Welcome to the first in a series of articles looking at the world of cybersecurity, and how it can both benefit and harm efforts in security and protection generally.
The electronic and physical worlds are converging ever faster, with smartphones, cars, cameras, aircraft, drones, and even houses relying more on information technology to make lives more comfortable. The field of information or computer security has been around for a while, and as this crosses over into the physical world, we’ve now rebranded it as cybersecurity – bringing in cyber-physical systems such as industrial control systems.
Cybersecurity is often seen as a niche area which requires a lot of specialist knowledge to apply. This is partly true – in order to configure a web application firewall someone needs to understand how to work with the technology at a very low level. What is often missed, as the technologists take over, is that cyber is still security and the same fundamental principles apply to designing and building effective protections.
The basic principles of cyber are simple and can be understood without a deep dive into the vast range of technological applications which exist today.
1. Risk Management, not Prevention
It is a truism in cybersecurity that you cannot have perfect security. Any system is vulnerable, and the goal is to make carrying out an attack cost more than the expected benefit. At the most basic level, it is risk management and mitigation rather than attempting to eliminate risks entirely. Different technology solutions exist to reduce different threats, and a lot can be done simply by ensuring processes follow good principles.
2. The Weakest Link
Given it is about risk management, we have to focus prevention on the weakest link in any system. Spending millions on a top of the range firewall with real-time monitoring and a follow-the-sun operations team to protect a piece of data is only any use if no one is printing out copies of the data and throwing them into the dumpster around the back of the office. Dumpster diving is a time-honoured tradition among attackers.
3. Human Vulnerability
The hardest weakness to address is simple human fallibility. Training and awareness of how to take basic precautions against attacks is essential in preventing them – the technology can never be perfect. While in the industry we don’t expect humans to be perfect and can put some technology in place to help with this, if they aren’t being given the information they need to protect themselves then we may as well throw out all of our expensive toys and go home.
4. Least Privilege, Minimum Access
One advantage of working with technology is that trust is an absolute – you either have it or you do not. Two systems trust each other and will exchange information, or they won’t. The least privilege principle (along with its other names) is simple – you only get access to information, systems, areas, or anything else when it is essential to carry out a role you are trusted to perform. This applies to people accessing systems just as much inter-system communications, and any system implemented with a good least privilege model during the design stage will be an order of magnitude more secure than an open system with all the firewalls in the world.
5. Incident Management and Response
Being blunt, in cybersecurity, we have to accept that we will fail, repeatedly, and will fall to attacks. We face an asymmetric threat as any person or organisation the moment that an organised attacker turns their focus on us. This is why, once the basics are in place, being able to detect and respond to an incident is vital. The average dwell time of an attacker on a network, with full access, is somewhere between 50 and 150 days, and some attacks have gone undetected for multiple years.
Most of the technical expertise in cybersecurity is about knowing how to or finding ways to apply these principles. If this is done early in the design stage of a system, the need to layer expensive security solutions on top of it later on when it gets breached is massively reduced. The same applies to implementing processes and procedures.
One final important note is that cybersecurity is not the same thing as information security. Information security, or infosec, is concerned only with protecting confidentiality, integrity, and availability of information. Cybersecurity includes infosec but extends into areas where systems and technology interact directly with the physical world, and damage may be dramatically more extensive than lost information.
Stuxnet was the most advanced malware discovered to date and is believed to have destroyed a fifth of Iran’s nuclear centrifuges over the course of two years and before it was discovered – it was carried into the facility on a USB drive.
2014, unknown attackers caused serious damage to a German steel mill by preventing the blast furnace from being shut down as scheduled.
In 2018 the White House publicly acknowledged that Russia had infiltrated, and potentially had control of, some utility control systems including power.
And now we get more and more warnings in the news of home automation systems, including surveillance systems, being compromised and accessed by attackers, whether for malice or mischief. Modern vehicles have a lot of automated intelligence, and demonstrations have been carried out to switch off breaking systems, control acceleration, and take over windscreen wipers – self-driving cars will only add to the possible attacks.
Malware on mobile phones can discretely turn on cameras and microphones with one unlucky download, turning a personal device into a surveillance device.
All of this is possible because security was not considered a priority by device manufacturers, whether of cars, home automation, phones, or even medical equipment. Knowing the potential for attacks through these vectors is vital for personal and corporate security to weigh up the risks and take action to bring them down to an acceptable level or prepare for the possibility of an attack.
In the next article I’ll be diving into an area of cybersecurity which is less technological, and more about the weakest link in any modern system with an overview of how attackers use social engineering to shut down accounts, discover personal details, and generally cause havoc.
Introduction to Cybersecurity
By: James Bore
James Bore is a cybersecurity ‘Jack of all trades’ by vocation and choice. In over a decade he has gathered experience meandering across a range of industry sectors, organizations, and disciplines in IT, always with a focus on championing and improving security. Currently, he works for an entertainment and hospitality company, and in rare spare time runs a blog on cybersecurity https://coffeefueled.org