Let’s Talk About Cyber Risks
Matthew Rosenquist
CISO at Mercury Risk; formerly Intel Corp, Cybersecurity Strategist, Board Advisor, Keynote Speaker
In the last 12 months, we have seen an unprecedented number of cyber-attacks occur or come to light: sophisticated attacks against governments, businesses, consumers, and the pillars of the Internet itself. The future appears to be fraught with runaway risks. Can security tame data breaches, ransomware, massive DDoS assaults, cyber theft, and attacks against autonomous and internet-connected devices which potentially put people’s lives in jeopardy?
That was the topic for the advisory council members of the Bay Area SecureWorld conference recently held in San Jose, CA. As moderator, my task was to keep control of a conversation with a room full of passionate experts who live and breathe these challenges every day.
In the past year, a number of significant risks have emerged or grown. The team had no hesitation in talking about some of the big issues.
IoT DDoS Attacks
Consumers and businesses are feeling the impact of massive Distributed Denial of Service (DDoS) attacks, fueled by insecure Internet of Things (IoT) devices. The sheer volume of data and requests these botnets can wield is an order of magnitude beyond where the industry is comfortable. The consensus is that everyone should be worried and that the fix is not quick. The IoT industry must change to embrace security across the life-cycle of these devices. In a twisted way, these recent attacks are a good wake-up call for the industry. The group agreed that it is far better to have these incidents occur now, versus down the road when billions more IoT devices are connected to the global Internet.
Data Breaches
On the heels of the worst year for healthcare data breaches (2015), the hemorrhaging continues. It is by no means limited to healthcare, as many other sectors are being impacted. An interesting debate emerged challenging the role and impact of government regulations in this space. One side postulated that the government has weakened security by setting a confusing bar, which is too low. Compliance does not make organizations secure; treating it as if it did is an unfortunate mental trap, in which many organizations fund only what is needed to achieve the minimal requirements. On the other side, advocates of regulation and auditing pointed out that without a baseline many organizations would fall severely short. As we all work together, assurance is needed to establish confidence that other partners, parties, suppliers, and vendors are implementing security controls which meet expectations.
Nobody believed the legislative process could effectively keep pace with the changes in the industry. But both sides agreed that the lack of consistency, readability, and simplicity of regulations is a problem. Complexity increases costs, delays implementation, and causes confusion. Smarter, lightweight, and easily understood guidelines might be an opportunity to benefit the community.
Credit Card and Online Fraud
Major retailers saw a drop in in-store credit fraud with the introduction of new ‘chip’ cards in the U.S., accompanied by a correlated rise in online theft, where the ‘chip’ doesn’t play a role. In effect, fraud continues, but the bubble was squeezed from in-store to online properties. It is a predictable outcome when threat agents are viewed as intelligent attackers: they will adapt. Shrinkage figures are not outrageous, but the online security teams are feeling the heat to keep them low. This will likely require a combination of new technology, back-end analytics, and end-user behavioral changes. Greed is a persistent attribute of cyber-criminals. Other activities, such as ransomware, are also currently painful for consumers, healthcare, and small businesses. Enterprises have their ears open to shifts where they may become the primary target if attackers can find a way to reach into their deep pockets.
Gone in 60 Minutes
The industry is full of risks and opportunities. Sitting in a room of experienced professionals who are sharing their insights and experiences reveals one important fact: this must occur more often if we are to keep pace with the attackers. Our adversaries share information and are masterful at working together to our detriment. We, the cybersecurity community, must do the same in order to survive. Our one hour together disappeared quickly. I look forward to more meetings, discussions, debates, and venting sessions.
Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights on what is going on in cybersecurity.