Page 85 - Cyber Defense eMagazine - November 2017
2. Hacking for political purposes. This includes both state-sponsored and terrorist
exploits, for both access to sensitive information and the distribution of
disinformation, as well as unauthorized modifications and denial of service attacks on
web sites.
3. Thrill-seekers. This group is no longer limited to the skateboard set living in Mom’s
basement; it now includes other sophisticated criminals who apparently experience
enjoyment and peer adulation by stealing sensitive information and causing general
online havoc.
To some extent, it is tempting to “fight fire with fire,” and respond to cyber threats exclusively
with cyber defenses. In a perfect world, this would seem to make sense. In some cases, that
works even in the real world, and an application or software fix or patch can often overcome a
specific cyber security exploit or technical vulnerability.
However, beyond cyber-based data breaches, schemes to gain access through non-technical
individuals have proliferated, resulting in growth in both the number and costliness of
cyber-attacks. Across this entire threat spectrum, human vulnerability is still the leading
entry point for identity theft and data breaches. Numerous recent surveys report that the vast
majority of data breaches are rooted in phishing exploits and are successful due to human failure.
Schemes such as social engineering and other manipulations designed to inveigle individuals
into launching malware or executable files, and accessing bogus web sites, are often the means
used by cyber criminals. Think of a seemingly innocuous e-mail request to update account
information for an active account, but with a link to a similar-sounding web site controlled by the
cyber criminals. That link is, in actuality, the means to capture the username and password of the
victim.
Regardless of the illicit objectives, the necessary defenses must include both IT responses and
education of the broader population of organizations and consumers. Without getting all non-IT
users to practice good “cyber hygiene,” it is unlikely that the cyber defense system will be
successful. As long as there is a human being with a keyboard and a mouse, and access to the
system, cyber defenses alone will leave vulnerabilities.
This state of affairs has been referred to as “asymmetrical warfare,” in which the opposing sides
play by different rules and have different standards of success. The defenders must prevail
100% of the time, while the attackers need only enjoy the occasional success to win.
In practice, the most successful cyber defense is a thoughtful combination of IT methods and
education of employees and other users who may have access to sensitive systems and data.
One example is the human factor in failing to keep all software programs up to date with
important patches to combat perceived and discovered vulnerabilities. Another is the
importance of keeping all users up to date on the latest methods used by cyber criminals and
identity thieves. The established methods of managing the risks of identity theft, especially
through education, are the most likely to be used successfully in conjunction with cybersecurity
applications.
Copyright © 2017, Cyber Defense Magazine, All rights reserved worldwide.