Overcoming the next wave of cybersecurity threats
Threat actors are adapting and innovating at a faster pace than ever. On the one hand, cybersecurity as a constant tug-of-war between attackers and defenders has remained unchanged, observes Huang Shao Fei, CISO of SMRT Corporation in Singapore. On the other hand, the consequence of a successful cyberattack has morphed from yesteryear’s annoyance and productivity loss to having substantial, even crippling real-world impact.
The scale of cybersecurity has certainly ballooned, notes cybersecurity researcher and practitioner Professor Lam Kwok Yan. Prof Lam, the associate vice president of strategy and partnerships at the Nanyang Technological University (NTU), says this is driven primarily by the prospect of monetary gains and fuelled by unaffiliated black hats working together.
No longer a fringe problem
Part of the reason why cybersecurity is so impactful today can probably be attributed to the pervasiveness of digital systems in our society. Huang pointed to the discovery of a critical vulnerability in the widely used open-source Log4j library late last year, and the subsequent scramble by the IT industry to identify and patch affected systems.
“A software vulnerability is like a pandemic. The Log4j zero-day was like patient zero. But discovering it doesn't mean that you are done, as there could be instances of vulnerable code out there that you are not aware of. You are hardly out of the woods even after you treat patient zero; you need to get everything checked.”
And the fact that Log4j was also used in some embedded systems underscores how hardware systems are just as vulnerable. Indeed, a critical vulnerability was found in the security cameras made by a top video surveillance equipment maker just weeks ago, says Huang. Like it or not, the always-connected nature of IoT devices makes them a potential attack vector.
The extensive use of digital technologies has opened the doors to an avalanche of cyber threats that are evolving at a “crazy” rate, says Huang. And rather than focusing on addressing yesterday’s problems, organisations need to look ahead and develop an overarching strategy.
Huang shared an anecdote to illustrate his point: “Imagine owning a beautiful bungalow. Because you value your privacy, you decided to build an imposing and extraordinarily high wall around your home. Cost you a small fortune, but no one is going to get in any time soon.”
This tale might have ended well 10 years ago, but not today. Huang mused: “Today, any kid could stand just outside your wall, fire up a drone, and peer through your windows with its built-in high-resolution video camera.”
The vulnerable side of AI
To stem the deluge of cybersecurity threats, the industry has turned to AI and automation, says Prof Lam. And there is no question that these technologies play a vital role in helping security analysts to assess a voluminous amount of data far quicker than was possible in the past.
However, Prof Lam cautioned that more attention needs to be paid to operationalising AI systems. “For AI to work, you first need to gather a large amount of relevant data. You need to store this data somewhere and manage this storage. And only after you train the AI model do you put it into production to detect threats or make predictions,” he said.
The process of training and deploying AI models is vulnerable to adversarial attacks: “If an attacker could poison the data used to train your AI, then they might be able to make your AI overlook something vital. Or if they could somehow gain access to your AI model, they could identify ways to circumvent it.”
This is often the case in cybersecurity, says Prof Lam, where a new solution invented to solve an existing problem ends up creating new problems in need of new solutions: “AI helps us address productivity challenges and manpower shortages. However, it could itself become a target. This is something we need to bear in mind as AI is increasingly used in cyber operations.”
Ditch the rose-tinted lens
The nature of cybersecurity means that there will never be a perfect solution to help organisations achieve a risk-free state, says Huang. Unfortunately, many cybersecurity professionals tend to present only the best-case scenarios to their senior leadership and board of directors.
Instead, Huang recommends that organisations strive to achieve resilience, which entails thinking of the worst-case scenarios. This calls for organisations to move beyond robustness to building antifragility into their systems and processes. Failure has an important role to play here, with the idea that we come back stronger in the face of stressors or mistakes.
“Think of the human muscle. Some pain is inevitable if you want to build up your muscles and increase your fitness. There is a parallel here to the pain of a cyber crisis or cyber incident,” said Huang. “If you meet a CSO who tells you that their organisation is highly secure, that they never handled a single cyber incident – I think you would rightly be sceptical of their ability to weather a cyberattack.”
The concept of coming back stronger is one reason why Huang often looks out for SOC (Security Operations Centre) experience, even for backend cybersecurity roles. He explained: “I want people who have set their boots on the ground. Never mind if they have lost a [cybersecurity] war, as long as they have fought one. I feel that says a lot about the person: You fought the war, you did not give up, and you came back stronger.”
An ecosystem of trust
While the bulk of hackers used to be either lone amateurs doing it for street cred or syndicates stealing data or engaging in blackmail for profit, a new class of hackers has emerged in recent years, according to Prof Lam. These are highly skilled experts in their respective fields, brought together through the dark web with a common goal of profiting through cyber shenanigans.
Their contributions might range from writing specialised malware code and social engineering to monetising stolen data or even laundering illicit gains. “I think cyberattacks will be more specialised, more advanced, and more difficult to detect. And because there are so many anonymous parties involved, this means that even if you could track one down, you may not be able to find the others,” said Prof Lam.
And in the face of sophisticated misinformation campaigns and the use of bots to drown out legitimate voices, Prof Lam thinks the emerging field of trust technology could well play a vital role to help security professionals overcome the evolving threatscape and the increasing sophistication of cyberattacks.
Today, a search engine might throw out contradictory recommendations to various cybersecurity-related questions. And who is to say that a seemingly legitimate recommendation is not poisoned by an adversary, or one-sided advice missing important context or downside risks?
Prof Lam envisions an ecosystem of established websites or trusted intelligence sources to serve the cybersecurity industry. “I think there's a lack in this area right now. So that could be another trend with a provider offering trusted information as a cybersecurity service.”
Ultimately, cybersecurity professionals must work together. “The ecosystem aspect of cybersecurity is very important. Attackers are now working together. Cybersecurity professionals must work together, whether by sharing experiences, sharing knowledge, and sharing tools,” he said.
GovWare 2022 is back and will be held at the Sands Expo and Convention Center on 18-20 October 2022. This gathering of great minds will once again see cybersecurity trailblazers, business leaders and policymakers coming together, with an extensive exhibition alongside co-located events.
Don’t miss your opportunity to learn from the best with this year's theme: Fostering a Safe and Sustainable Cyberspace Amidst Disruption.