A weapon is anything that can be used against an opponent, adversary, or victim. In the digital economy, nearly everything can be weaponised.
One area where a weapon can assume nearly any form (and sometimes multiple forms) is in the area of software and digital data.
“A cyber weapon is a bug in the system” answered Eddie Doyle, global security strategist at Check Point Software Technologies when prodded to describe the nature of a bug.
The market for vulnerabilities
Monetizing a bug is easy. A “researcher” who discovers a bug may be paid for his discovery by the company that owns the software – as is often the case with bug bounty programmes.
Weaponization can come in the form of putting the vulnerability within an exploit kit and renting it out. “Another option is to sell the vulnerability to someone else who can do very nasty and horrible things with it, will go out and use that weapon or they will use it themselves,” said Doyle.
How much for a vulnerability?
Prices for exploits can start below US$10,000. Exploits specific to Android and the IOS platform can fetch as much as US$1.5 million.
“What these criminal organisations are doing is they are recruiting anyone around the world through those kinds of websites, and those again, are publicly available websites, and they have an actual price sheet of bugs for various different technologies,” said Doyle.
Biggest weakness in enterprise security
Many IT security strategies today are built with a patchwork of solutions from various vendors, to solve a specific problem or address a specific need. This creates an “any-any” rule at the bottom of their rule set, because they are so afraid that these blinking lights are false positives, and they are going to slow the business down to a crawl.
“What you end up with is a complex set of technology, manage by a massive team of people. This complex environment is potentially were vulnerability lies. They haven’t actually prevented a cybercrime because if they try and use these technologies in prevention mode they are going to stop their business,” he warned.
AI – the silver bullet
Many enterprises are pinning their hopes on artificial intelligence to solve many of the challenges plaguing the enterprise – from poorly structured operations, highly complex networks, the uncontrolled growth in shadow IT, and even containing cyber threats.
Gartner recommended that security teams to address these challenges and be aware of how AI will impact the security space.
But it’s not all the IT team’s fault. Doyle believed that the vendor community, in general, has done a muddy poor job of using AI as a sacred word. After all, AI is today nothing more than machine learning (ML).
“This is what we got today! It’s “if-then” commands. The reason a computer can be a grand master of chess is because the computer has thought if the grand master does this, then I will do that. It’s all “if-then” commands. That’s not actually self-awareness, it’s not AI. But we [vendors] use ML and AI synonymously. And I think it has degraded of the word “AI”,” lamented Doyle.
To be credit of the user community, however, is recognizing that AI is not really a thing. Computers analyse incidents at the speed and volume impossible for humans to handle. What the software does is identify exemptions and draw the attention of humans to these.
Shadow IT – insecurity lurking in the shadows
How do you secure something that you have no control over?
Doyle suggested that rather than blocking the use of shadow IT, the better strategy is to wrap a later of security around the person and around their assets, and allowing them to freely move and connect with assets that they need for their work.
“And then provide a mechanism by which we can stop intellectual property theft, stop you know, insider threat, stop malware from spreading within these assets. That’s a better model,” he opined.
How to improve security posture
According to Doyle human psychology says unless it is simple, people are going to ignore it. He cited the oft suggested approach to the use of passwords by security professionals – use complex alphanumeric with special characters that have no meaning to anyone or use phrases. Vendors have started to sell password lockers.
What if a bad guy breaks into that one password from the password locker, they get all access to all the passwords? Alpha-numeric passwords are more secure, but people aren’t using them because it just doesn’t work in the human brain.
“What you have to have is a simple design in your architecture. You have to be in prevention mode, and you have to reduce the amount of noise that’s coming your way, so that you can focus purely on the events, and let the technology do its work,” he concluded.
