Page 85 - Cyber Defense eMagazine - November 2017
2. Hacking for political purposes. This includes both state-sponsored and terrorist exploits, for both access to sensitive information and the distribution of disinformation, as well as unauthorized modifications and denial of service attacks on web sites.

3. Thrill-seekers. No longer limited to the skateboard set living in Mom’s basement, but other sophisticated criminals who apparently experience enjoyment and peer adulation by stealing sensitive information and causing general online havoc.

To some extent, it is tempting to “fight fire with fire,” and respond to cyber threats exclusively with cyber defenses. In a perfect world, this would seem to make sense. In some cases, that works even in the real world, and an application or software fix or patch can often overcome a specific cyber security exploit or technical vulnerability.

However, beyond cyber-based data breaches, schemes to gain access through non-technical individuals have proliferated, resulting in growth in both the number and costliness of cyber-attacks. Across this whole threat spectrum, human vulnerability is still the leading entry point for identity theft and data breaches. Numerous recent surveys report that the vast majority of data breaches are rooted in phishing exploits and are successful due to human failure.

Schemes such as social engineering and other manipulations designed to inveigle individuals into launching malware or executable files, and accessing bogus web sites, are often the means used by cyber criminals. Think of a seemingly innocuous e-mail request to update account information for an active account, but with a link to a similar-sounding web site controlled by the cyber criminals, which is in actuality the means to capture the username and password of the victim.

Regardless of the illicit objectives, the necessary defenses must include both IT responses and education of the broader population of organizations and consumers.
Without getting all non-IT users to practice good “cyber hygiene,” it is unlikely that the cyber defense system will be successful. As long as there is a human being with a keyboard and a mouse, and access to the system, cyber defenses alone will leave vulnerabilities.

This state of affairs has been referred to as “asymmetrical warfare,” in which the opposing sides play by different rules and have different standards of success. The defenders must prevail 100% of the time, while the attackers need only enjoy the occasional success to win.

In practice, the most successful cyber defense is a thoughtful combination of IT methods and education of employees and other users who may have access to sensitive systems and data. One example is the human factor in failing to keep all software programs up to date with important patches to combat perceived and discovered vulnerabilities. Another is the importance of keeping all users up to date on the latest methods used by cyber criminals and identity thieves.

The established methods of managing the risks of identity theft, especially through education, are the most likely to be used successfully in conjunction with cybersecurity applications.