What will the ‘mega security breach’ of the future look like?
Posted by Kathryn Cave on January 16 2017
Security is an area that just keeps gaining prominence. The breaches keep hitting the headlines. And it is pretty clear that a horrific attack – that most people simply can’t imagine yet – is on the horizon. So while it is not always helpful to focus on the negative stuff, it can be hard not to with security, and looking at the worst-case scenario might at least help us confront what we could be up against.
At a December roundtable in London, Jason Hart, CTO of Gemalto, highlighted the rise of integrity-based attacks. These see attackers manipulating company data for their own benefit rather than simply stealing it. He believes that this will hit business reputations very hard and that over the next 12 to 18 months [since December] at least one UK firm will fold because of it.
Andrew Nash, Founder and CEO of identity management startup firm Confyrm, who has a long pedigree with organisations like RSA, Google and PayPal, also attended the event. He focused more on identity theft but agreed that today criminals are more likely to play the long game than they did in the past.
He talked about blowout credit card fraud – where thieves sit on a bunch of stolen cards for months and months then use them all in one pre-planned hit – and stressed we’re going to see more of that mentality in data theft. “If I was a [nefarious] nation state I would produce a cheap wi-fi chip,” he said, embed it in a wide range of ordinary devices, leave it for years and switch it on to scan things occasionally.
Overall though, it is difficult to pin security down because there are a few different types of criminals out there with entirely different motivations. There are those who are simply motivated by the desire to steal things they can sell easily. There are those who are in for a longer, more lucrative haul – maybe an identity theft or integrity attack. There are those who are involved because of some kind of political motivation – which could frankly lead to any kind of mayhem. And of course, there are those there for the LOLs.
This means a criminal could be buying kits on the dark web, conducting smash and grab attacks, and just flogging the data straight on. They could be buying up passwords and other personal information as it becomes available with the aim of making a larger amount of cash. Or they could be plotting something truly enormous to achieve maximum devastation.
So, what does this mean for the future of security breaches? Well, when I threw out a few simple questions in an open forum, the 23 senior security professionals who came back to me covered a lot of the same ground.
Not surprisingly, the majority agreed that as so much critical infrastructure has a digital component, cyber threats are now as potentially serious as their physical counterparts.
Greg Day, VP and Chief Security Officer, Palo Alto Networks describes how “more and more traditional national infrastructure is being replaced by its digital twin”. 2016 saw the potentially harmful social impact of this when hospitals had to cancel surgeries because digital health records were held to ransom.
“As the interconnection of data and systems grows into a global mesh, leveraged by an ever-diverse ecosystem of technological devices, it seems we are generating a bigger cyber risk profile,” he says. “However, we should recognise that this is not more risk, but actually a transference of physical information risk into cyber, and in most instances a blurring between the two.”
Yet as Lisa Baergen, Director at NuData Security, puts it: “The paradox is that investments are being made in physical infrastructure and cyber security separately, [while] the connection between the two is being overlooked.”
In fact, countless breaches have shown critical infrastructure and organisations alike are not prepared. Eric O’Neill, Security Strategist at Carbon Black, believes “a mega security breach will look like a ‘lights out’ scenario, where a carefully orchestrated attack compromises a critical mass of infrastructure components to such a degree that power grids are overloaded or shut down for a significant period.”
But this is just one scenario. The mega breach of the future could take on a variety of different shapes and guises. Douglas Crawford, Cyber Security Expert at BestVPN.com imagines what it might be like if a criminal got hold of a lot of banking passwords. “The economic chaos caused could, in addition to bankrupting potentially millions of individuals, destroy banks and banking systems, create global economic depression, and even bring down governments,” he says.
The interesting thing about this situation is it could arise from a variety of different motivations. Yet Chad Schamberger, Director of Engineering at VirtualArmour, believes that the mega breach of the future “will be driven to affect a decision, a political election, a financial outcome, or the intent to cause mass chaos across a population. Not necessarily to gather sellable assets but intended to expose the attack surface that has developed by introducing more and more poorly developed connected devices (IoT).”
James Wickes, CEO and Co-Founder of Cloudview agrees: “A mega security breach in my opinion is one that either affects national security or competitiveness.”
Bharat Mistry, Cyber Security Consultant at Trend Micro, believes that integrity will play its part. “I think breach data won’t necessarily be around mass data extraction as monetisation of stolen data has almost become a commodity. It’s more likely to evolve towards mass undetected modification of data, especially in environments where the data is being used to make strategic or economic decisions.”
Other people we spoke to warned that criminals are beginning to use data to improve their own operations. Chris Carlson, Vice President of Product Management at Qualys says “the mega security breach of the future is likely to reflect criminals’ advances in using analytics to combine and crunch stolen data to identify new opportunities for themselves.
“When bad actors combine stolen data from multiple smaller breaches then analyse it, the real risk is that they will identify trends in the data that allow them to innovate and succeed with more specific and targeted attacks on more vulnerable systems. Doing this at scale represents a huge risk to the economy – when a small percentage of people or businesses are hit by attacks, the system can cope. If that percentage grows significantly, the network effect would have serious repercussions,” he says.
Norman Shaw, CEO at ExactTrak, adds: “There is a lot of discussion about big data. This tends to centre around general commercial activities. Why do we not assume that criminals are using the same big data tools to bring together all the data from cyberattacks and maximise the opportunity?”
In some ways, this feels like the teething pains of watching our whole way of life go digital. It isn’t just the business transformation we hear so much about in the enterprise space. It is a full and complete social transformation.
Amit Sethi, Senior Principal Consultant at Cigital believes: “In the future, we will likely see huge data breaches involving personal information that will make everything we’ve seen so far pale in comparison. Unlike with breaches involving passwords where password changes can help you recover, once personal data is stolen, you cannot recover from it.”
In the end, though, the level of destruction wreaked does come down to the motivation of the criminal. And Baergen of NuData Security describes cyberwarfare as the “elephant in the room” that nobody wants to talk about.