Internet security: The cyber risk we can't afford to ignore
Why businesses and governments need a collective intelligence approach to security
Throughout the centuries, human history has been shaped by an endless cycle of conflicts and wars. But in today's world, we are not only fighting with swords and shields; we are also fighting a new kind of war: cyberwarfare. With the advancement of technology, cyber threats have become more frequent and sophisticated, and experts believe that cyber warfare will continue to be an important aspect of future conflicts. However, the impact of cyber-attacks is not limited to the leaking of government information. It also includes business data breaches and the loss of citizen information. The SolarWinds attack and the Colonial Pipeline ransomware attack have demonstrated the need for strong cyber security measures.
Despite rapid technological advances in areas such as smart devices, IoT, AI/ML, quantum computing and VR/AR, companies still rely on traditional security measures such as firewalls and antivirus. In my experience working in the security industry, I have observed that the weakest link in the information security cycle is the human. Even companies with huge security budgets and internal security teams become targets of cyber-attacks. Examples such as Equifax and Yahoo demonstrate the importance of human factors in cyber security. Equifax suffered a major data breach in 2017 that affected over 147 million customers. The breach damaged Equifax's reputation and cost the company millions in fines and legal fees. Similarly, Yahoo suffered several major data breaches that severely damaged the company's reputation and destroyed user trust. These breaches were the result of a combination of technical vulnerabilities and human error, including poor security practices and delayed disclosures. Companies learned from this and began educating their people through employee training and awareness programs.
However, the past two years have seen a significant increase in cyber-attacks with high-profile breaches. For instance, on January 19, 2023, T-Mobile disclosed that a cyberattacker stole personal data pertaining to 37 million customers. Australian telecommunications company Optus suffered a devastating data breach on September 22, 2022, that led to the details of about 10 million customers being accessed. On October 13, 2022, Australian healthcare and insurance provider Medibank suffered a data leak, which resulted in 9.7 million people's information being accessed. Companies regularly conduct vulnerability testing and employee training, and yet breaches still happen. Why is this happening?
I remember learning a valuable lesson during my college days from a chapter in the book titled Information Security: Principles and Practice, 2nd Edition.
In 2003, the art collection of the Whitworth Gallery in Manchester, England, included three famous paintings by Van Gogh, Picasso, and Gauguin. Valued at more than $7 million, the paintings were protected by closed-circuit television (CCTV), a series of alarm systems, and 24-hour rolling patrols. Yet in late April 2003, thieves broke into the museum, evaded the layered security system, and made off with the three masterpieces. Several days later, investigators discovered the paintings in a nearby public restroom along with a note from the thieves saying, “The intention was not to steal, only to highlight the woeful security.”
It taught me that there is no such thing as absolute security. Cybercriminals have become more sophisticated and creative in their attack methods. They can easily bypass security measures and exploit vulnerabilities in systems that are supposed to be secure. Some companies are vulnerable to attacks because they prioritize finance and cost-cutting rather than investing in security solutions. Others perform pen testing only for regulatory/compliance purposes and fix only high and critical vulnerabilities, leaving medium and low vulnerabilities unaddressed. Furthermore, secure code review is still an underrated method for identifying security vulnerabilities.
Collective intelligence approach to security
With the rise of cyber threats and attacks, it is no longer sufficient to rely solely on in-house security measures. It is time for businesses to take a more robust approach to security, putting equal emphasis on technology and process-based solutions. Collective intelligence is a strategic approach that utilizes the knowledge and expertise of a global network of security researchers to identify potential vulnerabilities that may have been missed by internal security teams. Adopting Responsible Disclosure and Vulnerability Disclosure Programs (VDP) is necessary. Unfortunately, many companies currently have no system or process in place for external users to report vulnerabilities. The lack of guidelines and of communication between the company and the security researcher can lead to frustration and the adoption of wrong practices. By providing external researchers with a platform for reporting vulnerabilities and issues, businesses can increase the security of their systems and data.
Technology has become an essential part of our daily lives, with the average person spending 6 hours and 37 minutes a day online. India, being the fastest growing economy in the world with a vast digital infrastructure, has become an attractive target for cybercriminals. India lags behind in adopting Responsible Disclosure and Vulnerability Disclosure Programs (VDP), which are essential for India to become a digital economy.
Governments worldwide have already implemented VDPs, including the U.S. Department of Defense. However, in India, only two entities actively accept vulnerability reports from third parties concerning government and sensitive information infrastructures. These are the Indian Computer Emergency Response Team (CERT-IN) and the National Critical Information Infrastructure Protection Centre (NCIIPC).
Although private players such as Groww, Swiggy, Paytm, and Meesho have developed their own vulnerability disclosure policies, these are similar to "bug bounty" programs that have no legal backing and are subject to terms and conditions set by the respective private organizations. Unfortunately, most public institutions in India are not equipped with proper procedures or policies for responsible disclosure. Even the government has not established strict guidelines for organizations to follow in this regard.
India is home to a large number of software developers, and it has been reported that most white hat hackers on the popular platform Bugcrowd are Indian citizens. This indicates that India has sufficient security resources, but we are not adequately utilizing our domestic talent to make our cyberspace and digital assets more secure. Without a responsible disclosure program, a researcher who finds a bug may end up either making it public or selling it on the dark net. We need to channel their talent and help our organizations through a collective intelligence approach to security. By building a comprehensive framework for responsible disclosure, India can build trust with its citizens and global partners, and continue to grow as a digital economy.
We are building the SafeDisclose Platform at Cuberk. This platform will act as a bridge between security researchers and organizations. Using this platform, organizations will be able to create their own customized VDP in just a few clicks. With ready-made guidelines, rules, policies, and AI 🤖 powered response templates, our platform will make the vulnerability disclosure process easier and faster. Our platform will also have the functionality to manage vulnerabilities and generate reports, so that vulnerabilities can be quickly presented to higher management and other stakeholders. That's just the beginning; we have even more exciting features planned.
With the increasing complexity of security threats, it is imperative to adopt a collaborative approach that includes sharing of intelligence. Our SafeDisclose platform is on the way to facilitating the responsible disclosure of security vulnerabilities and will help companies to leverage the collective expertise and capabilities of global security talent. By connecting companies with a global community of skilled security researchers, we aim to create a safer and more secure cyberspace for India and the world. Get ready to experience a whole new level of innovation and convenience with our platform.
This article was authored by Bipin Jitiya on March 31, 2023.