By Ryan Linn, Director of Advanced Threats and Countermeasures, Nuix
I’ve been reflecting on a number of conversations I had and some of the concerns people expressed to me about cybersecurity during my recent two-week trip to Australia.
One thing has particularly drawn my attention: cybersecurity is just now becoming a talking point in Australia. In the United States, we are inundated at least once a week with stories about this hack or that hack. As a result, organisations are at most just a few days away from another heavily publicised incident.
This has led to individuals becoming more concerned with security and this awareness puts them in a better position to protect themselves online. For various reasons, I don’t think Australia is quite there yet.
Cybersecurity should be a national issue
Raising awareness is the first step to protecting Australian businesses and critical infrastructure.
The Australian Government has delivered its Cyber Security Strategy and made efforts to increase awareness of security issues. The distributed denial of service attacks that disrupted the 2016 census helped make security very real and visible. So did the recent announcement that the Australian Red Cross Blood Service had accidentally published the details of 550,000 blood donors on its website.
However, such announcements are relatively rare because the Australian Government has still not enacted mandatory breach disclosure legislation. As a result, many organisations that suffer breaches try to sweep the matter under the carpet rather than suffering the bad publicity – and other consequences – resulting from telling people what happened.
Until Australians are aware of the true frequency and scope of data breaches and broader security threats, cybersecurity will not become a national concern and it will be hard to focus the minds of lawmakers and business executives on these issues.
Visibility into your networks is critical
Across the globe we suffer from a lack of security as well as a lack of insight into what’s happening on our networks, computers, and phones. Computing is becoming more powerful and user interfaces are facilitating easier computer use at the expense of visibility. Why is visibility so critical when we have antivirus, firewalls, and all of these other technologies protecting us? The answer is that attackers are staying one step ahead of the good guys and as a result it’s fairly easy to bypass many of these security controls.
I’ve heard the phrase “We haven’t been breached … as far as we know” more times than makes me comfortable. What is most distressing about this statement is that many people don’t even have a grasp on what a breach is.
If your organisation has had a virus, malware or any other malicious application appear on one of your systems, you’ve been breached. These breaches are relatively easy to deal with by reinstalling the machine, using a cleaning tool, or hoping your antivirus software caught all the pieces. However, all of these pieces of malware have a purpose besides just infecting machines. If you don’t know what that purpose was, it’s impossible to know what the impact of the breach has been.
The emergence of ransomware has brought this issue to the forefront, yet most people don’t consider ransomware a breach. If someone else is holding your data hostage, how do you know they don’t have a copy? “Doxware” such as the Chimera ransomware doesn’t just hijack your data and encrypt it – it also releases your data online if you don’t pay promptly.
The takeaway from this is that regardless of whether or not you think you’ve been breached, the truth is that you have; you just may not know what was taken.
This is where insight comes into play. The more visibility you have into what’s happening on your device, the better your chances of detecting a breach and mitigating the damage before it becomes critical. As we push forward with technology, we now have to worry about internet-connected doorbells and refrigerators, not just computers, phones and network hardware.
The vulnerabilities of the internet of things
“Internet of things” devices such as thermostats, door locks, lighting and household appliances are becoming the latest attack surface.
Attackers are looking at these devices and realising that not only do device owners have no visibility into what’s happening on their devices, many do not even know how the device is connected to the network and managed. The outcome is that attackers know more than the consumer, which puts all of us at a disadvantage.
To understand the extent of the problem, look at sites like Insecam that trawl the web looking for publicly available internet-connected cameras that use default credentials (admin:admin, for example) or sometimes no credentials at all. You can watch people from around the world from the comfort of your living room, and in some cases, watch them type in their usernames and passwords, credit card numbers and other sensitive data.
So why are these devices so vulnerable? Because we as consumers aren’t telling companies that security is as important to us as functionality. Once we do, security will become more of a priority for these companies. We have to be willing to pay for products that do it right instead of shopping for what’s cheapest or just buying something because it works. We have to take responsibility for our security and hold companies accountable if we are to collectively reduce our risk of a cyberattack.
What’s next?
So what do we need to do to protect ourselves? Prioritising security in our everyday lives is a solid start. Take the example of two products or services that are identical except for price and security. By basing our purchasing decision on security, we’re signalling to vendors that we’d rather have a solid product, even if it costs a few more dollars.
As we move forward and start to demand security in everything from our bank accounts to our baby monitors, we drive the industries that we consume to do better. This isn’t a problem that was created overnight, so we shouldn’t expect it to be solved overnight either. Rather, by making sure we are diligent with our data and demanding that others do the same, we can keep pushing towards the levels of security that we need to protect ourselves from the world of chaos on the internet.