The Most Pressing Cybersecurity Threats in Ever-evolving Internet Landscape — How can Organisations and Working Professionals Address them?
By Prof. Nishit Narang, Group Leader and Associate Professor, Department of Computer Science & Information Systems, BITS Pilani Work Integrated Learning Programmes (WILP) Division
During the pre-Internet era of landline phones and mobile phones, cybersecurity threats were mainly in the form of man-in-the-middle attacks — where the attacker or perpetrator secretly intercepts, relays, and possibly even alters the communications or messages between two parties. However, from Distributed Denial-of-Service (DDoS) attacks to Data Privacy concerns and to the more vigorous threats of today, cybersecurity attacks have indeed come a long way.
So, how have the attacks evolved so much to what they are in today’s world?
Understanding cybersecurity threats requires one to understand the evolution of the Internet. While we use the Internet today in different ways and means to serve different purposes, the Internet itself had a very humble beginning. During the initial days, it was seen as a data communication network. The first generation of the Internet saw the evolution of the World Wide Web (or the WWW), which was used to search and access content, due to which, it was also referred to as the Internet of Content.
From then until now, the Internet has seen many generations. With the introduction of e-commerce/e-productivity applications and innovative IT platforms, the Internet became a way to offer and consume e-services. This was the second generation of the Internet, also commonly known as the Internet of Services. The second generation was followed by the Internet of People, a term coined for the third generation of the Internet to signify the introduction of social media applications, easily accessible via smartphones. Today, the Internet connects billions of smart devices globally, making it the Internet of Things (or IoT, as some people know it!). Smart connected cars, smart televisions, and intelligent machines connect to the Internet to communicate and enable innovative applications. The list of such smart applications is endless and growing.
Distributed Denial-of-Service (DDoS) attacks became commonplace with the Internet of Services, while Data Privacy concerns became paramount in the Internet of People. And today, with the Internet of Things (IoT), the cybersecurity threats have only become more accentuated. As the Internet evolved considerably in the last few decades, so have the cybersecurity threats.
New challenges due to the widespread adoption of cloud computing and IoT
Cloud computing has been one of the game-changing technologies in the IT infrastructure space. More and more organisations are migrating to the cloud platform and adopting cloud-enabled services due to the economies of scale and ease of use that come with this technology. But this has come with new challenges in cybersecurity. Cloud platforms are based on the underlying principle of Virtualisation. Every part of the infrastructure, from computing to storage to the connecting network has been virtualised. This introduces a new set of challenges to securing the infrastructure and the applications deployed using this infrastructure. Multi-tenant use of the cloud infrastructure requires secure partitioning of services and information belonging to different tenants.
Hybrid cloud deployments introduce challenges related to secure communications across various geographical sites. This calls for additional focus to topics of cybersecurity that are focused towards the cloud – a new sub-domain focusing on cloud security. Cyber threats and incidents involving the cloud require advances in the domain of cloud forensics to build new tools and techniques needed to investigate cloud-based security incidents.
Cloud computing has become a game-changer for managing IT infrastructure; similarly, IoT has been a game-changer in how we look at intelligent applications and solutions. Today, IoT is everywhere in every vertical domain, be it transportation/mobility, home or office automation, industrial automation, smart city solutions, healthcare, or others. The proliferation of IoT devices enabling IoT solutions is a major threat to the security of cyberspace.
Insecure and resource-constrained IoT devices are doorways and soft landing points for hackers to break into otherwise secure networks and systems. The fact that these IoT devices are limited in terms of their security capabilities, mainly due to their resource-constrained nature, is one of the key reasons that IoT brings new challenges to the cybersecurity landscape. Hence, just the way that cloud security and cloud forensics need to be evolved as a separate security sub-domain, IoT security, and IoT forensics also need special focus.
What new cybersecurity challenges can one anticipate as technology continues to advance?
As technology evolves, new threats to cybersecurity evolve. The next five to ten years will see new advances in technology, and the adoption of technology-driven solutions in various fields of life. Most prominent among these will likely be cloud computing, AI/ML, IoT, and quantum computing. Each has the potential of being a game changer. And all of these have a major bearing on the emergence of newer challenges toward cybersecurity. We have already talked of new challenges due to cloud computing and IoT.
AI/ML is a technology that will likely bring intelligence to almost everything that exists in cyberspace or is connected to it. It could bring alongside both challenges and solutions for cybersecurity. For example, as AI/ML provides full human intelligence to machines, the ability to launch attacks will become more sophisticated. At the same time, the application of AI/ML in cybersecurity tools has immense benefits. Security analytics, behavioral analysis, and predictive analysis can all be used to build better and more advanced cybersecurity tools.
Quantum computing is another technology that could prove to be a major threat to the traditional and conventional techniques for cryptography. Most cryptographic algorithms are designed to be computationally or conditionally secure. The big assumption is that an adversary launching an attack does not possess unlimited computational power to break these algorithms in a limited time. This, though, could all change with quantum computing and may force a re-think of the cryptographic techniques used currently.
How can organisations address the need for adequate cybersecurity measures, accessibility, and ease of use — all at the same time?
To address this, we will need to peek a little into the domain of Enterprise Security. Now, enterprise security is not a new topic. Enterprises have been dealing with cybersecurity issues for a long time now in an endeavor to secure their networks and systems from outside attacks. However, recent technological advances require that we re-look at enterprise security differently.
Enterprises have made some major technological decisions over the last few years. Migration of enterprise services to cloud platforms is one of them. The second big change has been the adoption of the Bring-Your-Own-Devices (or BYOD) ideology. For small and medium-scale enterprises, BYOD brings cost-related advantages by reducing IT budgets. For large enterprises, it can be a means of increasing employee productivity. However, BYOD brings new challenges in the form of insecure employee-owned devices into the workplace. No longer is the threat to enterprise security limited to only external or outside actors. The threat can also be from within an enterprise! This requires a re-look at enterprise security and the migration to a Zero-trust model (or a trust-no-one approach). Accordingly, enterprise security architectures need to be re-designed to align with this new zero-trust model.
New solutions, for instance, the use of virtualisation technologies to enable virtualised workstations, or the use of mobile device management (or MDM) solutions, need to be adopted to allow employee-owned laptops and mobile phones to be used in a secure manner. So, in short, the domain of enterprise security is also going through an overhaul as enterprises adopt new technologies.
How can organisations ensure adequate training to recognise and respond to potential cyber threats?
To being with, a lot of emphasis must be placed on the four pillars of enterprise security, viz. policies, standards, tools, and training.
For any organisation, policies define the “what” part of their security ideology. A policy’s intent is to address behaviors and state principles for IT interaction with the enterprise. For example, an employee cell phone policy may be created in response to the business request to use personal phones for the business. In general, organisations must have policies that include an Information security policy, Acceptable use policy, Technology use policy, Remote access policy, Data classification policy, Data handling policy, Data retention policy, Data destruction policy, and so on.
Standards, on the other hand, are different from policies in the sense that they define the “how” part of the enterprise security ideology. In other words, standards focus on configuration and implementation based on what is outlined in a policy. Continuing with the example of the employee cell phone policy, standards will describe the ability to use a personal cell phone. For example, there may be restrictions on using the “smart” features to access enterprise data, or a requirement to load a mobile device management application on the cell phone.
While policies and standards define the enterprise’s approach to cybersecurity, enforcement of the same requires the use of tools. In other words, relevant tools need to be identified and implemented to measure compliance and provide enforcement of policies and standards.
Finally, no enterprise can deny the need for adequate programs for training employees on their security policies, standards, and tools. This is not just the fourth pillar, but also arguably the most important, as it is one that focuses on awareness across the entire employee base of the organisation.
Finally, how can ICT working professionals react?
As technology evolves, cross-domain knowledge and expertise will be in demand. For example, an expert in cybersecurity for IoT, AI/ML cybersecurity, and so on. ICT professionals will need to continue to hone their skills and build new ones. And this requires continuous learning.
While on-the-job learning is inescapable in the IT industry, ICT graduates must also look at getting themselves enrolled in different certificate and degree programs, especially those that also specialise or focus on specific key domains (Security, Networks, IoT, AI/ML, Cloud, etc.). This will help them continuously develop and build upon their practical skills. A lot of recognised and well-known institutions in the academic sector today offer such programs for working professionals. The only caveat is that the focus must be more on experiential learning; so, ICT graduates must differentiate between regular run-of-the-mill programs being offered from the ones that offer more experiential learning, and enroll for the latter.