Every so often, a misleading badge will turn up on a website that says it’s safe from hackers. How true is that? Can we guarantee that we’re 100% secure and will never experience a security breach? We asked some industry experts to find out.
Steve Durbin raises his eyebrows at the concept of 100% security. The managing director of the Information Security Forum hears about new attacks every day from members, and knows just how tenacious attackers are getting. He believes that 100% security is unrealistic for the simple reason that criminals are getting better at it – far better than we are.
“The technical capabilities and reach of cybercriminals are now equal to those of many governments and organizations,” he says. “In the next few years, these capabilities will extend far beyond those of their victims. As a result, the ability of current control mechanisms to protect organizations is likely to diminish, exposing them to greater impact.”
Can’t we simply use better tools and techniques than they do? Good luck with that. Cybersecurity isn’t the kind of war where one person completely wins and the other completely loses. Instead, it’s a cat and mouse game. Cybersecurity expert Aditya K Sood, author of Targeted Cyber Attacks, describes it as an arms race where organized cybercriminals and ‘white hat’ security researchers each try to best each other with new tools and techniques.
What does this arms race look like in practice? Criminals create viruses that steal your data, so researchers create tools that identify that malware based on its digital footprint, known as its ‘signature’.
So the criminal makes the virus polymorphic, meaning that the software effectively rewrites itself to change its digital footprint each time it installs. In response, the researchers start to identify the software by what it does, rather than simply what it looks like.
This exchange never ends, because the criminals will always be back with a new innovation. Virus software first appeared in the mid-eighties. Today, there are hundreds of thousands of new variants appearing each day.
Battles like these are being fought all the time, across many different technologies, and they’re endless. Which means that no one will ever win the war. The result: a constantly shifting landscape of wins and losses. Corporate networks are the battlefield, and they are littered with compromised systems and stolen data.
It’s difficult enough to prove that you haven’t been breached yet, let alone guarantee that you’ll be safe in the future. Forensics retrieved from breached sites reveal that intruders were happily dormant inside corporate networks for weeks or even months without being discovered. Compromised organizations took a median of 146 days to discover intruders in 2015, according to Mandiant’s M-Trends 2016 report. How many intrusions were never discovered, and how many companies are congratulating themselves on not being hacked?
Cybersecurity isn’t about proving that you’re “unhackable”. Instead, it’s about tipping the odds in your favour through risk reduction, according to Sood. Companies must reduce the likelihood of threats with defensive tactics, while reducing the magnitude of those threats if they do still occur.
“For risk reduction, there are many ‘low hanging fruits’ or approaches that organizations can follow,” he says, highlighting the need for a healthy mixture of user awareness and technical controls.
Employees must be trained not to click on suspicious links, he warns. Administrators must update antivirus software, browsers and system software, and should enforce strong passwords and two-factor authentication. Companies enjoying the benefits of mobility should control mobile devices more effectively with appropriate management software.
Give yourself more of an advantage by thinking like a crook, Sood advises. “Cyber attacks can be thwarted by staying ahead in the cyber arms race,” he says. “This is possible only when the defenders understand the stealthy tactics opted by attackers to conduct cyber attacks.”
We can guarantee security, to within just a hair of 100%. Just turn your computers off, disconnect them from the network, encase them in concrete and then bury them in an underground safe, guarded by lions. Armed with lasers. Then never turn them on again.
Or, in the real world, assume that you’ll always be vulnerable to some degree and respond with a sensible risk reduction regime. At the very least, be sure that you’re harder to break into than the next guy.