Things were simpler in the past. I know we hear that sometimes and to a certain degree this is true. It is also true that he who forgets the past is doomed to repeat it. In the world of information security (IS), both adages apply.
Back in ancient history – in this case the 1980s (ancient in terms of IT evolution) – information security was an afterthought. The focus was on building “simple” networks with business enablement and functionality as the primary concerns. Back in those early days, hacking was more of a hobby than a malicious activity.
Those of us old enough to remember the movie WarGames will note its stark warning of how quickly things can unintentionally escalate. The first “simple” computer viruses began to emerge at this time as well. During the 1990s, we started to see more advanced network-aware code with the potential to cause real disruption.
Around this time, both government and private industry began to see the threats and to varying degrees take them seriously. Early intrusion defense tools, intrusion prevention systems (IPS) and intrusion detection systems (IDS), made appearances to mitigate these threats. In retrospect, these were simple and reactionary attempts at best. The IS model then was to “put out the fires” as they occurred.
Fast forward to today and we see that elements of this model still exist in practice. While security solutions and IS programs have become more intuitive and proactive, the firefighter mentality still prevails. Many of the issues of the past have never been fully eliminated, either.
There are still issues with weak authentication mechanisms and password management. Simple passwords with no multifactor authentication are still widely used! Viruses and malicious code such as SQL Slammer and the Nimda worm are still in circulation. Vulnerabilities such as Heartbleed will continue to linger on and haunt organizations for years to come.
Many are still dealing with old, poorly written code. In many cases this code exists at the operating system (OS) level and may never be remediated. Bugs in commercially available software pose real threats; how many older versions of Adobe Flash with critical security flaws are still running out there? “Bolt-on tech,” where a point solution is applied that addresses only one or two issues, continues to propagate.
What about unchecked mobile apps? Who thought bring your own device (BYOD) was a good idea? It’s a good idea for hackers as it allows them to compromise internal networks via social media. In many ways, history is repeating itself.
Today, the threat landscape has advanced exponentially. We are no longer dealing with the Matthew Broderick type of hackers we saw in the 1980s. State-sponsored espionage, denial-of-service attacks, botnets, insider threats, cloud migration and mobile devices are some of the top challenges for IS.
The sheer number of devices is further complicating things. Recently the Internet Assigned Numbers Authority ran out of IPv4 addresses in North America. That should give some indication of the scale of the problem. As more and more devices become “smart,” real challenges are on the horizon.
It has been theoretically and practically demonstrated that hackers have the ability to control modern cars[1] and aircraft[2] – in one case causing a passenger jet to turn without the pilot’s input. The Internet of Things (IoT) and the proliferation of “smart,” connected devices mean that cyber attacks are getting serious, with the potential to cause real physical safety concerns – think water treatment plants, power grids, etc.
Another big concern is the ongoing development of artificial intelligence. In the future, how will IS integrate, adapt and most likely defend against “thinking machines”? Just as we must not forget history, we must look to the future as well. The purpose of this history lesson is to ensure that we also learn from the past, not repeat it.
The old model of information security must evolve to address 21st century threats. As IS professionals, we must embrace the future and work collectively to educate, hire, train, and retain top talent and promote collaboration in our industry to avoid being “doomed” by the past.
[1] “More connected cars may mean more hacked cars,” CNBC. February 9, 2015.
[2] “FBI: Hacker claimed to have taken over flight’s engine controls,” CNN. May 18, 2015.