Cybersecurity: Time to think like a fox to fend off the hedgehogs
A report into cybercrime and stolen data has highlighted the risks for online companies saying that “the ability to stage cyber-attacks will likely outpace the ability to defend against them”.
The Markets for Cybercrime Tools and Stolen Data report says “attackers can be hedgehogs (they only need to know one attack method, but do it well) while defenders must be foxes (they need to know everything; not just technical knowledge, but knowledge of networking, software, law enforcement, psychology, etc)”.
It also says big companies will be able to secure themselves and follow newPayment Card Industry Guidelines (e.g. use of chip and PIN systems), "but smaller retailers will be hurt because they may not be able to keep up with these new security requirements imposed on them”.
Drew Sing, platform engineer for Bugcrowd – an Australian startup that offers bounties on behalf of companies to discover website vulnerabilities – says attackers can be beaten by fighting fire with fire – the good guys who think like bad guys.
“By incentivizing security researchers to responsibly disclose vulnerabilities through bug bounty programs, it allows them to utilize their specialized testing skills sets (the "hedgehogs") to help make a company more secure,” Sing says.
“This helps level the playing field against malicious attackers, and has been a successful strategy utilized by companies such as Facebook, Google, and Github.”
The approach has worked for Bugcrowd, which was referenced as a successful example of preventing cyber-attacks at least three times in the cybersecurity report.
Sing acknowledges that smaller companies sometimes don't have the resources to pay bounties, but says that by setting up a responsible disclosure policy, they can still benefit from the knowledge of security researchers without having to provide a sum of money.
“A disclosure policy provides a scope of what can be tested, and gives researchers permission to submit vulnerability information to your company without the fear of legal action,” he says.
It's important to remember security researchers want to help companies, but often aren't offered a simple way to communicate this information.
This necessity was highlighted when 16-year-old Joshua Rogers, a self-described white-hat hacker, found a security hole in the Public Transport Victoria website and reported it to the site.
Rogers hacked the site using an unspecified hacking technique to access a database that held personal data including full names, addresses, home and mobile phone numbers, email addresses, dates of birth, seniors' card ID numbers, and nine-digit credit card extracts of customers of the Metlink public transport online store.
The site didn't respond, so Rogers reported it to the media, who in turn contacted PTV, who in response reported Rogers to the police.
The increased risk to businesses has also seen growth in the cybercrime insurance industry, with Allianz today launching a cybercrime insurance product and saying that cybercrime costs the Australian economy over $1 billion annually.
According to its research, Allianz says cybercrime moved into the top five risks faced by Australian business in 2014.
The new Cyber Protect insurance product will cover up to $50 million to enable businesses to protect themselves against cyber criminals and data loss.
Insurance expert Allan Manning says cybercrime insurance had been around for a while now, but the Allianz announcement was evidence this was an increasing trend with the cybercrime insurance now a billion dollar industry.
“In the future it will be a standard insurance policy that most companies take out,” Manning says. He mentioned that some policies cover bounty payments for people to find vulnerabilities.
Manning says the costs of the cybercrime insurance were not really prohibitive. He took out a policy for his own business which cost around $3000 for coverage between $300,000 and $500,000.
The Australian and New Zealand Institute of Insurance and Finance will release a report comparing the different cyber insurance policies later this year.