing social engineering,” Westervelt said.
Social gaming was a major tactic Cambridge Analytica used to steal profiles of millions of Facebook users in its efforts to sway the 2016 U.S. Presidential election. But Facebook is hardly alone. “We all have our respective Cambridge Analyticas,” RSA President Rohit Ghai told the RSA Conference audience on April 17,
Failure to apply patches for known vulnerabilities is another common problem. It factored into the 2014 Heartbleed vulnerabilityand last year’s Equifax breach, among others. Part of the dilemma is the sheer volume of patches that security administrators must contend with. For example, Microsoft’s most-recent “Patch Tuesday” release plugged nearly 70 holes. Applying patches often requires extensive testing to protect against unintended consequences, meaning that this basic blocking-and-tackling task gets pushed to the periphery.
“The greatest chance of success for the bad guys are the basic vulnerabilities like open ports, insecure browsers and unprotected email systems, which are present in most organizations,” said Authentic8’s Petry.
New bad actors
The bad guys are also getting better at what they do. State-sponsored hacking and organized cybercrime are new elements that security professionals haven’t previously had to contend with. Russia’s well-documented meddling in the 2016 U.S. elections and North Korea’s alleged involvement with ransomware attacks are only the tip of a much larger iceberg that has well-resourced hackers targeting everything from infrastructure disruption to intellectual property theft, experts say. That makes them much harder to stop.
“We are no longer battling teens wearing sweatshirts in basements,” said James Grundvig, co-founder and chief operating officer of blockchain security startup Myntum Ltd.
Vidder’s Islam concurred. “We are losing the war because we are not calibrated to fight nations . We’re calibrated to fight 14-year-old teenagers,” he said.
Recent ransomware attacks on city governments in Atlanta and Baltimore, as well as hospitals, indicate a troubling escalation of state-sponsored activity that aims to cripple critical services or entire regions. In some cases, rogue states are acquiring commercial technology from companies in the same countries they later attack with it. They’re also sharing their successes with criminal enterprises. “We’re seeing cybercriminals using tactics created by nation states,” said TruSTAR’s Kurtz. “That’s what makes the situation so perilous right now.”
A new strategy document released last month by the U.S. Cyber Command underlines both the risk and the need for urgency at the national level. “States possess resources and patience to sustain sophisticated cybercampaigns to penetrate even well-protected networks,” it said. Citing Russia, China, Iran and North Korea specifically, the report asserted that those countries “have demonstrated the resolve, technical capability, and persistence to undertake strategic cyberspace campaigns, including theft of intellectual property and personally identifiable information that are vital to our defenses.”
Cybercrime is particularly attractive to governments with limited military resources, said XM’s Pardo. In contrast to conventional warfare, which requires huge investments and heavy industrial development, “cyberweapons demand only easily accessible malware do-it-yourself kits, malware development organizations and/or hackers-for-hire,” he said.
Intellectual property theft is an underreported problem that has broad economic implications as well, said Cryptonite’s Simon. “If the Chinese want to build a new airplane, they don’t have to invest in R&D. They can just steal the IP,” he said. “That could have a significant impact on the economy.”
AI to the rescue?
Nearly everyone agrees that the battle against cybercrime will never be won, but most believe that at least incremental progress can be made. The biggest payoff would come from paying greater attention to tried-and-true security basics: using strong passwords, implementing multi-factor authentication, locking down file permissions and educating users about the dangers of clicking on unknown links. These simple steps could probably choke off 90 percent of attacks, although experts point out that the devil is in the details of implementation.
Another basic attitude change is to assume the breaches are going to happen and prepare for them. “It’s critical for organizations to maintain secure backups, system redundancy, failover mechanisms and manual processes when standard operations are disrupted,” said IDC’s Westervelt.
The General Data Protection Regulation, which takes effect in Europe next month, could have a broadly positive ripple effect by laying out strict new guidelines for data protection and breach disclosure. Similar rules have been adopted in Australia and are under consideration in Canada. “I’m not a fan of a lot of regulation, but things like GDPR are an important step toward forcing companies at a business level to take their data seriously,” said Edgewise’s Sverdlove.
The most promising technology antidote experts cite relates to machine learning and artificial intelligence. Both have the potential to address the growing complexity created by interconnected networks, which generate mountains of data that must be mined for evidence of anomalies.
This task is too large for humans to handle, particularly with skills in such short supply. Machines, however, excel at pattern recognition, and machine learning algorithms enable computers to become “smarter” as they iterate through large volumes of data. “Detection and response are just as important, if not more important than prevention,” said Brian NeSmith, CEO of Arctic Wolf Networks Inc., which sells an on-demand security operations center service.
Blockchain technology could contribute by enabling security teams to spot fraud and data tampering more easily, simplify strong authentication controls and make failed access attempts more traceable.
Technology providers are also getting better at building preventive technologies into their products and will continue to improve with advances like biometric and simplified multi-factor authentication, Westervelt noted. “In addition, cloud-delivered applications enable software vendors to rapidly address vulnerabilities and simplify the process for customers to improve their security posture through such mechanisms such as multi-factor authentication,” he said.
AI also has the potential to significantly improve the discipline of penetration testing, or employing white-hat hackers to look for holes in an organization’s cyberdefenses. XM’s Pardo said such assistants can “behave like a hacker, testing all attack vectors from breach point to critical assets and prioritizing remediation.”
And great progress can be made if organizations simply talk to each other more frequently and openly, said TruSTAR’s Kurtz. Regulations, competitive dynamics and fear of information disclosure prevent organizations from sharing security alerts and practices as openly as they could. However, groups such as the Columbus Collaboratory are showing that the common good can outweigh other concerns. “If the private sector begins to work at real-time speed, it will start to turn the tide,” Kurtz said.
The shortage of trained security professionals is real, but that’s no excuse to do nothing about it, said Kathie Miley, chief operating officer of Cybrary Inc., a security training firm. “I hate to say it, but we need to throw more people at this problem,” she said. “When we have a shortage of soldiers, we recruit more. There is a large supply of able-bodied people who can be trained to fill those roles. In a crisis, we can draft.”
A crisis may be just what we’re looking at. There’s no shortage of opinion about solutions to the cybercrime problem. What’s missing is the will to take collective action to end it — and that’s a slow process. That’s why the problem is certain to get worse before it gets better.