Zero trust may be the sole solution
While visiting various parts of the United States in August, I came away with the impression that major changes had occurred in the ways society reacts to cyber security.
Previously, such concerns had typically focused on the leaking of credit card numbers, and countermeasures mainly involved cancelling the affected cards and issuing new ones. A headache—to be sure—but one whose damage was manageable.
More recently, however, troubles have involved a lot more than the simple theft of data. Now, information such as the content of e-mail communications with customers, home addresses, employee social security numbers, and customers’ private telephone numbers is being leaked, often with serious repercussions.
In June, it was revealed that an attack had been carried out on what had previously been considered a secure server, which managed background check forms; data on some 19 million people had been stolen.
The most common form used, called the Standard Form 86, is submitted before starting employment with the government and, in some cases, the forms contain highly private information.
It may include details regarding the applicant and family members that are practically unthinkable in Japan, such as matters related to psychological health and the history of drug use. This raised concern over the possibility of stolen data being used for blackmail.
In another widely publicized incident, hackers attacked the online international dating site Ashley Madison, and personal information on some users was leaked on the Internet. In addition to being blamed for several suicides attributed to the leak, the site’s operators are facing legal action.
With hacker attacks and leakage of data continuing unabated, cyber security has become a serious issue for society as a whole. At businesses, too, security measures that block incursions at the point of network entry, previously regarded as sufficient, can no longer ensure the protection of data.
Actually, in the past, numerous companies’ internal networks had experienced break-ins that had gone undetected, with serious consequences.
As a result, there is now a worldwide trend toward the concept of zero trust. This means that data security cannot be presumed even within a company, warranting a system of continuous checks.
Some readers might be familiar with Black Hat USA. Held each August in Las Vegas, it is the world’s most prominent international conference concerning hacker attacks.
Originally, Black Hat USA was a gathering where hackers would exchange data about hacking methods. Now, it is attended by security vendors from all over the world, who are keen to obtain information about the latest criminal methods.
At this year’s Black Hat event, most attention was focused on a demonstration showing how researchers had gained entry to a Jeep vehicle and could control some operations remotely.
The demonstration showed how hackers, if so inclined, can gain access to the vehicle’s internal circuitry, giving them control over the accelerator, brakes and so forth. Considering the ongoing technological development of cars, this raises the prospect for major risks.
The time has come to change the way people think about, and deal with, security measures. Previous methods of sharing data to deal with known attack programs and viruses no longer work.
Now there are “zero-day” vulnerabilities—so called because, once a flaw becomes known, the programmer or developer has zero days in which to fix it: attacks are already under way before any countermeasure is made public.
Hackers, moreover, are creating “subspecies”—viruses reproduced with small changes in their code—and use them for repeated attacks until one slips past the antivirus software. With these, a breach becomes just a matter of time, making such countermeasures akin to an unwinnable game of whack-a-mole.
These sorts of attack programs penetrate deep into networks and, on receiving commands from the attacker’s command-and-control server, can extract internal data that is transmitted to another destination. By the time the incursion is detected, it’s already too late, as the data has been carried off.
It’s essential, then, to know one’s enemy.
Hacker attacks involve a number of stages. First, a personal computer with some sort of vulnerability is found and used to enter the system. Then, a person is tricked into clicking on an icon, activating malware.
Next, the compromised PC is used for horizontal expansion (lateral movement), searching for the server that holds the targeted data. The hacker then connects to that server and, by issuing commands, steals the data. If even one of these steps can be thwarted, the leak can be prevented.
One item that has begun to stand out is a behavior detector, which automatically monitors data activities within a company or organization for signs of irregularities, and issues a warning when suspicious activity is detected.
For example, there are programs designed to detect suspicious activity that resembles an attack, based on previous experience such as “attack patterns seen up to now” or “an unnatural attempt to access the sales representative’s diagram.”
These are the equivalent of setting up a monitoring camera on the Internet, to proactively guard against damage, including that from subspecies or unknown viruses.
However, as with monitoring cameras, not everything that looks suspicious is an actual threat. It is therefore necessary to have programs that watch for suspicious behavior on corporate internal networks and run suspect programs in an isolated location—what specialists call a sandbox—to determine which are actual offenders.
Naturally, it would be best to inspect all data logs continuously, like a checkpoint that examines everything passing through. This, however, won’t work for companies that process very large amounts of data. In such cases, it is far more efficient to focus on spotting irregularities.
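The following is an added example, not code from the original column, of the kind of behavior detector the preceding paragraphs describe: instead of inspecting every log line by hand, it learns a per-user baseline of normal destinations from a previous period and then raises an alert only on irregularities that correspond to the attack stages outlined above (a PC logging into many other hosts in a short window, a first-ever read of a sensitive server, and a large transfer to an unknown destination). All log events, hosts, thresholds and rule names are constructed for illustration.

```python
"""Baseline-and-deviation behavior detector over constructed access logs.

Added example: learns what "normal" destinations each user@host touched in a
baseline period, then flags deviations in the current day's log. Event fields,
hosts, thresholds and rule names are all constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since midnight (constructed values)
    src: str         # user@host performing the action
    dst: str         # host, share or address being contacted
    action: str      # "login", "read" or "send"
    bytes_out: int = 0


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    detail: str


def build_profile(events):
    """Per source, record every destination seen during the baseline period."""
    profile = defaultdict(set)
    for e in events:
        profile[e.src].add(e.dst)
    return profile


def detect(events, profile, *, fanout=4, window=120, exfil_bytes=10_000_000):
    """Return alerts for events that deviate from the baseline profile.

    - unusual_access: a read of a server this source never read before
    - lateral_fanout: logins to `fanout` distinct hosts within `window` seconds
    - possible_exfiltration: a large send to a destination not in the baseline
    """
    alerts = []
    recent_logins = defaultdict(deque)   # src -> deque of (ts, dst)
    fanout_reported = set()              # report fan-out once per source
    for e in sorted(events, key=lambda ev: ev.ts):
        known = profile.get(e.src, set())
        if e.action == "read" and e.dst not in known:
            alerts.append(Alert("unusual_access", e.src, f"first read of {e.dst}"))
        elif e.action == "login":
            q = recent_logins[e.src]
            q.append((e.ts, e.dst))
            while q and e.ts - q[0][0] > window:     # slide the time window
                q.popleft()
            hosts = {dst for _, dst in q}
            if len(hosts) >= fanout and e.src not in fanout_reported:
                fanout_reported.add(e.src)
                alerts.append(Alert("lateral_fanout", e.src,
                                    f"{len(hosts)} distinct hosts within {window}s"))
        elif e.action == "send" and e.bytes_out >= exfil_bytes and e.dst not in known:
            alerts.append(Alert("possible_exfiltration", e.src,
                                f"{e.bytes_out} bytes to unknown {e.dst}"))
    return alerts


# Constructed baseline: a quiet previous period with routine activity only.
BASELINE = [
    Event(32400, "alice@pc-01", "fileserver", "read"),
    Event(32500, "alice@pc-01", "mail", "send", 2_000),
    Event(33000, "bob@pc-02", "fileserver", "read"),
    Event(33100, "bob@pc-02", "crm", "read"),
]

# Constructed current-day log: alice's PC has been compromised and is walked
# through the stages the column describes; bob's activity stays routine.
TODAY = [
    Event(36000, "alice@pc-01", "fileserver", "read"),        # normal
    Event(36010, "alice@pc-01", "pc-02", "login"),            # horizontal expansion
    Event(36011, "alice@pc-01", "pc-03", "login"),
    Event(36012, "alice@pc-01", "pc-04", "login"),
    Event(36013, "alice@pc-01", "pc-05", "login"),
    Event(36050, "bob@pc-02", "crm", "read"),                 # normal
    Event(36060, "bob@pc-02", "pc-01", "login"),              # single login, below fan-out
    Event(36100, "alice@pc-01", "hr-db", "read"),             # never read before
    Event(36200, "alice@pc-01", "203.0.113.7", "send", 50_000_000),  # large send out
]


def run_example():
    """Build the profile from BASELINE and return the alerts raised by TODAY."""
    return detect(TODAY, build_profile(BASELINE))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.rule:22} {a.src:12} {a.detail}")
```

The detector emits three alerts for the compromised machine and nothing for the routine user, which is the point of the irregularity-focused approach: the analyst reviews a handful of deviations rather than the whole log. The thresholds and window are tuning knobs; in practice they are set from the organization's own baseline, and a flagged program would then be examined in a sandbox before being declared an actual offender.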
In particular, as the Internet of Things progresses, the volume of data is likely to increase exponentially, to the point that monitoring can no longer rely on human analysts.
Confronting and overcoming attacks on servers that have become automated will increasingly require that security also be automated, leading to what will effectively be a perpetual game of cat and mouse.
Originally posted: ACCJ Journal
Date: 10/25/15