
Fighting for Survival in the Age of Cybercrime

…is this the End?

October 2017


Isn’t that what we are all thinking? Can this REALLY be happening, that yet another company failed to protect data, and now we are all suffering the consequences? Well, that is not quite true – only 145.5+ of us in the United States [3]. When you take a step back and look at the root cause of these massive breaches, some still yet to be discovered, we must apply Occam’s Razor – the simpler answer is the best answer. So, what is the answer to why these devastating breaches are still happening? In my relatively blunt, unfiltered mind – the answer is total unobliterated arrogance.

Let’s look at a few facts to see if my conclusion could be true. We know definitively that in our digital age breaches are not a matter of if, but when. We know software needs to be patched (duh).

We know we must protect our critical data. And we know we must prevent breaches, not just detect them. In most cases you hear about in the news, companies were warned by third parties that they had a vulnerability, or many, that exposed them to high-risk intrusions, and they chose to ignore or accept them.

I don’t want to pick on Equifax alone, because there are so many others just like them who were fully aware of the risks and chose not to protect personally identifiable information (PII), which they were required to do by regulations and policies. Now, with news of Equifax receiving a $7.25 contract from the Internal Revenue Service (IRS) to verify the identities of taxpayers and provide fraud prevention services, the potential risk has increased two-fold. And, to be blunt, it just does not make sense.

Disparity of Consequences [1,2,4,5]

“Ignorance and weakness is not an impediment to survival. Arrogance is.”

― Cixin Liu, Death's End

Really?!

#WTF?

1 United States of America -v- Bernard L. Madoff

2 United States of America -v- Albert Gonzalez

3 https://www.nytimes.com/interactive/2017/your-money/equifax-data-breach-credit.html

4 http://www.nytimes.com/2009/06/30/business/30madoff.html

5 https://www.scmagazine.com/hacker-albert-gonzalez-receives-20-years-in-prison/article/557561/


I am sure there wasn’t a situation where someone (hypothetically of course) went to the CEO and Board and said, “hey – we have found a weakness in our systems and at any minute we can be hacked by criminals.” No executive would say, “that’s ok, let’s just roll the dice and worry about that later.” Most likely, someone in the cyber security organization would realize the risks, assemble a plan to mitigate against breaches, and present the plan to a senior executive who would inevitably choke on the price tag and say, “it’s too expensive” or “it’s not in the budget”. To those irresponsible people who fall back on those excuses, I ask (hypothetically) – was the $150 million+ loss to your business in your budget? [6]

Because insurance doesn’t cover everything and it certainly doesn’t guarantee you won’t be fired for being a buffoon. Let’s call things what they are – because in the end, those executives would be choosing profit over protection. Arrogance AND Greed. I went ahead and added greed into the mix, for all those executives who did that and sold their stock before these breaches went public.

Unfortunately, this is the world we live in. It is evident that “corporate responsibility” is not going to force executives and boards to invest to effectively protect and prevent breaches. If things stay their current course, we must pause and ask ourselves – how do we survive? Literally – survival of our lives as we know it. Let’s dive a bit deeper into how we got ourselves into this mess, and how we get out of it alive (yes, a bit dramatic, but not that far off from reality).

…Really?!

6 https://www.juniperresearch.com/researchstore/innovation-disruption/cybercrime-security/enterprise-threats-mitigation

Is it REALLY that Bad?

Yes, it is really that bad. We live in an age of technology where we have become dependent on the luxury, immediacy, and automation it provides. Internet-enabled technology touches everything from milking cows to operating nuclear power plants. Simply put, if you take down the systems – you take down a nation. Imagine a nation state attack against a system that powers IT for air traffic control, nuclear cooling devices, cellular and land communication, and transportation.

One of these alone could destroy our way of life for a significant period and could kill many innocent people. Some say the Equifax hack did not result in potential harm to human lives. But is that really true? One could speculate that having the identities of half of the American population might allow terrorists to use that information to infiltrate one of these systems – then it’s game over. Hacker mic drop, walk off the stage.


TRAITORS!! Who are these evil hackers?

We must accept that evil exists in this world. Criminals are opportunistic. They walk past an unlocked car, they open the door, and take what they can. I would be happy to dive deep into the psychology of evil people, but that isn’t why you are reading this paper. I will, however, briefly cover how this problem came about and how it has evolved into the current epidemic, in hopes of helping you understand the challenge we are facing. I would be remiss as a cyber professional if I did not include at least one reference to Sun Tzu: “know thy enemy as you know thyself.” That said, not all hackers are bad. At times, they help identify weaknesses before the ‘bad guy’ finds them. But that’s not the group we are talking about. We are talking about the “black hat” hackers, i.e. the bad guys.

The motivations of bad people span a variety of reasons. These reasons are ever-changing depending on politics, religion, mental illness, etc. (even hackers). Over the past few decades, the growing dependency on technology has provided bad guys with a growing opportunity to commit heinous crimes. The timeline shows some examples of how bad guys are outpacing the good guys [7,8,9,10].

7 2016 Norton Cyber Security Insights Report

8 Computer Crime and Intellectual Property Section, Criminal Division

9 FBI U.S. Auto Theft Statistics 2013

10 FBI Cybercrime Report 2013


Most of us in the field of cyber who have been around for twenty+ years have seen the problem grow from bad to worse and know it’s heading for eventual Armageddon. Unfortunately, there are not enough of us veterans in the world to fill the need for skilled cyber professionals. In fact, it is expected that we will face a shortfall of over 2 million people needed to fill critical cyber security roles [11]. You can buy all the technology in the world, install it perfectly, and yet, without someone who can operate and protect it proficiently – we are screwed. I hate to say it because I have been conditioned against this, but this is the time where we must admit – we need to throw more people at this problem.

We rely on the training and expertise of the military and law enforcement agencies to protect our physical well-being. You cannot put up a wall, walk away, and expect that you are protected (Sorry, President Trump). You need officers to patrol the grounds and constantly monitor for intrusion. This effort is enhanced with technology such as video cameras and alarms, but technology cannot replace the expertise of a well-trained individual.

The more we can help our communities understand every parallel to cyber, the better off we will be. We need cyber warriors to protect and defend us, our companies, our data, and our way of life – just like our military and law enforcement agencies. When we have a shortage of soldiers – we recruit more people. Today, we are fortunate that there is a large supply of able-bodied people who can be trained to fill those roles – and in a crisis, we could draft. In the cyber world, although tasked with protecting us, we cannot pull from a draft. We are doing a poor job of recruiting new people into the field.

In a recent survey done by Cybrary, over 90% of our 3,100+ respondents said employers do not pay for any type of cyber training [12]. Isn’t this as bad as saying, “Hi, do you have cyber experience? No, you worked in a restaurant for the past 2 years? That’s ok, you can shadow Joe over there for a week and you’ll be great!”

Ok, I’m scared as hell! Now what do we do?

11 https://www.forbes.com/sites/jeffkauflin/2017/03/16/the-fast-growing-job-with-a-huge-skills-gap-cyber-security/#3437f7005163

12 2017 Cybrary Community Survey

Conclusion

Cybrary has created an open source platform that provides people everywhere in the world with the cyber and IT training tools needed to 1) obtain the skills, and 2) keep the skills current going into the future. Cybrary’s training is completely 100% free (meaning absolutely no cost), forever. We realize that employers aren’t doing the best job of training their people, and we realize the risk this creates. All of us here at Cybrary are personally committed to helping people across the world get trained, join the fight, and make a difference.

In a paper Cybrary is releasing soon, we review and provide analysis of the results of our recent survey. We know the problem extends beyond money, and we are going to explore the data and the facts and provide solutions on how to address them.

It is vital that management takes these ever-evolving cyber threats seriously. Hackers are getting better and better as each day goes by, and we need to make sure our teams on the front lines are trained and ready to protect and defend our organizations. Knowledge and education are the key to survival in the Age of Cybercrime – and our survey results prove it! TO BE CONTINUED!!

Shameless Plug: What does cyber security learning mean to me?

Survey results showed that companies can’t fill their open positions and struggle with retention because they will not invest in continuous learning for their employees. If they won’t do that, they certainly won’t invest in recruiting people who, although not skilled in cyber, eagerly want to be in cyber, and then provide them the education they need to make a difference. The almighty corporate dollar rearing its ugly head again.

But if cyber training has been around forever and we are still catastrophically short of skilled workers, why would this change?

In fact, cyber training hasn’t been around forever, and when it did get introduced into the mainstream, the cost was so high that most private individuals could not afford to take the classes. I will concede that the high cost of training has prevented many businesses, particularly small companies and government agencies, from being able to absorb the expense of cyber training [13].

Fortunately, Cybrary has given the world a reprieve from that financial burden. Things are going to change because now anyone, anywhere, at any time can be trained at no cost. There is absolutely no reason why companies can’t architect and manage a training program for their employees. Using this progressive approach, not only will this help grow the population of much-needed cyber warriors, but it will also help companies retain their current employees.

13 https://digitalguardian.com/blog/cybersecurity-higher-education-top-cybersecurity-colleges-and-degrees

About Cybrary

Cybrary is an open-source cyber security and IT learning and certification preparation platform. Its ecosystem of people, companies, content, and technologies converge to create an ever-growing catalog of online courses and experiential tools that provide cyber security and IT learning opportunities to anyone, anywhere, anytime. Cybrary levels the playing field for those who want to advance in or start a cyber security or IT career by providing anyone with access to the tools they need to be competent and confident.

Through its open-source model, Cybrary is actively working to fill the gap between open cyber security and IT positions and experienced practitioners. Cybrary has thousands of hours of free content for beginners, all the way through advanced and leadership-level courses, that is developed and delivered by industry subject matter experts. The platform offers skill assessments, learning, and certification preparation on popular topics such as Ethical Hacking, CompTIA A+, Security+, and CISSP, Web Application Penetration Testing, Secure Coding, NIST 800, and Metasploit, while staying current with changes in the industry. Visit www.cybrary.it to learn more.

About the Author

Kathie Miley (@kCyberella) brings more than 20 years of leadership and cyber experience to Cybrary. Before joining the company, Miley was the Senior Vice President of Global Sales at Endgame and Executive Vice President of Worldwide Sales at Invincea. She also spent more than 12 years with Verizon Enterprise Solutions, where she reported to the President and served as Executive Director of Global Security, providing the strategic vision to guide all aspects of sales delivery, engineering and innovation for the enterprise’s security services portfolio. While at Verizon, Miley acted as interim leader of the Global Security Services organization, including security operations, product, engineering, consulting, and sales, prior to her departure. A recognized name in cyber security, Miley also served on the Board of Directors for the National Chapter of Information Systems Security Association and has her CSX Fundamentals and HIPAA Security and Privacy Expert certifications.

Contributor

Olivia Lynch (@Cybrary_Olivia) is the Marketing & Communications Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.

The entire Cybrary staff contributed to the findings in this report.

Copyright 2017

Contact Info

To learn more about Cybrary, please go to www.cybrary.it

Cybrary, [email protected], (301) 220-4526

7833 Walker Drive, Suite 510, Greenbelt, MD 20770

Join us on social:

https://www.facebook.com/cybraryit

https://www.linkedin.com/company/cybrary

https://www.twitter.com/cybraryit