Risk UK August 2017
Cyber Security: Risk Management for Automated Cyber Weapons<br />
arms ‘bazaar’ wherein criminals can purchase<br />
the cyber equivalent of smart bombs, complete<br />
with user guides, money-back guarantees and<br />
TripAdvisor-style user ratings.<br />
Powerful custom-made tools designed to<br />
exploit unpatched vulnerabilities and<br />
autonomously reproduce themselves across the<br />
world are widely available to buy, rent or<br />
franchise. They can also be repurposed and<br />
customised for any particular task, from<br />
hacking a bank through to attacking a hospital.<br />
These sophisticated weapons often contain<br />
an autonomous ‘transport’ mechanism that<br />
enables the malware to scan for vulnerabilities<br />
and spread itself along with a ‘payload’ that<br />
then delivers the attack.<br />
The Internet is also replete with intelligence-gathering<br />
tools that lie dormant inside an<br />
enemy system like a cyber ‘sleeper cell’,<br />
covertly mapping out the network architecture,<br />
domains, servers and IP addresses of potential<br />
targets. A recent investigation showed that the<br />
UK’s national rail network had been unwittingly<br />
infiltrated by four nation state cyber attacks<br />
which appeared to be ‘exploratory’ exercises.<br />
Two-way relationship<br />
One cyber expert has warned the US<br />
Government that: “The Internet allows<br />
malicious cyber actors to deliver weaponised<br />
tools at a scope and scale we’ve never seen.”<br />
Even worse, nation states are deliberately<br />
‘leaking’ cyber weapons to illegal hacker<br />
collectives, hiding their activities behind proxy<br />
groups. The relationship works both ways, with<br />
cyber crime groups also sharing tools with<br />
Governments in return for payment or<br />
protection from prosecution. These tools then<br />
work their way lower down the food chain until<br />
they end up in the hands of low-level hackers,<br />
with the end result being that highly classified<br />
cyber offensive expertise is being transplanted<br />
into the laptops of teenagers.<br />
According to cyber security body (ISC)², this<br />
comes at a time when the Human Resources<br />
needed to prevent these increasingly advanced<br />
and widespread attacks are in scarce supply.<br />
The world is set to face a shortfall of 1.8 million<br />
cyber security professionals in five years. Rising<br />
demand for a dwindling pool of talent is<br />
pushing up the cost of hiring, rendering it<br />
increasingly difficult for companies to recruit<br />
and retain the necessary and best talent.<br />
Given this major manpower shortage<br />
combined with a rise in automated hacking<br />
tools entering wider circulation, business and<br />
industry is now under greater threat than ever<br />
before. The central problem is that machines<br />
are far faster and more efficient at hacking than<br />
humans. Automated tools can launch many<br />
simultaneous worldwide attacks at a speed and<br />
scale beyond the capacity of human attackers.<br />
For example, computer ‘worms’ are capable of<br />
autonomously replicating themselves millions<br />
of times in order to simultaneously infect a<br />
wide array of targets.<br />
To illustrate that statement, studies have<br />
shown how an automated worm could ‘infect’ a<br />
single lightbulb and then cross-contaminate all<br />
neighbouring lightbulbs, spreading like wildfire<br />
to plunge entire cities into darkness at<br />
lightning speed. In this way, widely-available<br />
automated weapons dramatically increase the<br />
speed, power and reach of cyber attacks on<br />
faraway targets.<br />
Autonomous tools also enable human<br />
hackers to cover their tracks, like a thief<br />
evading detection by sending a drone to burgle<br />
a house. While companies lack the time and<br />
Human Resources needed to find and fix all of<br />
their vulnerabilities, automated tools afford<br />
cyber criminals limitless time and resources to<br />
find and exploit vulnerabilities. It’s no surprise<br />
that, in a race between human defenders and<br />
autonomous attackers, the humans are losing.<br />
To turn this around, we simply must use<br />
autonomous tools as a defence mechanism.<br />
Automating our defences<br />
Whereas traditional ‘dumb’ scanners<br />
indiscriminately bombard a network from the<br />
outside in the hope of exposing a vulnerability,<br />
modern ‘smart’ tools can autonomously scour<br />
the individual blueprint of any network or<br />
system to find deep structural vulnerabilities<br />
and explain how to fix them. It’s the digital<br />
equivalent of going through every line of an<br />
architect’s drawings and identifying<br />
weaknesses in the structure within seconds.<br />
‘Smart’ tools dramatically reduce the<br />
demands placed on heavily-overstretched<br />
Human Resources, using automated systems to<br />
plug the cyber security skills gap that shows<br />
little sign of diminishing any time soon.<br />
With advances in automation enabling<br />
today’s criminals to launch devastating attacks<br />
in minimal time and with few Human Resources<br />
of their own, we really must begin to deploy the<br />
same ‘smart’ technologies to cut the time and<br />
cost of shoring up our defences. Frankly, we<br />
neglect to do so at our peril.<br />
Nicola Whiting: Chief<br />
Operating Officer at Titania<br />
www.risk-uk.com