Metamorphosis: from ‘Information Security’ to ‘Cyber Security’

The term “Information Security”, once deliberately used by sagacious people of Information Security community to emphasis on the enterprise-wide scope (“it is not only about IT”) of the term, is getting faded away and the new term “Cyber Security” is replacing its predecessor.  

The recent large scale attacks show that the attackers have become meticulous and harmonized. We all know that the level of attacks have gone far beyond than a single isolated person running some tool or script for his/her own fun-n-fame. Today, a single large scale targeted attack or a mass attack is composition of multiple services offered by multiple (ill)service providers of the underground cybercrime market. Although the sponsor or the owner of the attack may be a single group or a party with some common objective; the materialization of the attack is carried out with the (ill)services availed from various (ill)service providers. For example, there is always a sponsor/owner (an individual or a group) of the attack who has a motive/malintent for the attack. These adversaries, who plan and materialize the attacks, could be the nation sponsored actors or a well organized crime-group spread across the countries or simply a handful of people – so called hactivits.

Let’s call them the client (of course, they are client for underground market). Now, this client contacts a malware developer who develops the malware. Then, he needs an exploit framework/BOT/C&C Server (e.g. Browser Exploitation Framework) that exploits the vulnerability of the system/software and drop the malware on the system. Further, the client needs anonymous and protected hosting to host the exploit framework. In some attacks, the client may need anonymous proxy and VPN gateways to remain anonymous on the internet. Moreover, in hacking of payment cards, the client needs mules – the person whose accounts are used to transfer the siphoned money or droppers – who collect the purchases through the stolen credit cards and give it back to criminals. There are many more examples like these. All of these (ill)services can be availed in an underground cybercrime market by spending some amount of money. Interestingly, All of these (ill)services are provided with high level of customer orientation and sometimes with money-back commitment. The whole point that I am trying to convey is that the anatomy and the physiology of today’s cyber-attack is much more convoluted and not restricted to a single tool, person or motive.

We have seen countless data breaches in last 2-3 years especially in retail, government, financial, insurance and healthcare industries. These attacks incurred a loss of millions of dollars to these organizations and over and above that they have lost the trust from their customers. The impact of a few breaches so severe that CxOs of a few impacted organizations are forced to abdicate their positions. Many of the organizations have started thinking in direction of having a dedicated CISOs.

We have been taught for ages that as a security professional, we should speak the rhetoric language that CxO would understand and should talk in terms of business et cetera, however, I would not be surprised if, in this post-Target-era, CxOs would start speaking security language. In fact, they have. These attacks have drawn the attention of board members and CXOs to the rising issue of data protection and cyber security. Suddenly, cyber security, once an abolished and side-lined topic, becomes the topic of the board discussions. On a lighter note, the attackers have made the job of security professionals easier , in way that , now to get the budget for security initiatives from management might be little easier ,for which they have been once struggling.

These innovative attacks created a convulsion in a security industry and have forced industry to think in a heterodox manner. The typical compliance or audit centric approach will not work now. The typical document centric information security programs will not work. The typical lip-work / bombastic language used with respect to standards, compliance, controls, control objectives, threats, vulnerabilities, risks, mandatory controls, discretionary controls etc. may not work now unless it is strengthened with real world threats in changing and challenging threat landscape. A 500-raw long risk register is futile if it doesn’t include the real world threats of current and changing external scenario.

A maxim that has recently been surfaced due to prevalence of these sophisticated attacks says something like this ” Either the organization is breached/hacked or they are not aware of it” which essentially means that we need to consider that sooner or later we are going to get hacked and more importantly how I am equipped to respond to this situation.

The security world is moving towards proactive threat intelligence and improved incident response (IR). The security industry has shifted one notch higher in these areas and these areas are have become a center of any security discussions today. The security vendors have started talking about investing equally in prevention, detection and response rather than focusing and spending only on preventive controls. The importance of proactive threat intelligence is tremendously increased. The organizations like FireEye, Dell, Symantec, Intel Security (McAfee), Kaspersky, RSA are investing hugely in proactive threat intelligence and incident detection & response for last few years. These security vendors have made the acquisitions and have taken over relatively small but focused organizations on this line and now they are marketing these products in a big way using(abusing) the wave of cyber security.

On the other hand, security professionals also need to diversify their skills and need to upgrade their knowledge in these niche areas of threat intelligence, cyber forensics, incident response etc. They need to get their hands dirty in order to understand the newer and innovative threats and the modus-operandi used by these threat actors. We need to realize the change and have to come out of the ostrich view to embrace the changes.

The demand for the Incident detectors and responders are getting high. The demand for the professionals who are the right mix of “Information & Cyber” security would be on rise. …………………………………..!!!!!!

Note:  The empirical views presented here are those of the author and do not necessarily reflect those of his current or any of the previous employers.