Interviews

Why not as safe as tap-water?

by Mark Rowe

Cyber security people are articulate and intelligent and have a good sense of humour. It means that they know and can express what needs to be done against cyber criminals and to make networks secure; but that’s not the same as being able to make IT as safe as tap-water or electricity, writes Mark Rowe.

The closing session of the Black Hat Europe conference in London was also broadcast online. It served as a review of some of the talks over the previous couple of days. It also was the occasion for some frank admissions; such as, that (cyber) crime really does pay. There are such things as ‘ransomware negotiator’ as a Linkedin endorsement. As an industry, it was said, cyber should be making it much harder for criminal groups that do ransomware. Meanwhile Europol was releasing its most recent IOCTA (internet organized crime threat assessment) that admitted that cybercrime is entrenched in society.

Cyber security has some things in common with physical security, and indeed with any other work. While many of the 2021 Black Hat sessions were about technical matters – threats to apps, crypto-mining, mobile wallets, encryption, hacked databases of Microsoft Azure customers – intriguing was the talk on the social-behavioural psychology of Security Operations Centres (SOCs). They’re forever ‘fighting fires’, responding to cyber intrusions; and yet if they are busy doing incident response, are they ever going to communicate with non-cyber colleagues, and if not, how are they ever going to get budget?!

But the closing discussion was also about the complexity of systems. If general IT people are struggling to work out the make-up of a system and who is connected to what, how are they to find the places where the network is broken?! It’s long been known that, as the discussion put it politely, ICS (industrial control systems) are ‘not the most secure’. The very reason that businesses appear to accept that is because research is lacking into, for example, the IT that is running ships – and that, if hacked, could mean that the captain loses his (computerised) maps and weather forecasts and comms.

Major businesses have vulnerabilities in their software and other products; but when cyber people – even those doing cyber as a hobby rather than a job – point out bugs, those firms may refuse to take responsibility; until, eventually, there’s a fix. Maybe after the ‘bug bounty hunter’ goes around other companies pointing out the vulnerability and picking up bounties.

These cyber weaknesses have been known about and indeed raised at past Black Hat events; at the November 2019 event in London, pre-covid, attenders heard from the shipping company Maersk about the malware that floored their operations globally for days; as featured in the February 2020 print edition of Professional Security magazine.

And yet if an IT user clicks on a link in an email, and lets malware into a system that cripples a supply chain, is the one clicking to blame? As was said at the closing discussion, when you turn on a tap, you expect water to come out. Why is it not the same for email? That profound and yet highly practical point was not followed up. That networked railway signals (for example) are not as secure as the physical levers – that IT is not as secure as OT (operational technology) was – appears to be for the duration, part of the very nature of computer networks.


© 2024 Professional Security Magazine. All rights reserved.
