The massive theft of personal data from Australian National University (ANU) will have sent shivers down the spine of security managers everywhere – but it is what the university does now, one cybersecurity researcher says, that matters the most.

Evaluating and prioritising a response to cybersecurity threats is second nature for Lavi Lazarovitz, a cybersecurity researcher whose resume includes five years serving as a pilot and intelligence officer in the Israeli Air Force.

There, he learned first-hand the value – and potentially catastrophic disruption – that can be caused when information is compromised and used for unintended purposes.

“As an intelligence officer I benefited from intelligence sources that were relying on cyberspace,” Lazarovitz – who shifted his focus to web security, cybersecurity blogging and eventually his current role leading a team of cybersecurity researchers in CyberArk Labs – told Information Age.

“When our sources were going to very distant places where information is not that available, cyberspace was giving us a lot of new air to breathe – some light in a very, very dark hole.”

This often included seemingly innocuous information, such as electricity or gas bills – which could, for example, highlight hotspots of high consumption that might be a tip-off for hidden enemy facilities.

“For the guys out there in the field, this was super precious,” Lazarovitz said. “There are things that you wouldn’t expect that would be interesting to intelligence agencies, but they are.”

Finding a problem you can’t see

The data stolen from ANU – including 19 years’ worth of names, addresses, dates of birth, tax file numbers, bank account details and more – makes the breach particularly valuable for identity thieves, who can use the information to perpetrate new fraud with convincing realism.

ANU acted swiftly to inform the community, launching a dedicated page of information about the breach that noted this latest breach was only detected because of system upgrades occasioned by a previous incident last year.

“We have invested heavily in IT security in the past 12 months and that investment has been successful in the sense that it reduced the risk presented by many attackers, and it helped us detect this sophisticated intrusion,” the university’s FAQ notes.

Yet, as Lazarovitz learned working in military intelligence, the biggest threats aren’t only the high-profile breaches of obviously important data.

He and the members of his team also specialise in exploring potential threats from emerging technologies – which may produce data that seems innocuous until cross-matched or aggregated over time.

Many such technologies are driving ambitious digital transformation efforts, such as omnipresent cloud infrastructure and flexible DevOps development practices, that fundamentally change the way many business processes run.

Ditto Internet of Things (IoT) devices, which are delivering important new capabilities for businesses but are often – through carelessness or plain antipathy – sold into a hungry market with suboptimal security that is hard or impossible to update.

The problem, Lazarovitz said, “is not the smart things that are connected to the Internet, but the stupid things like simple home appliances, that will be connected to the Internet – and we won’t even be aware that they are connected.”

Those connection points offer cybercriminals a wealth of potential new vulnerabilities ready for exploitation – pitting resourceful and determined adversaries against security staff that, he warned, “are not trained to trace, mitigate, or do incident response in those new, emerging environments.”

In too many cases, he said, businesses task software engineers with implementing security because they are the ones that understand the new environments.

Yet those engineers “are aware of best practices but have real difficulty following those best practices”, Lazarovitz said. “When you have operations as the first priority, security will come second.”

Even where security staff are on the job, new cloud-based environments and containers pose their own challenges because security tools like authorisation tokens work differently in the new environments.

This means that even as cybercriminals poke holes in novel code and architectures, engineers and security practitioners are all playing catch-up.

“They usually don’t know where to look or exactly what to look for” to detect cyber attacks, he explained. “Their environments are now loosely connected, so it is much more difficult to know what’s going on.”

“This is a hard game to play when you don’t know the rules.”

Learning (and re-learning) the rules

In cybersecurity, those rules are constantly changing – and so are the playing pieces.

New threats such as biometric authentication and machine identities that enable machine-to-machine communications, Lazarovitz said, pose challenges for security practitioners because they require organisations to accept the authority of credentials whose potential for abuse is still being understood.

“The technology terrain is changing a lot,” he said.

“In cloud models, engineers have direct access to the infrastructure and the cost of a mistake nowadays is super high: with just one code push, I can create damage in the millions.”

Cybercriminals were also exploring ways to infect target systems by lacing software development builds, increasingly popular software ‘containers’, or routine software updates with malicious code that sneaks into the enterprise under the cover provided by legitimate apps.

Even social-media accounts were providing a ripe target for determined cybercriminals, who are leveraging widespread implicit trust in those platforms to embed links to malicious code – or, in a particular threat to information sources whose legitimacy relies upon their integrity, hijack accounts to post misinformation.

This threat was particularly pointed for government bodies that are struggling against a tide of online fake news and need to figure out how to maintain their legitimacy despite cybercriminals’ endless efforts to compromise it.

With so many new vectors opening up on a regular basis, the seemingly unending compromise of targets will continue unabated if organisations keep playing catch-up.

Instead, Lazarovitz noted, organisations should define security teams that focus on new and emerging technologies – and others that are focused on security best practices that, all too often, are being glossed over despite having been known and understood for decades.

“Environments are changing, and so should the security teams of every organisation,” he explained. “This requires a lot of knowledge and research to shed light on the security gaps and issues, and to develop operational plans to counter these attacks.”

“Every organisation should deploy security measures that would minimise the impact of a mistake.”