Understanding security in the world of risk society

Jake Olcott, VP of Government Affairs, BitSight

Renowned sociologist Ulrich Beck explained “Risk Society” as “Modern society becoming a risk society in the sense that it is increasingly occupied with debating, preventing and managing risks that it itself has produced”. Beck was writing in the mid-eighties, in a post-Chernobyl environment where the globally significant risk consequences of human activity were becoming starkly apparent. Fast-forward to today, and his insight is even more incisive, as we struggle to manage the inherent risks that have developed in tandem with our innovations in technology and digital networks. Preventing, managing and mitigating the impacts of cyber risk – a risk we have ourselves created – is a major challenge for individuals, businesses and nations worldwide.

Business v Personal

As technology constantly evolves, we want to take advantage of it to make our lives easier and more successful. The data we provide to the organisations we use for social and business purposes is becoming more important, but at the same time the risk increases. This causes problems for individuals at a personal level, but there are also serious knock-on effects for business and society as the trust on which relationships depend is eroded. Beck observed this, noting that perceptions of risk can alter the future development of systems, technologies and societal structures themselves.

From a personal point of view, every transaction and interaction you have with organisations involves sharing personal data, such as your name, address and birth date. The same is true online: every time you visit a website, search for or buy something, use social media or send an email. Sometimes you share data consciously and deliberately, by entering it into a website for example, and sometimes data is shared less overtly, through the ever-present cookies and tracking apps that we all tend to authorise without a second thought.

Sharing data helps make life easier, more convenient and connected, but the data is still your personal property. The price of that data getting into the wrong hands can be very high in physical, financial and psychological terms: limitation of an individual’s rights, discrimination, identity theft or fraud, financial loss, damage to reputation and significant economic or social disadvantage.

As Beck predicted, the evolution of this risk has given rise to an intense preoccupation with discussing, managing and preventing it, largely through the implementation of regulations – such as GDPR – designed to protect individual privacy and hold businesses and organisations that collect personal data to account.

Befitting the risk associated with personal data loss, the punishments are severe – multimillion-pound fines, legal ramifications and reputational damage all have a direct impact on the business’s bottom line. They combine to make the consequences of mis-managing this risk as unacceptable to businesses as having data stolen is to individuals. The aim is to try and restore a balance of trust between individuals and business/society that reduces the risks of data-sharing for all involved.

So, in the ever-connected digital world, security risk is inevitable and both customers and businesses are heavily affected. Regulation is one way that society is tackling the issue – creating a “stick” to keep corporations in line. However, Beck has more insight on how “Risk Society” manages itself, describing the development of “a systematic way of dealing with hazards and insecurities induced and introduced by modernisation itself”.

Reflexivity and monitoring

Beck draws heavily on the concept of reflexivity, the idea that – as a society examines itself – it changes itself in the process. Within the social theory of reflexivity sits the idea of monitoring. Monitoring enables us to assess and understand the ways that a new set of practices affect business and people.

The concept of self-monitoring was first introduced in the 1970s, highlighting how it can help people with self-presentation, expressive behaviour and nonverbal affective displays. The concept provides an important tool for society for both personal and business purposes. Self-monitoring is something we all do every day to help manage risk, whether through calorie-counting apps to avert ill health, credit-rating services to help manage financial obligations or time management for work productivity. All self-monitoring is done as a preventative measure – it is the “carrot” of self-improvement, creating a better, safer life. However, it is fair to say that self-monitoring of personal data privacy remains in its infancy among the general population. Few people take a proactive, systematic approach to maintaining personal data hygiene and security. So, whilst the public still requires education, the business world needs to take the lead in ensuring customer data is protected; this is where security sits in the risk society.

Causes for concern

From the perspective of the public, there is of course no ‘one size fits all’ view on exactly which privacy issues they are concerned about. But the most common themes tend to be the following.

  • Control – people want to control their personal data.
  • Transparency – people want to know what organisations will do with their personal data.
  • Education – people want to understand the different purposes, risks and benefits of data sharing.
  • Reassurance – people want assurance over the security of their personal data, together with the specific rights of access, deletion and data portability.

As more of the public’s daily lives are spent online and the range of information held about them by organisations increases and is more likely to be processed electronically, this brings in new challenges for enterprises handling the data. Chief among these is the fact that large data repositories are highly attractive to cybercriminals who want to steal and monetise personal information. So how can businesses mitigate the risks in the context of Beck’s risk society? A three-step process of planning, monitoring and metrics can help.

Planning proactively

Understanding that the business operates in a risk society and treating risk as a strategic issue is the first step. The second is to plan proactively for what happens should those risks become reality. For businesses it is important to agree an incident response plan. This should include breach notification within an agreed timescale and the remedial actions to be taken by the organisation. Proactiveness and transparency pay dividends not just in containing a breach from a security perspective but also during post-breach compliance analysis by regulators – it all adds to the awareness that’s essential to operating in a risk society.

Monitoring third-party ecosystems

The threat environment is continuously changing. A supplier that passed due diligence yesterday may not be secure today. This is where the self-monitoring aspect comes in – it has to be ongoing and as close to real time as possible to identify emerging threats. The security performance of the business itself and of the suppliers that are critical to its operation must be monitored continuously to ensure that customers are protected from service interruptions and data theft. The act of observing allows businesses to refine and inform their risk mitigation activities to reflect the reality of risk society.

Setting success metrics

Looking back at the “stick” of regulation, an important part of compliance is being able to demonstrate that a risk management programme is not just in existence but is understood and endorsed at Board level. Key to this is regular reporting of metrics that link cyber risk to business risk.

Regulations such as GDPR and the California Consumer Privacy Act have highlighted how operating in the risk society is one of the biggest challenges facing today’s business ecosystem. As individuals entrust their personal data to businesses with the expectation that it will be protected, businesses need to adopt practices of self-monitoring and utilise real-time risk intelligence to ensure that neither their own security posture nor their third parties introduce unacceptable risk into the organisation.

Millions of Amazon Echo and Kindle Devices Affected by Wi-Fi Bug – Comment

It has been reported that millions of Amazon Echo (1st generation) and Amazon Kindle (8th generation) devices are susceptible to an old Wi-Fi vulnerability called KRACK, which allows an attacker to perform a man-in-the-middle attack against a WPA2-protected network. Using this attack, bad actors can decrypt packets sent by clients in order to steal sensitive information that is sent in plain text. While the WPA2 wireless connection itself is compromised by this attack, it is important to note that any traffic that is already encrypted at a higher layer before it is sent over the wireless network will still be protected from snooping.

Commenting on this, Sam Curry, chief security officer at Cybereason, said “The Amazon Echo, Kindle and the entire Amazon home automation suite sits at the intersection of our personal and digital lives. The implications at home and at work and how to accommodate these devices safely and securely are still being discovered. WiFi sniffing, interception and hijacking are nothing new, but this latest development may have more implications than simply snooping on your Kindle reading habits. Keep in mind that businesses have commercial relationships in place with AWS and your Amazon identity is often linked to your home, your bank accounts and credit cards. It’s a good idea for Amazon to think carefully about all of its common components and this usage sooner rather than later.”

New phishing campaign targets Stripe users to obtain banking data – Comment

A phishing campaign using fake “invalid account” Stripe support alerts as lures has been spotted attempting to harvest customers’ bank account information and user credentials via booby-trapped Stripe customer login pages. Stripe is one of the top online payment processors, providing the payment logistics internet businesses need to accept payments over the Internet from their e-commerce customers. This makes Stripe users a prime target for threat actors looking to get their hands on banking information, given that the company handles billions of dollars in payments every year.

Commenting on the story is Jonathan Deveaux, head of enterprise data protection at comforte AG:

“Companies that are profitable, disruptors, or trendy may be HIGHER profile targets than other organizations. Threat-actors realize that emerging companies may have data security gaps due to their success and rapid growth. As customer popularity grows for a company, so do cyber-threats against it.
In this case, the cyber-threat is targeting its customer base under false pretences of the Stripe name. Stripe seems to have done a good job of providing information on its website with tips that should help users avoid getting phished.
Companies who want to secure their growth and protect the data privacy of their customers should do two things: 1) Keep their customers well informed about steps to avoid phishing attempts, and 2) Look at data-centric security to minimize risks from data breaches or data incidents.”

UK and US Governments Issue Update Now Warning For Windows, macOS And Linux Users – Comment

It has been reported that both UK and US government agencies have taken the unusual step of issuing a rare “update now” warning to Windows, macOS and Linux users concerning a critical cybersecurity threat from advanced persistent threat (APT) actors. The NSA warns that, in this ongoing attack, APT actors could remotely take control of affected Windows, macOS and Linux systems. The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has also issued an advisory recommending that users upgrade now, and the National Cyber Security Centre (NCSC) in the UK has issued an alert.

The NSA advisory concerns the exploitation of multiple vulnerabilities in Virtual Private Network (VPN) applications. As is often the case, these official government warnings come when vulnerabilities that have been known about for some time, and for which fixes are available, are still being exploited at a level that causes concern. Indeed, according to the NCSC alert, the vulnerabilities are well documented in open source and the exploit activity is continuing against international targets across the academic, business, government, healthcare and military sectors.

Commenting on this, Tim Mackey, Principal Security Strategist at Synopsys CyRC (Cybersecurity Research Center), said “Most remote workers are familiar with a key requirement to access corporate systems – the ubiquitous VPN client or VPN software. VPN software is used by most businesses to provide a connection to services secured on internal networks to their employees who require access from public networks. The software works by bridging the network on the client device, be it a desktop, laptop or tablet, to the internal network. Access occurs over an encrypted network connection which in theory ensures that sensitive corporate information isn’t visible to other users on the public network and is only accessed by authorised individuals. VPN software is of course a software application, and it needs to be secured just like any other software – so what happens when it isn’t?

This is precisely the scenario outlined in the advisory from the US NSA and the UK NCSC issued on October 7 following up on an advisory from the Canadian Center for Cyber Security in August based on research disclosed at the annual Black Hat and DEFCON conferences in August. In their talks at Black Hat, the researchers from DEVCORE outlined a series of exploits in popular VPN software from multiple vendors. In each of the scenarios covered, the researchers followed responsible disclosure practices and worked with the VPN vendors to ensure patches were created. So if patches are available, why is the NSA issuing a bulletin almost two months later?

Whenever new research is published showing a potential exploit, that exploit will eventually form part of a toolkit used by malicious actors. In this case the NSA is calling out that a class of attack known as an Advanced Persistent Threat, or APT, has been created to take advantage of the vulnerabilities disclosed. An APT relies on the reality that inevitably someone won’t have patched their system and then can be exploited. The easy answer then becomes to patch, but this time it’s more complicated. Given the nature of the vulnerabilities, it’s entirely possible that a successful exploit has occurred with at least one user of an impacted system. Proper patching in this context requires both a reset of any access credentials and potentially a reset of any access tokens used by users for cloud services. The credential reset must occur after the patch has been applied as any reset prior to the patch could enable the attackers to collect the updated credentials. It’s also worth noting that the researchers were able to demonstrate a bypass of a 2FA solution meaning that organisations who are delaying rollout of patches believing that their MFA solution mitigates the attack vector may be at greater risk. The last part of the remediation is to perform a forensic analysis to ensure that no infection occurred and that systems are configured as expected.

For the technical folks out there, this situation was created in part due to VPN vendors creating proprietary implementations of secure communication protocols. Unlike implementations from open source solutions, proprietary implementations of security solutions often lack the level of scrutiny afforded to implementations performed by open source communities. Additionally, the VPN solutions involved allow for proprietary extensions to be written in languages like C/C++, Perl or Python. These extensions all require additional care when validating and executing an extension. To best address the types of problems covered in this advisory, VPN vendors should implement a security regimen encompassing protocol fuzzing and threat models. VPN customers expect their VPN to provide a highly secure connection from a public network, and public networks are notoriously unreliable making any instability within the VPN an opportunity for attack.”
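
As an added example (not part of the commenter’s text or of the advisories), the ordering rule above can be turned into a simple audit: a credential or token reset only counts if it happened after the patch was applied, because a reset on a still-vulnerable system may have leaked the new secret. The log format, host names and event names below are constructed assumptions.

```python
"""Patch-then-reset remediation audit over constructed VPN host event lines (added example)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional

# Constructed sample events, one per line: "<ISO timestamp> <host> <event>".
# Hosts, timestamps and event names are assumptions made for this example.
SAMPLE_LOG = """\
2019-10-08T09:00:00 vpn-gw-1 patch_applied
2019-10-08T10:30:00 vpn-gw-1 credential_reset
2019-10-08T10:31:00 vpn-gw-1 token_reset
2019-10-07T18:00:00 vpn-gw-2 credential_reset
2019-10-08T11:00:00 vpn-gw-2 patch_applied
2019-10-08T12:00:00 vpn-gw-3 patch_applied
2019-10-08T12:05:00 vpn-gw-4 credential_reset
"""

# Resets the comment calls for once the VPN software itself has been patched.
REQUIRED_RESETS = ("credential_reset", "token_reset")


@dataclass
class HostState:
    patched_at: Optional[datetime] = None
    resets: Dict[str, datetime] = field(default_factory=dict)  # latest reset per type


def parse_events(text: str) -> Dict[str, HostState]:
    """Fold event lines into per-host state, keeping the latest time for each event."""
    states: Dict[str, HostState] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event = line.split()
        when = datetime.fromisoformat(ts)
        st = states.setdefault(host, HostState())
        if event == "patch_applied":
            st.patched_at = when if st.patched_at is None else max(st.patched_at, when)
        elif event in REQUIRED_RESETS:
            st.resets[event] = max(st.resets.get(event, when), when)
    return states


def audit(text: str) -> Dict[str, str]:
    """Classify each host as unpatched, remediated, or reset_needed:<events>."""
    findings = {}
    for host, st in parse_events(text).items():
        if st.patched_at is None:
            findings[host] = "unpatched"  # resets before the patch buy nothing
            continue
        missing = [e for e in REQUIRED_RESETS if e not in st.resets]
        # A reset dated before the patch is treated as if it never happened.
        premature = [e for e, t in st.resets.items() if t < st.patched_at]
        redo = sorted(missing + premature)
        findings[host] = "reset_needed:" + ",".join(redo) if redo else "remediated"
    return findings
```

Running `audit(SAMPLE_LOG)` flags vpn-gw-2 for both resets even though its credentials were already rotated once, because that rotation predates the patch.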

Attackers exploit zero-day vulnerability that gives full control of Android phones – Comment

It has been reported that attackers are exploiting a zero-day vulnerability in Google’s Android mobile operating system that can give them full control of at least 18 different phone models, including four different Pixel models, a member of Google’s Project Zero research group said on Thursday night. There’s evidence the vulnerability is being actively exploited, either by exploit developer NSO Group or one of its customers, Project Zero member Maddie Stone said in a post. Exploits require little or no customisation to fully root vulnerable phones. The vulnerability can be exploited two ways: (1) when a target installs an untrusted app or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content.

Commenting on this, Jonathan Knudsen, senior security strategist at Synopsys, said “The newly announced Project Zero disclosure involving a vulnerability in the Android kernel illustrates a classic division of labor between development teams and security teams.

“Vulnerabilities will inevitably slip through the cracks if security testing mechanisms aren’t incorporated into the testing phase of software development. Using a secure development life cycle (SDLC), including more and better security testing, means that more vulnerabilities will be located and eliminated before products are released.

“When a downstream security team, an external researcher, or an adversary finds a vulnerability, the best practice is to determine why the vulnerability was not found during development, then improve the process so that any similar vulnerabilities will be detected and eradicated as early in the development process as possible. Over time, the SDLC becomes more and more accurate and lethal to vulnerabilities, resulting in fewer released vulnerabilities and lower risk overall.”