![The past is so yesterday – a millennial's view of Cybersecurity](http://www.itwire.com/media/k2/items/cache/1192aeecf9fcc6ab0106487d4acc61a8_S.jpg)
The world’s first MS-DOS computer virus, “Brain”, created in 1986 (30 years ago), was so primitive compared with the malware of today that it is hard to learn much from the past. That’s fine – millennials only live for the future.
Cyberwarfare and cybercrime – technologies, capabilities, and resources – were born this century. Advanced persistent threats, sponsored nation-state organizations, and highly motivated criminal organizations are new, and they are today’s issues.
So now what? What are the millennials, a.k.a. tech-savvy digital natives born between 1980 and 2000, doing about security, given their need for instant gratification – let's fix it now?
I asked Corey Wilburn*, an outspoken millennial and security practice manager with DataEndure, to pen me a few comments.
He writes:
The casual observer may say security seems like “a no-win situation,” where things just slide down a slippery slope. But there are some good things coming from fighting that unsavoury activity. Each day more people (and companies) become security-centric.
While high-profile breaches are unfortunate (and usually preventable), all they really do is provide a chance to see what failed, and usually to patch an existing hole. Fortunately, as the tools, tactics, and procedures of criminal organizations and sponsored nation-state groups evolve, so too does our ability to protect, detect, respond, and recover from these attacks.
Organizations must be willing to admit that the way we do things today may not be the way we do things tomorrow. Take it from a millennial - the best way forward is to be well educated and collaborative, so that as a community, we can objectively determine if what we are doing is effective.
With that in mind, there are some good practices that we know work well today and are expected to continue to be good practices for some time.
Real knowledge is to know the extent of one’s ignorance - Confucius
Educating yourself is the first step to mitigating the threat of cyber-crime. Attackers target the weakest link - people. Social engineering and phishing campaigns are still primary attack vectors because they work.
Use good judgment when opening email messages from people that you don’t know. If you receive a message that looks like it is from a service you belong to (banking, social network, or financial), be mindful.
If you receive messages requesting you to open an attached document or visit a website and view new documents, or update your settings, or install a viewer – do not use embedded links in the email – open a browser and go to that site directly. It is easy to spoof a sender’s name as “Joe’s Bank” but if you check the actual address (hover your mouse over it) it may be email123@whowouldhavethoughttolookhere.com.
As a consumer, you must install and use security tools such as Anti-Virus, malware, and firewalls on all your devices. Paid versions will always provide the best coverage, but free versions of better-known software are a start. Some ISPs also offer free protection.
As a corporate user, promote awareness tools, such as regular security awareness training sessions, reminders and tips via e-mail, and education posters in areas with heavy foot traffic – to get your end users thinking about security. Consider outsourcing resiliency testing to “name and shame” employees that click before they think.
It’s cold outside; wear more layers…
One security solution will not fit all. The larger your company and internet profile the more you need a layered approach to identify and manage risk. But the user is still the greatest risk.
50% of users who receive a spear phishing e-mail will click on a link in the first hour – stolen identities within an organization and at home remain the top priority target for attackers.
The right identity in the wrong hands is always a worst-case scenario – the keys to the door. Identity management is a relatively new tool to mitigate misuse of login credentials. Methods for how users authenticate, identify, and access sensitive information systems have evolved. Adoption of multi-factor authentication (MFA) should be mandatory for all risky access.
There are many MFA methods - one-time-passwords (OTP), hard or soft tokens, or combinations of OTPs and other pattern-based recognition systems. MFA becomes the norm - a standardized approach to protecting individual identities.
Consumers need to check online banking platforms to see if they have MFA for login and transactions. Even if you do fall victim, cybercriminals won’t be able to do anything if your bank requires additional authentication to authorize a transfer.
Think about the online platforms that you use the most e.g. social media, online shopping, banking, and finance, that contain your most sensitive information and enable MFA – it is a great detection tool alerting when someone might be masquerading as you.
Be that for others for those who can’t….
Other darker elements of cyber crime do more harm than simple financial losses (most of which are insured).
Cyber terrorism, human trafficking, the exchange of child pornography and abuse images, are still very persistent forms of cybercrime. Through the misuse of legitimate anonymizing platforms and nearly untraceable digital “bitcoin” currency, there is a huge market for dark activity.
We all have a duty to be aware of what to do if we come across evidence that someone we know is participating in these acts.
You might be that “tech bro” that the neighbour asks to help with their computer; the Genius behind the Bar; the geek working on a squad; the helpdesk technician who was asked to work on someone’s laptop because it started “acting funny” – fact is that you might be the one person that can do for others what they can’t do for themselves. As common sense tends to indicate, if those files seem suspicious, then they probably are, so don’t ignore them - report them.
As far as security practice at a company level, we have a duty to ensure that our information systems are not being manipulated or used to store, transmit, or otherwise participate in the distribution of these types of images and content. There are numerous tools available that can significantly reduce the chance of this happening. Appropriate ingress/egress proxies, SSL decryption, and deep-packet inspection technologies, data assessments to gain insight into what sort of files are within your environment, where they exist, who created them, how long they have been there. These are just a few and are the tip of the iceberg. It’s up to you to find the right combination of tools, technologies, processes and procedures to help reduce the impact of this unfortunate reality we live in.
That was heavy - I know, sorry about it - but I hope you understand the importance of calling it out.
It takes a village….
As we move forward into the future, we will continue to face new challenges, and hopefully overcome them, with grace [and a lot of hard work and smarts].
I touched on an important concept earlier - as far as where we have come from, where we are at now, and where we are going - we are still very much so in the infancy of it all. Less than thirty years ago, our lives and the world we lived in were very different.
I am limited by the boundaries of my imagination, as I cannot truly fathom where we will be in another thirty years. I do believe that as technology progresses, how we secure and protect the tasks we do in our day-to-day lives is going to continue to become more “mainstream,” as it will become an essential component of survival.
Just like how we learned to ride a bike and drive a car, cook for ourselves, become social creatures, and seek an education, we will continue to learn how to navigate the pitfalls of using the gift of technology safely and securely. Through community efforts, information sharing, and social networks, we will help each other live safer lives in the digital village of the future.
*Corey Wilburn is the security practice manager at DataEndure where he specializes in the design of strategic solutions, aimed at delivering high-value operational intelligence, leveraging best-in-class products as well as services built around current and emerging standards. He has a passion for infosec policies, processes and procedures. He loves working with clients to help them realize the potential for their security strategy, maximizing ROI while reducing their attack surface, and helping them become more resilient in the face of an ever-evolving threat landscape.