By David J. Blumberg
The Internet has transformed the world in a manner few technologies have. It has expanded the reach and dramatically reduced the cost of instant communications, while giving people a voice and enabling them to be more creative, make better decisions, and be more productive. While information technology including the Internet has revolutionized our economy and society, human nature is rather static. Recent hacks of major multinational companies, government email and personnel records, and coordinated state attacks on entire infrastructure systems such as the US electrical power grid, oil industry, and hospital systems, among others, show that evil inclinations still abound. In addition to the good that the Internet has brought, it has also sparked new waves of vandalism, crime and cyber warfare. For those of us involved professionally with cyber security, we know the underbelly of the Internet to be a treacherous and ever-shifting domain where menacing actors motivated by the most basic human vices threaten us all. It is critical for enterprises and governmental organizations to anticipate threats so they can protect their networks and shareholders from those who’ve surrendered to the Seven Deadly Internet Security Sins.
This is often considered the source of all the other sins. Pride certainly motivated the first hackers, the relatively naïve and benign computer nerds who wrote viruses and hacked into sites believed to be impenetrable, simply to demonstrate that they could break in. There are no doubt hackers still motivated by pride, but as the Internet attracts new breeds of criminals motivated by other sins, pride is very much becoming a sin of those who believe their systems are already secure and/or that they can outwit and thwart attackers. But security is a classic arms race, and the only way to stay ahead of bad actors is to always assume your organization is behind. Pride has no place in cyber security; those who succumb to it do so at great peril.
Greed motivates almost all online criminal activity. From online payment fraud to stolen credit cards to identity theft and personal healthcare information scams, fraudsters are coming after customer data, whether network security systems are ready or not. One key defense is Know Your Customer (KYC) management. Internet Identity Bureaus or verification services, which confirm individual identities through knowledge-based authentication questions or by matching their profiles to public and private databases, are critical for any company that needs to instantly know customer or potential customer identity in order to minimize the risk of fraud and adhere to regulatory compliance regimes.
In the past few years, we’ve witnessed the emergence of a frightening new frontier in cyber security. What was once the domain of nuisance hackers and then later greedy criminals has increasingly become a target for highly sophisticated actors tied to terrorist groups or affiliated with enemy governments. These actors have an appetite – and a mandate – for destruction and they have already demonstrated that they could cripple an oil refinery, bring down a military drone, or even crash the banking system. And as more of our vehicles, homes, workplaces and infrastructure systems become increasingly connected to the Internet of Things, we open ourselves up to new vulnerabilities. To protect our organizations and society, we must adopt cyber-defense solutions to protect connected systems and specifically mission-critical systems. One method of protection is protocol enforcement, which prevents inappropriate messages or code from compromising communications between a controller and a remote device, such as a missile, drone or industrial power generator. Another powerful set of defense technologies centers around user behavior analytics (UBA) from existing log data. By establishing baseline usage profiles, UBA systems can automatically ascertain anomalous patterns of behavior to catch ongoing insider threats such as Edward Snowden, the NSA contractor who had legitimate credentials but used them for inappropriate and illegal purposes.
Too many organizations assume their current security tools are sufficient to keep them safe. Unfortunately, the truth is many of the currently deployed anti-virus/anti-malware systems are like castle fortress walls made of Swiss cheese – nearly useless. In stark contrast, the only sure rule in cyber-security is that the bad guys are growing increasingly aggressive, sophisticated, costly and dangerous. With an estimated 300,000 new malware vectors created every day, those who remain indifferent or complacent will quickly succumb to the worst the Internet has to offer. Coming to the rescue are a handful of startups that are applying the artificial intelligence domain of Deep Learning to develop self-learning algorithms that can detect and stop “first seen” threats from these new vectors. This will save enterprises and organizations time and money, and reduce the risk from previously unidentified “zero-day” threats.
There’s a lot of it about on the Internet. By some accounts, there are more than 7 million pornography websites worldwide and, according to analytics firm Alexa, Xvideos.com receives more traffic than Apple.com, craigslist.org or CNN.com.
Advertisers want nothing to do with these sites, but unscrupulous actors might not care quite so much. Industry experts report that more than 30% of display advertising was not shown where it was intended to be placed. Some insiders say 15% of online ads appear on pornography or gambling websites that harm the brand’s reputation and that up to 40% of video traffic is driven by bots. Tens of billions of dollars out of the $135 billion in global Internet advertising revenue in 2014 were spent on ads placed on undesired websites. With sophisticated fraudsters and suspect websites gaming the system, advertisers need to protect their reputation and reduce the cost of customer acquisition by ensuring their ads don’t appear on inappropriate websites or webpages.
The first order of business for any Chief Information Security Officer (CISO) is to keep outsiders out. Advances in password protection and biometric identification have enhanced security, but these systems are not foolproof. Good defense also requires internal real-time and ex-post monitoring systems to ensure that even credentialed insiders do not abuse their privileges. A growing tactic is pattern recognition: the average guest at a dinner party won’t get noticed, but the person who puts 17 drumsticks on his plate will raise a few eyebrows. Savvy but untrustworthy insiders wouldn’t dare be so obvious, making them among the hardest threats to counter. But since every person is different, their behavioral patterns are unique and discernable. A new breed of security companies is tapping behavior analytics to detect when someone has commandeered an employee account, or worse, when an employee has gone rogue. This is the last line of defense and no company should be without it.
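The per-user baselining described above, and earlier under user behavior analytics, can be sketched as follows. This is an added example, not code from the author or any product mentioned; the log format, field names, four-day baseline window and 3.5 threshold are assumptions, and the scoring is the standard median/MAD modified z-score.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample: daily per-user document-read counts from an access log.
SAMPLE_LOG = """\
2015-06-01 user=alice docs_read=9
2015-06-02 user=alice docs_read=12
2015-06-03 user=alice docs_read=10
2015-06-04 user=alice docs_read=11
2015-06-05 user=alice docs_read=170
2015-06-01 user=bob docs_read=190
2015-06-02 user=bob docs_read=215
2015-06-03 user=bob docs_read=205
2015-06-04 user=bob docs_read=198
2015-06-05 user=bob docs_read=210
"""
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) user=(\w+) docs_read=(\d+)$")

def parse(log_text):
    """Return {user: [(date, count), ...]} sorted by date; skip malformed lines."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            per_user[m.group(2)].append((m.group(1), int(m.group(3))))
    return {u: sorted(rows) for u, rows in per_user.items()}

def modified_z(value, history):
    """Robust deviation of value from a user's own history (median/MAD)."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # Floor the spread so a perfectly flat history does not divide by zero.
    return 0.6745 * (value - med) / max(mad, 1.0)

def find_anomalies(log_text, baseline_days=4, threshold=3.5):
    """Score each day after the baseline window against that user's baseline."""
    alerts = []
    for user, rows in parse(log_text).items():
        history = [count for _, count in rows[:baseline_days]]
        if len(history) < baseline_days:
            continue  # not enough data to establish a baseline
        for date, count in rows[baseline_days:]:
            score = modified_z(count, history)
            if score > threshold:
                alerts.append((user, date, count, round(score, 1)))
    return alerts

print(find_anomalies(SAMPLE_LOG))
```

Because each user is scored against their own history, bob's 210 reads pass unnoticed while alice's 170 are flagged, which a single global threshold would get backwards.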
This blog was originally published on LinkedIn.
David J. Blumberg is the founder and managing partner of Blumberg Capital. Follow him on Twitter at @davidblumberg.