Nick FitzGerald, Senior Research Fellow, ESET in an exclusive interview with Techseen talks about software vulnerabilities across the globe. He says that technology has advanced in these few years for everyone, customers as well as cybercriminals alike. Therefore, it is important to have dedicated teams of security experts specialized in device types or systems as different security measures are needed for different devices. Citing an ESET trend report, he also states that as technology keeps on growing the world will see different companies coming together to collaborate on their offerings. Excerpts:
Techseen: Are there any regions that are more vulnerable to cyber exploitation?
FitzGerald: While software is not limited by geographical regions, developing markets such as India and Vietnam where businesses and consumers are quickly adopting cloud services and connected devices may appeal more to cybercriminals. In such markets, low awareness of the need to report and manage software vulnerabilities could offer porous barriers, allowing for more attacks.
Governments and businesses in emerging economies adopting a digital way of life need to ensure that knowledge and awareness of cybersecurity risks are made a priority alongside the provision of digital infrastructure and capabilities, to reduce the chance of cyberattacks. In this regard, it is especially important that a sufficient number of law enforcement staff are suitably trained and equipped so they are able to respond to, investigate and successfully prosecute cybercrimes.
Techseen: The report noted that secure software development is a growing trend, does this mark a shift in responsibility from organizations and consumers to manufacturers?
FitzGerald: The growth of secure software development practices is an encouraging trend that we hope will continue in the years to come. Manufacturers have a responsibility to ensure that their products are safe to use before hitting the market. Good management of reported vulnerabilities is also an important avenue that manufacturers will need to take care of.
However, this doesn’t mean that the responsibility falls completely on the shoulders of manufacturers. Consumers and organizations using these devices and software need to play their part in actively reporting any vulnerabilities they encounter. End users also need to configure, deploy and manage devices and software in security-conscious ways. If all IoT device manufacturers stop shipping their devices with default credentials, but most users then set the ‘admin’ account password to ‘admin’, we will not gain very much. As always, good cybersecurity habits and being vigilant continue to be essential ingredients to prevent cyberattacks.
Further, the large software developers, such Microsoft with its Security Development Lifecycle, have realized the financial implications of not designing security from the ground up. Software developers have learned the hard way that if you do not design security into your products from the ground up, it is much less convenient – and thus much more expensive, both in monetary and reputation terms – to try to bolt it on after the product has shipped.
It is somewhat clichéd to say, ‘security is a journey, not a destination’ but all of our experience to date reinforces just that. Any software developer that does not recognize this today and builds its products with the hope of retrofitting security in time for the release of version 2.0 is a software developer to avoid like the plague.
Techseen: With the shortage of cybersecurity talent or funding to analyze software vulnerabilities in-house, how can businesses keep their data secure?
FitzGerald: With an increasing volume of information technologies to defend, the cybersecurity talent crunch has been felt all around the world. While governments, educational institutions and private sector companies globally have boosted efforts to train new cybersecurity professionals, this is a long-term measure, and it will take time before this new supply is able to meet the existing demand.
In the meantime, with end-users being the weakest link in cybersecurity, both public and private sector bodies should also focus on building awareness of basic internet security measures among employees and consumers. Security is everyone’s responsibility, and not exclusively that of those working in IT.
Techseen: The report mentioned that industry 4.0 will add many more connected devices to the already existing plethora of security challenges. Do you think we would require individual security measures for individual device streams? For example, specific measures for connected cars or smart cities?
FitzGerald: Clearly, different security measures will need to be adopted for different devices. Just as the security solutions designed for a mobile phone will be different from those a company would adopt for its private servers, separate security measures will need to be implemented for connected devices, keeping their specific functionality and interfaces in mind.
Inevitably in any software – and especially in large networks such as those deployed across a ‘smart city’ – there will exist numerous potential zero-day vulnerabilities open to attack by hackers. It is important to have dedicated teams of security experts specialized in device types or systems, such as autonomous vehicles, to respond quickly to newly disclosed threats and promptly distribute patches to affected devices.
Just as the existence of such vulnerabilities must be assumed, so must the discovery and exploitation of at least some of them. This insight is especially important to those designing and maintaining the security of such systems, and highlights that they must design good anomaly detection and response capabilities into the system to detect when things have failed.
This means that, across all classes of devices, or even connected systems such as smart cities, manufacturers of any connected device have a responsibility to ensure that security considerations are embedded into the very design of the product, reducing vulnerabilities in both software and hardware. On the other hand, users too must take proactive steps to protect themselves, such as by changing the default password on their routers and IoT devices or employing antivirus solutions to monitor their own home networks.
Techseen: You also mentioned that strategic collaborations for releasing new platforms sometimes overlook the security threats, how many times do things like these happen? What steps should companies take to counter the same?
FitzGerald: As technology continues to develop, we can expect more collaborations between companies to integrate and strengthen their offerings. It is not that these collaborations tend to overlook security threats, but rather that they have the potential to create new attack vectors in multi-platform attacks.
As long as companies work closely with security experts to anticipate and block potential security threats, new innovations in platform design will continue to bring both businesses and users greater value.
Techseen: With advancement in technology, don’t you think vulnerabilities should decrease rather than fluctuate?
FitzGerald: Technology and research has indeed advanced greatly for the ‘good guys’, but the same can unfortunately be said for cybercriminals. Security researchers and vendors have made big strides in protection capabilities, while manufacturers have begun to prioritize information security alongside time to market. With already good practices being improved across the software development lifecycle, we have already observed reductions in the number of reported vulnerabilities.
However, as adoption and development of connected devices, big data applications or cloud-based services continue to grow, this creates more entry points for cybercriminals to exploit.
The challenge for us will be to improve management of the vulnerabilities that will inevitably be encountered. Efficient systems will have to be set up for companies to report on vulnerabilities, share threat intelligence and distribute updates. Greater cooperation between security and product development teams is necessary to deploy robust and effective systems.
Techseen: Is low risk awareness among businesses/consumers because of lack of compliance issues or due to a lack of education about the devices and its vulnerabilities?
FitzGerald: Good employee education to raise awareness of device risks and vulnerabilities is a key effort for businesses in the year ahead. This will in turn help with the need for compliance with standards set by businesses and public sector regulators.
In addition, there is a need to explore platforms for greater business collaboration with security researchers, and employing expert input in a range of IT functions such as correction of coding errors and mitigation of breach impacts. Management teams also need to focus on the appropriate implementation of security policies and plans that will enable businesses to continue functioning in event of a breach. This should also include appropriate communication of incidents necessary to keep users informed of breaches, allowing them to take the next steps to protect their devices and networks.