A brief and fascinating background
Information technology security threats have been around decades before the birth of the Internet and the Personal Computer. In 1903, inventor and magician Nevil Maskelyne, who was the manager of the Atlantic Telegraph Company, hacked rival Guglielmo Marconi’s demonstration of wireless telegraphy and broadcasted inappropriate messages with the intent to discredit Marconi’s claims of “secure and private communication.”
Fast-forward a few decades, we have the Enigma machine, whose first successful breaking occurred in 1932, accomplished by the Polish while it was undergoing trials with the German army. After the enigma was broken for the first time, it’s cipher was altered once every few months. During World War II however, it changed at least once per day. Alan Turing, Welchman and Keen built the Bombe which ended up deciphering Enigma-encrypted messages.
In 1943, Rene Carmille, considered an early “ethical hacker”, and head of the Demographics Department in Vichy (France), and later France’s National Statistics Service, sabotaged the Nazi census of France, saving untold number of Jewish people from death camps. He also hacked his department’s machines to block their ability to record religion into any census cards, which made it hard for Nazis to locate Jewish people.
One of the most fascinating people in computer security is legend John McAfee, founder of McAfee Associates, who developed the first commercially available antivirus. In an article he stated that being the developer of the first commercially available antivirus made him the most popular hacking target at the time. Years after he left the company, he moved to Belize, where he got into problems with authorities who thought he might be involved in the illegal drug trade. He therefore deployed key-logging software on computers he donated to the Belize government and police to find evidence of that the government had illegally instigated the raid of his home.
Online security and privacy has been a concern for many, and its risks and consequences are increasing with the rise of the IoT (the merging of computers and “objects/things”). We have seen this making headlines all over the world. This is a growing concern, especially since the days of paper-based record keeping are hanging by a thread, and the Cloud is becoming the preferred storage medium for reliability, scalability and performance purposes.
Going back again
The internet came into existence with the idea of globally interconnected computers having the ability to access data and programs from any site. Little was known (or anticipated) regarding its implicit security threats at the time.
In the early 2000’s, the Web 2.0 surfaced. This was not an update to the then-existing Internet, but more of a way web pages were designed and viewed. The Web 2.0 focused on user-generated content and interoperability (not only on computers, but on other devices such as mobile phones). This brought along the opportunity for anyone with access to the Internet to post almost anything, making it available to the entire global network. This also introduced an increased attack-surface for malicious users.
During the Web 2.0 era, some of the most common security threats are injections, poor session management allowing for efficient XSS and CSRF, and security mis-configuration. These weaknesses expose vulnerabilities such as identity theft, credit card/banking fraud, personal data theft, and many more.
One of the most common concerns and paranoia regarding online threats is the notion of privacy. We would like to know that the data we store on our computers or in the cloud is completely secured, whether they are business documents, health records, banking information, or simply pictures of our summer family vacation.
Unfortunately, there is no guarantee of these documents staying private. According to Symantec, over half a billion personal information records where stolen or lost in 2015, the majority coming from the health care industry – these are just statistics on reported cases, and do not include unreported or unnoticed cases. Symantec called these results the tip of the iceberg.
IBM, in their 2016 Cost of Data Breach Study, which constitutes years of data collection from almost 400 organizations in 12 countries, report that 48% of data breaches are caused by malicious or criminal attacks, 27% by system glitches, and 25% by human error. This goes to show that not all data breaches are caused by attackers, but also by regular people running into system bugs or the accidental exploitation thereof. Using proper encryption techniques alone can greatly decrease the usefulness of these accidental breaches, which cover roughly half of all data breaches.
PwC, one of the Big Four auditors, in their Information Security Breaches Survey of 2015 which surveyed 664 businesses, stated that 90% of large organizations and 74% of small businesses experienced security breaches in 2015, which was up from 81% and 60% from 2014. 69% of large organizations and 38% of small businesses were attacked by unauthorized outsiders in 2015, which was up from 55% and 33% from 2014.
The Internet of Things
With the emergence of the Internet of Things (IoT), the attack surface is increased, which increases the importance of online protection and precautions. Over the last few years, we have seen great progress in inter-connectivity between computers and “things”. Cars communicating with each other, home appliances connected to mobile devices to send notifications and other messages, and many more innovative technologies. This introduces new privacy and security concerns, some of which are increased personal data collection for businesses through potential monitoring of people’s daily routines to adjust service offerings; external control of home appliances, cars, your front door lock, and many more.
Some of these technologies are still under development or testing, however many of them are available publicly already. Let’s take interconnected cars as an example. In 2015, Twitter’s Charlie Miller and IOActive’s Chris Valasek demonstrated their ability to take control of a Jeep from their laptop via the Internet, cutting its brakes and transmission while in transit resulting in the car hitting the ditch. This was a planned demonstration and proper precautions were taken.
This, among others, raises serious concerns not just over our digital security, but also our physical.
According to Gartner, Inc., there will be nearly 21 billion devices connected on the Internet of Things by 2020. Other research corporations such as ABI Research estimate this number to be closer to 30 billion. This provides major personal and business opportunities, however, the increase in demand for security experts will be ever-growing.
What are your thoughts on these studies or today’s security threats?