
Who’s Responsible for Cybersecurity?

By KARTER K. ROHRER AND NATHANIEL S. HOM
October 1, 2017

Cybersecurity isn’t a one-and-done task for the manufacturer but a responsibility shared among everyone operating the device.

 

Each day, billions of users browse the internet, completely unaware of the potential privacy risks that their activities may hold. The moment a user connects to the internet, analytic engines begin processing information about that person, even without user consent. Once a device connects to the public-facing internet, a geographical location is stored in a variety of formats. Not only does the device hold valuable geographical information, but every connection throughout a device’s lifetime is stored in memory. Digital connections include email, phone calls, text messages, app usage, and any other activity on a device. Analytic engines gather information primarily for marketing campaigns. Organizations must be aware that online activity is being captured from multiple sources, which could impact business decisions in the future.

 

Aside from geographical information, data about data (also known as metadata) is captured with each digital activity. For example, when an individual takes a photograph on a cellular device, the device stores information about where the photograph was taken, the time the picture was taken, and information connecting a user to social media outlets. Much of this process is done without the user’s knowledge or control. For data to be truly destroyed, the digital device must be physically destroyed. Even when data is destroyed, security professionals must consider other means of contact that data could have had. Organizations should be aware of information and activities of employees on the internet. While dealing with proprietary or sensitive internal material, security professionals are responsible for developing a process to securely encrypt sensitive data in transit.

 

Cybersecurity is control of which digital devices are used to interface with other devices. This entails giving operators control over how data is distributed, exposed, manipulated, and transmitted to the outside world. When early digital devices were released, security was of little concern. Only once malicious adversaries gained unauthorized access to digital devices did manufacturers implement security mechanisms to mitigate the risk of unauthorized data access. Cybersecurity isn’t the responsibility of a single party. Each individual involved in operating a digital device, from manufacturer to end user, is responsible for ensuring safe usage.

 

With most devices, locational information is an optional feature that can easily be disabled with consent of the operator. In most cases, an individual’s location and information serve little value to any organization or government. But in extreme cases, if someone commits a crime, law enforcement has little difficulty in tracking the suspect down based on that person’s digital footprint. Other instances may not involve law enforcement but an unknown party tracking down an individual based on the user’s immersive digital footprint on the internet. Many users of social media outlets voluntarily give up locational information. Just because a social media profile limits a viewer to “friends” doesn’t mean information can’t be used in a criminal or civil prosecution. The phrase “everything can and will be used against you” is applicable in the cyber domain.

 

As with any digital signature, computer scientists can easily tamper with digitally generated geographic data by using a virtual private network (VPN), Tor onion routing, or even MAC address spoofing. This has made 21st-century cybercrime investigations a difficult job. Unless validated with multiple sources, digital signatures aren’t valid in a court of law. These methods made the investigation of the Democratic National Convention and other government breaches in the United States difficult to report accurately. While a cyberattacker may physically reside in one country, he or she could use tampering techniques to spoof the recorded location, compromising investigations. Organizations should look for mistakes that an attacker may make while the actual location is spoofed, such as if an adversary logs into any social media platform while under investigation.

 

While some organizations allow employees to bring personal devices to work, many security professionals strongly discourage it. In most cases, such permissions are the result of budget cuts and a lack of resources to provide employees with the proper digital devices they need to complete the job. Allowing employees to use personal devices may save an organization a substantial amount of resources, but the risks typically outweigh the savings. Because few users take personal device security seriously, they can inadvertently infect an organization’s network. If an organization issues a bring-your-own-device (BYOD) policy, new practice suggests that it should also put security measures in place for the allowed devices, such as requiring antivirus, antimalware, and a validated VPN, even on mobile devices.

 

Cybersecurity professionals are classified under three hats: white hats, who conduct cybersecurity practices ethically to protect digital users; black hats, who access digital systems unethically and have malicious intent; and gray hats, who are a mix of white and black hats. Some cybersecurity professionals believe that privacy is important, but they also have personal ambitions to challenge digital security implementations and gain unauthorized access to devices. Organizations often run incentive programs, also known as bug bounties, to encourage researchers to self-report discovered vulnerabilities. Bug bounties allow researchers to study products in a safe environment, and they also help an organization identify holes in a system that adversaries could easily exploit.

 

Researchers have proven that it’s possible to gain unauthorized access to an assortment of devices. Through university research, cybersecurity conferences, and capture-the-flag information security competitions, hackers have shown that it’s possible to remotely hijack drones, industrial control systems, automobiles, traffic lights, and essentially anything connected to the internet or digitally powered. With endless possibilities, a team of skilled computer scientists could cause a lot of havoc given the right circumstances. The most commonly reported cyberattack is a data breach, which involves dumping stolen digital files from an organization. Data breaches cost organizations a lot of money and put employees, customers, and citizens at risk.

 

Karter K. Rohrer provided extensive research and contributions to UAV security at California State Polytechnic University, Pomona. Currently, Karter develops secure satellite communications for the U.S. government. You can reach him at kkrohrer@cpp.edu.  
  Nathaniel S. Hom is a senior at California State Polytechnic University, Pomona, and his research is focused on vulnerabilities in critical infrastructure, artificial intelligence, and cyberwarfare. You can reach him at nshom@cpp.edu.  