There is little doubt that organizations are operating in an increasingly dangerous cyber-threat landscape, with the prevalence and scale of attacks growing substantially over recent years. This was emphasized in no uncertain terms by the SolarWinds supply chain attacks at the end of last year, which highlighted both the growing sophistication of threat-actors and the vulnerabilities brought about by the highly interconnected and digitized nature of society.
While this is in many ways a daunting landscape for cybersecurity professionals to be operating in, it also offers major opportunities to make a huge difference to society as a whole, particularly in light of the digital shift during the COVID-19 pandemic. It is against this backdrop that Neil Daswani, co-director of Stanford Advanced Cybersecurity Program and Moudy Elbayadi, SVP, chief technology officer at Shutterfly, have written a book that provides a thorough analysis of the main cybersecurity threats and issues over recent history, offering a blueprint for organizations and individuals to keep themselves safe.
In the book, entitled Big Breaches: Cybersecurity Lessons for Everyone, which will be officially published on March 8, the authors have followed the famous Winston Churchill mantra of “those that fail to learn from history, are doomed to repeat it” by analyzing in depth the past 20 years of cybercrime and security, and understanding the lessons that can be taken from this wealth of experience.
The first half of the book takes a look at a number of major breaches that have taken place over recent years while the second outlines strategies for mitigating cyber-attacks based on these findings. To discuss this substantial work and its potential importance to the cybersecurity industry going forward, Infosecurity recently spoke to co-author Daswani.
Inspiration for the Book
So what inspired Daswani to undertake such an enormous project? To some extent, the research occurred naturally as part of his professional life over the years. It started when he was part of Twitter’s information security team, asked by the CISO to analyze breaches at that time that had targeted JP Morgan Chase. Then, after joining LifeLock as its CISO, “I took it upon myself to make sure I understood how organizations were getting breached in the past, what were the lessons to be learned, such that I could help defend my organization and customers from the same threats.”
Daswani’s investigation into the reasons behind breaches took on an educational footing when he was asked to put together a webinar about past breaches in his position as co-director of Stanford Online's Advanced Cybersecurity Program. “That webinar was so well received that we decided to start putting information into our Stanford online security courses on how organizations got breached,” he explained.
All of this demonstrated both the importance of understanding the past to improve security in the future, and the desire within the security community to gain such insights. Continuing to research breaches and putting all the findings and conclusions into a book seemed the natural next step to take.
Originally, the plan was for the extensive research and write-up to be a lone operation, but a chance meeting over a coffee in San Francisco with a former colleague at LifeLock, Dr Moudy Elbayadi, in February 2020 changed things. During this unplanned meeting, Daswani informed Elbayadi about his plans for the book and the rest, as they say, is history. “To both of us it felt like it was fate that we had that chance meeting where I told him about the book,” added Daswani.
Evolving Cybercrime Tactics
Through his research of security breaches over the past 20 years, Daswani has observed “quite a revolution” both in terms of the types of actors involved and the tactics employed. When the internet really started taking off in the late 1990s and early 2000s, most incidents were caused by lone, amateur malware authors who wrote code and released it on the internet. The outcomes would rarely go beyond mere disruption.
As use of the internet grew in the mid-2000s in areas such as e-commerce, more sophisticated cyber-criminal groups began to emerge, realizing the opportunities to make money rather than merely cause disruption. This led to the rise of more advanced attack methods, such as DoS and credit card fraud.
Daswani explained that the emergence of nation-state actors started from the late 2000s, primarily to steal sensitive information from rival states, including trade secrets and intellectual property, to try to gain geopolitical advantages. Unlike cyber-criminal groups, who are motivated purely by financial gain, these actors were “working over months and years to accomplish missions.”
The next evolution was the advent of mega data breaches from the mid-2010s, perpetrated by both criminal gangs and nation-state actors. Daswani cited incidents such as the JP Morgan Chase cyber-attack in 2014, affecting up to 76 million households and seven million businesses in the US, and the global data breaches of Yahoo customers in 2013 and 2014. This trend towards larger-scale attacks has continued since then, and nation-state actors are increasingly the perpetrators. “With the recent SolarWinds hack, it seems that foreign nation state adversaries have continued picking up the scale of their attacks,” noted Daswani.
Lessons from Past Breaches
In addition to analyzing “mega breaches,” Daswani and Elbayadi looked at more than 9000 reported breaches that have taken place to date to try to find any common themes that may help improve security strategies going forward. From this extensive research, six technical root causes were identified in “the overwhelming majority” of cases. These are phishing, malware, software vulnerabilities, unencrypted data, third-party compromise and employee errors. As such, Daswani believes it is vital that CISOs are free to focus on dealing with these root causes, ahead of other considerations such as satisfying the vast array of security compliance standards that are in place in many countries. “There’s a saying that complexity is the enemy of security, and I honestly think that if we’re going to win this game, we need to simplify things and put our focus on the root causes that really matter as opposed to just trying to be compliant,” he explained. “From what we’ve seen, of most of the breaches that have taken place, pretty much every company could produce their compliance attestations at the time they were breached.”
As well as implementing measures to counter those six technical root causes, Daswani and Elbayadi also believe that organizations need to work on establishing a stronger cybersecurity culture, ensuring this is a priority throughout all departments and employees. “If we look at many organizations that have been breached, they did not prioritize security as highly as they should have, they did not invest in security as much as they should have and they did not execute on their security initiatives with as much rigour as they should have,” observed Daswani.
As part of this, in the book, the authors set out ‘The Seven Habits of Highly Effective Security’ that people need to encode in their behavior to achieve security. These are: 1) Be proactive, prepared, and paranoid; 2) Be mission-centric; 3) Build security and privacy in; 4) Focus on security first, achieve compliance as a side effect; 5) Measure security; 6) Automate everything; 7) Embrace continuous improvement. These behaviors should be a consideration for both organizations and individuals alike as growing numbers make use of the digital space.
Future Evolution of Cybersecurity
With the rise in cybercrime over recent years, exacerbated by increased digitalization in the past year following COVID-19 lockdown measures, Daswani opined that the cybersecurity sector needs to evolve at a particularly rapid rate. In the book, he makes the point that while this field is still relatively young, cybersecurity is under pressure to develop far faster than other industries, drawing comparisons with the gradual introduction of safety features in the automotive sector. “I definitely expect cybersecurity evolution to happen much faster than the automotive revolution, and we’ve seen some indication of that,” he noted. “We’ve seen that, over the past seven years, there have been almost 4000 new cybersecurity companies and many of them have been acquired and incorporated their defenses into larger organizations.”
Daswani points out that against many forms of cyber-attack there are highly effective security solutions available, but low adoption is preventing them from having the impact they should have. He gave the example of using hardware security keys as an additional authentication factor, which Google and Salesforce adopted for their employee base in recent years. “What we saw is they pretty much eliminated phishing attacks from happening against their entire employee base,” he noted. Daswani added that widespread adoption of hardware tokens has the potential to virtually eliminate phishing as a threat, which would be an enormous boost in the fight against cybercrime.
In general, Daswani believes organizations need to enhance their technological defenses over the coming years to provide adequate protection against increasingly sophisticated threat actors. As well as automation to help quickly detect when attacks are occurring, there is a particular need for investment in “adversarial AI,” with Daswani noting that cyber-criminals are increasingly finding ways to dupe AI security. “In addition to using AI security, we’ve got to make sure we’ve got security for AI,” he added.
While the knowledge and tactics of cyber-criminals have significantly advanced over the years, Daswani and Elbayadi’s work shows that looking back at the past can provide enormous benefits for the future. Their extensive research of successful cyber-attacks over the past 20 years has found some common themes, from both an attack and a defensive perspective, which could help CISOs refine their strategy in the future in the midst of an increasingly digitized world.