Cybersecurity is in the news all the time, and the vibe is that online threats are getting worse. Are the cybersecurity challenges becoming more severe or is it that there’s simply more to secure? Paul Rivers, Chief Information Security Officer at UNC-Chapel Hill, posed that question to three experts during an October 23 webinar, held as part of Cybersecurity Awareness Month activities.
Cyber-attacks have become much more targeted over the last 20 years, said Allison Henry, Chief Information Security Officer at the University of California, Berkeley.
“They’re doing this to make money. It’s not a game anymore. It’s not for fun,” she said.
“Cybercrime pays,” said Michael Tran Duff, Harvard University’s Chief Information Security Officer and Data Privacy Officer. “If it didn’t, people wouldn’t be doing it.”
These days online attackers are causing more financial damage. The technology itself is more secure, Henry said, but “it’s always a cat and mouse game.”
“I do think we’re currently losing the battle in cybersecurity,” said Duff. “Adversaries are outpacing our defenses.”
The number of devices connected to the internet and the amount of data that is internet-accessible are growing rapidly, he said. That favors the adversaries.
Adversaries also have an unlimited supply of vulnerabilities to exploit, and software companies and users spend an incredible amount of time and effort patching those vulnerabilities.
It’s an arms race, said Jeremy Rosenberg, Chief Information Security Officer at Yale University. And the line of cybersecurity efforts we must have in place to avoid being negligent keeps moving.
Remember when a username and a password were sufficient? Then came multi-factor authentication.
“We are trying to do lots of things whereas the people who are attacking us are just trying to do one thing at a time,” Rosenberg said. “It’s really hard to combat that.”
Fundamental cybersecurity challenges remain the same
Every year, the list of the top 10 vulnerabilities in web applications is the same. “They’ve just changed their order” within the ranking, Rivers said, “but it’s the same old stuff.”
“You can talk about the 50 different well-known tactics to make sure you never have these (vulnerabilities),” he said, “and yet we have them again and again and again and again.”
One could easily become pessimistic. “How do we change that dynamic?” Rivers asked.
Yes, “over the last half century, most of the fundamental cybersecurity problems have remained unchanged,” Duff said. “It’s just kind of new variations, like on social engineering and how those play out.” But, he added, we are at a point at which we can fix some of the problems.
Mix of solutions
Strengthening cybersecurity requires a combination of tactics — continuing some efforts and adding new solutions, the experts said.
For one, the international community needs to enact regulatory agreements across borders so that cybercrime doesn’t pay.
“Until it doesn’t pay, we’re not going to make a dent in this problem,” Henry said.
Part of the solution, the panelists said, is to incentivize companies to develop software that is more secure. On one hand, regulators could make software developers liable for vulnerabilities. On the other hand, we don’t want to sue software companies into oblivion.
Also, software customers clamor for snazzy new features — but security features don’t get them excited.
“Putting security in your product doesn’t make you a differentiator in the marketplace. It doesn’t let you charge more for your product,” Henry said.
Software buyers must be willing to pay for more secure products, the experts said, because all of us ultimately pay for the damage caused by insufficient security.
Also, using artificial intelligence may help the IT community gain ground against cyber criminals, the panelists said. AI, for example, could help coders avoid vulnerabilities in their programs.
Passwordless is one solution
One problem we can address is compromised credentials, Duff said. “For the last five decades, we’ve tried to put Band-aids on it.”
People were encouraged to use longer or more complex passwords, and then multi-factor authentication was added. Now, Duff said, “we have a passwordless option. That is the solution. That will solve that problem that we’ve had for 50 years once and for all.”
Carolina, in fact, began rolling out its passwordless option — called Carolina Key — a year ago.
Remember the basics too
A time may come when more technical solutions lessen the need for training and awareness, but for now, part of the solution is ensuring we keep promoting and following basic cybersecurity practices.
Double down on awareness and training but figure out how not to depend on them, Rosenberg said.
One key reminder is to slow down. “Take a breath before you check your email,” he said. “A lot of these attacks depend on exploiting how hectic our lives are.”
From looking at how compromises happen, his team found, he said, “if we just get people to be a little bit more mindful about their work, it can actually make a difference.”
For more cybersecurity tips and news, visit Safe Computing at UNC.