In this first of a mini-series on security, I look at why cyber security is so critical.
Published: Wed, 06 Oct 2021 16:56:29 GMT
Hello, and welcome back to the Better ROI from Software Development podcast.
In this episode, I'm going to start a mini-series on security - I'm going to call these the security briefings. In each of the security briefing episodes, I'll give you an overview of a security based topic.
In this episode, I'm going to give you an introduction as to why security is so important in the first place.
Many years ago, I remember a CFO talking to me and expressing his view that cyber security wasn't that important.
He believed the industry as a whole had generated a lot of hyperbole and a lot of media attention, largely to sell its products - very much like the Emperor's new clothes.
And while I don't disagree that there is a certain amount of media spin and hype around subjects like security, as with many other technical subjects, and I don't disagree that the security industry within computing has grown massively over the last few years, I believe there is a good reason for that, and I do believe that security is important.
Within the information security industry, there's a well known meme:
"There are two types of companies, those that know they've been compromised and those that don't know."
When researching this episode, I found an excellent article that went through the history of that quote. It appears to have originated with Dmitri Alperovitch, then at McAfee. In 2011, Dmitri said:
"There are only two types of companies—those that know they’ve been compromised, and those that don’t know. If you have anything that may be valuable to a competitor, you will be targeted, and almost certainly compromised."
A year later, in 2012, former FBI director Robert Mueller said something similar:
"For it is no longer a question of “if,” but “when” and “how often.”
I am convinced that there are only two types of companies: those that have been hacked and those that will be.
And even they are converging into one category: companies that have been hacked and will be hacked again."
And it certainly doesn't take much to find examples of security exploits and hacking in the media. ITGovernance.co.uk said that by July 2021 they had recorded 815 security incidents, totalling 3.9 billion breached records, in 2021 alone.
And if I'm honest, that's probably just the tip of the iceberg.
So many breaches, so many security incidents, aren't being recorded. Some aren't even being noticed until many, many years later.
Let's talk about the impacts of a security breach. This will differ from company to company. It depends what you have that you value and don't want to lose - Do you have customer data? Do you have intellectual property? Are you very heavy into research and development?
Anything you have that someone else could covet is effectively something that could be attacked, that could be breached.
And in some cases, it's not even as targeted as that - sometimes it's just disruption. Maybe you work in an industry that has detractors that would like to see you fail. Or maybe it's just competitors that would like to see you and your organisation fail.
I worked for a company many years ago that, when it would get to a busy period, we knew that we were being attacked by a competitor. Our systems were being taken offline by the competitor so that they could receive the bulk of the traffic.
So what happens if you do lose that data?
You obviously have impact to your reputation.
Take T-Mobile. At the moment, they've lost 50 million people's records. And it's believed they've had at least five breaches since 2018. They're currently being hit heavily in the press for such a poor record.
We are also seeing a much greater level of protection coming through in law.
Take, for example, the GDPR, the General Data Protection Regulation introduced in the EU. This sets out expectations for you as a data holder when you're holding individuals data. And if you breach that, there's a maximum fine of 20 million euros or four percent of annual global turnover, whichever is greater.
And we're seeing similar schemes in other territories. I think it's only a matter of time before these get stronger and stronger, and we see heavy fines coming through for people that are failing to keep up with their commitments.
The UK's ICO, the Information Commissioner's Office issued £42m of fines in the past year - this rise is driven by a £20m fine issued to an airline and an £18.4m fine to an international hotel chain.
These fines were issued following data breaches in which millions of customers' personal data were compromised.
An interesting example of an organisation that really took security to heart was Microsoft.
Back in 2002, Bill Gates issued the "Trustworthy Computing" memo. In it, he recognised that the future of Microsoft - whose business at the time was built on Windows, Office and so on - depended on establishing a level of trust with businesses and consumers. They were failing in that responsibility at that point, following a number of security incidents involving their software. In the "Trustworthy Computing" memo, he repurposed Microsoft to focus on building trustworthy systems, and that focus rested on four things: security, privacy, reliability and business integrity.
That single memo is credited with changing the direction of Microsoft at the time. And in many ways, many industry experts doubt they would still hold the position they do had they not made that course correction.
And again, more recently, you're seeing a lot of interest in privacy.
Apple is currently doing a lot of marketing around privacy and the protection of people using their iPhones. Chrome has recently made a number of changes, again around privacy.
As an industry, we're being asked to provide more privacy to our customers. And I can see that only growing over time.
So who is it that's actually attacking us?
If you do a Google search for the word "hacker", you'll get plenty of images back of someone in a hoodie, in a dark menacing environment.
In reality, however, there are many types of people who could be trying to cause us problems through security - trying to get at our data or our systems, or just to interrupt our business.
So let's talk about some of those different types of people that could be causing you sleepless nights.
For this, I'm going to borrow some examples from the Pyramid of Threats episode of the Security This Week podcast. In that episode, they talk about how you can think of the possible attackers as pyramid shaped. At the bottom level you have those with the lower technical capability - and there are a lot of them. Rising to the top, you get to the much more sophisticated operators - but in much smaller numbers.
But let's start with that lowest level, the one that's probably closest to that media image of somebody in a hoodie in a dark menacing environment. Within IT, we would generally refer to these as "script kiddies". Notionally we think of them as relatively young, running automated scripts. They're effectively button pressing to try and find low hanging fruit. These are not particularly sophisticated attackers. They are looking for easy ways in, and they're using automation and automated scripts to try and break into systems.
Think about this in terms of parking your car in a car park. A script kiddie is basically just walking through that car park, trying every door handle. They're not going after any specific car. They're just trying each door handle to see which cars are open. And if you leave your car open, don't be surprised if they then take what's available. It's generally not a very targeted attack. They're not aiming to go after you specifically. They're looking for potential targets, for low hanging fruit. And if they find one, then you will find that they've stolen all the CDs from the car.
And the script kiddies are largely using downloadable software to do this. It's trivial to download software packages that will search the internet for exposed systems or, in this case, cars with the doors unlocked.
They are effectively using the same sort of tools and working practices as Google does. If you think about how Google searches the entire web for search terms - so when you look for your next red teapot, they can give you results - this is pretty much what the script kiddies are doing.
They have automated systems that will trawl through websites looking for potential vulnerabilities. There are even search engines out there, similar to Google, which do this all the time: they index exposed systems and known vulnerabilities. Largely these are used for security research, but if it can be found via security research, it's still a vulnerability - it's still allowing someone into your car to steal your favourite Taylor Swift CD.
Ok. The next group I want to move on to is the disgruntled employees.
Now this is slightly different, in that they are going to be targeting you as a company. For some reason - either they've had a poor experience with you or they're doing it for monetary gain - they are targeting you specifically.
And because they're an employee, they're normally inside the security perimeter. If you think about this as a castle, they're inside the moat, they're inside the walls. And while this is sometimes overlooked by organisations, it's probably one of the biggest points of attack.
Sometimes it can be accidental. Maybe they introduce a virus or ransomware into your systems. But in the same way, because they have access, because they have insider access to your systems and your processes and your data, a disgruntled employee can be one of the most dangerous things to protect against.
Think about if you've given the keys of your car to your employee, maybe you've asked them to valet it, maybe you've given it to a mechanic, they're suddenly past the security. They've got your keys. If they want to take your Taylor Swift CD, it's gone.
There's also the potential of industrial espionage. Your competitors.
I say industrial espionage, and it makes it sound so much grander than it could be. Yes, maybe you are leading the way in some very, very lucrative research and development - in which case your intellectual property is super important to you. It's super valuable to keep that secret. And as such, it's a very tempting target to competitors with low morals.
But it might not even be as simple as that.
It may be a competitor wanting to get your customer list. They want to be able to ring all of your customers to try and steal them.
Certainly in years past, I've known salesmen to move between roles, taking their customer list with them as a way of getting a foot in the competitor's door - as a way of getting their next job.
And as I mentioned earlier, I've certainly been in organisations that have suffered from competitors trying to disrupt their business by attacking their systems and taking them offline during key periods of the year.
Now I suggest that, in most cases, the risk of a direct attack by a competitor is relatively low - and you probably have a good idea who those competitors would be - but it's certainly something that can happen.
Now, generally, a competitor won't attack you directly. That brings me to the next category: professional individuals or organisations that are attempting to make money out of an organisation by hacking it or holding it to ransom.
Now there are individuals and organisations, and indeed entire crime organisations, based around being able to take data potentially to sell it or hold it for ransom and demand payment for its release.
Now they could do this by taking that data, holding it somewhere else and threatening to release it. Or they could use things like ransomware, which encrypts the data on your systems - and without them providing you the decryption key, you can no longer access that data.
You've lost your customer records until you pay up that ransom.
Generally, professional individuals and organisations will be a lot more targeted in attacking you as an organisation. There will generally be a reason why they're going after you. Now, potentially they could have been contracted by a competitor - in most cases not likely, but possible. More likely, they feel there's something to gain in terms of getting money out of you. You have something of value that you want to protect, which they can either take, steal and sell, or ransom back to you. So they are much more targeted.
Now, sometimes those attacks go astray. They may be aiming at one target, but the way they've done it isn't as clean or surgical as they originally intended, and other companies are affected by the fallout of their systems.
Take, for example, if they've developed a specific computer virus for one company and that computer virus finds its way into other systems unintentionally - it can cause downtimes and knock on effects to unintended targets.
For example, the WannaCry ransomware that hit the NHS exceptionally heavily. Now, it's believed by most security researchers that the NHS was never a target. Effectively, it became collateral damage.
If we go back to our car park example, those professional individuals, organisations almost certainly have ways of getting into your car without needing the keys. Maybe they have devices which will record the security code when you press your remote lock.
Almost certainly, they will have tools and capabilities well beyond that script kiddie going in and just trying the doors.
Plus, as I say, they will be targeted.
They may specifically want that limited edition Taylor Swift CD that's in your car.
And the final category is nation states.
There is a long held belief there is a cyber-war happening as we speak, and it's been going on for quite some time. Nations are constantly trying to get one up on each other in the cyberspace environment. There's been considerable investment by many nations in their capabilities, both to attack and defend.
And obviously, we'd like to believe that our own nation is only using it in defence and other nations are the ones using it as a means of attack, both in terms of disrupting business but also the nation.
Ultimately, if a nation state wants your car, they're going to get it. There is very little you are going to be able to do to stop a nation state attack.
One last thing I wanted to pick up in this episode was how much to spend? How much should you be spending on security? How much should you budget for it? How much should you be putting into investing in time, money, effort, resources, training to protect your computer systems?
The short answer for me is - it will depend.
Almost certainly you're not spending enough, but you can always spend more.
And it really depends on the risks and the threats to you as an organisation. You as an organisation have to take a long, hard look at what is it that could possibly be stolen or disrupted? How much of a threat is that to you, your organisation and your customers, and thus your ongoing success as an organisation? How likely is it that you will be attacked?
It's the same principle as how much do you want to secure your house or indeed your car?
You want to make sure that you've got good enough locks so that those script kiddies that come along and try the door can't open it. That may be enough to discourage the script kiddies to go away.
It's not going to be enough to discourage a professional individual, organisation or nation state.
And of course, you could go on from there in terms of securing your house: you could hire security guards, you could build walls, you could build defensive mechanisms to protect your house from attack.
And each time you put more in, you're making it more difficult for a potential attacker to get to your house.
So the same principles apply to our computer systems: the more we do to protect them, the better they will be.
But you have to look at how much is appropriate for you to spend. Unfortunately, the actual amount depends, it really does depend on what you are trying to protect.
Now there are certain standards you will need to reach for certain activities. For example, if you're taking credit cards, you have to meet certain levels of security (the Payment Card Industry Data Security Standard, PCI DSS) to justify being able to take and store card details.
You will find that the organisations providing card processing will ensure that you meet those conditions.
And the same with legal requirements from any governing body that you have to report to.
Those almost certainly will be your bare minimum. You have to meet those commitments as a bare minimum to be allowed to trade effectively under whatever governance you're being asked to.
But we should always remember there will always be a way in, no matter what you do, there will always be a way of getting into that customer data or system. There will always be a way through, even if they have to take you at gunpoint to gain access - there will always be a way.
But in terms of how much you should spend?
Use the yardstick of would you feel comfortable explaining what you've done after a breach to the government bodies, to the press, to your grandparents?
Would you feel comfortable enough being able to stand in front of people after you've lost data and say you've done enough?
Would you feel comfortable being able to stand up and say we did as much as we could?
If you don't feel comfortable in being able to say that, then maybe you need to look at more investment.
Thank you for taking the time to listen to this episode. I look forward to speaking to you again next week.