Feature Story

Security, by the numbers. The sky isn't falling


It's #CyberSecurityMonth. Sean Kerner takes a look at all the things we can do to reduce risk.

Written by: Sean Michael Kerner

It's October and that means it's National Cyber Security Awareness Month (NCSAM) again and time to recognize all the positive things that can be done to reduce risk. While there seems to be no shortage of events and 'special' days for cybersecurity, NCSAM stands as a somewhat differentiated occasion, thanks in no small part to its history. NCSAM has been an annual tradition since 2004 and was launched by the U.S. Department of Homeland Security (DHS) and the National Cyber Security Alliance.

Over the last 15 years of NCSAM's existence a lot has changed in the cyber security landscape and a lot has stayed the same. Over that time, there has been no shortage of big data breaches, zero-day vulnerabilities and new forms of attack that have impacted IT enterprises and consumers alike. Many cyber security stories (and more than a few written by yours truly) focus on the exploits and things that have gone wrong. Just think about it: 15 years ago ransomware didn't exist, and no one had ever heard of Business Email Compromise (BEC).


The Federal Bureau of Investigation (FBI) reported last month that between May 2018 and July 2019 there was a 100 percent increase in losses from BEC. Among the primary reasons for the spike is greater awareness and improved reporting. Ignorance is not bliss when it comes to risk. By having heightened awareness around BEC, the risk can be accurately measured, and organizations can take steps to improve security. Moving beyond just awareness, law enforcement agencies are also playing a key role. On Sept. 10, the FBI along with partner agencies around the world shut down a global BEC campaign in an effort dubbed Operation reWired, resulting in 281 arrests and the recovery of approximately $118 million.

Passwords

One of the primary areas of weakness in many IT systems and services is passwords. According to data cited by the Cisco/Cybersecurity Ventures 2019 Cybersecurity Almanac, the world will need to cyber protect 300 billion passwords globally by 2020. That's a whole lot of passwords.

Adding further insult to injury, given all the data breaches over the past decade, chances are that the majority of people reading this article will have had at least one account involved in a data breach, whether they know it or not.

But it's not all doom and gloom on the password front, because even though the risk is real, awareness and technology innovation have helped to move the needle.

Whereas 15 years ago it would have been challenging for any user to know if their password had been stolen, in 2019 it's easy. Troy Hunt's HaveIBeenPwned (which has been baked into other services including Mozilla's Firefox Monitor), Google's Password Checkup and others are among the multiple public resources available. The fact that any user can find out if their password has been stolen is not about fear, it's about awareness. If you know something has been breached, you can take steps.

Password managers were not unheard of 15 years ago, but now are more powerful than ever, and with the knowledge and awareness that passwords should not be re-used and need to be managed, adoption should grow. Another area of improvement in 2019 vs. 2004 is web encryption. The majority of web sites in 2004 did not use HTTPS by default, with sites requesting usernames and passwords from users without encryption - i.e. sending user info in the clear. That's another trend toward improvement - the widespread use of HTTPS, with more than half of global web traffic transmitted over HTTPS since late 2017 according to Cisco's 2018 Annual Cybersecurity Report.

Risk reduction is also about defense in depth, which is another area where password security can arguably be better in 2019 than 2004. While there were users in large organizations using two-factor authentication (often with token-based key fobs), many (if not all) major online services for consumers and enterprise alike today offer multi-factor authentication options. Technologies like Cisco Duo are a key enabler of that transformation.

Another key transformation that has improved in recent years is the use of User and Entity Behavior Analytics (UEBA) technologies that leverage machine learning algorithms to spot abnormal behavior. That's a technology category that simply did not exist in the same way 15 years ago.

Spam and Phishing

One thing that doesn't seem to have changed much over the years is spam. The latest data from Cisco Talos for September 2019 estimates that spam represents 86 percent of global email traffic volume. Spam is still a problem today, as it was in 2004. Though there are great technologies for filtering, blocking and quarantining spam so the impact on enterprise users can be minimized, the volume of spam that clogs the arteries of the internet continues to proliferate.

Phishing emails also continue to be a problem, but there is a spark of optimism there. The 2019 Verizon Data Breach Investigations Report (DBIR) reported that clickthrough rates on phishing simulations dropped to only 3 percent, showing that awareness training is having a degree of impact. Cisco's Email Cybersecurity Report: Click with Caution provides some solid guidance for defenders on how to deal with email security challenges.


Another big area for security improvement that needs to be recognized is the march toward improved privacy protection. To be fair, privacy does not always equal security, but often the requirements of ensuring user privacy do require security controls. The Cisco 2019 Data Privacy Benchmark Study, for example, found widespread evidence that data privacy efforts are being adopted by companies, yielding better business outcomes overall.

Cloud

Among the biggest shifts in the IT landscape over the past decade has been the move to the cloud. The standard joke is that the cloud is really just someone else's server, but when it comes to security it's a game changer and one that didn't exist when NCSAM got started. By routing traffic through a cloud proxy or security service (Cisco's Umbrella is one such example), security can now be delivered in a way that can make people safer.

The emergence of bug bounties and managed programs that easily enable researchers to report issues is another big win for security in recent years. Ignorance is not bliss when it comes to bugs. Bugs are a reality and by incentivizing and enabling a broader community to participate in the process there is the potential for better security.

Overall, while there will for the foreseeable future be a constant stream of reports on data breaches and new exploits, it is important to also be aware that there are innovations and technologies that can help to empower organizations to be more prepared. While security is still an obvious concern in 2019, there are many things that have improved, helping IT users in organizations of all sizes reduce risk.

We live in an era where attacks can and do come from anywhere. That's not something to be afraid of, but rather something to be aware of and be prepared for.

 


We welcome the re-use, republication, and distribution of "The Network" content. Please credit us with the following information: Used with the permission of http://thenetwork.cisco.com/.