People still consider the internet a fun place, a virtual playground where we can be happy, enjoy ourselves and experience peaceful lives without many worries. Whilst this is a great mindset, and I personally enjoy the internet a great deal myself, we must not forget the state of affairs; the internet is also the playground of:
- Criminals
- Governments
- Fraudsters
- Cheaters
- Murderers
- Mafia
- Sex-offenders
- Drug-lords
- Terrorists
- Scammers
- Trolls
- Hackers
You could say that you’re just a ‘ping’ away from these characters. You’re living in the same neighborhood as pretty much the worst criminals and dangerous individuals on the entire planet. Yet, users are still walking around with their wallet sticking out of their pocket on high-crime streets when they’re online. People are still acting naively when it comes to personal or work security, like choosing bad passwords or refusing to commit to a reboot to install new updates.
In light of the current COVID-19 pandemic there was bound to be an upswing in the amount of fraud and scams, but remember that this is happening all the time. The pandemic has caused a surge in the amount of criminal activity we see, but other than that, this is status quo. Think of attackers constantly observing the ‘what’s trending now’ section of Twitter. Anytime there’s something positive, negative, a crisis, a pandemic, or anything really being talked about, there are huge opportunities for criminals to ride that trend and successfully con people for money.
Are We Conveying What a Critical Security Patch Really Means?
It’s highly likely that most users do not realize what patching does to their computers, because if they did, they would be eager to patch rather than the opposite. We haven’t successfully conveyed the story of what a critical security patch really does to our systems, hence people are instead irritated about having to install patches, reboot and potentially break something. So, what is the story of patches? What do people need to know? Missing critical security patches really means that someone could potentially use the weakness to control your web-camera, listen to your microphone and access illegal content through your machine. The story quickly becomes a horror story. Oh, and when you’re accessing illegal content, and by that I mean THEY are accessing this through your computer using your IP address, it’s your address the broadband subscription is registered to, so it’s your flat the police will come to raid and seize equipment from. If your neighbors see uniformed police officers exiting your house carrying laptops and ‘computer paraphernalia,’ you’re already labeled even if you’ve done nothing wrong, other than getting hacked by one of your online neighbours.
There are many wrongs with how we use computers and the internet today. I’m told on a regular basis that users can’t operate a password manager, and that a VPN is too complex. When did we start making excuses for everybody and when did exceptions become the rule? A VPN is activated with the click of a single button, and a password manager in many cases makes it easier to log onto systems. There are always exceptions, but we should deal with those and not let them become the rule. We can seek to mitigate those risks with different means, look for alternate solutions and ways for it to at least be secure enough.
The Story Needs to Change
We need to be realistic not only about the current situation, but also the future. Cybercrime became a multi-billion-pound industry many years ago. Cyber-criminals are getting filthy rich, tax free, with slim chances of getting caught or held accountable. In a single taking, more than eight million pounds were stolen from a Norwegian government organization in May 2020. These kinds of figures are not a one-off but are seen several times a year. Most of the big headlines never reach the public media, as great measures are taken to keep breaches under wraps, all to the advantage of the criminals themselves.
What needs to change? Companies need to be far more agile, not just in development, but in security work too! Many organizations are hesitant to patch in production, but why is this? To stay ahead of the game, we need to patch in production. We need to orchestrate, automate and respond in real-time.
Security teams can no longer sit back and accept the push back of those at senior/leadership level who simply don’t understand. “No, you can’t” is stifling innovation and causing employees to avoid us. Instead, we should learn from people like Martin Sklar, Disney imagineer, who famously said: “Don’t tell me you can’t because…; tell me you can if.” In security, it should never be “No,” but always a “Yes…but, here’s how we do it.” If you don’t have the answers yourself, seek someone who does.
Security should not be a hindrance to innovation; instead it should stimulate it, and at the same time enforce the necessary level of security. It will not be an easy transition to make, but it is an essential one if we are serious about turning the tide in the ongoing battle with cyber-criminals.
Author Chris Dale holds the GCIH, GPEN, GSLC, and GMOB certifications. Currently Chris teaches the SANS course SEC504: Hacking Techniques, Exploits & Incident Handling. SEC504 prepares students for the GIAC Certification in Incident Handling (GCIH).