Insider perspectives on global cyber safety and security status (Part 3 of 4)

Pierluigi Paganini May 20, 2012

Article published on The Malta Independent

Data-breaches, intellectual property loss and your money… We have all heard the headlines about the social and economic implications of cybercrime, but how bad is the situation really? If we have a serious security problem, how do we get ourselves out of this mess? In particular, what can I do to improve my situation and protect those I care about?

Each week, this easy-to-understand series of articles quotes cyber security insiders to progressively answer these important questions. In the first week’s article, we learnt that according to the US National Security Agency (NSA): “There is no such thing as ‘secure’ anymore.” Worse, critical aspects of today’s mainstream civilian cyber security ecosystem foundations are fundamentally flawed at the conceptual design, architecture and implementation levels. (See Synaptic Labs’ free 2012 Annual Cyber Security Reports online for the full blow-by-blow disclosure.) In last week’s article, we explored why weak cyber security is one of the most serious (inter)national security challenges we face today. We learnt how computers used in industrial systems can be hacked and reprogrammed to make room-sized power generators jump up and down, emit smoke, and shake themselves to pieces. We also learnt how “it is possible to contaminate the database upon which banking operates. [As] there is no gold standard, no dollar bills, so if you can just contaminate the data in one large bank, you could cause global banking to collapse.”

This week we look at the perverse economic incentives driving cybercrime, how we got ourselves into this cyber mess, and explore the concept of due-care.

With our sincerest apologies to Jessie J and her song “Price Tag”, in the cyber espionage and freelancing underground cybercrime communities: “It’s all about the money, money, money. We want your money, money, money. We just want to hack your computer. Forget about your welfare. It’s about your (ha) Cha-Ching Cha-Ching. It’s about your (yeah) Ba-Bling Ba-Bling. Can you feel that (yeah). We’ll pay them with your credit card tonight…”

Unfortunately, cyber espionage and cyber crime are profitable industries that are immune to the current economic crisis and to their own moral crisis. The PricewaterhouseCoopers (PwC) “Global Economic Crime Survey” (2011) paints a dire picture: cybercrime is showing double-digit growth, and it now ranks among the biggest crime threats to UK businesses, behind only asset theft, fraud and corruption.

Lack of awareness of the cyber threat, tight budgets and the contraction of investment in education and prevention enable criminals to undermine our businesses far more profitably. Brian Snow, former technical director of the US NSA’s Information Assurance Directorate, made the following assessment in November 2011: “Data-breaches and financial losses are now hurting every segment of the community, it’s a wake up call. They are driving the community to become acutely aware of the (security) weaknesses in current products and systems, and better yet, it forces an increasing awareness of the real need to fix things! The sleeping customer (ed: citizen) is waking up.”

The groundbreaking study “Norton Cybercrime Report: The Human Impact” (2011) exposes the alarming extent of cybercrime and the feelings of powerlessness and lack of justice felt by its victims worldwide. According to that report, fraud is costing victims more than $388 billion worldwide per annum.

Up to 35 per cent of the global cybercrime bill was paid by US fraud victims, who lost $139 billion to cybercrime last year. Attacks are now occurring at a rate of 141 victims per minute, an alarming statistic. To quote Brian Snow: “No (ed: person or) organization is immune and it is no longer credible to say: Not my problem!”

Unfortunately, it is impossible to effectively manage the cyber threat using a reactive “fire-fighting” approach, because many serious attacks have a silent genesis. According to the UK government: “The covert nature of the threat means that the public and businesses can underestimate the risks.” Pauline Neville-Jones, former governor and chairman of the British Joint Intelligence Committee and the UK government’s special representative to business on cyber security, says: “There is a vast swathe of corporates who have valuable intellectual property, much more valuable than they understand, which is inadequately protected. They don’t even realise it has been stolen. They don’t even know they have been the subject of attack. They usually have to be told about it by a third party, most of them do not discover it for themselves. The level of awareness is nothing like it needs to be. This is a very, very serious state of affairs.” Sustained attacks can lead to disastrous consequences. Nortel was a victim of Chinese cyber espionage for nearly a decade, and has since collapsed in bankruptcy.

We occasionally hear some security experts/vendors pointing the blame at users. Clearly, better training of end-users and business managers would help reduce our collective risk and we applaud the public cyber awareness campaigns in many countries. You can see some very good examples on the ICT Gozo Malta Project website at [ictgozomalta.eu/cyber-security-awareness.html] We should all do what we can to advance our own understanding to protect ourselves and support others!

However we would be dangerously mistaken to place all the blame for our cyber security problems on the user in “main street”. According to Brian Snow, the ICT industry also has a lot to answer for: “There are problems today in Cyber Security practice that impact the community as a whole, and we need to solve those problems soon. They are pervasive, ongoing, and getting worse, not better. Right now, the community at large is applying the wrong or inadequate engineering practices, and taking a lot of short cuts. This adds greatly to our collective security risks.”

In short, no one person, group or sector is to blame. Security short cuts are being taken by all sectors of the global community. To quote Snow: “He who gets to the interface first, wins; so get security and risk experts involved early in your company’s operations and/or designs, indeed, at the very beginning; not as an afterthought!

“If you want transportation in a benign environment, you design a car. If you want transportation in a highly malicious environment, you design a tank! In the current climate on the Internet, I assure you – right now, you need a tank!”

Engendering a life-long ICT learning framework is essential to enabling the growth of the knowledge economy. Cyber security is now seen by the UK government and many other countries as an essential pre-requisite to sustaining that growth. If we want to follow Brian Snow’s guidance and get security in place at the very beginning, we need to integrate cutting-edge cyber security training as a pre-requisite (like reading, writing, arithmetic and IT) for every student in mainstream education systems (see [http://csrc.nist.gov/nice/] for an education framework).

When looking for best practices in managing any serious risks, we can look to the Australian Mining Occupational Health and Safety (OHS) legislation for inspiration. This legislation is generally viewed as being the most progressive (and among the most effective) in the world. It is based upon duty of care, risk management principles and workforce representation, with the primary responsibility for the provision of a safe work place residing with the business operator.

In this framework, government inspectors act as both enforcers of regulations and mentors who encourage good health and safety performance. Enforcement protocols are generally risk-based, with action being defined by both the level and immediacy of the risk.

In this context, “Duty of Care” means that:

  1. “An employer must, as far as practicable, provide a work environment in which employees are not exposed to hazards, and must provide information, instruction, training and supervision,
  2. Employees must take reasonable care for their own safety and health, and that of others at work,
  3. Self-employed persons must, as far as practicable, ensure that their work does not adversely affect the safety and health of others, and
  4. Suppliers have a duty of care to supply equipment, goods and services that are not only fit for purpose but also do not adversely affect the safety and health of workers.”

In a cyber security context, the goals are the same: the management of cyber risks and the protection of all stakeholders. This joint duty of cyber care must be shared between governments, vendors, employers and employees. According to Brian Snow: “Each of us has the responsibility:

  1. To educate ourselves on cyber security issues,
  2. To find out what our individual security roles are in our business operations (and personal life),
  3. To improve our skills and apply them to improve the security posture of the community, and
  4. To identify what we cannot do personally and then call on the security community to deliver it.”

Visit [tinyurl.com/cybermalta] for links (hosted on the ICT Gozo Malta website) to some of the best free business cyber security education resources, including free work force training videos. We also strongly recommend you watch Brian Snow’s free 20-minute presentation “Our Cyber Security Status is Grim (and the way ahead will be hard)” for accessible guidance for business people and techies on how to get security right in your organisation. Be sure to read the next article in this series and join us in taking the next steps together to secure (y)our world!

by Ron Kelson, Pierluigi Paganini

References

Part 1

Part 2

You can find full citations to all materials referenced in this article, and related cyber security materials including Brian Snow’s presentation, at tinyurl.com/SynapticLabsAnnualReports2012. Co-author Pierluigi Paganini, Director and CISO of Bit4ID, Italy, has 20+ years of security experience and many years of in-depth investigative cyber security journalism on important cyber events. Find his blog at securityaffairs.co. ICT Gozo Malta is a joint collaboration between the Gozo Business Chamber and Synaptic Labs, part funded by the Ministry for Gozo, Eco Gozo Project, and a prize winner in the 2012 Malta Government National Enterprise Innovation Awards. www.ictgozomalta.eu has links to free cyber awareness resources for all age groups. To promote Maltese ICT to the world, we encourage all ICT professionals to register on the ICT GM Skills Register and keep aware of developments, both in cyber security and other ICT R&D initiatives in Malta and Gozo. For further details contact David Pace at david.pace@ictgozomalta.eu
