Cyber crime explosion is here to stay

Jeff Moss, founder of DEF CON and Black Hat security events, talks to ITP.net about the rise of hacking attacks and what can be done to prevent them

Regional organisations are getting a better understanding of what they need to do to be secure, says Moss.
By Mark Sutton, published November 20, 2011

Jeff Moss, sometime hacker, founder of the Black Hat and DEF CON security events, and now chief security officer of ICANN, spoke to ITP.net ahead of next month’s Black Hat Abu Dhabi event, about why the surge in cyber crime is not going to go away any time soon, whether companies are able to protect against motivated hackers, and what governments should be doing about cyber crime.

Last year saw Black Hat come to the region for the first time. What came out of that event?
An awareness of the growing importance of online security. Not just ICT security but also the importance of the individual. The region is growing more dependent on electronic systems, as the rest of the world is, and with that there is a growing level of risk. To manage that risk to an acceptable level the people involved need to have a realistic view of what the threats are, and Black Hat hopes to be one source of that information. The better educated people are, the better decisions they can make about the risks they take.

What sort of security concerns are you hearing from companies in the Middle East, and how do you perceive the Gulf region in terms of cyber security-readiness?
I would say as a whole the region is starting to graduate from the firewalls and anti-virus stage to a more sophisticated understanding of the threats. It might have been OK in the past to buy some security products like A/V, anti-spam and a company firewall and call it good, but that doesn't work any longer. Those are the bare minimum, and as organized crime gets more sophisticated you need better trained staff and more sophisticated infrastructure to keep up. It is not enough to have network monitoring equipment, you need the staff that understands the output, has the authority to do something about it, and the experience when to act.

This year has seen an unprecedented number of security breaches – will things go back to ‘normal’ in terms of number of attacks, or can we expect things to get worse?
I think this is the ‘New Normal’ for the foreseeable future, and it would be wise to plan accordingly. If I am wrong and we fix all the issues with security tomorrow then no harm done. If we tell everyone not to worry, things are under control, then we risk losing the respect of those who look to us for honest advice and support.
Until some of the larger issues around the incentive structure of on-line organized crime can be changed I would expect the pace and evolution of attacks will continue.

Can organizations ever beat a determined hacking attempt?
Yes, but the devil is in the details. It might actually be better and cheaper not to strive for 100% security but instead 95% security. The more complex your organization the harder and more expensive it becomes. The more new technology you deploy the more likely you are to experience an undiscovered vulnerability. The more people with access to important systems and confidential data the higher your risks are. Complex systems fail in unpredictable ways, and many companies focus on competing in the market, not in building perfect defense systems.

Do you think the recent high profile attacks will mean organizations will look at fundamental changes to security approaches? Is there the money or the inclination in most organizations for change?
I think the growing awareness and media coverage of some high profile attacks have made it hard for companies to ignore the risks. I hope companies will not take a knee-jerk reaction and instead look at the root causes of their risks and address those. What data must remain secure? Do all employees need administrator access on company-provided laptops? Do employees need to surf Facebook during work hours? Are mobile devices secure in case of theft? When a company understands what information is critical to their survival they have a much better chance of creating a security policy that will work.

If the largest companies and institutions have failed to protect themselves, how can small or mid-level companies hope to protect themselves?
Sometimes the smaller the company the more nimble it can be in responding to attacks, the faster you can make mid-course corrections, and the less complicated your infrastructure. The defining elements seem to be quality of security and network staff, the willingness of management to understand and manage their risks, and a culture of continuous improvement and not being satisfied with "good enough".

Do governments worldwide do enough to combat cyber crime? What could be done differently?
The answer could fill a book, but essentially it boils down to this: Governments can't solve the problem alone. It wasn't created by them and it won't be solved by them. What governments can do is help create the right environment, with incentives, education, regulations, and punishments, to help foster a more secure and stable internet for its critics. And when one country is more secure it helps other countries as well, raising all the ships in the ocean even if just a little bit. The opposite is also true. If the incentives and laws are wrong then a government can actually help foster cyber-crime behaviours.
