Sometimes, even when a vulnerability is identified or a threat properly qualified, it is too late to do something about it. The crime has already taken place.
This is the antithesis of the future seen in the Spielberg movie Minority Report, where seers expose “PreCrimes.” In today’s security world, we’re less likely to find something about to happen, or even something happening now, and more likely to find something that happened long ago.
Here’s what I’m talking about. Earlier this year, IDG polled security “experts” to predict the “single biggest security threat of 2016”. The brief was to sum this risk up in just one sentence.
My contribution was: “The biggest single security threat is cyber - more specifically, for business and political entities it is probably nation state espionage and APT (advanced persistent threat) actors.” It was a view, from the survey, shared by only about 8% of my industry colleagues.
Unfortunately, my “prophecy” was bang on, as recent reporting about a “state-sponsored” hacking attack against Yahoo has revealed. This, in the public domain, is the single largest cyber-breach in history, affecting an estimated 500 million Yahoo users and potentially compromising their personal, demographic, contact and security information.
But when I made my prediction, this crime had already happened. In fact, it happened back in 2014 and has only just been made public. Those affected were neither informed nor allowed to try to remediate any exposure through changing passwords or other security credentials for two years.
Why is that?
Complex attacks or highly sophisticated threat actors like nation states can, and often do, operate covertly for some period. But two years is as unacceptable as the number of individuals affected is unprecedented.
Getting ready for future breaches is critical. But so is checking the rearview mirror for evidence of any past compromises.
I commented on my Twitter post (@KinchB) following the recent “Future of Cyber Security” event in London that,
This prompted some pretty hot responses about the General Data Protection Regulation and its suitability as a framework within which data breaches should be managed. The dichotomy, of course, is that nefarious activity might not always be detected, and even when it is there is no absolute guarantee that the extent of the activity has been comprehensively determined, good or bad. One only needs to look at the Yahoo case – or the TalkTalk one before it – where initial risk evaluation when news of the breach was breaking suggested a different level of exposure than what came to be revealed. For Yahoo the estimate moved from 200m to 500m. For TalkTalk it was 4m to 157k. Where information offered by the breached organisation is inaccurate it gives rise to even greater public and potential regulatory criticism and scrutiny.
We live in a world where information has never been so accessible and where adequate security measures have struggled to keep pace. We should all, as individuals, be selective about the data we volunteer, get better informed about the risks that our interactions pose, and recognise that just because we have not (yet) been told our information has been breached does not mean that someone with nefarious intentions has not already gotten it. Tomorrow’s announcement of a data breach is merely a reflection of today’s risks. And those risks are growing.