We hear so much in our industry about threats changing, evolving and adapting.
What’s more, they are often described as being quicker and more innovative than the defensive strategies for protecting against them. I have always found that a curious notion – why is it that attack techniques and threats keep shifting and advancing so much, and why does security often seem to be playing catch up?
Well, the proverbial penny dropped recently for me when I attended a digital transformation conference in October. I sat through a presentation by security researcher Samy Kamkar. The name may ring a bell – Kamkar shot to infamy in 2005 when he created the notorious ‘Samy’ computer worm that virally propagated across the Myspace social network.
Kamkar explained that he launched the worm all those years ago to see if he could manipulate the Myspace system to earn a few extra connections and impress some of his techie friends – within a day, he amassed over a million new Myspace acquaintances. The site went down, he was (eventually) raided by the United States Secret Service and Electronic Crimes Task Force, before a plea bargain saw him sentenced to three years’ probation and forced him to give up all internet access.
He served his offline time in an admirable way; he went for walks, he took in more of the non-cyber world around him, and found a new outlook on life. When his sentence was up, he was granted access to the internet once again, and he decided to use his passion for research to help keep things secure, rather than causing havoc. He has been doing this ever since.
It’s a fine story in itself, but the thing that really stuck with me upon hearing Kamkar tell it was his inspiration for creating Samy in the first place.
“There is something super-intoxicating about being able to use some sort of tool and manipulate a system across the internet without knowing anything else about it,” he explained.
Kamkar likened hacking to solving a puzzle. “It’s as if somebody designed a maze; in a typical maze you can escape if you find the right path out,” he said. “With computer hacking, it’s as if somebody designed a maze and then they blocked off all of the exits, but when you’re hacking, you’re still able to find a way to get to the other side.
“Once there is no challenge, the fun is gone,” and so hackers are always looking to push boundaries and see what they can achieve next, Kamkar added.
I knew in that moment why cyber-threats keep changing and evolving so much, and more importantly, why cyber-criminals can prove such tough and dangerous adversaries. Taking malicious nature or financial drivers out of the equation for a moment, if hackers are anything like Kamkar, they’re inspired by an inquisitive nature and a constant determination to solve the puzzle – or make it to the other side, as Kamkar put it. Hacking almost becomes a game that goes beyond just making money, and successes made in security can be short-lived when attackers are driven by that insatiable need to find an answer to a challenge.
This print issue of Infosecurity Magazine, our last of 2019, serves well to explore that notion. On page 22, we look at how cyber-criminals have recently taken their social engineering exploits to a whole new level of sophistication, manipulating AI to create deepfake video and audio that can fool even the savviest of users. It’s a great example of both the ingenuity of attackers and their techniques, and the challenge it poses those charged with security to be just as forward-thinking in defense.
Likewise, our dark web feature on page 18 highlights the growing, robust dark economy in which threat actors continue to trade in credentials, access to compromised systems and stolen payment cards – it’s never been easier to indulge in ‘cybercrime-as-a-service’ exploits.
Under that sort of pressure, it’s no real surprise that security leaders admit to feeling the heat when it comes to defending against cyber-risks. On page 12, our cover feature explores the significant levels of stress, burnout and anxiety that come with the territory of being a modern CISO, and the potentially damaging impact those things can have on an individual’s career and health. Perhaps that’s why more and more security leaders are looking to bolster their organization’s threat detection, investigation and response capabilities by investing in security operations center (SOC) functions. Find out what it takes to make a success of a SOC on page 44.
We also ask whether the time has come to re-assess the Computer Misuse Act (which turns 30 next year), taking into consideration just how different (and potentially dangerous) a place the cyber-world is now compared to when the Act was first introduced almost 30 years ago. You can get to grips with both sides of that argument on page 38.
Finally, I’d like to say a huge thankyou to all of our readers for your continued support over the course of this year – it’s certainly been a busy one! I am delighted with the content that we have been able to bring to you throughout 2019, with special mentions of our Online Summit events, bespoke breakfast briefings and, of course, our podcast series IntoSecurity (launched earlier this year). IntoSecurity has been a joy to work on alongside my co-host Dan Raywood, and we look forward to continuing its success and growing the series further in 2020.
All that remains is for me to wish you all the very best for the remainder of the year, and I hope you have a successful (and secure) end to 2019!