From 7 to 9 October 2019, more than 3600 attendees came together at the Australian Cyber Conference in Melbourne to discuss the latest trends in the industry and the future of cybersecurity.
Mimecast's Garrett O'Hara also interviewed world-famous hacker Kevin Mitnick, who rose to acclaim when his social engineering exploits landed him in jail. Here’s some food for thought from those discussions.
The challenges of securing a digital ecosystem
As the digital ecosystem grows more complex, the emerging challenges of cybersecurity are no longer restricted to specific systems or devices. Bruce Schneier gave the example of the smartphone as a truly international device. These devices have a vast number of hardware and software components from different manufacturers around the world coming together and working seamlessly in a single unit. A vulnerability can come from any of the vendors, suppliers and software companies that make smartphone parts or services. Given the ubiquity of smartphones and the services supporting them, any vulnerability is potentially a global cybersecurity issue.
Challenges of this scale cannot be solved in isolation. If we take a closer look at the emergence of vulnerability, we can see that securing technology ecosystems is a new frontier. The recent Myki data set leak, which compromised data on more than 15 million people, showed that even supposedly “de-identified” aggregated data can potentially reveal identities and highly specific details when correlated with other markers. Two separate technologies may not be vulnerable when working independently, but when they are brought together, unforeseen vulnerabilities can emerge.
The real-world costs of compromised data
As more and more processes and records transition to digital, there is an increasingly real risk to life and property. For example, stolen patient records or identity theft are a nuisance compared to the real-world dangers of compromised data integrity. Cyber attackers could potentially rewrite critical information, like changing your blood type or editing sensitive records. The current state of security at most healthcare organisations makes them particularly vulnerable.
Security policies are not infallible. They are developed by people with good intentions, but who may not have a full technical understanding of all the implications. There is no way to guarantee 100% protection end-to-end, but we can build cyber resilience to manage the risks. However, building resilience comes with its own cost. For businesses, there is a decision to be made on the cost of building resilience versus the costs of losses/insurance if something goes wrong.
The future of cyber resilience is human
Cyber resilience becomes even more important when we consider the trend towards smart cities, where everything is connected and countless devices are communicating with each other. In such a connected ecosystem, security is not just a technical issue. Human error is a major factor and not just limited to the end-users. It can and does happen on the development side as well.
In many development processes, cybersecurity is treated as an afterthought. It is something that is considered long after the core functions of a piece of software or system have been defined and the code has been written. What’s more, developers do not always consider the unpredictable nature of human behaviour. The iPhone charger is a really good example of a point of vulnerability. Kevin Mitnick demonstrated live on stage how to compromise a phone via a hacked USB cable. No one thinks twice before plugging in the cable, but it’s surprisingly easy for a doctored cable to find its way to an unsuspecting user and compromise their device through that route.
Education and awareness can only go so far in changing human behaviour, so future cybersecurity planners will also have to take social engineering into account and factor in the human element on both the development side and the end-user side. No doubt, it is a huge challenge, but also an exciting area of opportunity and innovation for those interested in building a cyber-resilient future.