The Cyber Puzzle How common sense can solve the problem
Dr John McCarthy Ph.D., B.Sc. (Hons), MBCS, Social Engineering Expert
CEO Oxford Systems
Key words: Cyber, Cyber Security, Cyber Hygiene, Cyber Security Culture, SCADA, IOT, Digital Security
Summary
In this article, I will attempt to highlight the problems we face today when we try to understand the issues around cyber security. I propose that the traditional viewpoints we have taken when dealing with security are not always helpful in the cyber security arena. I then look beyond the technology and examine the issues from a human perspective and offer a range of simple solutions that could do much to mitigate many of the cyber threats we face today. Finally, I argue that we cannot tackle this problem alone and we need a new level of interaction between organizations to mitigate the threats of today and tomorrow.
The Wild West
It is often said that the Internet is a new frontier ready to be discovered and explored. Parallels are often drawn between Cyber Space and the Wild West. In some ways this is true. The Wild West and Cyber Space are both lawless domains where criminals can and do act with impunity. Many marginalised groups sought the freedom of the Wild West and emigrated to the USA where they could act and practice what they wished. Those same groups today can use the Internet as a platform for their views which may not be welcome anywhere else.
Both the Internet and the Wild West are arenas that lack, or lacked, censorship. For some this pioneering spirit is what is attractive; for others it is a cause for concern. One fundamental difference is that the Wild West was a physical location. You travelled to it or avoided it as you wished. The Internet has no physical location and, although we may try to avoid it, in developed economies it is ubiquitous. It touches every part of our lives; even if we don’t “use it”, everyone around us does and there is no escaping it.
This difference cannot be overstated. In the past we could sit in our civilised homes and talk about the dangers and depravities of the Wild West knowing full well that unless we visited we were safe. This cannot be said of the Internet. The dangers of the Internet are all around us, our children and our businesses. We like to think the Internet is “safe”. It can be very safe and completely lawless at the same time. We need to understand this dichotomy, something governments struggle to grasp.
In the Wild West we ultimately solved the problem by binding physical location and security. We brought in policing and had a clear understanding of what was being secured or protected. We cannot apply this solution to the Internet as it does not have a location. We can do some things, for example we can keep our own house in order, but this is very limited. We have created a world where everything is connected to everything else; the Internet of Things and Smart Cities are new buzzwords which are becoming realities. One weak interconnected link is everyone’s weak link. Many of us simply do not have the mindset to grasp that cyber security reaches beyond international boundaries or laws. It is natural that we react according to our location. Sadly, this is of little help in the cyber realm.
Protecting our Organizations
If we are a victim of cybercrime the chances of the criminals being caught are very small. They are probably located in another country and our legal systems have yet to address the issues raised by international boundaries and cybercrime. The Internet does not respect nation states; for example, an email you send could easily travel the world to reach a destination that is very close to you. The Internet protocols we use are designed to do this.
As cyber security has entered mainstream thinking it has often been tainted by glamorous tales of ruthless and clever hackers who have exploited systems for millions of dollars. There is a general belief that all systems can be hacked and nothing is safe from hackers. In a world of absolutes, where we take into consideration every possibility, nothing is safe from being hacked. However, if we applied this type of thinking to other areas of our lives we would see that absolute thinking is not always helpful. Let’s take the example of the front door of the house where you live. Answer the following question: “Can that door be broken and your house entered?” The answer is an obvious yes. We put a door on our houses that we deem secure enough for the role it has to perform. We take a risk-based approach to our household security.
Such pragmatic logic is the foundation that many cyber security systems are built upon. Yet the general public thinks in absolute terms when dealing with cyber security. I get asked many questions; one of the most common is “Who should be responsible for cyber security in our organization?” A perfectly reasonable and sensible question.
The easy answer, “It is a board level issue”, will only get you so far. It is very true and, in my opinion, vital for successful cyber security management, appraisal and deployment. Organisations need to put cyber security on their risk registers and adopt a regulatory framework to manage cyber security.
Once the board buys into this idea, do we not then simply hand cyber security over to the IT department? Well, if that is all that is done then I foresee problems. The IT department has a major role to play, but what about the facilities manager? They are often responsible for multiple Industrial Control Systems that are vulnerable to cyber attack. Surely cyber security is now part of their remit?
In many organisations facilities management and the IT department are distinct and separate entities. Bridging these silos is one of the challenges to deploying effective cyber security. How this is overcome will vary from one organisation to another but will certainly need board level support.
It is known that over 80% of cyber attacks involve some form of human error or omission.
Ask yourself this question: “Does my IT department have the skills and capacity to educate the entire workforce on how to mitigate social engineering attacks?”
Manipulating the Human
We have all watched TV shows about confidence tricksters and how they extract money from vulnerable victims. If you speak to a con artist, and I have met a few, they always say that the victim got caught up in their own greed. This may be true for some con tricks but not the vast majority. Most of the time con artists exploit the fact that we are busy, distracted or tired, and at these times they ply their trade.
This makes anyone likely to fall for a social engineering stunt. All of us can recognise the tricks they use in the cold light of day, but how about late on a Friday afternoon when we are tired and stressed?
When you are in a hurry you tend not to concentrate as well and can be more vulnerable to tricks that you are not expecting. If you are reading this and have children, you know all about expert social engineers. In short, we can all be fooled or persuaded.
Everybody can be on their guard when they are told that somebody is about to dupe them. Unfortunately, social engineers generally don’t advertise the fact.
I feel the answer to this is a cyber security culture that promotes good cyber hygiene. Should we not then be putting basic cyber security training into our induction policies for new staff? So now cyber security widens its scope and falls under the remit of HR as well.
I feel that cyber security is similar to general Health and Safety. It is everyone's responsibility, though some areas, such as the IT department, have more complex duties and roles to play. For example, the accounts department needs specialist social engineering training and a high level of cyber hygiene to be truly vigilant. Indeed, every employee needs to be aware of cyber security and good cyber hygiene. Once we begin to do this we are taking steps to secure our organisations from cyber attack. If we embrace good cyber security practices, through training and secure systems, we have the opportunity to promote good cyber security as an asset to our organization. There is no doubt in my mind that cyber security starts at the top, but it is part of everyone's duty to ensure good security. Put simply, the buck stops with all of us.
In the digital age the social engineering problem has far more serious consequences. We can now be a doorway into IT systems that social engineers can use to deploy malware, steal information and destroy our data. Why would they do such a thing?
Well, social engineering is a “craft” that stands on its own and has been around for centuries; however, it is now being used as an attack vector to gain entry into our most secure systems. This has resulted in many other criminal types adopting social engineering techniques, as well as the regular con artist.
Criminals have been quick to recognise that IT systems, whilst secured with very expensive and sophisticated firewalls and intrusion detection systems, are very easy to access via the humans operating those systems. In fact, 80% of all cyber breaches have a social engineering element to them.
Creating a Cyber Security Culture and Cyber Hygiene
The answer is not in IT systems but in training staff to be aware of social engineers and the types of attack they undertake. Informative training, coupled with the development of good cyber hygiene practices and the creation of a cyber security culture, can do a huge amount to mitigate these types of threats. Good cyber hygiene and culture are important because they reinforce the training undertaken in mitigating social engineering techniques.
Simple cyber hygiene could avert many of the attacks and problems facing us today. Our understanding of how we operate in a cyber-environment is still very much in its infancy. In other areas of our lives we have good hygiene practices. We wash our hands when leaving a washroom and cover our mouths when we sneeze. We need to develop similar cyber hygiene practices inside and outside of our workplaces. My view is to start simply with good cyber hygiene practices. Get everyone in the business involved, start from the top and lead by example. We need simple messages on good cybersecurity practices that everyone at all levels of the organization can understand and adopt.
Once we have a good cybersecurity culture, all departments in the business will understand each other’s needs in relation to cyber security so much better. Many of the hurdles we now face in bringing parties together to solve cybersecurity problems will be easier to overcome. Creating a common goal with familiar language will go a long way to foster a healthy cyber security culture and thus address many of the cyber security problems we face today.
The Wider Problem
Cyber security touches all elements of business life, so it does not easily fall into a convenient silo. In recent years we have seen a new level of interconnectedness of devices and systems, and therefore, to fully understand this and how it impacts upon cyber security, we need to examine the problem from outside the traditional boundaries of departmental logic.
This is challenging for everyone: they are all keen to do what is required, but often nobody fully understands what role they need to play. The question remains, how then do we create a common purpose and outcome for all the players? The IT and technical players will want to apply technical solutions to the cyber security problem, and in many ways they are right to do so. The managers may be examining a risk-averse solution and strategy, whilst government wants assurances that all is being done to protect the critical national infrastructure.
So then what is the answer? I have to remind myself of this simple fact: all businesses interact. The ecosystem of business IT systems is intertwined on many levels. Therefore, to focus on a large business alone is like putting a steel door on the front of your house whilst leaving a window open at the back. Any cyber security solution needs to encompass every business, large and small, to have any real chance of success. This is a challenging task and requires a step change in working practices, where businesses with different owners will have to work together. I do not think this will come easily or naturally. I think we need to develop a common goal and language that is global in its reach and understanding. Everyone everywhere should be singing from the same hymn sheet. We need to create a cybersecurity culture where cyber hygiene and good practice are second nature to everyone.
One final thought: if we think we are not potential victims of social engineering, that our views and thoughts cannot be manipulated, then answer this question: when did you last buy, or want to buy, something on the brand name alone?
Biography
Dr John McCarthy is an authority on CyberSecurity strategy, development and implementation. John is also a leading expert on social engineering awareness training and best practice. He holds a PhD in CyberSecurity and e-Business Development and is an internationally recognized author of a number of academic papers discussing all aspects of CyberSecurity in the modern world.
John is frequently invited to sit on expert panels and to appear as an expert speaker at well-known CyberSecurity events. Furthermore, John’s impressive list of posts includes seats on a number of prominent US committees that offer advice and policy guidance to the US government on cybersecurity matters. He is also a panel member of the American Transport Research Board researching Cyber Security best practice for airports throughout North America.
Dr Marshall Potts (Retired & Working), 7y:
Like what you say John..
Hope and Vision, 7y:
Good article John, I like that.
Consultant at TPL Consultants, 7y:
Excellent article, John. Thank you.
Account Director at DICOFRA Security Consulting, 7y:
Very interesting article, congrats!