#1263234: Will the US ever get serious about security and privacy?

Description: We have the ability to drastically reduce cybercrime. So why are we still failing?

The beginning of what we now call cybercrime
I have been in this career for decades, yet it seems like we are still at square one. Back in 1970-1995 Kevin Mitnick had an advantage – he was a groundbreaking hacker, long before all the script kiddies showed up on the scene.

Mitnick penetrated some of the most high-profile networks in the world using social engineering schemes. He tricked insiders into revealing access codes and passwords. We now call this phishing and it’s highly automated.

Then, in 1988, worms like the Morris Worm showed up. Started as a seemingly small, playful exercise launched from a computer lab at MIT, the worm spread much faster than anticipated. It went so badly that Robert Morris eventually became the first person convicted of violating the Computer Fraud & Abuse Act.

Kevin Poulsen made his mark in 1988-1994 when he took over the phone lines in Los Angeles to win a radio station contest. The prize was $20,000 in cash and a Porsche 944 S2 Cabriolet.

In 2011 things shifted into high gear. Enter the Stuxnet Worm. This was to become the world’s first weaponized attack. Stuxnet targeted Iran’s nuclear program, causing physical damage to their enrichment centrifuges. This was not the act of a lone hacker, prankster or script kiddie. This was the work of a Nation State.

Later in 2011, as social media was in full swing, hackers used this medium to publicize their work. The group Lulz Security would hack and then tweet about their victims’ poor security. They even hacked Sony’s PlayStation Network in an event that compromised more than 24 million users’ personal information. At the time, most operating systems were still not designed with strong security, and neither was the internet.

Speaking of things not designed to be secure: in 1969 – the year of the Man on the Moon, Woodstock and the Miracle Mets – something else very significant happened. At the time very few knew about it, because there was no newspaper, radio or TV coverage of it.

On October 29, 1969, the internet was born. Leonard Kleinrock, a professor of computer science at UCLA, sent the first message over a network that would eventually become the web. In an interview with CNN on October 29, 2009, Kleinrock had this to say about today’s internet:

“There's a very dark side to the Internet, which we're all familiar with. It started with a worm in 1988, and it became spam in 1994, and now we have pornography, we have denial of service [attacks], we have identity theft, we have fraud, we have things like botnets [pieces of software that cyberthieves use to remotely and secretly control your computer], which really worry me.”

The internet grows up, but can we control it?
So, we have this global network that was never designed to be secure, then suddenly in 2000 the dot com boom happened, and everyone was on the internet or getting on it. E-commerce was born. We would immediately place all our military secrets, medical records, educational records and banking credentials online.

Everything was now online. Did I say all of this was put on a network that was never designed to be secure?

It’s only natural to ask whether greed has contributed to our cybercrime problem. Did we ignore security in our quest to make as much money as possible? Are we still doing this? Is security just too inconvenient for our customers?

Think about this: For the first time in history you could rob a bank in the US from Russia or anywhere in the world without ever leaving your safe and secure home or office. Every computer in the world now has the ability to connect to any other computer in the world.

How many targets are there? Add IoT, the Internet of Things, and cyber criminals can not only snoop on your baby monitor and home security system but also compromise your bank account and much more. How many devices are on the internet today? According to Internet World Stats, 4,383,810,342 as of March 31, 2019. According to Privacyrights.org, the total number of records breached since 2005 is 11,578,188,519.

I used to regularly give security presentations and I would always talk about the latest data breaches: Target, Sony, Home Depot, the US Government’s OPM, Adobe, Yahoo, eBay, Anthem, Equifax and Marriott, to name some of the more notable and newsworthy. Notice I didn’t include hospitals, where ransomware shuts down access to critical life-saving systems.

I’ve lost count. Announcing another data breach has become commoditized information. It’s like saying there’s another accident on Interstate I-4 in Orlando. In other words, it’s routine. We have become as numb to it as to violence on the evening news.

The solution: Let’s work together…like the cybercriminals do
The 2019 Verizon Data Breach Investigations Report looks like this:

  • C-Suite executives are 12 times more likely to be targeted in social engineering attacks than other employees
  • Nation-state attacks increased from 12% of attacks in 2017 to 23% in 2018
  • Phishing is involved in 32% of breaches and 78% of cyber-espionage incidents
  • 90% of malware arrived via email
  • 60% of web application attacks were on cloud-based email servers
  • Most email threats and BEC attacks only resulted in data breaches because multi-factor authentication had not been implemented
  • 52% of cyberattacks involve hacking
  • 34% of attacks involved insiders
  • 43% of cyberattacks were on small businesses
  • Ransomware is the second biggest malware threat and accounted for 24% of malware-related breaches
  • There has been a six-fold decrease in attacks on HR personnel
  • Misconfiguration of cloud platforms accounted for 21% of breaches caused by errors

I can’t and won’t speak for all nations, only for my home country, the USA. It appears our siloed approach to cybersecurity is still hurting us. In Europe, privacy is considered a human right. It’s not even mentioned in the US Constitution (it only shows up in the 4th Amendment, under illegal search and seizure).

Another issue hurting our ability to secure user data is the mostly unknown data brokers. We know that data brokers have free rein in the US because profits appear to mean more to Congress than our privacy. Our lobbyists often come from the government and go on to work for corporations, including data brokers who fund congressional elections. This gives them power to manipulate our government and its laws.

Just this week I read on the International Association of Privacy Professionals (IAPP) website that Congress is going to conduct a hearing on data brokers and their impact on financial data privacy, credit, insurance, employment and housing. Forget what info Snowden or Assange say our government has on us. This industry knows everything about all of us…and sells it.

And with our mixed bag of State and Federal laws, there is little to no consistency or standards that we as a nation can comply with.

It’s time our government moved toward uniform laws. California and Massachusetts have their own data privacy laws, some states have little to none, and the feds go in yet another direction. This siloed approach guarantees that we will always come up short.

The government pushed electronic medical records for good reasons, but it was another example of too much too fast. They themselves became victims in the Office of Personnel Management (OPM) data breach, wherein the most sensitive government security clearances were stored, and everyone including the FBI director’s identity was compromised by China. In short, the same government that was unable to secure its own security clearances was simultaneously pushing for all our medical records to be online and ready for the taking.

Just how many healthcare records have already been compromised? According to HIPAA Journal, between 2009 and 2018 there were 2,546 healthcare data breaches, resulting in the theft or exposure of 189,945,874 health records.

Read the rest at the link below.
More info: https://www.csoonline.com/article/3401719/will-the-us-ever-get-serious-about-security-and-privacy.html

Date added June 12, 2019, 12:27 p.m.
Source CSO Online