I think the threat landscape will also continue to expand as IoT technologies advance, again leveraging that user interaction aspect. If I had to pinpoint a subset of IoT that is really going to continue to feel this, I would say healthcare. My former experience working in the healthcare sector showed me just how unprepared the industry is to implement security at all. There is double the chance of reward here. The development of those technologies is not robust from a security perspective, and the benefits of attacking those assets are literally vital. People's lives are affected by this, so the incentive for victims to cooperate is high. I am just waiting for the day when someone's bionic Wi-Fi connected arm goes rogue on them and then demands a ransom.

Continuing with that social theme, I think that the biggest and most subtle development of the threat landscape will be (or, heck, already is) that of information warfare. From a political perspective, the anarchy of social media is really one of the biggest threats that is being experienced on a global scale. The injection of false or biased information combined with the mechanisms of information-fed algorithms creates an environment where the beliefs, opinions and actions of people can be radically changed and amplified if they are given a communal space to express them. We have seen, for example, Pepe bots through Twitter memes in an image format to avoid detection. Security is just as much social as it is technical, and the expansiveness of technology no longer requires technical expertise to be a part of a security threat. The average person, even if disconnected from a particular system, still has easy access to the much larger connected infrastructure of the Internet. As we all know, the biggest risk is the unaware and uneducated end-user. That all being said, there is also still much room for current attack vectors to grow. Information systems are becoming more secure, but very slowly.
In my work, I still see gaps in systems that seem silly to us security professionals. Things like misconfigured components, missing access controls, lack of data validation and sanitization and so on. I picture the landscape like a loaf of bread sitting on a steady base but steadily rising and amplifying in all directions. There is lots of room for the development of new kinds of exploits, but there is also just as much room for the commoditization of threats that already exist.

KC: Do you think carefully targeted attacks, even APTs that go after one target at a time, are more destructive overall than bot-driven promiscuous attacks? A virus or worm developed a certain way may do less damage to each computer, but the number of computers that can be attacked could be huge. I do notice though that a lot of people in our industry are a lot more concerned about SamSam ransomware, which is really specifically targeted, than most other strains of ransomware, which usually aren't.

AS: That's a tough question, and I think it is really hard to generalize. This is partially because the concept of "destruction" means different things in different contexts and the temporal factor makes it hard to quantify. Bot-driven attacks have the potential to be absolutely detrimental to everything from personal assets to critical infrastructure, and the effects tend to be more instantaneous. Thinking back to WannaCry, we experienced the destruction of assets in several countries, affecting all different types of users. The shutdown of NHS hospitals for several days is the obvious hugely destructive outcome from that infection, but the infecting of average end users' devices can conceptually be just as drastic. If we were to theorize that a large portion of some nation-state's personal assets were encrypted, we could imagine that there will be economic damage as users are locked out of their sources of production.
Likewise, we all know how notorious other infrastructures – like the power grid – are for being vulnerable. The ability for bot-fueled ransomware to transcend all layers and types of infrastructure in such an instant fashion probably seems more drastic at a first glance. Yet the damage that a one-time APT can do can theoretically be just as large. The nature of APTs is that they are persistent. This implies that they are operating over a long time and probably undetected for some stretch of that time. From a strategic perspective, the infiltration and subsequent surveillance of intelligence assets could be just as detrimental. The damage associated with having that sort of reconnaissance may not produce immediate consequences. In fact, the consequences may never be discovered by the victim. If that information is pivotal for the success of some other dangerous operation, then the injury is just as much, albeit spread over time.

KC: Do you think there are special challenges for women and queer people in our industry?

AS: Ah, everyone's favorite topic. The short answer is absolutely yes, and I think the answer is a lot more nuanced than the way our industry and society handle this issue. The cultural aspect of the industry – or, really, any industry – is an important one that is overlooked. The sheer fact that the representation of these groups is so low is a comment on itself. With an estimated workforce gap of literally millions, we are an industry that's starved for talent, and there are people in these groups looking for non-menial work. So why can't we reach them? There are factors that are either not making their access to the industry clear or are actively pushing them away. The subculture that our industry has acquired contributes to this issue. Even in North America, where these groups are not legally barred from accessing the education required to enter the industry, there are still cultural aspects that can make the industry unappealing.
The roots of information security reach into that of hacker culture, and those are tied intimately with other concepts such as gaming and trolling. The reality is that these communities can tend to be very elitist and misogynistic. Furthermore, academia in general, stemming from a culture where higher education was historically only normalized for men, also carries the same sort of notion. One of the biggest misnomers is that people participate in prejudiced structures by blatantly insulting others when in fact they often express their views more subtly in the ways that they interact with and make assumptions about one another. While I've been mostly lucky to work with individuals who are not like this, I still have had some experiences where my success was assumed "because you are a woman" rather than the work that I contributed. Most of the women and queer people I have talked to have mentioned having similar experiences at some point. In a setting where there are few to no others in the same underrepresented group, this can become a huge deterrent for wanting to be in the industry. And so, the way that companies attempt to remediate this discrepancy becomes commoditized as a business plan. In my experience, women and queer people wholeheartedly agree that competition for work should be based on talent. Yet we now have programs and quotas that insist on a certain amount of representation in the workforce, so hiring becomes a game of meeting this quota. Underrepresented individuals must be hired not for their talent but because they will make that business culture "diverse enough." This issue is further amplified by how much this commoditization aggravates people's views on it. Discussions about the topic often degrade into complaints about the degradation of true, unbiased competition from both sides. And really, it is a valid concern because both want to be respected for their work.
The remediation here is really to target the root, to target the educational institutions that provide people for the industry. If women and queer individuals were encouraged to try infosec and STEM in general from a young age, then the talent pool would inherently have this representation. Hiring would no longer become an issue of "how many" minorities a business unit has because those minorities would inherently be there already. When the talent pool is diversified, the presence of women and queer people becomes a normality rather than an exception. The social culture of the industry will also change. If underrepresentation becomes a non-issue, then the commoditization of "diverse" talent also no longer exists, and the talent will tend towards being based purely on skill again. That being said, I would like to acknowledge that it is, in no way, an easy solution to implement. At least in my experience, it seems that there is very little dissemination of what information security even is before a post-secondary level. And post-secondary has its own plethora of issues when it comes to providing up-to-date curriculums with knowledgeable and experienced teachers that will actually provide actionable industry skills. Tackling this issue will require a massive upheaval in the way education is handled in general. It's this train of thought that really inspires my passion for thinking of new ways to present information security education training. Going through the existing educational institutions is challenging because of the barriers that are imposed on having control over program materials, control over hiring and so on. While we need to find ways to work around those issues, we also have the power to create our own education. The presence of community education events such as CTFs, conferences and workshops is of utmost importance.
And with the issue of underrepresentation in mind, it is important to encourage that these events accommodate access to them, whether it's simply by making an effort to reach out to those groups or explicitly hosting events for integrating those groups into the industry.

KC: Excellent! Do you have any advice for people who aspire to have a career in cybersecurity?

AS: Don't be afraid to jump into the unknown, don't be afraid to fail and especially don't be afraid to bring your own unique talents to the table. The industry is young, and its emergence has coincided with the exponential growth of technology. There are so many areas of study in cybersecurity that do not have a definitive, fleshed-out methodology and that require creative, critical thought to develop them. There is so much room for creating new ways to solve old problems. One of my biggest anxieties when I started studying cybersecurity was that I was always trying to get it "right", and for some time, this kept me from experimenting with my own projects because I didn't want to do them if I knew they were going to "fail." But it is that failure that provides experience and knowledge, and I really believe that every skill that is learned somehow pops up in some project later. I've experienced this especially when analyzing the intersection of infosec and other bodies of study. There are huge gaps to solve in the industry, and all different sorts of talents are required to formulate solutions that coherently integrate with other issues in technology in general. It's impossible to be an expert in everything, but it is certainly viable to create new expertise!

KC: Excellent! Do you have anything else to add before we go?

AS: I think we've actually hit a great breadth of topics. Not much else to say on my end. Thanks so much, Kim, for taking the time to chat!
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.