What Is Cyber Security?
First, let's be clear about what it is not.
Definitions of security abound in the post-Snowden world which makes sense since the number one question I am asked on this topic is "What does 'cyber' mean?" Once you get past that point, people are more interested in knowing what you're doing to secure their data than trying to parse out an overly technical definition. So for my purposes here I'll settle on capturing the essence of your data and protecting it by stopping its unauthorized use or disclosure both during transmission and when stored at rest.
This leads us directly to system vulnerabilities like Heartbleed (CVE 2014-0160) where memory leaks were created by a flaw in OpenSSL's implementation of Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL). These exploits allowed for the theft of private encryption keys, usernames, passwords or actual content sent through supposedly secure means.
System vulnerabilities are not solely targeting computers but also servers hosting critical data. The recently disclosed SAP vulnerability has been called "as dangerous as Heartbleed" with severe consequences if used to attack one of the German software company's customers. Fortunately this one was reported responsibly to the company so that a fix could be issued before it became public knowledge.
The existence of cyber security threats is no longer newsworthy in most circles but these two recent examples bring up an important factor - all system users must apply patches immediately upon their release or risk being exploited.
Another factor that I find worth mentioning is the argument over whether or not a particular vulnerability can be used by an attacker to launch a cyber security attack. The term "zero day" refers to exploits which have been discovered but not patched and thus are ripe for exploitation by hackers. Zero day vulnerabilities, also known as 0-days, are often sold to other parties such as government agencies through brokers as was the case with the infamous Stuxnet worm.
Because these vulnerabilities exist in software we all use on a daily basis many people argue that they should be shared so that companies can release patches and users can update their systems before attackers gain access to them and use them to gain entry into otherwise secure environments. This might seem like common sense but the debate is very heated in the security community. A counterargument to this plan is that when vulnerabilities are disclosed publicly before a patch is released they lose their tactical advantage which is needed by law enforcement agencies, espionage groups and malware writers who use them in their attacks.
The final, and possibly most important aspect of cyber security, is human behavior. As common sense suggests most companies have rules about internet usage set up on their networks but often these are limited to barring illicit or illegal activities like child pornography or fraud which makes it easy for employees to wiggle around the restrictions without too much risk of being caught. There are also numerous ways that legitimate work can be done with an attacker's help so employees must at least consider how they might be aiding malicious actors.
An example is the Yahoo malware fiasco where engineers were asked to write and sign non-disclosure agreements (NDAs) before allowing them to review a secret directive issued by its legal team about how the company could be legally hacked. I'm not going to comment on whether or not this was nefarious but it does open up a lot of security questions about how far an organization should go in order to maintain secrecy as opposed to protecting its users as well as itself from attack.
I'll end with another famous quote by Sun Tzu that has long been used to explain all manner of battlefield behavior: "Know thyself, know thy enemy; a thousand battles, a thousand victories." This applies nicely to cyber security because you must understand yourself, your organization and how you can be exploited by a hostile actor. You also have to understand the technical knowledge of an attacker so you can resist them or at least detect their presence before it's too late.
The more insight you gain into these things the more likely you are to succeed in preventing attacks from hackers, malware writers and foreign governments. I feel compelled to add that this is all easier said than done but that's no surprise. Achieving cyber security nirvana is no small feat but it's necessary if you want to keep your systems secure. Knowing the enemy is the first step to achieving this goal.
An adversary who can see you coming can easily defeat you in battle but knowing yourself means that you know how others will try to exploit your weaknesses and what methods they'll use to attack it. If you combine these two valuable insights with a strong security plan which incorporates both knowledge of an attacker's capabilities and protection against them then you stand a fighting chance against any cyber security threats which make their way into your organization.
I hope this blog has given readers something valuable to think about. I've merely touched on some of the issues surrounding cyber security threats but I feel like it's somewhat comprehensive while also providing new ideas for readers to consider when developing new standards or policies for their organizations. All of the topics I've included are important but they're all limited in what they can provide. The final piece of the puzzle is to understand how you can be breached and used as an attack vector by groups like APT28 or Pawn Storm.
I've read countless articles written by cyber security experts who speculate about Stuxnet, Duqu, Flame and over a dozen other sophisticated pieces of malware which successfully navigated their way through corporate firewalls before wreaking havoc on SCADA systems around the world. It sounds like science fiction at first but that's because people fail to remember that these (and countless other) weapons were developed specifically for espionage purposes before later being modified to become precision-guided munitions with scary results.
Attackers are at war with us. They have powerful tools which can defeat our security measures so it's important for people to understand the methods they'll use to get in so they can be better prepared to avoid these attacks or detect them before it's too late. This is especially true for companies that develop industrial control systems because their products are used in critical infrastructures around the world. An attack on one of these systems could cripple a nation, cause massive loss of life and significant damage to our economy.
An adversary only needs one successful attack against you before they've accomplished their goal even if it takes years or decades to realize how serious this breach was until someone makes the discovery through an entirely unrelated event. There are countless examples of cyber security breaches which went unnoticed for years before someone caught on to the problem. The US Office of Personnel Management (OPM) was breached by hackers who stole incredibly sensitive information about American government employees and it was no secret that their data security wasn't exactly impressive.
The deal-breaker isn't that OPM had bad cyber security (which is true), it's how they handled this incident after being hacked. They were given a heads up by the Department of Homeland Security not long after the attack began but took months to recognize how severe this breach would be once everything was said and done because they didn't properly secure their systems against potential threats. Companies must realize that if you don't have visibility into your environment then you're flying blind when it comes to security.
A lack of visibility is a major problem with cyber security today because it's estimated that 80%+ of all attacks which occur go unnoticed by the victim . This means that companies have no idea if they've been breached and whether or not their data has been compromised. It might seem unlikely but people must consider a worst case scenario for a moment. How would you feel if your company had been compromised multiple times already without even knowing about it? What would you do to better prepare yourself against these threats? Until more people start asking themselves questions like this then we'll continue to see breaches become more sophisticated as attackers gain an edge due to their knowledge of how organizations work compared to those who are fighting them on the other side of the battlefield.
This is a huge problem because organizations have to consider that enemy nations or even private companies may have already infiltrated their networks once they recognize the scale of the threat. What would happen if a military contractor discovers an intrusion but can't tell it's customers about what happened? Something like this has happened before and will continue to happen because it happens so often. The best way to stop attacks from happening is to prevent them from being successful in the first place by having good cyber security practices in place for years before any breaches occur which will help you manage your digital reputation better than competitors who aren't as proactive about their security posture.
Remember, there are over 1 million people outside of government agencies who work on industrial control systems , each component of which may be compromised by an adversary who's using them to get into networks which control other critical systems. Since there are millions of people working on just this one component then it makes sense that adversaries will use any vulnerability they can find to target these individuals and infiltrate their computers for future attacks against the real targets, the companies which make these products.
One method is called supply chain attacks in which hackers exploit vulnerabilities within a manufacturer or vendor to gain access to the product before it goes out into the world. This allows them to compromise all components of a product (or multiple products) at the same time instead of having to target each one individually. For example, imagine if criminals bought thousands of routers from different places around the world and found security vulnerabilities in as many as they could. They would then write malware which targets those flaws and give it to operatives who can use these routers to hack into the target network without the administrators knowing, making this a potent espionage tool .
Supply chain attacks are just one method of compromising critical infrastructure but other types exist. For example, there was a recent intrusion against a power plant in New York City where attackers used spear phishing emails with attached malicious documents which gave them access to the system . With all of this said, it's important for organizations everywhere to recognize their digital footprint and use appropriate cyber security practices so that no adversary has any advantage over them at any time.
Transparency is crucial because adversaries will always seek out vulnerabilities wherever they exist. In that regard it's not only the responsibility of companies producing critical infrastructure to take active steps in protecting their networks, it's also the responsibility of these companies' customers to hold them accountable when they fail. By stalling on regulation or refusing to act altogether, government officials are showing that they don't always have an interest in protecting individuals who use their services. After all, once cyber security is so poor that intrusions happen regularly then people will become even less engaged because voting for representatives who support laws that promote better protection won't matter since there won't be any elections anyway if the machinery used to administer elections itself has been compromised by malicious actors.
It's not just criminals and pro-democracy activists who should care about digital threats. Everyone should because all infrastructure is vulnerable.
If cyber security was so important to government officials then the United States itself wouldn't have been hacked by anyone with even rudimentary training in basic offensive techniques. If digital threats were taken seriously, internet users would be able to enjoy the same rights online as they have offline which they currently don't because of legislation that works against their interests. Legislation like SOPA , CISPA , and any others that threaten our rights needlessly will come with great costs since it will take away freedoms online just as effectively as if a physical bill passed restricting them offline.
SHe is a graduate of Akdeniz University, Department of Business Administration. She graduated from the university with a faculty degree. It has contributed to its environment with its social responsibility project. She writes articles about business and its fields.