The case of Ashley Madison
The dating site Ashley Madison was hacked, and 33 million customer records were compromised. The data was dumped on the dark web and various peer-to-peer file systems, where it could be searched by typing in an email address. Beyond identity theft, brand impact, and financial and intellectual property loss, there was great personal loss to the individuals who had registered.
Governments are the biggest target
It is time governments started treating the protection of cyberspace as seriously as the protection of their land, air and water space. According to a report by Subex, in 2019 the US, India and the UK were the most targeted countries in the world. In India, for instance, 21% of the total attacks were targeted at CII (Critical Information Infrastructure), as per the report.
“There can be many reasons for subjecting a country to a brutal volley of cyber attacks. State leadership should rise to the challenge in making the CISO role an important one when building digital infrastructure.”
Governments' difficulties are exacerbated by a lack of cyber experts, whether due to low pay or convoluted hiring processes. In addition, the growing availability of high-grade computing resources, cheaper hardware, a wide array of newer and better hacking tools, and mass access to educational material on hacking are creating modern hackers in hordes.
Rising to the challenge
Governments not only need to fortify their infrastructure; they also have to be vigilant and resilient. To be vigilant, governments need to collaborate extensively with security agencies, industries and government bodies. To be resilient, governments need to get back to operations quickly, either through redundant infrastructure or some other means.
Protecting the Infrastructure
While many recommendations are already available from standards bodies, some of them are outlined below:
- Encrypt sensitive data both at rest and in motion.
- Introduce two-factor authentication.
- Decentralize your data with stricter access controls. Maintain an air gap for extremely sensitive data by taking it offline.
- Identify insider threats by mining big data and observing anomalies in employee behavior.
- Collaborate and create awareness through continuous education on good network hygiene, cyber threats and cyber security.
- Don’t just install security hardware. Keep changing the game: deploy honeypots, move the database, plant fake information, etc.
Agencies must attempt to understand the hacker’s mindset and should know what data could be attractive to them. Finding a needle in a haystack is no easy thing. As collaboration grows among governments, agencies, system integrators, industry and security/data experts, the collective wisdom is likely to grow. The signals emanating from security logs and devices must be monitored and analyzed well.
In today’s world, cyber attacks cannot be completely avoided; organizations need to build their strength from them and come back stronger. To prepare, organizations are encouraged to run simulated war-gaming exercises covering data breaches, website defacement, denial-of-service attacks, disaster recovery, etc. It is important to measure speed and readiness during the exercise. Rebuilding trust after damage is also critical for government agencies, as they are continuously being assessed by a wider group of enforcement and public agencies in addition to their stakeholders. Seriousness towards cyber threats therefore needs to be heightened.
After the 22 days of economic heist in 2007, Estonia learnt its lessons. It has emerged much stronger and hosts CyCon, demonstrating and testing its abilities to fight a cyber war.
Closing the Cyber skills gap
Cyber security skills are quite different from regular IT skills. Moreover, cyber experts are expensive. Governments need to make concerted efforts to develop capacity and identify the right person for such a serious job. Some ideas:
- Educational institutions may be asked to develop a custom curriculum for cyber security.
- Conduct hackathons to identify skilled people.
- Run government-funded programs or certification exercises.
- Make the job of cyber security experts in government more lucrative.
- Make it easier to recruit cyber security experts.