Friday, oh sweet Friday it's great to see you again my friend. I hope all of you are doing well with Polar Vortex 2014.2! Don't get me wrong I love Star Wars, and winter (for the most part), but I do not enjoy living on the set of Hoth this long.
This week an interesting article from SC Magazine highlighted the results of a discussion of industry leaders at a conference in Lille, France. Long and short, a good amount of these experts have deemed the current state of cybersecurity as a "failure and a challenge." Many others maintained that it was not a failure but will always be reactive to the failures of a few organizations, and will need to constantly evolve. The challenge? The onslaught of devices that hit the market on what seems like a daily basis. Your fridge can now send spam, not just keep it cold, and your phone can access the most sensitive aspects of your network. While you may think that these aren't equal threats, who wants to be the first one to say someone in their org was socially engineered by their toaster?
What aids this line of thinking is a recent report highlighted on DarkReading from the security firm CrowdStrike. It focuses on organized groups with potential (if not direct) state sponsorship who's tactics are constantly evolving. While most of these attackers employ some type of social engineering on their intended target they have also taken additional avenues to get them to their end result; the capture of sensitive data. They now employ the use of social media to focus on specific interests of targeted individuals, infecting their most visited sites and attacking third-parties to find an open backdoor. They highlight a specific use case from a group out of Asia focusing on attacking the embassies of foreign countries rather than trying to infiltrate sites with in the borders of the targeted nation.
The current million dollar question: How do we stop this, or at the very least hinder the ability of attackers to access sensitive data?
Education needs to be the answer. Not necessarily in the same sense that I've talked about here in the past, though that certainly helps, but making it the long term solution by beginning the cycle with our children. As noted by a report on the GCN CyberEye blog there is a growing deficit of students needed to ensure the nation's cybersecurity. This isn't simply training for college grads, this is building the cyber foundation with the youth of the nation. First graders are beginning to learn Spanish to better prepare them for a bi-lingual society. I'm 32. If C++ was just beginning to be taught in my High School in '96 to help students as there was a dearth of talent in the IT industry, why can't we do the same with a focus on cybersecurity? If you want to leave a safer world for future generations then focus on training them to focus on their own personal cybersecurity and you will see cybersecurity on the whole improve. While this is a long play, and will take years for the results to take affect we need to begin shifting the paradigm sooner than later.
My Tuesday morning commute through Boston.