The massive cyber breach of Capital One, reported in late July, quickly brought a chorus of condemnation of the company from a wide circle of pundits, concerned customers, competitors and potential investors. Lost in the media fray was Capital One’s exceptional incident response.
The facts are impressive when compared to other cyber incidents. Capital One’s cybersecurity team detected the incident within days (as opposed to the industry average of over 100 days before detection). Critically, the company alerted law enforcement, and collected and analyzed the logs and data that led to an unprecedentedly rapid identification and apprehension of the perpetrator by law enforcement personnel.
Senior leadership messaging to the public regarding the incident was quick, transparent, and sincere. YouTube watchers even got to “ride shotgun” with reporters as they accompanied law enforcement personnel to arrest the alleged hacker and secure the purloined data. Such streaming content of law enforcement arresting suspected cyber criminals in a timely manner bolsters confidence in law enforcement’s capabilities to thwart cyber criminals while providing an unprecedented deterrent in the age of cyber crime.
With nation-state actors, hackers, and other criminal organizations increasing in their boldness and cyber capabilities, corporate entities face significant cyber risk, and the odds of a cyber breach or reputation-damaging cyber incident are high. Boards and business leaders at all levels should recognize that their organization is a target and that they need to be prepared to respond fast and well in times of crisis. They should fine-tune their incident response procedures using lessons learned from the Capital One breach, implement measures to protect the weaknesses exposed in this attack, and practice what they should do if their enterprise encounters their own “really bad day.”
While boards and business leaders rightfully should pay attention to the circumstances leading to the breach itself, there are numerous lessons learned from this breach that organizations of all sizes should pay close attention to – and nearly all are positive.
Given the many instances of email security compromises, it has become vital to provide additional security to emails from the domain administrator level. Security protocols such as Domain-Based Message Authentication, Reporting and Conformance (DMARC), Domain Keys Identified Mail (DKIM), Sender Policy Framework (SPF) and Brand Indicators for Message Identification (BIMI) to prevent address spoofing are considered below.
Before getting into the security protocols, spoofing needs to be understood. Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source. Spoofing can apply to emails, phone calls, websites, IP addresses, etc. In email spoofing, an email header is forged so that the message appears to have originated from someone or somewhere other than the actual source. The objective is to get recipients to open or respond to the emails. There are many email spoofing portals from which emails can be sent to the recipient as if they originated from the real domain; such spoofing is called direct domain spoofing. DMARC, DKIM, SPF and BIMI can be used as authentication and validation tools in many of these instances.
DMARC is an email authentication policy and reporting protocol. It tells receivers whether the sender uses DKIM and/or SPF, specifies how receivers should handle messages that fail authentication, and provides reporting so the domain owner can monitor fraudulent use of the domain. Depending on the published policy, a receiver discards or quarantines such messages on receipt. DMARC serves domain owners and receivers in the following ways:
- Tells receivers which email authentication methods (DKIM, SPF) the domain uses
- Collects feedback about email messages using the domain, whether authentic or not
- Sets a policy to report, quarantine or reject the message
- Ensures the email domain uses email authentication
- Continuously evaluates SPF and DKIM along with what recipients see in their inboxes
- Communicates the domain owner’s preference to report, quarantine or reject messages that do not pass authentication checks
- Provides the domain owner with feedback about messages using their domain
DKIM validates the identity of the email domain through cryptographic authentication by attaching a signature that carries a domain identifier. It differentiates domains used by the known organization from domains used by others through the Signing Domain Identifier (SDID). Figure 1 shows the DKIM model, which depicts the message validation process. The DKIM service passes a verified responsible identifier to the assessor, which checks the identifier against an assessment database and provides input to the handling filter. This filter uses various factors, such as ancillary information from DKIM validation, to decide how the message is delivered to the recipient.
SPF is a type of Domain Name System (DNS) TXT record that identifies which servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to detect and prevent spammers from sending messages on behalf of your domain.
BIMI is a centralized method across multiple email providers to display the brand’s logo along with email messages. It helps to identify legitimate senders and reduce the number of fraudulent messages being opened or read. This protocol has been adopted by more than 81 leading email sending domains.
These protocols will be effective only when the email domain administrator enables them in DNS using TXT records or through the email hosting provider’s admin console. This is done to verify whether a particular email came from the specific domain from which it claims to be sent.
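To make the SPF and DMARC mechanics above concrete, the following is an added example (not code from the original post) that evaluates a connecting IP against a constructed SPF TXT record and then applies a constructed DMARC record’s alignment rules and p=/sp= policy to decide a message’s disposition. It assumes the RFC 7208 SPF and RFC 7489 DMARC tag syntax, supports only the ip4/ip6/all SPF mechanisms (so it needs no DNS lookups), and approximates the organizational domain by the last two labels instead of a public suffix list; every record, domain and IP address in it is constructed.

```python
"""Offline SPF and DMARC evaluation over constructed DNS TXT records.

Assumptions (not from the page): RFC 7208 SPF syntax limited to ip4/ip6/all
(no include/a/mx, so no DNS lookups); RFC 7489 DMARC tag syntax; relaxed
alignment uses the last two labels as the organizational domain instead of a
public suffix list. All records, domains and IPs below are constructed.
"""
import ipaddress

# Constructed records, as a domain owner would publish them in DNS TXT records.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all"
DMARC_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                "rua=mailto:dmarc-reports@example.com")

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record: str, client_ip: str) -> str:
    """Evaluate the connecting IP against an SPF record (ip4/ip6/all only).

    Mechanisms are tried left to right; the first match decides the result via
    its qualifier. No match and no 'all' term yields 'neutral' (RFC 7208).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return SPF_QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # An IPv4 address is never contained in an IPv6 network, and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return SPF_QUALIFIERS[qualifier]
    return "neutral"


def parse_dmarc(txt: str) -> dict:
    """Parse 'tag=value; ...' into a dict and apply DMARC defaults."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")      # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])  # subdomains inherit p= unless sp= is set
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (no PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(dmarc_txt: str, record_domain: str, header_from: str,
                      spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_sdid: str) -> str:
    """Return 'pass', or the policy the domain owner requested for failures.

    DMARC passes when SPF or DKIM both passed and is aligned with the
    RFC5322.From domain. Otherwise the receiver applies p= (or sp= when the
    From domain is a subdomain of the domain that published the record).
    """
    policy = parse_dmarc(dmarc_txt)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_sdid, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    if header_from.lower() != record_domain.lower():
        return policy["sp"]
    return policy["p"]


if __name__ == "__main__":
    # Legitimate sender from a listed IP; relaxed aspf aligns bounce.example.com.
    spf = spf_check(SPF_RECORD, "192.0.2.25")
    print(dmarc_disposition(DMARC_RECORD, "example.com", "example.com",
                            spf, "bounce.example.com", "none", ""))  # pass
    # Direct domain spoof: From: example.com, but sent from an unlisted host.
    spf = spf_check(SPF_RECORD, "203.0.113.9")
    print(dmarc_disposition(DMARC_RECORD, "example.com", "example.com",
                            spf, "example.com", "none", ""))  # reject
```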
The above options are not perfect solutions for email security, because compromised accounts can send email from within the domain, an attacker can set up a domain of their own that passes DKIM and SPF, and many commercial email hosts may not honor the sending domain’s settings. These protocols may provide enhanced security but are not 100 percent foolproof. There are also cloud solutions in the market for preventing email security compromises that provide promising results.
Cybersecurity professionals believe their teams are understaffed, many teams have unfilled positions, open positions often take six months or more to fill, and job candidates often are not qualified for the positions for which they applied, as evidenced in the last several State of Cybersecurity annual surveys conducted by ISACA.
However, it seems progress is being made on the cyber staffing shortfall, at least anecdotally. At the 10th Annual Billington Cybersecurity Summit conducted 4-5 September in Washington DC, the theme of cyber workforce development was discussed in several sessions. Specifically, a number of speakers employed at various US agencies commented on the progress the US government has made in using creative and innovative approaches to hiring individuals for cybersecurity roles.
The Office of Management and Budget (OMB), for example, is piloting a cybersecurity reskilling effort according to Grant Schneider, federal CISO at the OMB. As part of the Federal Cyber Reskilling Academy, US federal employees are offered an opportunity to be trained in cybersecurity.
The Federal Bureau of Investigation (FBI) asks new hires to take an aptitude test to gauge their potential ability to perform cyber tasks. Thus, for example, if an individual is hired to be an analyst (perhaps because of language or data skills) but scores high for cyber on the aptitude test, the FBI will encourage the individual to pursue employment within the Bureau in cybersecurity.
A number of speakers from several US agencies stressed that the government has shifted its hiring practices to focus on aptitude versus requiring specific degrees or skills (and in many instances have eliminated the degree requirement). In one example, government-employed cyber professionals worked very closely with government recruiters to vet candidates and help establish aptitude for cyber roles.
The US government has also had recent successes in hiring industry experts at its agencies. Often these employees started in government, left public service to work in the private sector, and are now returning to the public sector, sometimes via a partnership arrangement with industry. Often individuals want to work for the government, fulfilling a need to give back or serve the public. As Katherine Arrington, chief information security officer, Office of the Undersecretary of Defense for Acquisition, noted, “We need to reduce the bureaucracy to facilitate that. We’re moving in the right direction.”
As ISACA’s State of Cybersecurity reports note, retention of qualified cyber professionals can be challenging. This is especially true in government, where public sector cybersecurity jobs often don’t pay as well as those in the private sector. The government, however, has had recent successes with hiring cyber professionals at a higher pay grade than in the past (particularly for civilian employees) and increasing remuneration via bonuses (for military personnel), according to Jack Wilmer, deputy CIO for cybersecurity and senior information security officer, Department of Defense.
It’s encouraging to see the progress the US government is making in tackling the cybersecurity workforce shortage. The private sector should take note and consider adopting some of these successful tactics.
Cybersecurity resilience of Industrial Control Systems (ICS), Building Management Systems (BMS) and other Operational Technology (OT) systems is falling behind, a critical challenge considering that a cyberattack on ICS or OT could result in the loss of lives and/or major environmental damage. These grave threats, of course, are in addition to the financial, reputational and compliance impacts of cyber incidents that affect all industries. Given the high stakes, it is time for the CISO to step up, learn about the unique characteristics of ICS and OT, and collaborate with the industrial control engineers, in order to take proper responsibility for ICS and OT cybersecurity.
I have gained experience in this area through my work on a project I conducted for the Israel National Cyber Directorate (INCD), in which we worked to provide the Israeli ICS sector with a practical tool allowing enterprises to conduct a cyber risk assessment of their ICS network. In working to develop the tool, we met with a range of OT engineers and cybersecurity professionals to draw upon their expertise and insights. Through those interactions, a concerning pain point was identified – ineffective working relations and processes between the two groups, leading to poor cyber resilience for ICS networks.
Clearly, there is a leadership vacuum that needs to be filled. Among many in the industry, there is a debate about who should assume ultimate responsibility over ICS security – the CISO or OT engineers. I believe that the CISO is best-suited to do so, given the CISO’s grounding in risk management practices and controls for cyber risk mitigation. But to properly oversee this area, CISOs must address their blind spot regarding risks in the OT environment. Since CISOs generally do not possess much knowledge of OT processes and systems as well as their sensitivity to change, they tend to overlook potential consequences if something goes wrong. Conversely, business executives might have familiarity with OT processes, but they tend to have less understanding of cyber risk, focusing instead on productivity and process reliability.
ICS and OT systems, such as Building Management Systems (BMS) and surveillance cameras, can be found in most modern organizations. ICS is a collective term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes. ICS are used in critical infrastructure – areas such as the manufacturing, transportation, energy, and water treatment industries, which are essential to the health, safety, security and economic well-being of governments and society as a whole. OT systems, meanwhile, include the hardware and software systems that monitor and control physical devices in the field, such as devices that monitor temperature in industrial environments.
The convergence of IT and OT provides enterprises greater integration and visibility of the supply chain, including critical assets, logistics, plans, and operation processes. Having a thorough view of the supply chain can help organizations improve strategic planning and remain competitive. On the other hand, however, the convergence of IT and OT expands attack vectors for cybercriminals, allowing them to take advantage of poorly protected OT infrastructure.
This is part of the challenge for CISOs, who have several places to turn for guidance in shoring up this common blind spot. CISOs and others interested to learn more about reducing ICS security risk would be well-served to explore NIST’s Cybersecurity Framework Manufacturing Profile. Additionally, the ISA/IEC 62443 series of standards provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems. And on the certification front, ISACA’s CISM credential can help CISOs develop a risk-based approach to managing security challenges that may arise on the ICS and OT landscape.
Editor’s note: Weisberg will present additional insights on “Illuminating the CISO’s ICS Blind Spot” at Infosecurity ISACA North America Expo and Conference, to take place 20-21 November 2019 in New York City, USA.
About 10 years ago, when I was deciding on my major in university, I was very anxious about where my decision would lead me. I eventually chose Management of Information Systems, and fast forward 10 years later, I’m working as an information security consultant at a Big 4 firm.
Settling on a career that aligns with your interests, personality and educational background has proven to be quite the challenge for many young professionals of this generation. Apart from aiming to stay relevant and make money – which is usually a hidden aspect of several neatly typed-out CVs – young professionals also seek growth capable of propelling them to extraordinary heights.
Pursuing a career in information security is as extraordinary as the word gets. Reports of data security breaches have become commonplace in our daily lives. Organizations from various industries face myriad threats and require information security professionals to help them address this compounding issue. Despite the vast array of opportunity seemingly laid out on a silver platter for prospective security practitioners, the paradox is there remains a huge skills gap, so there is an ever-increasing demand for information security-related job roles. According to the Global Information Security Workforce Study, there will be 1.8 million unfilled cybersecurity job roles by 2022. This situation presents young professionals with both an opportunity and a challenge.
Here are a few reasons young professionals should consider careers in information security:
The cyber and information security, audit and risk professions are remarkably multifaceted. As a young professional, it is vital that you learn about regulatory and industry changes in your country, and even globally, to better inform your choices for a job role. For example, in my country, Ghana, the Central Bank issued the Cyber and Information Security Directive in October 2018, which requires all financial institutions under its supervision to comply with relevant minimum security standards. This very significant regulatory change has opened up numerous opportunities for information security practitioners in Ghana. There already has been a ripple effect in the financial services industry as banks and other financial institutions require their partners to maintain minimum security standards. It is likely that these partners would also require their affiliates to adhere to security best practices, so the cycle goes on and on. These organizations will need professionals (in-house or outsourced) to help them implement and maintain security standards. The opportunities are endless.
Organizations around the world owe a duty of care to their employees, clients and partners to secure their systems and data. They need the right talent to do this and are actively trying to fill the gap in the educational system by honing skills through mentorship and graduate programs for students and recent graduates. With regulation, advanced persistent threats and industry expectations breathing down the necks of organizations, enterprise leaders are looking for individuals who they can invest in and train to effectively handle the growing volume and sophistication of cyber-attacks. For example, Cisco invested $10 million in a cybersecurity scholarship program that sought to increase the pool of cybersecurity professionals to close the security skills gap and enable individuals (starting from the age of 18) to develop cybersecurity proficiency at the early stages of their careers. There is also the Cyber Security Talent Initiative, which is a partnership of leading companies and universities encouraging students to pursue careers in cybersecurity by offering loans of up to about $75,000.
You Don’t Need to Be a Computer Science Major
Several potential job candidates assume that they require a degree in computer science to pursue a career in information security. This is a myth that needs to be debunked. I have met several computer science majors who ended up practicing accounting, finance, HR and even hospitality. On the other hand, I have met accounting, science, history and literature majors who eventually pursued careers in information security, IT audit and risk. Your degree should not be a limitation, especially in cases where you wish to make a career change. Just like any other professional field, information security requires you to have the tenacity, hard work and the right dose of curiosity to succeed.
Furthermore, acquiring soft skills is equally as important as building technical competencies. Learning how to network with other professionals and write compelling reports is a skill that needs to be developed. Imagine being the senior penetration tester or an SOC analyst in an organization and being unable to properly communicate the impact of a vulnerability to management or make a business case for a solution that is required.
There is Room for Growth
From my experience in information security roles so far, I have realized there is always something new to learn. The rate of change in the technology field and the spate of cyber-attacks leaves us all falling in a bottomless pit – in a good way. You can’t afford to be stale, and for me, this has been the exciting yet challenging aspect of my work. News story after news story about seemingly sophisticated and mature organizations left devastated by cyber criminals leaves us wondering if we can ever combat cybercrime. But the nature of data breaches being experienced today is gradually paving the way for tomorrow’s job roles. The reality is that opportunity will come looking for you, hence, you will need to be ready to self-learn and obtain the right certifications to position yourself for the next opportunity that finds its way to you.
To sum this all up, I encourage all young professionals to consider pursuing a career in information security. Also, prior to landing a job role, look for opportunities to volunteer with organizations such as ISACA and (ISC)². Sometimes, you learn the most about networking and soft skills through volunteer roles. Who knows? You might even meet your next employer.
And remember – curiosity and being indomitable will take you to great heights in your professional life.
Editor’s note: For more resources for young professionals, visit www.isaca.org/young-professionals.
About the only thing shifting as fast as the cyber threat landscape is the typical enterprise’s org chart. As enterprises aim to keep pace with the rapidly evolving digital economy, many are restructuring internal departments, hiring criteria and the processes by which they develop and distribute products, all with the overarching objective of becoming more proficient at rapidly responding to new opportunities in the marketplace. In making these well-intentioned adjustments, the ability for enterprises to establish robust, broadly integrated cybersecurity as a core capability of their recalibrated operation will be one of the best predictors of whether these changes will prove successful.
The Expanding Footprint of Data in the Enterprise
Achieving a solid, enterprise-wide cybersecurity posture is difficult not only because cyber threats continue to grow in volume and sophistication, but because of the expanding footprint of data in the enterprise. Call data the new gold, the new air, the new oil – whichever metaphor you prefer – and the reality remains that the need to leverage data is becoming increasingly essential across lines of business. That is one of the main reasons why security teams must not look at themselves as the sole implementer and enforcer of sound security practices, but rather spread security awareness and adoption of clear policies with their colleagues as an ongoing, sustained point of emphasis. More than 8 in 10 respondents to ISACA’s research say that establishing a stronger culture of cybersecurity would increase their organization’s profitability, and this will only become more on-target as organizations increasingly embrace digital business models. The rising profile of data analytics factors in heavily, as referenced in a recent McKinsey article, which noted that “as companies adopt massive data analytics, they must determine how to identify risks created by data sets that integrate many types of incredibly sensitive customer information. They must also incorporate security controls into analytics solutions that may not use a formal software-development methodology.”
The cloud is another area in which proactively bolstering security capabilities will be critical in the new enterprise environment. While cloud computing is certainly not new, turning to cloud providers has become increasingly attractive for many enterprises whose traditional server-based approach no longer is sufficient for storing and protecting their data. Modern cloud platforms supply enterprises with an array of options that provide data storage and protection that can lead to dramatically improved scalability and flexibility. While new, sophisticated security capabilities are being integrated into today’s cloud platforms, these capabilities are not always integrated into organizations’ security programs, whether due to discomfort with trying new approaches or just the challenge of carving out time to explore them amid the usual, day-to-day challenges. This is a missed opportunity for enterprises to enhance their security programs and derive additional value from their investments in the cloud.
Turning DevOps into DevSecOps
Another dynamic elevating the importance of broader integration of security principles is DevOps. In an era in which business velocity can reach a dizzying pace, enterprises have turned to DevOps to move faster and more efficiently in their builds, deliveries and deployments. The problem is, security oftentimes is an afterthought in this process, which puts developers in the difficult position of trying to figure out security best practices on their own. Working security into the DevOps program – referred to as DevSecOps – allows the security team to become involved during the design phase and ensure that critical security flaws are identified and addressed before they require fixes that become increasingly costly later in the process. Similarly, Agile development methodology needs to take cybersecurity considerations into account, such as ensuring that all data is properly categorized and that a comprehensive, risk-based approach to safeguarding the data is in place.
Historically, we have seen that enterprises are typically more attentive to positioning themselves to sell products and increase revenue than to protecting themselves and their customers from security threats. But as we near a new decade – the 2020s – the pace at which enterprises will realign to thrive in a technology-driven digital economy will only accelerate. We remain in the early stages of this era of digital transformation. Consider the way technologies such as artificial intelligence/machine learning, robotics, and the ongoing proliferation of connected devices will create new business opportunities that result in new methods of product development and ushering products to market. Anything less than deeply ingrained cybersecurity throughout the enterprise will not work going forward. By integrating sound cybersecurity practices in all areas of the organization, implementing new security capabilities that are baked into modern cloud services and turning DevOps into DevSecOps, enterprises will have the flexibility to re-imagine their business models while retaining a stable foundation on which to innovate.
Editor's note: This blog post originally appeared in CSO.
Cybersecurity awareness is a topic that most organizations and leaders know is important, but is typically treated as a check box requirement to remain compliant with regulations or mandates placed on the enterprise. Most leaders will argue that cybersecurity awareness training is very important but only marginally effective.
To be honest, how effective is most cybersecurity awareness training? The standard requirement that each individual complete mandatory training every year looks good on paper, but doesn’t provide the needed impact in order to make a difference and increase the security awareness of the users in an organization. For example, most people who are required to go through annual security awareness training for the US Department of Defense likely have half of the answers memorized for the mandatory computer-based training. In fact, many people let the videos play while they do other work and then simply bounce back to the training when it is time to answer questions and advance to the next section.
Enterprises can’t expect that providing training when an employee is hired and refresher courses once a year will arm the employees with the knowledge and understanding to not fall prey to cybercriminal attacks. In fact, the cybercriminals have all seen the required security awareness training modules and have a blueprint of what “not” to do. Cybercriminals are always looking for new ways to infiltrate and attack organizations. So why not think like the enemy and create a cybersecurity awareness training program that resembles what the real cybercriminals will do?
Everything from the marketing of the cybersecurity awareness program to the actual training itself needs to be rebranded, constantly updated and customized to the target audience. Cybersecurity awareness training needs to change and adapt as quickly as the cybercriminals change their attack methods. This means continual training based on the latest trends and attack vectors that are constantly evolving. The most important attribute of a successful cybersecurity awareness program is the effectiveness of the training. To drive up effectiveness, the training must be relevant and retain the attention of participants.
What better way to engage your employees than to include them as part of the actual training program and its activities? Make the training interactive and personal. Show them how a hacker will attempt to steal their identity, include them in a phishing campaign and entice them with [fake] confidential information through trojans or malicious software.
Consumers of cybersecurity awareness training want to learn how it is applicable. They want to know how to lock down privacy on Facebook and other social media applications, or how their Home Depot credit card information is easily obtained on the dark web, or what personally identifiable information (PII) of theirs is circulating the dark web. A majority of end users find hacking fascinating, and they want to learn more about it and how it could impact them. Utilize the curiosity as a training mechanism. Branding your cyber awareness training as a monthly opportunity to hack your coworker and then showing them how the cyber criminals are “hacking” the user will increase awareness and strengthen cybersecurity practices.
I will be presenting more on hacking your coworker to improve cybersecurity awareness at the Infosecurity ISACA North America Expo and Conference, to take place 20-21 November 2019 in New York City. I look forward to walking through specific examples and results of the hacking your coworker training across several organizations.
Consumers are demanding we offer outstanding user experiences and technology interfaces, and we need to strategize how we both safeguard and leverage ever-growing portfolios of data and systems to differentiate ourselves from our competitors. Yet, often our cybersecurity programs and business goals seem to be at odds. Digital transformation (DX) strives to provide outstanding customer experience, personalization, convenience, agility, and cost savings. None of these are traits most organizations would ascribe to their cybersecurity team! I offer below some high-level guidance to bring cybersecurity closer to DX goals.
Embed Security Into Your Culture and Processes
Security controls fall into three major categories: people, process, and technology. In many cases, organizations consider technical controls to be the panacea to safeguard assets from attacks. Technology is scalable, configurable, and consistent in its application of rules. Yet technology functions exactly as designed, not as intended, leaving opportunities for exploitation – often within weak processes and human-elected shortcuts supported by your culture.
For culture, look at what your organization rewards. Do good results justify breaking the rules? Can projects and changes push forward without consulting security? If you celebrate the “heroes/fire-fighters” that save the day when incidents occur, do you also reward the teams that develop reliable and secure applications? IT security processes such as patching, privileged access management, API security review and inventory, change management, and adherence to architecture standards are not glamorous, yet breakdowns in these core areas facilitate most incidents.
In addition to IT processes, business processes must support your goals. For example, with self-service being a DX standard for consumers, business should define “normal” predicted volumes for transactions such as new account openings, profile updates and other measurable key activities so security can program alerts when those thresholds are exceeded. And, business teams should be prepared to review those alerts. Perhaps your DX offerings are more successful than anticipated, or perhaps this is a symptom of a well-engineered attack leveraging known business processes.
Enable Agility by Clarifying Risk Classification and Tolerance for the Entire Organization
If you asked three different groups – let’s say Sales, Customer Support, and Security – to assess the same scenario that contains some level of risk, you would likely receive three different risk classification levels. In all probability, your security team will classify it as “high risk.” Except for organizations that regularly deal with life safety, very few have well-defined matrices of what constitutes medium versus high risk. Almost all leverage vague qualifiers, such as material versus serious or severe harm. We need clear monetary amounts and thresholds – fatalities, volume of records exposed or corrupted, existing or new customers lost, etc. – to guide consistent risk classification and decisions.
Two of my favorite questions to ask when assessing the risk of a new initiative are:
- What are we doing today, versus what you’re proposing?
- What’s the risk if we don’t move forward with this?
Answers to both questions help set perspective on the potential losses from missed opportunities as well as the improved (not perfect!) security controls that may be gained over the status quo. These questions, along with your other initial security risk evaluation questions, form a consistent process for the business triage of where to allocate finite resources and time. If the risk level doesn't rise to a defined threshold, the business can proceed without further security consultation. In other words, this is a "good risk" that falls within defined risk acceptance thresholds; let it run.
Include Detection and Response Capabilities in Your Security Strategy
One of the biggest strategy errors in security is to overspend on prevention mechanisms to the detriment of detection and response capabilities. Similar to the risk determination above to triage where to allocate your security team’s finite time and resources, you need to spend your security budget where it provides the most value. There is no foolproof method to prevent undesired access into your systems – new exploits will always be created. In every breach case I’ve researched, there were multiple opportunities to identify and contain an event once inside, yet multiple breakdowns in processes and culture enabled the intrusion (or error) to progress into a larger impact. Your detection and response plans should be ready for any significant event, regardless of the entry vector.
Further complicating detection and response readiness is the complexity of the shared security models across the multiple X-aaS implementations that make up most "Cloud First" strategies. Even if you can detect anomalous activity today within your on-premises services, once you migrate them into a hosted infrastructure, platform, or software environment, will those alerts still function the same way? If you receive an alert, who has the responsibility and the access to make the changes required to contain and minimize further impact, and within what timeframe? Make sure your vendors have the capability and the customer service mindset to partner with you through detection and response, and include the relevant Service Level Agreements (SLAs) in your contracts. Finally, maintain an inventory of hosting agreements, RACI charts, SLAs, and contacts to streamline decisions and assign actions during events.
In our world of DX, the cybersecurity function becomes both a provider and consumer of customer experience, personalization, convenience, agility, and cost savings to support business goals. Is your team ready?
For those in the ISACA community who are fans of popular culture, you might have noticed in recent years that, in many cases, film and TV stars are beginning to look more like you and me, and less like the muscle men of our youth.
Movie and TV producers have long been interested in technology; from the days of single action heroes like the one-man army of John Rambo in "First Blood" and Arnold Schwarzenegger as a cyborg assassin in "Terminator," the film industry has been drawn to it. But as the work performed by IT security practitioners has become more central not only to every enterprise but to society as a whole, it has been interesting to see how that realization is filtering onto the big (and small) screen.
Now having more fully embraced technology-savvy heroes, the film industry portrays IT security in action-packed, fast-paced, intense scenes where IT systems are breached with a few clicks, in a matter of seconds. The nerdy programmer super-heroes are largely depicted as introverted loners, and family members of IT security characters are prone to being kidnapped, taken hostage and subjected to other forms of trauma associated with the job.
In recent times, the internet, smartphones and mobile computing technology have taken center stage in movies, mirroring their rising prominence in our daily lives. The plots of many movies no longer lead to traditional showdowns in physical locations and instead are more likely to traverse multiple virtual locations, by way of drones and closed-circuit television.
In the hit TV series "24," Joel Surnow and Robert Cochran created the character of the indomitable Jack Bauer, who relies heavily on intel from the IT security team. The team, normally just one or two very intelligent people, supports all counterterrorism operations from a command operations center lined with screens. The opposing sides target each other's operations centers as part of the main strategic battle plan. Backup plans and fallback positions become the lifeline of the story; you have to bring all of these down to win. This is the new fictional reality.
The Hatton Garden TV drama tells the real-life story of how the Hatton Garden (underground) Safe Deposit Company is burgled by four elderly, experienced thieves. As viewers, we worry whether the aging thieves will survive hunger, severe incontinence and, worse still, heart attacks. We must also wonder what really happens to the IT security personnel in such a plot during such long weekends, especially over the Easter weekend.
The tension and level of precision required of IT security professionals will vary from one sector to another. IT security personnel in a bank may stress over financial loss schemes orchestrated by internal and external players, while in a law firm the concerns might center on a data leak that could compromise the privacy and confidentiality of the clients and violate lawyer-client privilege, paving the way to lawsuits, reputational risk and unfathomable damage. It comes down to a matter of trust, built painfully over a long period of time, that can be brought down in a very short one. And the business world is not so forgiving (see the Panama Papers exposé).
The good news is that the daily routine of a “normal” IT security practitioner is relatively mundane by comparison and would not sell at the box office. Incidentally, how many IT security professionals would pay a premium ticket price to watch “us” do our job normally? The excitement and glamour injected into the roles by the script writers may be necessary to keep us glued to our seats, but taking some creative license has long been a hallmark of film and TV producers. That should not obscure the bigger picture here – the work that IT security professionals do for our enterprises can have heroic impact, as today’s consumers of cinema and television can increasingly attest.
If there is one universal truth we have learned from developments on the cybersecurity landscape in recent years, it is that none of us are free from cyberthreats. Attackers identify and exploit vulnerabilities wherever they might exist, regardless of the target's geographic location, whether the target is an individual or an enterprise, or which industry sector the target represents. By the same token, attackers are equally capable of wreaking havoc whether their target is based on land or at sea. With more than 70 percent of the earth covered by water, and an expanding attack surface on the vessels journeying across it, cybercriminals have no shortage of maritime targets to exploit.
Unlike many of the modern sectors of our digital economy on which cybercriminals have set their sights, the maritime industry has been around for centuries. Ships and other seafaring vessels might not seem like natural targets for cybercriminals, but the array of potential access points on modern vessels – such as internet connectivity, the use of industrial control systems and satellite and radio communication systems – present growing opportunities for cybercriminals to pursue. Expect the maritime attack surface to continue to expand given momentum toward a future in which autonomous ships will be a prominent piece of the maritime landscape, underscoring the growing reliance on interconnected information systems.
New methods of attack on the high seas
A wide range of methods exist for those who seek to target maritime vessels, including:
- Extortion/ransomware, holding the vessel's systems until a payment restores operations
- Digital piracy, shutting down the vessel
- Espionage, obtaining sensitive information that can be used by competitors
- Defamation/litigation, by causing ISPS Code non-compliance, delaying the vessel or causing disruption
- Terrorism, causing a vessel collision or a hazard to ports or other ships
- Hacktivism, conveying a message
These possibilities are not merely theoretical. The US Coast Guard recently warned that unidentified hackers attempted to gain access to ships' electronic systems to steal sensitive information and disrupt ships' computer systems. The impact of these kinds of attacks can be enormous. Consider such disturbing possibilities as attackers manipulating passenger lists to allow for illegal transports, leaking data about sensitive cargo transports, and potentially even causing engines to fail or vessels to shut down by manipulating industrial control systems. When it comes to maritime threats, not only are sensitive digital assets at risk, but cyberattacks can lead to physical security incidents that could cause large-scale loss of life. Needless to say, these are sobering scenarios. Just as pirates have been a feared threat to ship personnel for centuries, now and in the future those in the maritime industry have to worry about attackers who are equally menacing but can imperil their missions and safety without risking a physical confrontation.
A shift in mindset
A recent article published by the Center for International Maritime Cybersecurity shined a spotlight on shortcomings in the US Navy’s cybersecurity posture, drawing upon an independent review that was completed in March. Essentially, it was noted that a shift in mindset is required to direct more attention and resources toward preparedness for cyberwar. The article states that, “Ultimately, the objective should be a Sailor who understands cyber hygiene and proper use of the network as a primary on-the-job tool, just as well as any Soldier or Marine knows his or her rifle. Sailors go to sea aboard complex warships with integrated networked systems that run everything from Hull, Mechanical, and Electrical (HM&E) systems to combat systems and weapons employment. The computer is our rifle, why shouldn’t we learn how to use it more safely and effectively?” Given the considerable resources available to the US military, it is fair to assume that many of the world’s smaller nations face an even more glaring challenge in readying their navies and maritime operations for the emerging threats they face at sea.
Fortunately, there are many avenues available to those in the maritime sector to safeguard the people, cargo and other resources on which they depend. After first taking stock of the organization’s cybersecurity capabilities and gaps in preparedness, some of the most important next steps should include devising an updated ship security plan, appropriate training of the crew and employees and tracking implementation progress through periodic audits.
It is essential that all entities that operate in the maritime sector – whether private organizations or military units – commit themselves to taking stock of their cybersecurity maturity and then putting the policies and procedures in place to address their vulnerabilities. This is an overlooked component of the cybersecurity ecosystem that is in urgent need of greater attention in both the public and private sectors. There may be nothing new about the need for ships to deliver cargo or patrol their country’s coasts, but the threats they are increasingly likely to encounter, invisible to any telescope, have placed the age-old maritime sector in uncharted waters.
Editor’s note: This blog post originally appeared in CSO.