Daddy, what will you do in the new security wars?

Depends which enemy are we talking about, son

Education lacking

The answer to the rise of internet attacks won’t come solely through technology. If there’s one topic that security experts can agree on, as they squabble over the code-level response, it’s that the education of the general public needs to improve. Not enough attention goes on people and this has been the industry’s biggest failing, says Professor Woodward.

“Machines don’t spontaneously mount attacks – they are commanded by people and people are more often than not the specific target of engineering an attack. A little awareness can go a long way,” Woodward says.

“That awareness needs to extend beyond just top level headlines. I think end users … need to be constantly updating themselves about the nature of the threat. Knowing how some piece of social engineering works today does not mean it will help in several months’ time when the miscreants will have thought of a new ruse to fool you.

“Personally I think the only way this will happen is if there is a suitable combination of carrot and stick. After all, we expect people to take reasonable precautions in protecting physical property – insurance companies won’t pay out if you haven’t done so.”

The UK government has shown some inclination towards improving public awareness. In January it launched the Cyber Streetwise campaign. It saw posters put up across the country, calling on people to use more complex passwords, decent anti-virus and adequate privacy settings. Little is known of the initiative's actual impact.

But it’s not just individuals who don’t get the problem. Basic steps to improve workers’ awareness of social engineering, which is used in most modern-day attacks on companies, would be a good start, says Peter Wood, CEO of consultancy First Base Technologies.

“The obvious response is to invest in people as much as technology. It’s a complex and creative task, very similar to a professional marketing campaign, but it has to be done and it has to be an ongoing process. Sending out an email and telling people to read the security policy never worked, but imaginative and evangelical awareness programmes can work if the right people are involved and commitment is made at the top,” says Wood.

Whilst the average employee could do with a lesson in security, too often, the lack of understanding goes right to the top of organisations, says Simon Placks, head of cybercrime investigations at EY.

“Companies are starting to understand that they need to assess their exposure, but are doing so with limited situational awareness. We need to see companies re-thinking how they view security. The best approach an organisation can take is to raise cyber security to board level responsibility,” Placks adds.

“Similarly, when breaches occur, corporations need to treat incidents as corporate investigations, not IT remediation exercises. Many organisations are still treating network intrusions as if they were virus outbreaks. An intrusion is not an illness that can be prevented with good cyber-hygiene. Someone is out to get you, and you need to respond accordingly, otherwise it is only a matter of time before we see the first large-scale corporate collapse following a devastating cyber-attack.”

Policy points

The policy response will be crucial too. In the UK, the Computer Misuse Act, the Data Protection Act and fraud legislation are designed to protect people’s data, with police forces like the National Cyber Crime Unit and privacy watchdog the Information Commissioner’s Office set up to enforce the law.

Yet they may all need developing and updating if cyber crooks are to be caught. According to Stewart Room, a barrister and solicitor specialising in data protection, the fact that legislation is required to improve the fight against online crime is itself an indictment of the efforts of non-public organisations.

“Regulatory laws are designed to cure ‘market imperfections’, by which I mean the failure of markets to cure themselves of their own ills. When regulations are adopted, the law is saying that the market does not have the skills, wherewithal, incentives or drivers to do what is necessary in the wider interests of society, which includes the wider interests of the economy, to fix itself,” says Room.

“In this sense, the adoption of regulations is a bleak statement about the market. If the hacking problem needs regulations to improve cyber security, then as a matter of simple logic the medicine has to be strong, because the market has utterly failed.”

Whilst Woodward and Malik believe market forces should be allowed to do their work, Room says a much harder line might have to be adopted if the industry can’t up its game. “Any scheme of regulation to improve the performance on cyber security will need to include compulsory breach disclosure, regulatory audits, fines and penalties. Toothless regulation will not improve anything.

“I am not an immediate fan of increased regulation, however, and I believe that badly designed regulation can cause as much difficulty as it solves. My preference would be for the market to improve itself, with leadership from the security industry and other insiders. However, I have very little confidence that tough regulation will be avoided forever, because the cyber security problem seems to be getting worse.”

In the US there is much talk of changing the Computer Fraud and Abuse Act (CFAA), with many hopeful of the passage of the proposed Aaron’s Law, named after the late internet activist Aaron Swartz who committed suicide after being threatened with the hacking law. Yet in the UK, little has been said of giving the CMA a thorough updating. That’s not to say it won’t happen soon, however.

“The blistering pace of technology change and the cyber threats that come with it are only going to accelerate… Stronger regulation of cybersecurity in the public sector, private sector critical infrastructures, ICT service provision and companies critical to the UK's economy may happen in the future, as well as more proactive detection, investigation, prosecution and disruption of the threat by government and law enforcement,” says Placks.

Outside of improving and expediting the police response to digital crime, mandating education could be the way forward for government, adds Wood. “My change to regulatory frameworks would be to include a specific requirement for continual investment in user education. Not the tick-in-a-box compulsory basic training offerings, although they can play a part, but audited requirements for full-blown awareness campaigns, backed by creative people and ideas.”

Law that educates rather than punishes? Now that would be novel. ®