Challenges of the cyber era

Cyber attacks are definitely not a new issue. More than a decade ago, large-scale cyber incidents began to surface. Since then, several serious cyber incidents have taken place. A review of them leads quickly to a simple but certain conclusion: cyber threats are continuously increasing and they threaten not only commercial and governmental secrets but also people’s everyday lives.

Although at first glance this seems a bit exaggerated, if we take into consideration a few facts, we shall easily conclude that it isn't. DDoS attacks, like the one that took place against Estonia, can influence people's daily transactions with banks, companies, etc., and the more sophisticated SCADA attacks can control the critical infrastructure of several countries.

The increased level of cyber threats has led several countries to organize not only Computer Incident Response Capability Centres, but also special military commands, units, etc., in order to defend the national cyberspace. Some of these countries have also announced that they will be prepared to counter-attack, if required.

All the aforementioned facts are clear evidence that we are moving beyond a critical threshold regarding cyber security. We are moving into a new cyber era which presents many more challenges: challenges that require more action, better preparation, worldwide co-operation, and probably a far more clever approach to dealing with this new domain, the fifth domain (following land, sea, air, and space).

New vulnerabilities are discovered every single day and many of them are exploited in the wild. There are even more unpublished vulnerabilities which sometimes are silently patched, or we learn about them only when a large-scale exploitation has taken place. You do not have to be an expert to understand that this trend is not going to change. Although there is no silver bullet against 0-day threats, it is now evident that a new approach is required to handle them. When you cannot eliminate them, you must find a way to effectively defend against these unknown threats. Defence-in-depth is one strategy that is used; however, it does not seem to be enough. Should new defensive strategies be applied, or should the existing ones be enhanced? Is it a lack of policies, of procedures, of security devices, of training, or of them all?

Proper handling of 0-day threats becomes much more important when the targets are networks and devices used by critical infrastructure. It is only in the last few years that the issue of SCADA exploitation has come to the surface, and there is definitely a long road ahead. Extensive research and co-operation among companies and organizations are needed to develop procedures, security guidelines, and defensive measures to protect critical infrastructure.

But this is not the end of the story. Critical infrastructure is not the only target. An ‘all-time classic’ is the end-user. Humans have always been, and will always be, the weakest link. The latest trends in human exploitation show mobile devices, smartphones, and other modern personal end-user devices as popular targets. And when end-users are not safe, critical networks and devices are not safe either: not only because of the potential exposure of personal, and sometimes sensitive, data, but also because end-user exploitation can be a back-door entrance to other, more important networks.

The situation becomes even easier for attackers if we take into consideration the plethora of personal details that can be found on social networking websites. All of this online information can help attackers to launch social engineering attacks against their targets more easily and more effectively. Personal security awareness regarding the threats that arise from the exposure of personal data is definitely needed, but apart from that, better protection of this data is also required to ensure that it will not be used by third parties.

Smartphone vulnerabilities are another indication that the adoption of new technologies always leads to new vulnerabilities and, consequently, to new attack vectors. Obviously, things become much more serious when such new adoptions include new protocols, especially if they are related to the IP protocol, the “heart” of the Internet. Although during the last decade we have seen a lot of controversy regarding when IPv6 will finally replace IPv4, and many, sometimes contradictory, predictions regarding the exhaustion of IPv4 addresses have been published, it is inevitable that the transition from IPv4 to IPv6 will eventually take place. It is because of the need to prepare for and move into the IPv6 era that on June 8, 2011, the “World IPv6 Day” was organized by the Internet Society, in order to help motivate organizations and companies across the industry to prepare their services for the transition. This forthcoming transition from IPv4 to IPv6 should not only find the industry and the community well-prepared; any security issues related to the new protocol should also have been eliminated. It would be rather disastrous if, at the dawn of the IPv6 era, significant security incidents were to take place due to its implementation. As of the end of 2011, 102 vulnerabilities related to IPv6 in various OS implementations have been recorded in CVE, and perhaps many more will follow when this transition takes place.

All the aforementioned issues are only a few examples of the challenges we face in this new cyber era, the era that has just emerged. Not only are new defensive measures needed because the existing ones have proven to be inadequate, but a new way of thinking about security is also required to handle these new threats. The better we prepare, the fewer the unexpected situations we shall face.

© 2012 Center for Strategic Cyberspace + Security Science