Before you switch off because you consider security uninteresting, just remember that, if you think about it, George Lucas has made $5.3 billion out of a data breach story.
General Tagge: "If the Rebels have obtained a complete technical readout of this station it is possible, however unlikely, that they might find a weakness, and exploit it."
Before we start, let us say we aren't self-appointed gurus; we are most likely just like you, a user or business person. During this research, we realised that we both knew very little before and that the threat is much bigger than we had previously understood.
In this series of articles, we will cover a number of topics around security:
- What is really going on?
- Why is this happening?
- Who are they?
- What are the different types of threats?
- What can you do about it?
Switching sci-fi metaphor to another film, The Matrix, suppose you were given a choice to make:
- The green pill would allow you to remain comfortably ill-informed, or
- The red pill would allow you to escape into the real world, but living the "truth of reality" is harsher and more difficult, what would you choose?
If you had chosen the green pill, you would be forgiven for believing that security was the job of the security specialists. Many organisations follow the Hope Strategy, which HK Bain defines as: “We lock our filing room, have a password policy on employee computers, and use a firewall on our network. We hope that’s enough to keep out the bad guys. Besides…why would anyone want to come after us?”
As you chose the red pill and are continuing to read, the harsh reality that you will wake up to is the fact that security is a myth, and you pretty much need to assume you are being attacked right now.
It’s easy to dismiss the topic as scaremongering; in this series of articles I will aim to prove that it’s a serious threat that isn’t being taken as seriously as it should be.
If the US Army is vulnerable, it's difficult to argue that any organisation is going to do better.
Lieutenant General Paul Nakasone of the US Army Cyber Command said: “My first thought was, ‘Wow, it only took them 10 minutes to identify a vulnerability. How long would it have taken for us to discover?’”
The reality is that there are plenty of vulnerabilities out there and the only reason why you haven't experienced a breach is pretty much luck.
77% of all bug bounty programs have their first vulnerability reported in the first 24 hours. (HackerOne)
Are you hoping that private medical data is safe?
“We’re attacked about every 7 seconds, 24 hours a day,” said John Halamka, CIO of the Boston hospital Beth Israel Deaconess.
If you require further proof and are a visual person, you can actually get real-time visibility into global cyber attacks from Norsecorp, which resembles another film from the 1980s, WarGames.
“Even if you have the best security in place, there’s still a chance that you may be breached,” said Peter Toren, an attorney specializing in computer crimes at Washington D.C. law firm Weisbrod Matteis & Copley. Toren was also a federal prosecutor for eight years, in the Justice Department's computer crimes division.
4,000 ransomware attacks happen daily; that’s 1,460,000 attacks a year. (Department of Justice)
Here is a chilling real example from a Fortune 100 company CIO following a cybersecurity assessment.
“It took the attackers only six minutes to circumvent the perimeter defences. From there, they achieved domain administrator privileges in less than 12 hours. In less than a week they fully compromised all 30 of our global domains. They harvested more than 200,000 credentials, giving them the ability to log in to the network masquerading as any of us—they could even change our investment elections in our 401(k)s or transfer money out. There was no place on our global network they could not go and only a handful of computers they did not have easy access to—only 10 percent of our manufacturing facilities are behind firewalls, segregating them from our network. The attackers were in a position to electronically transfer millions of dollars out of our bank accounts through our accounts payable system. Their tools did not set off any alarms—our antivirus software did not trigger any alerts. They had direct access to our manufacturing environment and could affect both the quality of our production processes and safety on our shop floors. They had access to our most sensitive intellectual property, including our past, current and future plans for major acquisitions and divestitures as well as the results of the billions of dollars we have invested in a decade of research and development. And, in the end, they were able to steal all the data. We were not able to stop them, or even see them in our network!”
Why don't we hear more about this? Many companies are experiencing breaches but may not necessarily be publicising the fact, or, more chillingly, may not even be aware it's happening.
According to PwC, 90% of large UK organisations reported suffering a security breach in 2015. (2015 Information Security Breaches Survey, PwC UK)
The reality is that most security breaches go unreported.
More than 89% of security incidents went unreported in 2007, according to a survey of about 300 attendees at that year's RSA Conference.
In the past, we would all have been forgiven for believing we were much more secure than we really are, and that security and our data were taken very seriously.
There is a belief that you "do security" and then you "are done", yet it’s a constant battle, with everyone in your organisation needing to be involved.
The situation is so serious that the cyber insurance market is growing exponentially.
Lloyd’s of London has warned that a serious cyber-attack could cost the global economy more than $120bn (£92bn) – as much as catastrophic natural disasters such as Hurricanes Katrina and Sandy.
We will cover GDPR and its impact later on in the series. In the next article in the series, we will cover "Why is this happening?"