Earlier this month, Distil Networks’ Co-founder and CEO Rami Essaid participated in an enterprise security panel entitled "The Cyber Landscape" at the annual Web Summit in Dublin, Ireland. Joining Rami on the panel were Todd Simpson, Chief Strategy Officer at AVG Technologies, and Evgeny Chereshnev, Vice President, Global Consumer Marketing at Kaspersky Lab. Moderating the Web Summit discussion was Dermot Williams, CEO of Threatscape.
The past year has seen security breaches of retailers, health insurance companies, film studios, and countless other industries in an ongoing escalation of malicious cyber attacks. The panel was tasked with discussing whether private players have a role in tackling these threats or are mere spectators at a global cyber war.
Cyber crime – anyone can do it
Dermot Williams got the discussion going with a recap of the recent breach at multi-billion dollar telecom provider TalkTalk, which saw the theft of vast amounts of customer data. The company’s CEO described the attack as “super-sophisticated”, a questionable defense when the primary culprit turned out to be a 15-year-old boy.
All three Web Summit panelists agreed that this was a perfect example of how easy it is to become a cyber criminal today. “It’s getting to be a bigger and bigger threat landscape out there”, noted Rami. “It’s one company against an infinite number of expert and novice attackers, so people have to think about security as part of their core infrastructure, and I think too many people are too relaxed about this. Any one solution is not enough to stop everything out there – you have to have a really sophisticated plan and a stack of defenses.”
He cited a frighteningly simple, publicly available “how-to guide” Distil had found in a recent targeted attack on a customer. It literally told the hacker to “click this button, then call the support line and repeat this phrase, and they will reset the password for you”. Web app plus social engineering = security breach – and there are many, many such guides out there.
Evgeny added that it was clear TalkTalk was not paying enough attention to its cyber security. “It’s safe to say we can expect a lot more attacks of this nature.”
How can we make it harder for hackers?
For Todd, it’s a question of economics. Given the ease with which cyber security weapons can be obtained, the security industry should be making it more and more expensive and difficult for hackers to get past that stack of defenses – not just WAFs and other web security but data encryption, smart storage, and other defense-in-depth tools. Hacking is a moneymaking business; it’s not just a game anymore.
Evgeny reiterated his belief that many companies still do not understand the realities of cyber crime and, until they do, it will remain difficult for the security industry to help them. Success in fighting cyber criminals will come from collaboration, and that includes working with those hackers not motivated by money but by the challenge of “it’s impossible to hack Company X”.
Todd agreed, citing Tesla’s recent experience at DefCon, when the Model S was hacked but the company was able to respond quickly, patching the cars the next day because they stepped up and engaged directly with the hacker community. Rami noted that companies are afraid such bounty challenges will turn them into a target, but the reality is that they are already a target, and a bounty program could actually help them to remediate more quickly. He added there are even brokers in this arena now like Synack and HackerOne that will help companies engage in white-hat operations with the hacking community.
“The Past is Just a Preamble”
That’s the title of a recent white paper issued by HP’s enterprise security team, so Dermot’s final challenge to the panel was: “Have we seen the cyber equivalent of 9/11 yet, or is the HP team’s assessment correct?”
For Evgeny, what we are experiencing now is just the tip of the iceberg. Today’s cyber security landscape is nothing compared with what we’ll see with the Internet of Things and billions of IPs out there, all potential access points for the bad guys. The manufacturers of these Internet-enabled devices need to be working with the cyber security community now, not after something really bad happens.
Rami equates today’s cyber landscape with the Wild West; in his view, we haven’t seen anything like 9/11 yet, and when such an event does come, it is most likely to take the form of a catastrophic terrorist attack. Industrial systems are no better protected than the customer databases being breached today. Cars, refrigerators, coffee makers – all the devices that make up the Internet of Things are hackable and ripe for exploitation by terrorists.
Todd sees a redefined cyber security landscape that is not just about protecting data but also about protecting devices and people. The Internet of Things is one giant attack surface, and both companies and individuals need to pay a lot more attention to things that may seem innocuous but can have far-reaching effects in the wrong hands.
Rami agreed, reminding the audience that even today, when usernames and passwords are exposed in a breach like Ashley Madison, it’s just the beginning. That information can then be sold on the black market and used in brute force attacks on other major databases. Those hacks can then deliver bank and credit card account details, Social Security numbers, dates of birth, and other opportunities for financial and identity theft.
See who’s going after your website
You can’t fight what you can’t see, so get a jump start on the fight against cyber terrorism and request a free no-strings trial of Distil’s web infrastructure security solution at www.distilnetworks.com/trial
About the Author: Courtney Brady