27 July 2015

Cyber security: Are secrets possible anymore?

By S S Iyengar and Jerry Miller
July 24, 2015

We hear a lot about cyber security these days, most of it bad. Cyber crime and associated cyber security breaches lead most of our technology coverage. Victims of these incidents may not even feel the ravages of the crime until it is far too late. They may already be economically dead, or at a minimum paralysed, with both their bank accounts and their identities gone before they even know they were victims of an attack. Perhaps, you are already one of its victims.

Consider for a minute some of these statistics. In 2014, cyber attacks rose by 48 per cent, with over 42.8 million attacks occurring around the world. According to the PriceWaterhouseCooper Cyber Security Survey, security incidents cost businesses an average of US $2.7 million each year, with average reported losses up 34 per cent this past year. Perhaps, what is more important is that companies are identifying and reporting more incidents of higher monetary value.

Of those companies reporting losses greater than US $20 million this past year, the number of companies nearly doubled over reports from previous years! The fastest growing cyber threats involve attacks by peer competitors, organised crime, and even nation states, all of which increased by 86 per cent in 2014. And we are off to a banner year in 2015 already as evidenced by these accounts.

Anthem Healthcare Insurance was recently attacked with over 80 million personnel records compromised. Home Depot, a large US home improvement and hardware store, was also attacked and lost 56 million customer payment cards. More surprising was the cost to the company – over US $62 million – in order to take stop gap measures to secure the data, then inform clients of the breach and assure them Home Depot could be trusted to continue their business transactions.

And of course, who can forget the North Korean attack on Sony Pictures where digital records in several internal data centres were wiped clean, with sensitive contract information, salary lists, film budgets, social security numbers and even entire films stolen.

Experts believe that we may actually be engaged in a global cyber war where the lines between criminal activity and war can no longer be neatly drawn. According to a leading cyber security company, Kaspersky, the top five countries most actively attacked are Russia, Germany, the United States, India and France, in that order.

Officials at the United States Government’s Office of Personnel Management discovered after some time, that their files had been hacked, presumably by China, and “sensitive information” stolen. This information included the addresses and personal information, as well as health and financial information for over 4.1 million employees.

Later investigations revealed the attacks to have enabled the attackers to access not just 4.1 million records, but 14.1 million records. A short time later, it was revealed that the numbers were actually closer to 21.5 million records exposed with detailed information on the private lives of all US Federal employees over the past 15 years compromised, making this the largest cyber-attack and breach of information in US history. 

How could so much information be compromised in these cyber security events? What is cyber security and what is this cyber domain we hear about? Will the prospects of compromised data grow even larger as we expand to cloud computing?

First, what is “cyber?” Cyber refers to anything relating to computers, information technology and/or virtual reality. The term “cyber domain” or “cyberspace” describes the environments in which we digitally live and work, and can be expanded to include anything in the electromagnetic spectrum, specifically as it applies to communications and information processing. All of communications media can be attacked and exploited.

For businesses, their clients demand more open access to the market, with expanded smartphone applications and opportunities for internet shopping from the comfort of their homes, 24 hours a day. Businesses have responded accordingly, expanding their shopping forums, as well as their exposure to cyber attacks, yet their budgets for cyber security have actually gone down by 4 per cent over the last year.

Declining real security
But this is not an isolated statistic. Investment in cyber security by companies has remained steady over the past five years, resulting in rapidly declining real security. Simply put, companies are not keeping up with the cyber security threat.

So what is “cyber security” and how can companies better respond to the threat? Cyber security refers to actions taken to protect computer systems, networks, and information systems from disruption or unauthorised access, use, disclosure, modification, or destruction. There are three basic objectives of all cyber security measures – integrity, confidentiality, and availability.

First and foremost, the data in our systems must be protected to ensure that it is not tampered with either accidentally, or maliciously. This includes integrity of the data source, meaning that third parties do not have access to, nor responsibilities for, handling the information. The data, therefore, must be intact just as it was received from the source.

Information must also be accessible only to those authorised, thus ensuring confidentiality. This involves a series of protocols whereby access of information is restricted to those on access control lists, where their “need-to-know” the information has been previously confirmed. Companies must ensure that access can only be made through proper hardware/software and only by those authorised.

Finally, companies must ensure that while their protective measures are in place, the data is actually usable, and can be accessed reliably in “real time.” Information must be available immediately when needed, again without handling by third parties, or without providing too much information, and thereby exceeding the user’s “need to know.”

(Iyengar is a distinguished Ryder Professor and Director, School of Computing and Information Sciences, Miami; Miller has been with US Air Force for over two decades and is Coordinator, Discovery Lab, Florida International University)

No comments: