We now appreciate the revelation that went public in February 2015 that international hackers circumvented what was supposed to be robust systems and defences, and managed to get away with an estimated $1 billion from a spectrum of around 100 banks located in 30 countries in what has been described as systemic cybercrime. With orchestration, the situation could impact the global economy in a very big way. However, one may conclude that here we are seeing the big picture of a big data reporting aspect, which has thus far been ignored. For instance, in the past 10 years there has been at least one UK-based building society which no longer exists after losing around £50m to what was called a 'ghost transaction.' In another case, a UK bank with international connections lost another £50m to an unknown source. And when it comes to losing client data, there are multiples of organisations who have lost unencrypted information assets relating to client accounts, which have never been made public or reported, providing rich pickings for the cyber criminals to further leverage and exploit to their end gain. Agreed, we have been seeing some signs of activity in the form of the initiative run by the Bank of England in the form of Waking Shark, but given in the past, this is an organisation that has not fully appreciated, or embraced the need to deliver robust security—the question is, is this late-in-the-day initiative fit for purpose and effective? But then we must also acknowledge that, if such initiatives as Waking Shark are so high in value, just why, and how can the international spread of successful cyber incursions be so very, very effective and rife at achieving their end objective? Looking back over the past decade, of course, we may notice the transition from what was the early days of technical security, morphing over a period of years into the strident spread of over-compensated compliance and governance starting to represent the ‘tick-box’ approach toward delivering the corporate security mission. We may have also observed the level of security skill being diluted with progress to align to the higher level security playing fields of PCI-DSS, and the centrality on the importance of ISO/IEC 27001 providing an all-encompassing solution to rid the evils of insecurity. However, within this transitional period, it may be that whilst commercial organisations may have taken their eye of the bouncing ball, it has been the criminal community and hackers who saw, and seized, an opportunity to make hay whilst their sun was shining high in the sky. All of the above said, my thoughts and opinions were all brought down to a bottom line only last week when I was asked the question by a big name defence agency: 'What is the difference between IT security professionals, and cyber security professionals?' To which I answered, ‘Whilst the first group tended to be soft policy focused, the latter retained higher levels of technological skills’ – an assessment which was agreed with. My meeting partner then went on to say, though they as an organisation could find more than enough people with soft focused skills, it was those with the chameleon aptitude of technical security skills who were proving to be a golden nugget find. Of course, we must also question the levels of security which exists inter banking institutions and as to the security effectiveness of their operational, staff and robustness of any compliance/governance practices that have been in play, pre, at time of, and post any systems compromise. In fact, just to add perspective to this, I recall working for one financial services organisation who, when faced with terminating a cable on their internal network, decided to leave it in place as they were unsure as to where it was actually connected to! In this year of 2015, it may be time to look back and ponder on the high gain success rates that cyber-criminality are enjoying, and it may be time to seek to put in place less compliance, governance and 'tick-box' security, and recognise that we must do more than message the public perception of security with FUD. It is no longer a case of scaremongering of spreading rumours of the threat posed by cyber criminals, but it is more a case of spreading the facts. By 2020, at the very outside, if the current success rates of cyber-attacks and incursions have been allowed to escalate year-on-year, there will be a very dark cloud hanging over a global interconnected community, which will carry real impact on the economies of the world. Add to this all the other facts we know about cyber incursions against the power industry, insurance companies, oil and gas, government agencies and so on, and I feel, and hope you will agree that the writing is on the wall that we must do better. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interesting in contributing to The State of Security, contact us here.
The Executive’s Guide to the Top 20 Critical Security Controls Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required]. Title image courtesy of ShutterStock