It's safe to say that 2017 has been an eventful year in the cyber security industry. As well as a steadily growing number of breaches across a multitude of organizations and industries, there have been some pivotal moments that have had a significant impact on the cyber security industry as a whole. We've looked back over the last 12 months and have chosen the top 5 events that have shaped the industry.
We don’t include the Equifax breach purely because it was a high-profile security breach, but rather because it carries some key points of learning that are slowly trickling into board level conversations and wider InfoSec cyber security strategies.
Equifax had a cyber security team and was running a cyber security program. However, evidently some of its programs were shaped more by compliance requirements and less by effective risk management. The Apache Struts vulnerability that was ultimately leveraged to gain access to 143 million records had been publicly disclosed for two months at the point of compromise. Industry commentators have discussed the fact that Equifax ran an annual penetration testing program, which identified vulnerabilities and impacts on a once-a-year basis. Unfortunately, as history now tells us, approaching cyber security, and indeed penetration testing, as a once-a-year activity will inevitably leave an organization hugely vulnerable in between test cycles.
A quick review of the MITRE website suggests that there are approximately 18,000 unique CVE numbers allocated and reserved for vulnerabilities identified during the course of 2017. That equates to 1,500 new vulnerabilities per month, or 50 new vulnerabilities each day. A cyber security strategy that tackles assurance as a point-in-time activity is doomed to failure. Unless organizations evolve their security practices to become continual in nature, the risk of a cyber security breach will remain high.
If we look at the fallout from the Equifax breach, the CEO, the COO and the CISO all lost their jobs. The share price is now tracking at 80% of what it was before the breach. Developing and executing assurance practices that are continuous in nature would seem a sensible approach to mitigating the risk of a cyber security breach.
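To make the point-in-time versus continuous argument concrete, the following added illustration (not Nettitude's code, and not from the original post) models how long a newly disclosed vulnerability in a component you actually run stays unassessed under different review cadences. The advisory feed, the asset inventory and the CVE-style identifiers are constructed sample data, not real CVE records; the review schedule start date is an assumption.

```python
"""
Exposure-window model for point-in-time vs continuous assurance.

Added illustration, not Nettitude's code. The advisory feed, the asset
inventory and the CVE-XXXX-* identifiers are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Advisory:
    cve_id: str        # constructed placeholder, not a real CVE number
    component: str
    disclosed: date


# Constructed inventory: components in use on this estate.
INVENTORY = {"apache-struts", "openssl", "nginx"}

# Constructed feed of public disclosures during one year.
FEED = [
    Advisory("CVE-XXXX-0001", "apache-struts", date(2017, 3, 7)),
    Advisory("CVE-XXXX-0002", "openssl", date(2017, 5, 20)),
    Advisory("CVE-XXXX-0003", "tomcat", date(2017, 6, 2)),     # not in inventory
    Advisory("CVE-XXXX-0004", "nginx", date(2017, 9, 30)),
]

# Assumption: the review schedule starts on 1 January 2017.
SCHEDULE_START = date(2017, 1, 1)


def relevant(feed, inventory):
    """Keep only advisories that affect a component actually in the estate."""
    return [a for a in feed if a.component in inventory]


def next_review(disclosed, schedule_start, interval_days):
    """First scheduled review date on or after the disclosure date."""
    if disclosed <= schedule_start:
        return schedule_start
    elapsed = (disclosed - schedule_start).days
    periods = -(-elapsed // interval_days)  # ceiling division
    return schedule_start + timedelta(days=periods * interval_days)


def exposure_days(interval_days, feed=FEED, inventory=INVENTORY,
                  schedule_start=SCHEDULE_START):
    """Days each relevant advisory stays unassessed under the given cadence."""
    return {
        a.cve_id: (next_review(a.disclosed, schedule_start, interval_days)
                   - a.disclosed).days
        for a in relevant(feed, inventory)
    }


def mean_exposure(interval_days, **kwargs):
    """Average unassessed window across all relevant advisories."""
    gaps = exposure_days(interval_days, **kwargs)
    return sum(gaps.values()) / len(gaps) if gaps else 0.0


def compare_cadences(intervals=(365, 30, 7, 1)):
    """Mean exposure window, in days, for each review interval."""
    return {interval: mean_exposure(interval) for interval in intervals}


if __name__ == "__main__":
    for interval, mean in compare_cadences().items():
        print(f"review every {interval:>3} days -> "
              f"mean unassessed window {mean:6.1f} days")
    print("annual cadence, per advisory:", exposure_days(365))
```

Running the script shows the shape of the problem the post describes: with an annual review the constructed Struts advisory sits unassessed for 300 days, whereas a weekly review cuts the mean window to under three days and a daily feed check closes it entirely. The model deliberately ignores remediation time; it measures only how long an organization does not know it is exposed, which is exactly the gap a once-a-year test cannot close.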
Fake news – Data integrity comes into the spotlight
During 2017 we have seen an increasing number of media articles that discuss fake news. There has been much commentary around nation states meddling in political campaigns in the US, the UK, France and Germany. This shines a spotlight on the fact that data integrity is hugely important to decision-making processes. This is nothing new to the seasoned security veteran, who can recite confidentiality, integrity and availability as the core pillars of InfoSec; however, it does demonstrate the impact that a change in data integrity can bring about at the macroeconomic level. Historically, many people have thought about data integrity as an important function within financial services or application development, with an expectation that processes would fail or result in a loss of monetary value if integrity was compromised. 2017 demonstrated that data integrity needs to extend much further than this, and that the integrity of social media, news articles and even blog posts can have an impact on decision making and expectations across industries, countries and culture as a whole!
Back in April, Wikileaks published the Vault7 leak on their website. Many security researchers were quick to jump into the detail, and within a matter of days media outlets were talking about nation states running campaigns that targeted smartphones, televisions and wider IoT devices as a means of gathering intelligence. The fact that nation states are interested in gathering intelligence will come as no surprise; however, the aftermath of what happens when this type of information is publicly disclosed was made crystal clear during 2017. When critical vulnerability and exploit information is disclosed publicly through uncoordinated approaches, we can expect cyber-related incidents to follow rapidly. The disclosure of EternalBlue in the Vault7 disclosure went on to be leveraged in a number of virulent ransomware attacks that impacted large and small organizations around the world.
In 2017 ransomware came to the forefront of the public consciousness. Although the concept of ransomware is nothing new, its impact became all too apparent as it crippled high-profile health services, manufacturing services and shipping organizations during the course of 2017. At Nettitude, we have been talking about ransomware as a key threat for a number of years. Historically, organized crime units that wanted to monetize their attacks would focus on financial services as a means to gain access to money. As time has gone by, this has moved into the targeting of organizations that interact with payment card data, as that in its own right provides an avenue to monetize an attack. In 2017, we have really seen threat actors evolve their techniques into ones that target the population at large by distributing ransomware that removes an organization’s or individual’s ability to access their data. The number of individuals that have important documents, photos, music and videos is clearly large, and so the potential attack surface is far beyond that of pure financial services or card processing entities. As a consequence, the ability to monetize an attack by denying a user or organization access to their data has really come into focus. Our prediction for 2018 is that this type of attack will only continue to grow in frequency and impact. The types of entities that will be hurt the most will be those that need access to data immediately, and that cannot afford to roll back to data backups that have been captured historically. This means devices associated with industrial control systems and wider critical national infrastructure will be a constant target.
GDPR driving board cyber consciousness
GDPR doesn’t come into effect until May 2018; however, during 2017 it has been amazing to see a whole new industry evolve. As a consequence of GDPR, many boards are taking cyber security more seriously and are trying to determine what data they have and how it can be secured. Clearly cyber security is not a new concept, and many organizations have been building programs to secure and protect their data for many years. What GDPR really demonstrates is that, with the assistance of regulation, it is possible to change board level approaches to cyber security.
There is significant asymmetry of information and expectation between the board and the cyber security practitioner. The board assumes that it won’t be targeted, and that it is doing all that it needs to do from a technical perspective to secure its assets. The seasoned cyber security veteran knows that cyber security is not a goal, but rather an ongoing process that can always benefit from more focus or funding. For many organizations, this disconnect has existed for years. It is only through regulation such as GDPR that boards are giving cyber security a renewed kick start of focus. Although many would argue that a world of increasing cyber regulation could stifle innovation and hinder the growth and profitability of many organizations and industries, GDPR demonstrates that through regulation it is possible to bring about positive change in boards’ cyber consciousness.
2017 has been a pivotal year for the cyber security industry. There have been some far-reaching incidents and events that have continued to bring cyber security into the mainstream population’s vocabulary. We expect this trend to only heighten during 2018, as more organizations become aware that cyber security needs to become a core component of everything we do online.
Nettitude is at the forefront of the cyber security industry. Whether your business is looking for advice and guidance on best practices, the latest cutting-edge technology or knowledge of top-notch processes, Nettitude is on hand to help. Make sure you kick start your 2018 cyber security plan by getting in touch with us. Simply fill in the form below and a consultant will be in touch to discuss the requirements for your business.