Information Security: Where does the world stand against cyber attacks?
“The oldest and strongest emotion of mankind is fear, and the oldest and strongest kind of fear is fear of the unknown.” – HP Lovecraft, Supernatural Horror in Literature
The hooded hacker hunches over a clacking keyboard, face illuminated by the dim and flickering glow of a monitor. He punches a button and executes the code. He lurks in the dark. He’s a monster with the power to annihilate people, governments, and companies.
For most people, the archetypical anonymous and malcontented hacker is as mythological as ghosts and goblins. For enterprise companies, SMEs, and government agencies, however, hackers and hacking teams represent a terrifying threat. According to a ZDNet report, the average corporate hack costs companies $4 million. Hacking can also damage a brand and expose employees and customers to privacy risks.
In my previous article, I had warned that large-scale, coordinated cyber-strikes targeted at essential infrastructure could cost the economy billions of dollars in lost productivity and potentially harm individuals.
In this article, I have tried to answer a few of the most-asked questions about cybersecurity worst-case scenarios. Infosec Future has continuously expressed cybersecurity concerns about the burgeoning IoT market, vulnerabilities with the electric grid, and mobile malware.
Could someone die or be injured from a hack?
Unfortunately, YES. Someone could absolutely be killed from a hack, and it is possible someone already has been. What is unique about hacking as a weapon, though, is that a killing blow can be thrown from thousands of miles away. If someone hasn’t already been assassinated via a targeted hack, it is only a matter of time.
Car hacking has been demonstrated. Shutting down power to a hospital can threaten lives. Network-connected healthcare devices can be misused. IoT is a new frontier with new risks – the things we’re putting on the internet range from convenience devices for comfort and lighting to life-sustaining devices like pacemakers and other medical implants.
What is the real-world, material threat of a cybersecurity hack?
Exactly the same as the results of Stuxnet. A purely digital attack, carried on a USB stick, caused an industrial controller that had control of a real-world spinning centrifuge to misbehave. A purely digital disruption caused cracking and failure of real equipment processing real uranium. These are well-engineered attacks. In developed and developing countries, we have nuclear power facilities, fuel processing plants, oil refineries, chemical plants handling toxic substances, dry cleaning facilities, even old-world manufacturing plants dealing with paints and carpets, and the noxious chemicals that go with them. Any and all of these include digital devices that can cause real-world damage if connected to a network that is not resilient.
Major systems from the internet (upon which much of commerce, defense, and communications are reliant) to the power grid, the water supply, and food distribution can all be disrupted by cyber attacks. This could affect our ports, major industries like tech, manufacturing, and agriculture, and make military installations vulnerable.
Could hackers take down the power grid or tamper with water supplies?
Absolutely. You don’t have to blow up a substation to knock out a power grid anymore. It can be done with keystrokes from halfway around the world. The best defense is segmentation – separating networks from each other. Unfortunately, all the momentum these days is in the opposite direction – connecting networks and adding more things to the internet, whether they are ready for a scary, hostile environment or not. We need to plan for resilience – breaks are inevitable. When we build a chemical refinery or toxic waste pipeline, we don’t just build it sensibly up front and hope for the best – we plan for failure, we design in emergency procedures and recovery plans. Much of the internet has not yet gotten around to thinking about resilience this way and can therefore fail dramatically if pushed hard.
Utilities need to add a second layer of identity assurance for access to any command and control software. This simple and inexpensive effort would ensure the availability and safety of our most precious resources.
In what ways does hacking undermine institutional trust? Not just in the government, but in corporations, service providers, and the economy?
Hacks, and the fear of hacks, increase the tendency for worried people to pull money out of the bank and put it under their mattresses instead, since those mattresses are not yet connected to the internet. We share personal information with many institutions, information that we trust they will keep confidential and secure. When their network and that trust are successfully breached, the foundations of civil society and economic behavior can crumble. Trust, whether in a brand or in government, takes a long time to build but can fall apart quickly after a data breach.
CEOs and executives across all enterprises are being targeted in the exact same manner as our political leaders. If they are not proactive with cyber security, they will find themselves at the center of the next cyber-attack story. Instead of building customer relationships and brand goodwill, compromised enterprises will face huge barriers to regaining trust and rebuilding their brand.
What emerging cybersecurity trends are we monitoring?
Ransomware will be largely countered by better backups, but if attackers find the cost/benefit equation favorable, they will make fancier attacks which lie dormant long enough to infect backups too. IoT has barely gotten started – as we add millions, or even billions, of weakly defended, simple devices to the internet, we are likely to see even more record-breaking DDoS waves. If we put really tempting IoT devices onto the internet, we can expect cross-pollination of these attacks – ransomware applied to IoT, where critical sensors will be locked down unless you pay Bitcoins to some hard-to-trace account. If it’s your artificial lung, would you pay? So we are in for more of the same, unfortunately. Coordinating attacks from multiple devices will be easier and more common. The recent DDoS attacks are good examples of that. Nothing is being destroyed or stolen, but simply impacting business processes and speed is a threat to economic activity.
As we become accustomed to and even numb to the cyber-breach-of-the-day story, there always seems to be something scarier to top the last story. Botnets that leverage millions of hacked devices are capable of taking not just a single company or utility offline, but potentially whole countries at a time. Imagine if all our cell phones, instant messengers, email, and other forms of communication were impacted for even a short period of time.