The future of cyber security
At the unit for information security at Combitech, a few of us have had the opportunity to try to look into the future and gain a picture of what our branch will be like in one, three or ten years.
The number of IT systems, cloud services and connected devices is constantly increasing, and it is now believed that the number of connected systems in particular will explode within a few years. All these systems and devices generate incredibly large volumes of information (this is what we call Big Data) and all this information must be protected in some way.
But, you might be thinking, not all information is equally sensitive from a confidentiality perspective, which is entirely correct, but it can be sensitive from the perspective of correctness; we want to be able to rely on the information not being altered. It can also be sensitive from the traceability perspective; we also want to be able to rely on information coming from the specified source.
At the same pace as our society is becoming more and more digitalised, there is also more and more to win by exploiting this. We have everything from individuals and organisations looking to earn money illegally, to those who want to spy on countries/businesses/individuals, those who want to injure countries/businesses/organisations/individuals and those who just want to show that they can. The more serious threats can briefly be divided into seven groups:
- Kidnapping information by encrypting it and then demanding a ransom for its release. The trend is targeting businesses and organisations that have important information, such as hospitals and their patient records.
- Selling information found through espionage, such as credit card details, hospital records, accounts or passwords. This type of information is often attained by searching far and wide via the Internet for vulnerabilities that can be exploited.
- Espionage can also be employed to gain access to confidential information. The difference between this and when the goal is to acquire money is that the attacks are directed towards accessing specific information.
- Phishing, i.e. false email used to trick people into providing information that can either be utilised to steal money or be sold. The trend here is focusing on directed attacks, so-call spear phishing, against selected persons that can produce high yield.
- DDoS, where a large number of computers are instructed to overload services and websites so that others cannot access them. This is most often done to injure the owner of a service or website.
- Intrusion for the purpose of causing general or more specific damage by breaking into a system to spread disinformation.
- Attacks designed to alter or knock out all or parts of systems. The final points are common ingredients in extreme scenarios such as cyber wars and terrorism, but are also methods employed by activists and bored hackers. The threats are increasing on all these fronts, but the same applies to awareness and technical aids.
One of our most important technical aids for protecting information is encryption. Using encryption, information can be hidden, fidelity proven and personal identity verified. A challenge that many are presently studying is how encryption should be adapted for a world where we have many connected devices that may not have all that much calculative capacity, memory and electrical power. This is a major challenge but many have taken it on and the technology will be developed in the near future.
An interesting development that has to be considered if we look 10 to 20 years into the future is how quantum technology will affect the encryption methods we use. There are two different encryption methods, symmetric and asymmetric. Symmetric encryption will be weakened by quantum computers, but with longer encryption keys, it can still be used. The algorithms presently used for asymmetric encryption will however, lose all their security and it is these asymmetric encryption algorithms that much of today's e-commerce, e-identities and certification management are based on. Here it is important to follow development so that these algorithms can be replaced before quantum computers become reality.
CONSEQUENCES FOR YOU
That we will use mobile devices in more and more aspects of our lives is a well-known trend. It facilitates our day-to-day activities but demands increased caution so that no one else can gain control of our devices and consequently our lives. As an individual, you have a substantial responsibility and the same applies to those who develop the apps and platforms we use. Development will entail a major market for services that contribute with security requirements, security design, security reviews and security tests. All make it easier in various ways for everyone to take responsibility for their respective areas.
A closely related trend is that companies’ information is no longer in closed networks, only accessible by IT administrators, but rather in networks that nearly all employees can access. The requirements for being able to work anywhere and anytime place major demands on how information is handled. Substantial resources are often put into good technical safeguards, which is important, but at the same time, the employees must be aware of the risks and properly use the provided protection.
In combination with technical attacks, social engineering is presently the most effective way of accessing a company’s assets. Friendly, helpful and often completely unaware employees will continue to be the easiest way in for many years to come. Training of employees on all levels will therefore be businesses’ most important form of protection.