Email interview held on 30th September 2017 – as follows between Alan Radley (questioner) and Chuck Brooks (relator):
- What are your thoughts on the current state of cybersecurity, both for organizations and for consumers?
The current state is a scary one. Constant breaches have demonstrated that as consumers we are becoming more and more dependent upon digital commerce. Our banking accounts, credit cards, and financial daily activities are interconnected. We are all increasingly vulnerable to hackers, phishers, and malware proliferating across all commercial verticals.
In the past year, the employment of ransomware has become a method of cyber-attack choice by hackers. This is because many networks (especially hospitals, utilities, universities, and small businesses) are comprised of different systems, devices and often lack required patching and updating necessary to thwart attacks. The recent WannaCry and Petya attacks were certainly wake-up calls to the disruptive implications of ransomware. We can expect to see more such attacks because of the ease of infection and because the vulnerabilities to networks still remain.
Ransomware is not a new threat, it has been around for at least 15 years, but it has become a trending one. Experts estimate that there are now 124 separate families of ransomware and hackers have become very adept at hiding malicious code. Success for hackers does not always depend on using the newest and most sophisticated malware. It is relatively easy for a hacker to do. In most cases, they rely on the most opportune target of vulnerability, especially with the ease of online attacks.
More ominous are the Distributed Denial of Service attacks (DDoS). Tech Target provides a succinct definition: A distributed denial-of-service (DDoS) attack is an attack in which multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource. The flood of incoming messages, connection requests or malformed packets to the target system forces it to slow down or even crash and shut down, thereby denying service to legitimate users or systems. The connectivity of the Internet of Things (IoT) and its billions of connected devices is conducive for DDoS activities. In 2016 DDoS attacks were launched against a Domain Name System (DNS) called Dyn. The attack directed a variety of IoT connected devices to overload and take out internet platforms and services.
Consider the dire and eye-opening facts: Hackers attack every 39 seconds and around one billion accounts and records were compromised worldwide last year. There are estimates that global cybercrime damage costs will reach $6 trillion annually by 2021. Cybercrime is growing exponentially and so are the risks to governments, business, organizations, and especially consumers. Cybersecurity capabilities in hardware, software, training and protocols must keep pace to protect and preempt the increasingly sophisticated threats in both the public and private sectors.
- What – in your estimation – are the reasons behind the many computer security breaches/failures that we see today?
Unfortunately, the internet was not built with security in mind. We are more vulnerable and there are more breaches because of our growing dependencies on technology and connectivity. There is a security component to almost anything technology related. The connectivity of technologies, especially to the internet, makes everyone and everything a target of cyber intrusion. A good example is the Internet of Things (IoT). IoT refers to the emerging connectivity of embedded devices to the Internet. It is estimated that there will be between 25 and 65 billion connected Internet devices by 2020 (depending on who you cite). The commercial and governmental IoT “landscape of sensors” is becoming more exponential and complex by the moment. Cybersecurity for the connected IP enabled smart devices, from phishing, malware, ransomware, and denial of service attacks is becoming more of a priority with each passing day.
Also, government and companies are late to the game in both technology and personnel investments for protecting against cybersecurity threats. Until very recently, security was a second thought at the C-Suite. There still are not enough cyber experts at the executive management level or enough trained cybersecurity technicians to keep up with growing threats.
- Where do you go to find your “science” of cybersecurity?
My passion for the science of cybersecurity issues was first established over a decade ago during the time I spent at the Department of Homeland Security’s Science & Technology Directorate. DHS is still a “go to” source and they publish some great information. Anyone interested in cybersecurity issues can also choose from many events, webinars, and conferences held almost weekly on technical cybersecurity subject matter. On the civic side, I recommend a variety of organizations, including CompTIA, the Homeland Defense and Security Information Analysis Center (HDIAC), the Cyber Security Forum Initiative (CSFI), National Academy of Sciences, CompTIA, SANS, IEEE, ISC2, and AFCEA as great resources for expertise and programming.
Additionally, do not overlook social media. I operate a half dozen groups on LinkedIn that focus on homeland security and information security issues. These include “US Department of Homeland Security, DHS”, “Information Technology (Homeland & National Security)”, and “Homeland Security.” Among the members of these groups are a host of well-known cybersecurity professionals who often post and comment on issues of the day. Also, as any news on data breaches or cyber incidents occurs, it is often posted in the LinkedIn groups.
- Do you recommend a particular cybersecurity blog that our readers could follow?
I recommend following the blogs of my fellow “CyberAvengers” (https://thecyberavengers.com/): Paul Ferrillo, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma, Christophe Veltsos. They are a group of SMEs who address a combination of technical, legal, and policy issues related to information security. They all have blogs and are widely published. Plus I recommend the following books:
Companies big and small are waking up and realizing at the very top levels that cybersecurity is no longer an issue that can be relegated to the IT department, or left to quarterly board meetings. Cyber risks represent major threats to your organization and as such require a high level of engagement by top leadership and board directors. There are very few other categories of risks that can, overnight, freeze your business dead in its tracks, decimate your financial resources, ruin your corporate reputation or even take it completely offline. In this book, we take a no-nonsense approach to the problem of understanding, managing, mitigating cybersecurity risk, and improving cybersecurity corporate governance. Our approach is to provide concise, mission critical, and actionable information for directors, officers, general counsel, and C-Suite executives. Given recent advanced, stealthy cyber threats, our primer on artificial intelligence, machine learning and cognitive computing cyber defense solutions provides unparalleled knowledge on how these solutions work, and why you need them for your company today.
“‘Take Back Control of your Cybersecurity Now’ is an engaging overview of the cyber security challenges facing companies and directors today. From regulation, to cloud security and incident response, Ferrillo and Veltsos cover significant ground—with a relevant look ahead toward how AI and machine learning can help solve some of these challenges. Any director or c-suite executive would benefit from understanding the concepts as presented here.” – Charles (Chuck) Brooks, Vice President of Government Relations & Marketing for Sutherland Government Solutions, Chairman of the CompTIA New and Emerging Technologies Committee
Cybersecurity for Executives: A Practical Guide by Gregory J. Touhill and C. Joseph Touhill
Practical guide that can be used by executives to make well-informed decisions on cybersecurity issues to better protect their business
- Emphasizes, in a direct and uncomplicated way, how executives can identify, understand, assess, and mitigate risks associated with cybersecurity issues
- Covers ‘What to Do When You Get Hacked?’ including Business Continuity and Disaster Recovery planning, Public Relations, Legal and Regulatory issues, and Notifications and Disclosures
- Provides steps for integrating cybersecurity into Strategy; Policy and Guidelines; Change Management and Personnel Management
- Identifies cybersecurity best practices that executives can and should use both in the office and at home to protect their vital information
“I wrote about the first federal Chief Information Security Officer (CISO) in my blog in the Federal Times. Retired Air Force Gen. Gregory Touhill brought technical expertise, leadership, accessibility and inclusion to the US cybersecurity mission. He is widely viewed as a consummate cybersecurity professional. His book, Cybersecurity for Executives: A Practical Guide, is essential reading. Gen. Touhill has been an outspoken advocate of the implementation of private-public partnerships to mitigate cybersecurity threats. This includes promoting information sharing and building standards and best practices as a cybersecurity community. Gen. Touhill’s book reflects his vision and insights that guided his public service in cybersecurity.” – Chuck Brooks
Making Passwords Secure – Fixing the Weakest Link in Cybersecurity by Dovell Bonnett
ENTERPRISE CYBERSECURITY’s most ignored risk is User Authentication. When end users are allowed to generate, know, remember, type and manage their own passwords, IT has inadvertently surrendered the job title Network Security Manager to employees – the weakest link in the cybersecurity chain. Passwords are not the problem. The management of passwords is the real security nightmare. Dovell Bonnett reveals the truth about the elephant in the room that no one wants to mention: Expensive backend security is worthless when the virtual front door has a lousy lock! Dovell proves that making passwords secure is not only possible, passwords can actually become an effective, cost efficient and user friendly feature of robust cybersecurity. After examining how encryption keys are secured, this book introduces a new strategy called Password Authentication Infrastructure (PAI) that rivals digital certificates. Passwords are not going away. What needs to be fixed is how passwords are managed.
“I most highly recommend reading the timely and informative book by Dovell Bonnett, ‘Making Passwords Secure: Fixing the Weakest Link in Cybersecurity’. As companies and individuals are increasingly being subjected to breaches and ransomware attacks, the need for cybersecurity awareness and safeguards has become paramount. Thankfully, Dovell, who has been creating computer security solutions for over 20 years, offers a one-stop guide book on how to mitigate cyber threats by explaining the basis and tactics of authentication security. The book is written in a concise style that provides useful information for both laymen and serious techies. It is a book that should be on everyone’s reading list!” – Chuck Brooks, Vice President, Sutherland Government Solutions
Hacked Again by Scott Schober
Cyberwarfare has become a very real part of our business, our government, our technology and our culture. We’ve seen terms like hacking, cyber-security and DDoS explode into our popular vernacular and for good reason. Real cyber-attacks have increased exponentially in the past 12 months and the growing fear of them has gone off the charts. Still, many of us do not incorporate simple, best practices when it comes to things like creating passwords and engaging with social media.
Hacked Again details the ins and outs of a cybersecurity expert and CEO of a top wireless security tech firm, Scott Schober, as he struggles to understand the motives and mayhem behind his being hacked. By day, he runs a successful security company and reports on the latest cyber breaches in the hopes of offering solace and security tips to millions of viewers. But Scott begins to realize his worst fears are only a hack away as he falls prey to an invisible enemy.
“Hacked Again is a well written book that I recommend without hesitation — especially as a primer for business owners or even government business pros who want to understand what really happens before, during and after data breaches or security incidents that occur regarding your own accounts.” – Dan Lohrmann, Government Technology
- What keeps you up at night in the context of the cyber environment that the world finds itself in?
Because there is an open nation of soft targets, both physical and cyber-attacks are always a worry. However, it is the catastrophic scenarios that really worry me. We live in a world of algorithms. Our nation’s critical infrastructure including the electric grid, transportation networks, healthcare, and financial networks are all vulnerable to distributed denial of service attacks and ransomware by hackers and even governments. Several cyber security researchers said they have found technical evidence that could link North Korea with the global WannaCry “ransomware” cyber attack that infected more than 300,000 computers in 150 countries this year; rogue cyberterrorism is a real consideration.
Also, the recent Equifax breach is a big warning for all of us. The statistics and accelerated pace of identity theft present a somber picture. It is a rising threat and difficult to prosecute as the bad actors are often hidden in other countries. Frank Abagnale, one of the world’s most respected authorities on the subjects of forgery, embezzlement, cybercrime, and secure documents, succinctly states the troubling environment: “The police can’t protect consumers. People need to be more aware and educated about identity theft. You need to be a little bit wiser, a little bit smarter and there’s nothing wrong with being skeptical. We live in a time when if you make it easy for someone to steal from you, someone will.” There are many malicious actors out in the digital landscape and it will be increasingly important to stay ever vigilant.
Also available on Science of Cybersecurity