There is no magic bullet, and yes, management is a problem

June 9, 2015

NYS Cybersecurity Conference

The 18th annual New York State Cyber Security Conference and 10th Annual Symposium on Information Assurance was held at the Empire State Plaza on June 2-3, 2015 and was attended by a contingent from the NCSP to assess the intersection of policy, homeland security, and cybersecurity.

There is one significant takeaway from the conference that was reiterated by almost every single panel and presenter: "There is no magic bullet." This isn't a Hollywood-inspired theory about the JFK assassination, but rather a rebuttal of the common notion that cybersecurity problems have single, all-encompassing solutions. It's not that cyber-breaches, hacks, and ransomware don't have solutions; it's that there are numerous ways to approach solving these common problems, and the solutions are certainly not static. The one-size-fits-all (or most) approach to cybersecurity isn't effective in a constantly evolving threat landscape.

"We spend all this time and money on fixing security issues only to find that they don't work."

- Dr. Sanjay Goel

It's simple, but accurate: they don't work. When data breaches such as the Anthem health data hack expose the Protected Health Information (PHI) of approximately 80 million people, and the current cost of an attack is $150-200 per person, why isn't there a solution to a $16,000,000,000 problem? The hacking isn't the only problem; it's a combination of our reliance on data and IT infrastructure and human error. It's extraordinarily complicated to manage the storage and retrieval of information across multiple devices and platforms, but "management" is also part of the problem.

Let's say, for instance, that you are an IT professional and an employee calls you into their office and, with a look of total exasperation, tells you: "It just doesn't work. I can't get to my email, the calendar, or any websites." We've all been there: maybe it's unplugged, or needs to be restarted, or maybe an elite group of hackers has just compromised national security and is preparing to launch nuclear missiles. The system might not have actually been "hacked": most of the time the sensationalized hacking, DDoS attacks, and man-in-the-middle scenarios are unnecessary. The user willingly installs the problem software.

In one case, a "PC Performance Program" branding itself as improved power management and system resource allocation was installed with full administrative privileges and went about its business "improving" the PC by bringing in the MindSpark.A virus, the .PUP(optional)_ASK.A toolbar virus, and malware that goes by the name of .HijackControlPanel-style. These malware/viruses remove all protected browsers (Chrome, Firefox, Opera) and force the user to browse the web with a flawed version of Internet Explorer. Specific sites are blocked, such as common anti-malware and virus removal tools, and basic functions are slowed or blocked, like email and the system monitor. Removal isn't terribly difficult, but it requires the time of an IT professional and some pre-loaded removal tools like Malwarebytes, AdwCleaner, and HitmanPro.

The kicker here is that the machine in question has endpoint security that should have blocked this program from installing and quarantined these viruses, so why didn't it? The program wasn't ineffective; the user had full administrative ability to override it, and did. Basic cybersecurity awareness starts with all users and with some basic training for all employees on how to avoid common problems. Awareness-level training won't prevent clandestine hackers from forcing their way into your secured work laptop or phone to acquire PHI and steal your identity, but it will help to stop users from inviting in programs that allow someone to use your Netflix account or track your web-browsing habits.

Jane Holl Lute, the CEO of the Center for Internet Security and day one keynote speaker, reiterated that there are a few basic questions to consider when looking at cybersecurity and how systems fail or succeed in today's rapidly changing world:

  1. How do we architect trust in systems when the components are failure points?
  2. How do we ensure integrity and identity in an increasingly open internet?
  3. What is the role of Government in cybersecurity?
  4. Do we know who is connected to our network?

Lute stated that question four is often the most enlightening, because we think that we know who is connected to the network, but we don't always have the full picture. One of the panel presenters demonstrated exactly how this can work, and it doesn't require a whole army of hackers. Using a small, cheap wireless access hotspot and the public open Wi-Fi, they were able to set up a shadow network that routed all connected devices through a single point, allowing an individual with just a laptop and some free software to see all traffic from these devices, including passwords in plaintext.

The question evolves: do we know what network we are connected to?

Encryption isn't the solution either. Data can be encrypted, but methods for transmission and decryption aren't flawless. Especially for mobile, where users can have one of dozens of devices running varied versions of Android, iOS, or Windows, security solutions must be flexible and adaptable. Access control, mobile device management systems, remote device wipe, and encryption can produce an effective mobile security solution: as long as the end-user can't just delete the security profile.

It all comes back to the user. How do we build trust in systems when the components are failure points? The components might fail, which is out of the user's control, but we can build trust in the user through security awareness programs and basic cyber hygiene. Regular training and assessment in cyber awareness including phishing scams, botnets, and common malware/spyware can help to ensure that users are doing everything they can to be an asset to a positive cyber-environment, not a liability. It's also necessary for IT professionals to communicate effectively with management and users to convey the type and severity of threats as well as the existing security measures in place. This is a dual burden: just as in Emergency Management, you don't want to be meeting your IT staff for the first time during a major crisis.

As a critical component of both the National Preparedness Goal and the New York State Homeland Security Strategy, cybersecurity – like disasters and major events – starts and ends locally. With increased awareness, flexible security solutions, and public-private partnerships, we can begin to mitigate the effects of major cyber-attacks and data breaches and to prepare for the cyber-problems of tomorrow. As Dr. Sanjay Goel said, "Gone are the days when you can sit and work on a problem for 25 years...[as IT professionals] we must work on the problems of tomorrow, because it's already too late to solve the problems of today."