Cybersecurity
The world is reeling from the latest cyber security attack. Apparently it used a “weapons grade” tool created by the NSA that somehow turned up on a hacker’s web site. Aside from the alleged origins of the weapon used to lock up large numbers of computers, there is the massive issue that all computers are potentially vulnerable to such attacks. The standard shout has been to “install the latest security patches” – insinuating that those caught by this attack only had themselves to blame. If we look at the alleged timeline:
1. NSA created a “Cyber Weapon” based on an exploit of a security flaw in Windows XP, 7 and 8.1.
2. Someone stole the weapon.
3. The weapon was placed on a hacker web site.
4. NSA spotted the weapon on the web site and realised it had been stolen.
5. NSA informed Microsoft of the exploit.
6. Microsoft develop a patch for all
The generic advice being bandied about – to “install the latest security patches” – only worked because Microsoft had already developed the patch. Before that point the risk was already there, and there was little defence.
It is conceivable that the next attack like this will happen before a security patch is available. Our backup, business continuity and contingency plans will be tested to the maximum.
As countries become more reliant on their computers, we need to question the way that we design our security.
At the moment, most operating systems have little in the way of natural defence. There is a secondary market in protection software that tries to prevent malicious software (often called anti-virus, but these days these products defend against many types of threat, not just the now venerable computer virus).
As consumers, we need to demand better protection from these threats. As citizens, we need to demand that our politicians set standards for software, networks and services, and provide better policing of cybercrime.
Many attacks – including this one – are perpetrated through phishing: emails sent with the aim of tricking the recipient into clicking a link to the attacker’s web site. The first phishing scams were aimed at individuals; the email would imitate their bank and ask them to renew their security details.
Some of these attacks are now targeted at specific individuals, tailoring the email so that it raises fewer suspicions. Phishing emails are also used to infiltrate protected company networks, where other kinds of attack are becoming harder.
On the face of it, phishing emails prey on the weakest link in the security system – the human operator.
However, for our convenience, the trend in email client software has been towards hiding all the technical details of an email to improve the presentation. So an email that looks like it is from your bank, with apparently legitimate links to the bank’s web site, is only the presentable mask over the underlying link to a web wormhole.
The security fraternity is often keen to blame the user, but email clients do not warn us when the email is not all that it might seem: it has been sent from the wrong email address (and certainly not one in your address book), the message header shows that the email originated from a country you rarely correspond with, or the pictures and links are from an unrecognised domain.
If you choose to go ahead after all these warnings (after all, you won’t care, as you have won the Dutch lottery without even buying a ticket), then perhaps you have yourself to blame. But if you clicked when the email looked OK, you could not see the domain of the link without hovering over it for 4.7 seconds…
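As an added illustration (not code from this article), here is a Python sketch of the warnings an email client could derive before the user clicks: a sender outside the address book, link text that names one domain while the underlying href points at another, and links or images served from domains the user has never dealt with. The sample message, the domain names and the two-label domain rule are all constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not from the article): the visible link text names the
# bank, but the href and the logo image point at an unrelated host.
RAW_EMAIL = b"""From: Example Bank <alerts@examplebank.example>
To: customer@example.org
Subject: Please renew your security details
Content-Type: text/html; charset=utf-8

<p>Please visit <a href="http://examplebank.example.attacker.example/renew">
www.examplebank.example</a> to renew your security details.</p>
<img src="http://cdn.attacker.example/logo.png">
"""

# Simple patterns for the demo; a real client would use its own HTML parser.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)
IMG_RE = re.compile(r'<img\s[^>]*src="([^"]+)"', re.I)

def site_of(text):
    # Registrable domain of a URL or bare hostname, taken as its last two
    # labels. Assumption: multi-label public suffixes (co.uk) are not handled.
    host = urlparse(text if "://" in text else "//" + text).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def phishing_warnings(raw, address_book):
    # Returns the warnings a mail client could show before the user clicks:
    # unknown sender, link text that hides a different destination, and
    # links or images loaded from domains the user has never corresponded with.
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    known = {site_of(addr.split("@")[-1]) for addr in address_book}
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    links = [(href, " ".join(re.sub(r"<[^>]+>", "", t).split()))
             for href, t in LINK_RE.findall(html)]
    warnings = []
    if sender not in address_book:
        warnings.append(f"sender {sender} is not in your address book")
    for href, text in links:
        if "." in text and site_of(text) != site_of(href):
            warnings.append(f"link text '{text}' actually points to {site_of(href)}")
    for site in {site_of(u) for u in [h for h, _ in links] + IMG_RE.findall(html)}:
        if site not in known:
            warnings.append(f"content loaded from unrecognised domain {site}")
    return warnings
```

Calling `phishing_warnings(RAW_EMAIL, {"alerts@examplebank.example"})` on the sample flags the disguised link and the unrecognised domain even though the sender itself is known.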
So vendors of email software can do something to help prevent this, but what can governments do? I do not believe legislation or compulsory checking or testing is the answer. My preference would be for a voluntary testing scheme with strict standards and a set of certifications software can earn. These standards would be audited – both the processes that the manufacturer follows and the resulting software. Of course, no software standard can completely eliminate the threat, but it can help to define the threat and raise awareness in the marketplace. The production of the standards and the auditing should be kept at arm’s length from governments. After all, this cyber weapon was originally created by the security services of a national government. The standards would need to be continuously updated as new threats and attacks are uncovered. The PCI DSS (Payment Card Industry Data Security Standard) would be a good model for these standards. Some of these checks can be automated; some would need human checking. It would be the combination of these various approaches that would decrease the vulnerability of software users.
Conclusion
There are actions both governments and software vendors can take to reduce the cyber threat, but we, the consumers, need to take an active role in lobbying for such changes. It is not sufficient for vendors to blame the customer, saying their security was not strong enough.