CIO Folder: All ICT is cyber, all cyber is risk
12 December 2016
Cyber should be cipher. All data transmissions should be encrypted, certainly over the Internet, WANs and most if not all networks, and certainly all virtual ones. Yes, it could be clunky at times, especially at the endpoints. Certainly, some transfers will fail when the two ends cannot agree on protocols or keys, so be it. Universal adoption and market competition should smooth out the bumps and lumps. Compared to the losses of data that enrich criminal gangs and hobbyist scammers, the teething problems of encrypting everything should fade into the trivial.
Whether data at rest should also be encrypted is certainly worth looking at, but that is probably a decision for the specific organisation or indeed for the particular function or set of records. A bog-standard SME hardly needs to encrypt its warehouse and logistics files. Its point-of-sale data is another matter: any records that hold payment card details are not a free choice at all, because PCI DSS requires stored card numbers to be rendered unreadable, and encryption is the usual way to do it. And it should seriously consider encrypting its financial records, particularly including customer information, business or consumer.
One type of fraud involves getting hold of company details such as the VAT registration, purchase order numbering and bank account (a BIC and IBAN are all that is required). Most of that could be picked up from a discarded hard-copy invoice. But online it adds the required authenticity to an email, apparently from the finance director, instructing a change of destination bank for payments. Such scams have gone undetected for weeks or months until the creditor finally chases payment, only to discover that the money has gone into the ether. The one defence that reliably works is procedural: any change of bank details is confirmed by telephone to a number already on file, never to a contact supplied in the requesting email.
A little info
The point is that online confidence tricksters, like their plausible on-street counterparts, need only a little information to elicit more, or to add just that small convincing detail that seems to confirm authenticity. Phishing depends on being convincing, and a 0.0001 success rate (one victim in ten thousand) is real success when the emails cost next to nothing to send. For personal scams, Facebook is a treasure trove of kinships and relationships, nicknames, pets and favourite things. But again, the point is that one loose end lying in the open, or visible to the keen eye, can lead to the gentle easing out of a long string of other clues and information. Trivia can be significant, just as in real-life police investigations or the stories of fictional detectives, except that here it is The Bad Guys that gain.
Incidentally, that loose end may be an item of personal information, like a date of birth or an address, whole or partial. Even a place of birth can be a giveaway if relatively unusual; rural Irish people carry their townland community characteristics into cyberspace. In corporate scamming, it might be as apparently trivial as the name of the person who authorises purchase orders or bank transfers. But the commonest loose end of all, according to many security researchers, is an inept password like ‘12345678’ or ‘qwerty’, or just a partner’s first name, all of which sit at the top of the lists that attackers try first.
The point is that encryption hides many such loose ends and clues, potentially very useful to the criminal, and the security systems can concentrate on the doors and locks, lockers and safes rather than the contents. The data contents can be protected by encryption. Yes, the NSA or other high-powered intelligence agencies probably have the resources to get at it, though in practice that means exploiting weak implementations, stolen keys or compromised endpoints rather than breaking a properly used modern cipher outright. That includes nowadays some shadowy organisations linked to hostile governments. We know which we might suspect, but some might be criminal enterprises with support or tolerance from the murky worlds of state spooks. But they do need to know where it is and at least broadly what they are looking for, and what the directory or file or database looks like.
But in many types of cybercrime the actual content is not the direct target. It is the access and the consequent privileges, like the ability to transfer money. Ransomware, for example, works perfectly well on already encrypted contents, simply encrypting them again under a key only the attacker holds. The hijackers are not interested in the content, only in the ransom paid to retrieve it, which is why encryption is no substitute for tested backups kept out of reach of the production systems.
Security has to be comprehensive. Any vulnerable point can potentially lead to the innermost secrets. We have all read of lurking malware that sits quietly within systems for weeks or months waiting for its opportunity. That is what killed the simple-minded obsession with perimeters and firewalls of early IT security, although endpoints are certainly still the first line of defence. But above all else, security systems have to be joined up. Then additional smarts can be added, notably today the spotting of anomalous behaviour in systems.
There should be no question of offering crumple-zone type layers, where information that is not particularly sensitive or confidential is less well protected because the successful casual attacker might be expected to retreat with the easily if ill-gotten gains. Individual organisations may sometimes think that way, but security professionals certainly do not: an attacker who lands in the ‘unimportant’ zone uses it as a foothold from which to move on to everything else.
On the other hand, there is certainly a recognition of a hierarchy of value, to the organisation and to the attackers. That may well be where layered protection comes in, a common answer being that only certain categories of data are encrypted. It is understandable that management may not see the point of encrypting ‘normal’ correspondence and email while happily complying with the highest standards for protecting customer records and personal details, for example.
There is also, it has to be acknowledged, a widespread fear of encryption. Somewhere deep in our human psyche is that terror of being locked out of our own systems and data, as from our place of shelter or protection or refuge. Most of us have lost significant keys at some stage in our lives and remember the escalating consequences. The very idea that a tiny bit of digital data, the cipher key, could be lost forever is in many minds a bigger fear than being successfully attacked. Perhaps there is an anticipation of guilt there: you can at least think or say ‘We did our best…’ after a cybertheft. But publicly acknowledging ‘We lost the key…’ is downright terrifying.
The only possible advice is to talk to the experts, to organisations that already use encryption widely (there are few in Ireland that use it universally) and think it through. In the all too near future, in the humble opinion of this column, there will in fact be little choice. There is constant progress in the sophistication of digital security, certainly including smart applied analytics in real time, already a key target area for artificial intelligence.
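One standard answer the experts will give to the lost-key fear is not to have a single copy of the key that can be lost at all: split the master key into shares held by different custodians, so that any few of them can rebuild it and the loss of one or two is harmless. The Python below is an added illustration for this column, not code from any product or organisation mentioned in it. It uses Shamir's secret sharing over a prime field; the choice of the Mersenne prime 2^521 - 1 is an assumption of the example, made so that a 256-bit key fits in one field element, and the key, custodian names and share counts are constructed for the demonstration.

```python
import secrets

# Mersenne prime 2^521 - 1, chosen (an assumption of this example) so that a
# 256-bit key fits comfortably in a single field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial over GF(PRIME) by Horner's rule; coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, shares: int):
    """Split `key` into `shares` (x, y) pairs; any `threshold` of them rebuild it."""
    if not 2 <= threshold <= shares:
        raise ValueError("need 2 <= threshold <= shares")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key does not fit in the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret_int(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME).

    With fewer than `threshold` shares this still returns a value, but a
    uniformly random field element that tells the holder nothing about the key.
    """
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def recover_key(shares, key_len: int) -> bytes:
    """Rebuild the key bytes; raises ValueError if the shares do not add up to a key."""
    secret = recover_secret_int(shares)
    if secret >= 1 << (8 * key_len):
        raise ValueError("shares do not reconstruct a key of that length")
    return secret.to_bytes(key_len, "big")


if __name__ == "__main__":
    # Constructed scenario: a 256-bit master key, five custodians, any three suffice.
    master_key = secrets.token_bytes(32)
    custodians = ["finance director", "IT manager", "auditor", "solicitor", "offsite safe"]
    held = dict(zip(custodians, split_key(master_key, threshold=3, shares=5)))

    # Two custodians lose their shares; the remaining three still recover the key.
    lost = {"IT manager", "solicitor"}
    remaining = [held[c] for c in custodians if c not in lost]
    assert recover_key(remaining, 32) == master_key
    print("recovered with", len(remaining), "of 5 shares")

    # Two shares alone yield a random field element, not the key.
    assert recover_secret_int(remaining[:2]) != int.from_bytes(master_key, "big")
```

Two practical points follow from the code. A wrong or corrupted share produces a wrong key silently, so store a fingerprint of the real key (a SHA-256 hash will do) beside the shares and check the reconstruction against it. And the shares are now the crown jewels in their own right: any three of them are the key, so they need the same physical and access controls as the key they replace. For a real deployment the same scheme is available in vetted libraries and in hardware security modules, which is where the experts will point you.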
But the same lines of development are being pursued by The Dark Side. In theory, the baddies have fewer resources and a smaller budget. In reality, we do not know that, and in any event a cybercriminal or gang only has to succeed once or twice to win the lottery, let alone merely recoup the investment. Security has to protect everybody and everything all the time.
A newer threat, if you so consider it, is state security and other agencies. The passing of the new Investigatory Powers Act 2016 in the UK is possibly the most extreme surveillance law ever passed in a democracy. Most European organisations are already wary, to say the least, of US agencies like the NSA and their official powers, not to mention their extended or sub rosa powers: it is an offence not to cooperate, but also an offence to disclose that you have cooperated!
The new powers in the UK force ISPs to keep records of every subscriber’s internet connections for up to a year, oblige companies to remove encryption they have applied when served with a notice, and enable government security agencies to hack devices clandestinely under warrant. Right now, and much more so after the reality of Brexit, we have to be aware and wary of our neighbour’s official snooping. In fact the domestic powers go generally further than those in the USA. That certainly suggests that the new EU Privacy Shield will go up between us as a Digital Border to match the threat of Customs posts on the M1.
In the meantime, the much less discussed threats of state snooping and cyberwarfare from less democratic states grow all the time, so far as we know. There have been rumours for years of university-level (and higher) cyber-snooping programmes and even whole institutions in the former Soviet Union, funded largely by crime with the covert cooperation of state agencies.
So be afraid. Be very afraid. Embrace encryption. Make cyber cipher.