In the last 12 months, we have seen an unprecedented number of cyberattacks occur or come to light. Sophisticated attacks against governments, businesses, consumers, and the pillars of the Internet itself. The future appears to be fraught with runaway risks. Can security tame data breaches, ransomware, massive denial of service assaults, cyber theft, and attacks against autonomous and Internet-connected devices that potentially put people’s lives in jeopardy?
That was the topic for the advisory council members of the Bay Area SecureWorld conference, recently held in San Jose, Calif. As moderator, I had the task of keeping control of a conversation with a room full of passionate experts who live and breathe these challenges every day.
In the past year, a number of significant risks have risen. The team had no hesitation in talking about some of the big issues.
IoT DDoS attacks
Consumers and businesses are feeling the impact of massive distributed denial of service (DDoS) attacks, fueled by insecure Internet of Things (IoT) devices. The sheer volume of data and requests that these botnets can wield is an order of magnitude greater than the industry’s comfort zone. The consensus is that everyone should be worried and the fix is not quick. The IoT industry must change to embrace security across the life cycle of these devices. In a twisted way, these recent attacks are a good wake-up call for the industry. The group agreed that it is far better to have these incidents occur now rather than down the road, when billions more IoT devices will be connected to the Internet.
On the heels of the worst year (2015) for health care data breaches, the hemorrhaging continues. This is by no means limited to health care, as many other sectors are being impacted. An interesting debate emerged challenging the role and impacts of government regulations in this space. One side postulated that the government has weakened security by setting a confusing bar that is too low. Compliance does not make organizations secure, which is an unfortunate mental trap. Many organizations fund only what is needed to achieve the minimal requirements. On the other side, advocates of regulation and auditing pointed out that without a baseline many organizations would fall severely short. As we all work together, we need assurance that other partners, parties, suppliers, and vendors are implementing security controls that meet expectations.
Nobody believed the legislative process could effectively keep pace with the changes in the industry. But all agreed that the lack of consistency, readability, and simplicity of regulations is a problem. Complexity increases costs, delays implementation, and causes confusion. Smarter, lightweight, and easily understood guidelines would benefit the community.
Credit card and online fraud
Major retailers saw a drop in in-store credit fraud with the introduction of new chip cards in the United States, accompanied by a correlated rise in online theft, where the chip plays no role. In effect, fraud continues, but the bubble was squeezed from in-store to online properties. It is a predictable outcome when threat agents are viewed as intelligent attackers. They will adapt. Shrinkage figures are not outrageous, but the online security teams are feeling the heat to keep them low. This pressure will likely require a combination of new technology, back-end analytics, and user-behavior changes. Greed is a persistent attribute of cybercriminals. Other activities, such as ransomware, are also currently painful for consumers, health care, and small businesses. Enterprises have their ears open to shifts in which they may become the primary targets if attackers can find a way to reach into their deep pockets.
Gone in 60 minutes
The industry is full of risks and opportunities. Sitting in a room of experienced professionals who are sharing their insights and experiences reveals one important fact. These conversations must occur more often if we are to keep pace with the attackers. Our adversaries share information and are masterful at working together to our detriment. We, the cybersecurity community, must do the same in order to survive. Our hour together raced by quickly. I look forward to more meetings, discussions, debates, and venting sessions.