Securing Cyber Space
by Robin Hegg
Your phone, your watch, your home, your car: These days more and more of the objects we use every day are connected to the Internet and more and more of our personal data is being stored online. This increasing reliance on networked technology means that cybersecurity breaches and cyber attacks have the potential to bring about devastating damage.
There has been a string of recent large-scale cyber attacks that have highlighted how unprepared and under-secured most institutions are. In 2013 a Ukrainian hacking ring broke into Target Corporation computers and stole roughly 40 million customer credit cards. In 2014, the same group broke into Home Depot computers, making off with between 53 and 56 million credit card numbers. In 2014 a group of hackers allegedly working for the North Korean regime used malware to break into the internal servers of Sony Pictures Entertainment. It is believed that this was a phishing attack in which an employee clicked on a link in an email, causing malware to be downloaded. The attack was able to go on for months before it was detected. The hackers accessed internal financial reports, employee health data, executives’ emails, even unreleased movies and scripts, all of which were released. In 2015 a teenager in Northern Ireland was able to use a distributed denial-of-service attack and malicious code to access the names, birth dates, addresses, and phone numbers of more than 150,000 customers. In 2016, the IRS received a large number of false tax returns, filled out with stolen personal data. Attacks of this kind are extremely costly and put people’s privacy and safety at risk.
Cyber attacks have now been used to cause physical damage as well. In late 2014 hackers attacked a steel mill in Germany. The attackers were able to access the steel mill through the plant’s business network using a spear-phishing attack in which an employee received an email that appeared to be from a trusted source. They clicked on a link or downloaded an attachment that caused malware to be downloaded to their computer. From there, the attackers were able to move into the production networks and access the systems controlling plant equipment. The attacks resulted in the plant becoming unable to shut down a blast furnace in a regulated manner, causing massive damage to the system. With more of our transportation and utilities systems online, the risks of an attack are huge and can affect our physical security as well.
While some institutions, such as banks, have learned to prioritize cybersecurity, others, like hospitals, haven’t invested as much in cybersecurity, and are beginning to become major targets of cyber attacks. It is increasingly important that all organizations learn to prioritize cybersecurity so their data and their property are safe. On the hardware and software side, security is often low on the list of priorities for designers. In all industries and in all areas of technology and networking, security must be kept in mind and prioritized throughout their design, development, and production.
Cyber criminals generally aim to steal data, damage hardware, software, or information, or disrupt services. Attackers use many different methods to exploit vulnerabilities and gain access to restricted systems and data. Cyber criminals will sometimes find and exploit a product’s back door—a way for the creators to access otherwise protected areas—or find a way to create one themselves. Other attacks involve physically tampering with a computer or network, or escalating an attacker’s privilege level on a network, allowing them to access areas they shouldn’t be able to.
A denial-of-service attack involves making a machine, a network, or data unavailable to its users. This can happen by locking the users out of a system or by overloading a machine or network. Sometimes blocking access to the system is the goal of the attack. Other times, ransoms are demanded for access to the affected system or data to be reinstated.
Eavesdropping or Man-in-the-Middle attacks involve eavesdropping on data conversations by intercepting communications over networks. There are also eavesdropping concerns involving Internet-connected products that contain cameras and microphones. These concerns have been raised for products ranging from smart televisions to children’s toys.
Other attacks rely on tricking the user or using social engineering—gaining the trust of users to get important information. Clickjacking or User Interface redress attacks trick a user into clicking on a button or link on one webpage while they think they are clicking on another. This method can also be used to hijack a user’s keystrokes. Spoofing attacks involve an attacker using false data to pretend to be another person. Phishing attacks attempt to gather important information like passwords, usernames, and credit card numbers directly from users, usually through emails or instant messages, which often direct users to a fake website that is almost identical to the real one. Users are directed to enter their information into the fake website or to email it directly to the attacker.
Some of the strategies to strengthen cybersecurity and prevent these sorts of attacks are fairly simple, while others are far more complex. One of the most basic ways to make networks and data more secure is the use of strong passwords. It’s estimated that 91 percent of user passwords appear on the list of the top 1000 passwords. SplashData, a cybersecurity company, puts together a list each year from millions of stolen passwords and then ranks them by popularity. The top ten passwords for 2015 were 123456, password, 12345678, qwerty, 12345, 123456789, football, 1234, 1234567, and baseball.
User-created passwords also tend to follow certain rules and patterns. They often include some version of a person’s name or a family member or pet’s name. Numbers are usually at the end of the password and are often someone’s birthday or an old address. Hackers will find out as much information as they can about a target, then develop a list of possible passwords based on that information. They can use the lists of common passwords along with their targeted guesses and use a computer to quickly try all the possible passwords.
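The same patterns can be checked when a user chooses a password, so that guessable ones are refused before an attacker gets to try them. The sketch below is an added example, not part of the original article: the function names and the sample profile are constructed for illustration, and the ten passwords from the 2015 list stand in for a much longer list of common passwords.

```python
import re

# The ten most common passwords of 2015 named in the article. A real
# deployment would load a much longer list of breached passwords.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "football", "1234", "1234567", "baseball",
}

# Undo simple character swaps so "d@na" is treated like "dana".
SUBSTITUTIONS = str.maketrans("0134578@$!", "oleastbasi")


def personal_tokens(profile):
    """Split profile fields into lowercase words and digit runs."""
    words, numbers = set(), set()
    for value in profile.values():
        for token in re.findall(r"[a-z]+|\d+", value.lower()):
            if token.isdigit() and len(token) >= 2:
                numbers.add(token)
            elif token.isalpha() and len(token) >= 3:
                words.add(token)
    return words, numbers


def check_password(password, profile):
    """Return the reasons a password is guessable (empty list if none found)."""
    reasons = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("common")
    words, numbers = personal_tokens(profile)
    normalized = lowered.translate(SUBSTITUTIONS)
    if any(w in lowered or w in normalized for w in words):
        reasons.append("personal-word")
    # Numbers usually sit at the end and reuse a birthday or address,
    # whole ("1987") or in pieces ("0412", "87").
    trailing = re.search(r"\d+$", password)
    if trailing and len(trailing.group()) >= 2:
        digits = trailing.group()
        if any(digits in n or n in digits for n in numbers):
            reasons.append("personal-number")
    return reasons


# Constructed sample profile, not data from the article.
SAMPLE_PROFILE = {"name": "Dana Whitfield", "pet": "Biscuit",
                  "birthday": "1987-04-12", "address": "221 Elm Street"}
```

A sign-up form would reject any password for which `check_password` returns a non-empty list and tell the user which pattern it matched.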
Limiting user privileges on a computer or network is another simple but effective step toward increasing security. This means only allowing users to access the levels of information they need and nothing more.
Cybersecurity experts are using a variety of strategies to fight back against cyber attacks. One is analyzing behavioral data to spot spoofing and other suspicious activities. They can create behavioral profiles of users and then use this information to notice any changes that are out of the ordinary, signaling a potential security breach. Using location tracking can also help set off alarms, particularly if a device is seen to be logging into accounts from an unusual location. Other techniques involve analyzing data from past attacks to determine what sites may be hacked in the future.
Virtual Dispersive Networking (VDN) is a technique developed to protect against Man-in-the-Middle (MiM) attacks, which eavesdrop on data conversations. Dispersing the message being sent into multiple parts, encrypting those parts, and then routing them over different protocols on independent paths makes them almost impossible to intercept or understand.
Many technology companies are also working to secure smart grids. Technologies are being developed to encrypt communications between central stations and field devices and to detect physical and digital tampering. Some monitor networks to make sure that only known and allowed communications are taking place and others allow for quick vulnerability assessments and compliance audits to check system security.
Cybersecurity experts are also working to develop active defense strategies—ways to actively track and fight back against hackers. Some gather counterintelligence, having a cyber expert learn about hackers and their techniques to learn about malware. Other techniques seek to lure in and then gather information on hackers. Sinkholing involves creating a sinkhole or a standard DNS server that hands out non-routable addresses for all domains. This allows experts to intercept and block malicious traffic so it can be analyzed. Honeypots work by tempting hackers. A honeypot is a computer or network site that is created to attract hackers, allowing security experts to gather information on attacks and hackers.
While it’s important that cybersecurity experts are able to detect and respond to attacks, another important step toward increasing security is prioritizing security at the point of product design. Software and hardware should be designed with security in mind, and new devices and software must be tested before they are released to the public in order to discover their vulnerabilities and address them.
Tracking down an attacker presents a huge challenge and law enforcement often isn’t up to the task. A lack of technological sophistication, time, and resources leaves many cases untouched, but some security software is helping police to track down cyber criminals. Even when an attacker can be identified, there is often little that can be done to prosecute them. There is still little international agreement on cyber law and since viruses can cross multiple jurisdictions, this can leave prosecutors’ hands tied. Many organizations, including the IEEE, are working to develop standards and policies that can help to keep machines, networks, and utilities safer, to help prevent and prosecute cyber crimes, and to help train more skilled cybersecurity experts.
The world is increasingly reliant on computers and the Internet. Users are trusting their devices and networks with their personal, financial, and medical information. Everyday devices like our cars, homes, appliances, toys, and televisions are now connected to the Internet. All of this makes strong cybersecurity all the more important. The world is in serious need of more skilled cybersecurity experts, and engineers in all disciplines need to know the ins and outs of cybersecurity so it can be a priority through every part of the design process.