This month, as a prediction for the world of Cyber in 2021, I wrote the following:
“In the period of 2021 more successful security attacks and compromise will be encountered, with many high profile organisations, in multiple sectors falling on their own sword of insecurity, and will thus pay the price of the reactive style of a supposed security posture. Sadly, 2021 in my opinion, will not be the year we see real steps taken toward Cyber Resilience – but it will be the year in which we finally see a more serious mindset toward addressing cyber insecurity with a proactive security posture.”
Developed way back in the 1830s/1840s by Samuel Morse and other collaborating inventors, the telegraph revolutionized long-distance communication. It worked by transmitting electrical signals over a wire laid between stations, and changed the nature of communications forever – in fact, as one authority commented:
“The new technologies will bring every individual into immediate and effortless communication with every other, and will practically obliterate political geography, and make free trade universal. Thanks to technological advance, there are no longer any foreigners, and we can look forward to the gradual adoption of a common language.”
Powerful words, linked to a positive aspiration. However, stepping forward to the invention of the Internet by Sir Timothy John Berners-Lee, not only may we track our all-encompassing technological progress, but equally we may note that the outcomes have not always been so positive, with the advent of what seems to be widespread abuse and cyber insecurity.
From the Genesis period of the Internet Revolution there was always a very real concern that such a multi-faceted world of interconnectivity should dictate a very firm and robust overlay of security in the uncontrolled and ungoverned space of the World Wide Web (WWW) – it did not. In fact, such early concerns centred on the Internet naming and numbering authority – or, to put it bluntly, the root authority. In that era Jon Postel was, like many are today, fighting to prove the dangers of lacklustre controls, and on 28 January 1998 he decided to take action: he took control, sidestepped Network Solutions and demonstrated that he could transfer root authority whenever he chose to (and he did). This made those in control sit up and take note – but not to the depth required.
So just what has the history of the Internet got to do with the WWW today? The answer: the simplicity of Jon Postel’s early concerns is now maximised to an unprecedented level by complex interwoven connectivity, with potentially millions of domains across the world being maintained in a vulnerable, exposed and exploited profile.
Along the path to exploiting what is referred to as the Super Highway, multiple global organisations and governments have embraced this easy-to-empower technology to their own singular advantage. However, as this eager embracement grew, it would seem that in the majority of cases those who were chasing the benefits of the Internet were unaware of the Genie of Insecurity which was gradually creeping from the lamp and entering their domains.
As of 2020 there are around 2 billion websites running on the net, so just imagine if only 10% are insecure – that amounts to 200,000,000. However, based on what has been discovered from a number of sample technological surveys, that percentage would seem to be very much on the low side – with 25% being a more realistic figure, the end number of insecurity is now scarcely significant, and in my humble opinion on the constant rise.
Fig 1 – Easy OSINT Pickings
What really changed the world of cyber was the appreciation and practice of the grey art of OSINT (Open Source Intelligence), which goes well beyond the element of the IP address to discover titbits (as shown at Fig 1) of unknown unknowns which can expose even the most secure of sites – titbits gathered from multiple sources may then be leveraged to paint an aggregated big picture, a Cuckoo Egg style off-line acquisition of dark intelligence metrics which may be used to expose and exploit further insecurities.
In 2020, much work has been done by a number of dedicated professionals, utilising cutting-edge AI applications, tools and engines, discovering open insecurities gathered from both commercial and government sites, which were observed with the question – how can this be? The findings not only suggest there is a potential for cyber insecurity to exist within multiple deployments, but go well beyond and prove that these discoveries are fact. The problem seems to be that nobody is willing to listen (even when they are informed) – that is, until such time as they are compromised!
On 24 February 2021 I am taking a lead role in setting the day scene at the SC Virtual Congress – ‘Protecting against Cyber Attacks’ – and will introduce the concept of finding robust security resilience through the unknowns, where I will expand on what I feel is one of the most overlooked – or tolerated – cyber risks of our era. I hope you can join us.