Offense informs gefense: Minimizing the risk of a targeted attack
By Ian Lopez, From Legaltech News
This ALM cyberSecure session focused on the nature of hacking and what should be done about it.
As recent history has shown, no agency is immune to the ills posed by data breaches. In the “Offense Informs Defense: Minimizing the Risk of a Targeted Attack” session at this year’s cyberSecure event, cybersecurity experts Eduardo Cabrera and Pamela Passman shed insight into the motivations and actors behind these attacks, elaborating on what it is these entities want to steal as well as how they do it.
The session began with Passman – president and CEO of the Center for Responsible Enterprise and Trade (CREATe.org) – espousing the necessity for organizations to mitigate risk, taking the topic from the perspective of the board.
“Increasingly, [board members] are quite focused on the issues around cybersecurity and how the institution they lead should be managing the risk,” Passman said. “There’s more and more commentary, more and more discussion, that this is a key role for the board of directors to start the [discussion] at the top of the company for how the company manages this risk.”
Passman said that if a company’s leading officials were to begin the discussion and planning around cybersecurity prevention, the message could eventually “cascade down to the organization.”
“Two years ago, the issue of cyber wasn’t on many boards’ agendas,” Passman said. “Now we’re seeing more and more that it’s full board level, that they’ll want to be engaged in this. It’s a conversation that happens not once a year, but [now] it happens quarterly.”
Passman added that it’s the responsibility of a company’s board to address cybersecurity from an all-encompassing risk management perspective as opposed to a singular topic. Boards should also not only be aware of the legal implications revolving around cybersecurity and risk management but have access to experts that understand “the threat landscape” as well as forensic experts.
In breaking down her suggested approach, Passman listed the steps as identifying the risks to be avoided, know the risks that can be mitigated, and have plans for each approach.
The problem, however, goes far beyond the executive room and the discussions had there. The speakers offered the infamous Sony hacks of 2014 as an applicable example for their warnings. Passman in particular said that a lot of the discussion around the topic of cybersecurity for both companies and individuals alike is related to the Sony breach.
“The types of information compromised in the breach were so broad and so deep that it was really a wakeup call,” Passman said. She added that prior to this, breaches tended to target “isolated information,” whereas in this case the attack was company-wide, compromising data like employee emails.
In attempt to unmask the perpetrators behind breaches, co-panelist Cabrera – vice president, cybersecurity strategy, at Trend Micro – defined the individuals attacking and the motivations that inspired them. Among those discussed were nation states, hacktivists and networks of sophisticated cybercriminals, or, as Cabrera often called them, “the digital criminal underground.”
Cabrera also elaborated on the deep web, i.e. the “internet we can’t see,” which services as a market for hackers and accounts for the majority of the web itself.
“This deep web is really an actual inverse of what we see on the surface web,” Cabrera said, noting how the information transacted in normal e-commerce on “the surface web” often finds its way to the deep web marketplace. Cabrera’s research on the topic goes back to his years with the U.S. Secret Service, where he investigated the deep web.
Cabrera compared these organized web criminals to traditional organized crime syndicates, saying that they are, in essence, “meritocracies” – hackers try to spread awareness of themselves and their skills, upon which they are chosen for certain criminal jobs.
“Traditional organized crime, they gain trust by feat of violence and intimidation,” Cabrera said. Referring to the new breed of cyber-based organized crime, he added, “These individuals, they’re like consumers today. It’s a reputation economy: They pedal in it, and that’s how they’re able to vet each other in the criminal underground.”
For more on this story go to:
