Pundits like me enjoy harkening back to the early days of the Internet. Viruses and worms were the biggest "computer security" threats in those early days of business-oriented applications like Lotus 1-2-3 and WordPerfect. Viruses shut local-area networks down and could create some serious nastiness on workstations, often requiring a full reinstall of operating systems. IT support professionals would anxiously wait for new signatures from our antivirus vendors and deploy immediate network blocks until the wave of infection diminished.
Antivirus software became Thanksgiving dinner discussion fodder. Does everyone need it? What brand should I get? How often do I need to update it? As the antivirus market matured, it became less expensive, more prevalent, and more automated. We outsourced virus protection to our workplace, our operating systems, and our ISPs. We surfed the Internet in relative safety, confident that someone had our backs.
There were no breach notification laws in the United States,[1] and privacy law was a hodgepodge of precedent and case law. No one had any idea whether their data had been compromised.[2] We envisioned our biggest threats as David Lightman from WarGames, who just wanted to play a game, or Clu, the futuristic hacker hero of Tron, not criminals and spies.
Remember when you booked your first hotel reservation online? Paid your first bill? Applied for a credit card? It was a new frontier of convenience. Billions of people worldwide moved their personal business to the Internet, quickly and gladly. Many of these early adopters were too trusting, unknowingly engaging in risky online transactions. They still believed that if they had antivirus software and kept it updated, all was good. Whether it was online banking or a shady offshore gambling site, they often used the same ID and password for both, so a breach at the weakest site handed attackers the keys to the strongest.
Transactional data burgeoned, and with it came digital ghosts of each of us: product preferences, time stamps, phone calls made and received, location information. These increasingly vast stores of data ("Big Data Stores") were actively mined by their proprietors to get inside our minds and try to predict our future behaviors as consumers.
If we could use the convenience of the Internet, so could others. Criminals started seeing new opportunities for fraud in these transactions, looking for ways into the Big Data Stores or using social engineering tricks to grab personal info one individual at a time. Criminals, always willing to brag about their exploits and share their tools with each other, started acting together. Crime syndicates emerged. Big Data Stores of compromised accounts, Social Security numbers, passwords, and credit card numbers were created and updated. Applications were expertly analyzed to find defects, and criminals acted quickly to create ways to exploit these vulnerabilities.
Newly enacted privacy laws like the Health Insurance Portability and Accountability Act (HIPAA), the Children's Online Privacy Protection Act (COPPA) and the Gramm-Leach-Bliley Act (GLBA) started to bring privacy concerns to the forefront of the evolving digital life. Everyone wondered what to do about the privacy of all the information now on the web and began realizing that antivirus protection just wasn't enough any longer. Organizational controls sure helped at work, but what about personal bank information, insurance, online purchases?
Cybersecurity programs evolved to meet the changing needs, employing multi-tiered protections at the network, the desktop, on servers, and in applications, and incident management became more effective. New risks required constant end-user education. Just as our digital lives were always connected, users had to adopt an always-on vigilance.
Then came social media, through which we moved most of our personal lives to the Internet. We posted pictures with friends and tagged ourselves at locations and events. It was gratifying to have all those connections and get the constant buzz of feedback. Social media was a great method of gathering personal information, for good and for ill. Before visiting old friends, just do some quick Facebook recon to remember the names and ages of their children and look like a rock star! Of course, that same information could be used for social engineering. Those same names and birth dates often serve as passwords or as answers to account-recovery security questions.
Phishing grew into a significant threat in the mid-2000s. It's still evolving, becoming more sophisticated, easier to deploy, and easier to aim at specific individuals (spear-phishing). In addition to its primary role in perpetrating fraud, it's now often the first attack vector for cybercriminals, who use a single end user's stolen password as a foothold from which to escalate to, and exploit, more privileged accounts.
Around that time, we started seeing early stirrings of the "Internet of Things," smart technology embedded into nontechnical devices. Washing machines send phone alerts when the laundry is finished. Cars can be started remotely from a phone app. You can check and set the temperature in your house from your computer at work. And it's still ramping up, bringing with it a whole slew of risks. The more devices and smart "things" we use, the greater the attack surface. It's nice that we can control our own cars remotely, but how do we ensure that no one else can control that car too?
Phones got smaller, then started growing again, but with more power and more features. They were no longer phones but handheld computers. In spite of that, we still needed a full-function workstation (usually a laptop) and a nice tablet. We no longer interact with just one form of media at a time: we watch football on TV while following the Twitter stream on a tablet and playing Candy Crush Saga on the phone.
Who's to predict what's next? Certainly not me. I've had too many surprises in the digital evolution to hazard a guess. For a while, at least until the next major digital sea change, we'll continue to see more of the same. Cyber criminals will continue to use known successful tools, techniques, and practices. We'll see threats used effectively against machines and people. We'll see these exploits continue to cause business interruptions and exposure of personal information and business data. We'll need to keep our comprehensive layered security programs in place and evolve them in response to new and changing threats. We'll need to double down on our technical and administrative safeguards.
After the attack on the Penn State College of Engineering network, President Eric Barron said in a letter to the Penn State community in May 2015, "This new threat will be faced head-on, not just by Penn State but by every large university, business, and government the world over. This is a new era in the digital age, one that will require even greater vigilance from everyone."[3] I agree completely.
Notes
1. The first state to enact a breach notification law was California, in 2002.
2. Let's be honest: there just wasn't as much data on the Internet at that time. Although corporate vendors and financial institutions had plenty of highly sensitive information about everyone, it was kept in vaulted servers, and there weren't as many prying eyes searching for data stores.
3. "College of Engineering network disabled in response to sophisticated cyberattack," Penn State News, May 15, 2015.
Kim Milford, JD, serves as the executive director for the Research and Education Networking Information Sharing and Analysis Center, REN-ISAC. In this role, she participates in the National Council of ISACs on behalf of the research and education networking community. Prior to this role, Milford was chief privacy officer at Indiana University, information security officer at the University of Rochester, and information security manager at the University of Wisconsin, leading initiatives such as disaster recovery planning, identity management, incident response, and user awareness. Milford graduated from Saint Louis University with a BS in Accounting and earned her JD at John Marshall Law School.
© 2015 Kim Milford. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.