1. DESCRIPTION OF TECHNOLOGY AREA
Cybersecurity is a fundamental pillar in the construction of information systems. This is a statement that we all undoubtedly endorse, but when it comes to doing more than endorsing it, nuances begin to emerge. Because cybersecurity is truly a complex thing to achieve.
Attacks are no longer handcrafted, fruits of a curious mind. Nor are they visible. Today’s attacks are silent, prolonged and, above all, terribly automatic. So automatic, that a new server in a cloud provider receives its first attack in an average of 10 minutes.
The goal is no longer to destroy the systems or to disable them. After all, we can solve this if we have been diligent about maintaining backups. The goal now is to break into a system and take advantage of its computing power, or access to private information. These long term attacks are known as APTs (Advanced Persistent Threat), and some of the things they target are crypto-mining, inclusion in a zombie botnet for distributed denial of service (DDoS) attacks, data theft, fraudulent data storage (paedophilia, for example) or using a third party’s computer to commit unidentified attacks.
If we think about it, it is only natural. We have experienced a technological boom. In the 1990s, few people were managing their lives online. But today it is rather the opposite: it is rare to find someone who does not manage his or her life online. The number of servers, applications and devices has grown exponentially. So has the number of targets.
Cybercrime has become a global marketplace, moving more money than drug trafficking and arms sales, according to a study published in 2019. In 2018, more than 10.5 billion incidents were recorded worldwide and nearly 75,000 new types of cyberattacks were detected. These are unprecedented levels. In Spain, there were more than 90,000 attacks in 2018, or about 250 attacks a day. The economic impact, worldwide, is more than one trillion euros.
Currently, the large number of devices connected to the network, thanks to the explosion of the IoT, and the emergence of disruptive technologies such as Big Data and Machine Learning, are making attacks more complex and more difficult to detect and stop. There is a saying in the world of cybersecurity that states that there are two types of companies: those that have suffered a computer attack, and those that have suffered it but have not realised it.
On the other hand, although it is true that we have tools that assist security teams in detecting incidents (SIEMs, etc.), the new paradigms of container-based software development invalidate certain assumptions that these systems make, drastically lowering their effectiveness.
In addition, cybercriminals are beginning to collaborate and work together. There is a culture of information sharing and even a number of services that are just a click away on the Dark Web, and this is now referred to as Cybercrime as a Service.
It is therefore of paramount importance that software developments, infrastructure maintenance and cybersecurity incident detection and management tools evolve and adapt to this new reality.
2. EVOLUTION
The future of cybersecurity inevitably involves adopting new technologies and new paradigms. Enabling technologies such as Big Data, Machine Learning and Blockchain will be of vital importance in building the security systems of the future. On the other hand, new application development paradigms present new challenges, which current cybersecurity systems do not take into account.
Cybercriminals, who are sometimes a step ahead of cybersecurity professionals, are already beginning to introduce techniques based on these new technologies, and this can only be effectively stopped by fighting fire with fire.
3. USE CASES AND APPLICATIONS
3.1 CLASSIC CYBERSECURITY
Systems
It is responsible for ensuring the security of information systems based on configuration and management of updates. Some of the competencies that fall under this area are:
- Inventory of software / hardware.
- Configuration management.
- Protection against malware / ransomware.
- Email configuration to avoid spam, phishing, etc.
- Antivirus configuration.
- Software updates management.
Networks
Its mission is to configure and monitor the organisation’s networks to reduce risk, limit damage and detect attacks early. Some of the competencies are:
- Network monitoring for malware detection.
- Web Application Firewalls (WAF).
- Intrusion Detection System (IDS) / Intrusion Prevention System (IPS).
- Network configuration.
- Network segmentation.
- Anti DoS / DDoS.
Managed security services
These systems are in charge of collecting information from the other elements of the system, for example from routers, IDS/IPS or directly tracking network traffic. This information is stored in data repositories and is analysed in search of malware signatures or patterns that suggest that an attack is being received. If this is the case, an alert is issued to a security operator, who studies it and, if necessary, intervenes. Some of the elements within the managed security services are:
- Security Information and Event Management (SIEM).
- Software Vulnerability Management (SVM).
- Security Operations Centre (SOC).
Legal compliance
Although regulation still lags behind the real world, there are more and more regulations that force companies to comply with a certain minimum of security. There are also process certifications that guarantee that a company complies with these legal requirements, such as ISO 27000, COBIT or CISSP.
Mobile
Mobile phones have been used for many things in recent years, including receiving business mail, linking a directory on your corporate computer to your personal cloud, or even using VPN solutions to access the corporate network from home or from outside the office. That is why cybercriminals have begun to exploit vulnerabilities in mobile devices as entry points to data or corporate networks. Basically, the same system risks apply, but specifically to mobile devices, with malware (often distributed through official stores) being the main threat.
Encryption
Today’s computer systems increasingly involve the use of large amounts of data, often containing information of a private or sensitive nature. In this type of scenario, it is essential to handle this data carefully to avoid potentially disastrous consequences. In the industrial sector, for example, disclosing corporate secret information to competitors can cause great economic losses, as well as negatively affect the company’s relations with its customers.
Cryptography addresses this problem by providing various techniques to achieve secure communications, even in the presence of agents with malicious intent. The application of cryptographic techniques during the implementation of computer systems is essential to ensure the security of data throughout their life cycle, i.e. from the moment they are collected and stored, to the moment they are used, including their processing. An illustrative example is the use of Public Key Infrastructures (PKI) in online banking or e-commerce platforms to enable the secure transfer of information between the various parties involved.
3.2 Trends in cybersecurity
Cloud security
Classical defence strategies are built on the basis of axioms, for example, the IP address does not change, or the number of requests is a constant. Most tools that assist in attack detection assume these axioms to be true, which is why they are not as effective in cloud or container-based environments where these rules simply do not apply any more.
Microservices-based development strategies also pose other challenges. When developments were monolithic, they had scaling disadvantages, but they enjoyed other advantages, especially in security. For example, if an operating system or a package on a server had to be upgraded, we only had to upgrade it in one place; or if we only had one instance of the application, we only had one port to protect, whereas in a resilient, container-based environment we can have multiple instances running at the same time.
Another fundamental difference between monolithic developments and microservices is that the former made little use of network traffic, since communication took place within the program. Microservices, on the other hand, are constantly communicating through the network, introducing a new attack vector to be exploited by cybercriminals.
Therefore, if we are to consolidate container-based development, we have a challenge ahead of us. The industry must provide new threat detection and management tools specific to container-based or cloud-based architectures.
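The paragraphs above make a concrete claim: detection rules built on the axiom that a source IP identifies a workload stop working when containers are restarted and rescheduled. The following added example (not from the original page) shows the effect on a simple failed-authorisation rule. The log lines, the service-account names and the threshold of five failures are all constructed for the example; the point is that the same events, counted per IP, never cross the threshold, while counted per workload identity they do.

```python
import re
from collections import Counter, defaultdict

# Constructed gateway log lines (invented for this example). The checkout
# workload is restarted twice, so one service account appears under three
# different pod IPs; a search workload produces one unrelated failure.
LOG_LINES = """\
2024-05-01T10:00:01Z src_ip=10.42.0.17 pod=checkout-7f9c sa=checkout-sa path=/admin status=401
2024-05-01T10:00:02Z src_ip=10.42.0.17 pod=checkout-7f9c sa=checkout-sa path=/admin status=401
2024-05-01T10:00:05Z src_ip=10.42.0.31 pod=checkout-b2d1 sa=checkout-sa path=/admin status=401
2024-05-01T10:00:06Z src_ip=10.42.0.31 pod=checkout-b2d1 sa=checkout-sa path=/admin status=401
2024-05-01T10:00:09Z src_ip=10.42.1.4 pod=checkout-e55a sa=checkout-sa path=/admin status=401
2024-05-01T10:00:10Z src_ip=10.42.1.4 pod=checkout-e55a sa=checkout-sa path=/admin status=401
2024-05-01T10:00:11Z src_ip=10.42.0.22 pod=search-91ac sa=search-sa path=/items status=200
2024-05-01T10:00:12Z src_ip=10.42.0.22 pod=search-91ac sa=search-sa path=/admin status=401
"""

THRESHOLD = 5  # failed authorisations before an alert (assumed tuning value)

LINE_RE = re.compile(
    r"src_ip=(?P<ip>\S+) pod=(?P<pod>\S+) sa=(?P<sa>\S+) path=\S+ status=(?P<status>\d+)"
)


def failed_requests(lines: str):
    """Yield the parsed fields of every 401 line; lines that do not parse are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("status") == "401":
            yield m.groupdict()


def alerts_by_ip(lines: str) -> list[str]:
    """Classic rule: count failures per source IP (the 'IP does not change' axiom)."""
    counts = Counter(ev["ip"] for ev in failed_requests(lines))
    return sorted(ip for ip, n in counts.items() if n >= THRESHOLD)


def alerts_by_identity(lines: str) -> list[str]:
    """Cloud-aware rule: key on the workload identity, which survives pod restarts."""
    counts = Counter(ev["sa"] for ev in failed_requests(lines))
    return sorted(sa for sa, n in counts.items() if n >= THRESHOLD)


def ips_per_identity(lines: str) -> dict[str, set[str]]:
    """Supporting evidence for the analyst: which IPs each identity was seen from."""
    seen: dict[str, set[str]] = defaultdict(set)
    for ev in failed_requests(lines):
        seen[ev["sa"]].add(ev["ip"])
    return dict(seen)


if __name__ == "__main__":
    print("per-IP alerts:      ", alerts_by_ip(LOG_LINES))
    print("per-identity alerts:", alerts_by_identity(LOG_LINES))
    print("IPs per identity:   ", ips_per_identity(LOG_LINES))
```

In a real deployment the identity field would come from the platform (a Kubernetes service account, a cloud IAM role or an mTLS certificate subject) rather than from a log token; the structure of the rule is the same.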
Applied Artificial Intelligence
It is clear that we are losing the battle against malware. Malware detection mechanisms are signature-based. Basically, once a piece of malware is detected for the first time, you compute an MD5 hash of its executable, which results in a string of numbers and letters that serves as the unique licence plate of that malware. That licence plate is stored in a database, and if another file with the same signature is detected, a malware detection alert is triggered.
This system, which seems reasonable, does not account for a skill that new generation malware has: the ability to mutate itself. Basically, such malware changes its code very frequently, which modifies its ‘licence plate’ and makes detection very difficult.
Classic malware detection systems are based on what they are and not what they do. And this is where Machine Learning comes in. The use of Artificial Intelligence to recognise the behaviour of malware instead of its structure is proposed, among other uses such as prediction of network packet parameters, classification of network attacks (scanning, spoofing, etc.) or clustering algorithms for forensic analysis.
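As an added illustration of the contrast the text draws (identity versus behaviour), the following example is not from the original page. It hashes a constructed byte string that stands in for an executable, shows that changing a single padding byte produces a different MD5 "licence plate" so the signature lookup misses it, and then applies a simple behaviour-oriented check (which API names and network endpoints the file references) that is unchanged by the mutation. The samples, the family name "Trojan.Example" and the list of suspicious API names are all constructed for the example.

```python
import hashlib
import re

# Constructed byte strings standing in for two variants of one malware
# family (invented for this example; not real samples).
ORIGINAL_SAMPLE = (
    b"MZ\x90\x00PE\x00\x00"                  # fake executable header
    b"CreateRemoteThread\x00"                # API names the binary references
    b"WriteProcessMemory\x00"
    b"http://c2.example.invalid/beacon\x00"  # constructed beacon URL
    + b"\x00" * 16                           # padding
)
# The "mutated" variant: identical behaviour, one padding byte changed.
MUTATED_SAMPLE = ORIGINAL_SAMPLE[:-1] + b"\x01"
# A benign program for comparison.
BENIGN_SAMPLE = b"MZ\x90\x00PE\x00\x00Hello, world!\x00MessageBoxA\x00"

# API names commonly associated with process injection (assumed list).
SUSPICIOUS_APIS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"}


def md5_signature(blob: bytes) -> str:
    """The hash 'licence plate' described in the text."""
    return hashlib.md5(blob).hexdigest()


# Signature database, populated the first time the original sample was seen.
SIGNATURE_DB = {md5_signature(ORIGINAL_SAMPLE): "Trojan.Example"}


def signature_match(blob: bytes):
    """Classic detection: exact hash lookup. Returns the family name or None."""
    return SIGNATURE_DB.get(md5_signature(blob))


def behaviour_features(blob: bytes):
    """Extract printable strings that describe what the binary does:
    referenced API names and embedded URLs. Padding bytes are ignored."""
    strings = [s.decode() for s in re.findall(rb"[\x20-\x7e]{6,}", blob)]
    apis = frozenset(s for s in strings if s in SUSPICIOUS_APIS)
    urls = frozenset(s for s in strings if s.startswith("http"))
    return apis, urls


def behaviour_score(blob: bytes) -> int:
    """Score what the file does rather than what it is."""
    apis, urls = behaviour_features(blob)
    score = 0
    if {"CreateRemoteThread", "WriteProcessMemory"} <= apis:
        score += 2  # the classic process-injection pair
    if urls:
        score += 1  # a hard-coded network endpoint
    return score


def classify(blob: bytes):
    """Signature first (cheap and exact), then behaviour (survives mutation)."""
    family = signature_match(blob)
    if family is not None:
        return ("signature", family)
    if behaviour_score(blob) >= 2:
        return ("behaviour", "suspicious")
    return ("clean", None)


if __name__ == "__main__":
    for name, blob in [("original", ORIGINAL_SAMPLE),
                       ("mutated", MUTATED_SAMPLE),
                       ("benign", BENIGN_SAMPLE)]:
        print(f"{name:9s} md5={md5_signature(blob)[:12]}... -> {classify(blob)}")
```

A real behaviour-based engine would observe the running program (API calls, file and network activity) or feed such features to a trained model, as the text goes on to suggest; the static string extraction here is only the smallest version of the same idea.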
Blockchain
Blockchain technology focuses on generating trust over an unreliable medium. This end in itself is practically the definition of cybersecurity.
Blockchain is a decentralised system, but the information about the operations performed on it is transparent, and indelibly available to all members of that network.
In this way, all members, or nodes, can record, write and read data, and moreover, these actions are not only recorded in the blockchain log, but also cannot be repudiated, so we make sure that whoever has done something has really done it and cannot later claim that their identity was stolen.
In addition, data that circulates through this blockchain is encrypted for the members of this blockchain, so even if it is intercepted by someone outside the network, this data will be unintelligible.
In essence, the distributed nature of blockchains does not provide any single hackable entry point, or any single point of failure that exposes all the information. This does not mean that a blockchain cannot be compromised, but it does mean that, if it is, only the affected node’s data set will be compromised, greatly reducing the impact.
Zero Trust Architecture
In the classic understanding of information systems, we trust that what connects from inside the network is secure, while we distrust what comes from outside the network. This scheme is called castle-and-moat security.
Over the past few decades, we have focused on making taller castles and deeper moats, but cybercriminals have repeatedly proven their ability to find ways to jump the moat and get into the castle.
Zero Trust Architecture is a security model that requires strict verification for every person and device accessing resources, or a private network, regardless of whether they are located inside or outside the network perimeter. The principles on which this architecture is based are as follows:
- Attackers are inside and outside the network.
- Rule of least-privilege-access. Users only have the permissions they need, not more.
- Microsegmentation of the network.
- Multi-factor authentication (2FA, 3FA, etc…).
- Strict user access control. Everything requires authentication.
- Strict device access control. They also require authentication.
- Constant monitoring of the system.
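To make the principles listed above concrete, here is an added example (not from the original page) of a small access-decision function that applies them to each request: the user and the device must both authenticate, multi-factor authentication must have succeeded, the device and the resource must belong to the same microsegment, the role's allow-list is the only source of permissions, and every decision is written to an audit log. The source IP is recorded but never grants trust, so a request from an internal address is evaluated exactly like one from outside. The users, devices, segments and role permissions are constructed registries for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool   # outcome of multi-factor authentication
    device_id: str
    resource: str
    action: str
    source_ip: str       # recorded for monitoring, never used to grant trust


# Constructed registries (invented for this example).
USER_ROLES = {"alice": "finance-analyst", "bob": "finance-admin"}
# Least privilege: each role gets an explicit allow-list, nothing implicit.
ROLE_PERMISSIONS = {
    "finance-analyst": {("invoices-db", "read")},
    "finance-admin": {("invoices-db", "read"), ("invoices-db", "write")},
}
# Devices that passed the device identity and posture check.
ATTESTED_DEVICES = {"laptop-0042", "laptop-0077"}
# Microsegmentation: resources and devices belong to named segments.
RESOURCE_SEGMENT = {"invoices-db": "finance"}
DEVICE_SEGMENT = {"laptop-0042": "finance", "laptop-0077": "engineering"}

AUDIT_LOG: list[dict] = []  # constant monitoring: every decision is recorded


def evaluate(req: Request) -> tuple[bool, str]:
    """Apply the checks in order; the first failing check is the denial reason."""
    reason = "ok"
    if req.user not in USER_ROLES:
        reason = "unknown user"
    elif not req.mfa_verified:
        reason = "MFA not satisfied"
    elif req.device_id not in ATTESTED_DEVICES:
        reason = "device not attested"
    elif DEVICE_SEGMENT.get(req.device_id) != RESOURCE_SEGMENT.get(req.resource):
        reason = "cross-segment access"
    elif (req.resource, req.action) not in ROLE_PERMISSIONS[USER_ROLES[req.user]]:
        reason = "action not permitted for role"
    allowed = reason == "ok"
    AUDIT_LOG.append({
        "user": req.user, "device": req.device_id, "src": req.source_ip,
        "resource": req.resource, "action": req.action,
        "allowed": allowed, "reason": reason,
    })
    return allowed, reason


if __name__ == "__main__":
    # Same internal address, different outcomes: the IP plays no part.
    for req in [
        Request("alice", False, "laptop-0042", "invoices-db", "read", "10.0.0.5"),
        Request("alice", True, "laptop-0042", "invoices-db", "read", "203.0.113.9"),
        Request("alice", True, "laptop-0042", "invoices-db", "write", "10.0.0.5"),
        Request("bob", True, "laptop-0077", "invoices-db", "write", "10.0.0.5"),
    ]:
        print(req.user, req.action, "from", req.source_ip, "->", evaluate(req))
```

The order of the checks is deliberate: identity and device checks run before the permission lookup, so an unauthenticated caller learns nothing about which actions a role would have been allowed.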
Industrial cybersecurity
It is undeniable that the Internet has also reached the industry, and the changes it has brought about can be described as a revolution, the fourth industrial revolution. Industry 4.0 affects all aspects of the industrial value chain, including industrial communications and security.
Industry 4.0 cannot be understood without IT/OT convergence, i.e. the integration of information technology (IT) systems, used for data-centric computing, with operational technology (OT) systems, used to monitor events, processes and devices and to make adjustments to business and industrial operations.
Thanks to this convergence, traditional factories are evolving towards the concept of the “Smart Factory”, a production facility that is highly digitalised and connected.
Smart Factory extends outside its walls through tools such as Cloud Computing (cloud offers bandwidth for storage, applications and services where the value of confidentiality and ownership of data is highlighted), Big Data (processing of large volumes of data at high speed, helping to make decisions) and social networks (Twitter, Facebook, LinkedIn, YouTube…, which facilitate dialogue, communication and exchange of information between customers and suppliers).
We must also add the arrival of IoT (Internet of Things), which has led to a new paradigm of great connectivity with minimal barriers, where low cost is one of the most relevant characteristics.
However, the industry presents a completely different situation, where security, reliability and latency are still paramount, and where stopping systems due to failures or maintenance tasks is not an option. This is not surprising, since these characteristics directly affect the quality and efficiency of processes and products, which directly affects the ultimate benefit of the company. In addition, a failure can trigger severe consequences that might affect the safety of operators or company assets. This high level of technical and business requirements acts as an input filter for these new technologies: those IoT technologies capable of overcoming this filter and offering operational guarantees for business-critical environments are now called Industrial-IoT (IIoT).
It is clear that the adoption of all these technologies by the industrial world has meant that a large volume of information flows from factories to the outside and vice versa, in an environment that traditionally has many shortcomings in cybersecurity, which has made factories a clear target for cybercriminals who want to carry out attacks, such as massive theft of sensitive data, both personal and corporate; distributed denial of service (DDoS) attacks against third-party services on the Internet; device blocking/hijacking attacks, which can block critical infrastructure or affect national/international security; and device tampering attacks, which can have a cyberphysical impact and cause material damage to infrastructure, users or the general population.
For all these reasons, the industry has been forced to evolve in cybersecurity matters, moving from the usual “air gap” (isolation of the OT networks from the IT networks) to adopt the defence-in-depth strategies common in corporate IT networks, in which the organisation’s assets are protected with more than one security measure, so that in order for an attacker to reach a piece of data or information, the attack will have to defeat more than one security measure. Usually these barriers are:
- Physical access. Staff access controls, physical disabling of unused device ports, …
- Updated systems. Systems must be updated to avoid known vulnerabilities.
- Network security. Security devices are increasingly advanced and have greater functionality, so they require the same attention as non-industrial IT systems.
- Vulnerability analysis (ethical hacking). Periodic vulnerability analyses should be carried out to review the status of both internal and external services. This is a regulatory requirement in areas like banking. In order to keep services as secure as possible, it is essential to know what the current weaknesses may be.
- Awareness. It is necessary to inform users how they should correctly apply the organisation’s security policies. There is no point in investing thousands of euros in perimeter defence systems if the users are victims of phishing or expose their passwords to the public eye on a post-it on their screen.
DO YOU NEED SOME OF THESE TECHNOLOGIES IN YOUR PROJECT?
Get in touch with us through the form for companies and we will guide you to incorporate these technologies into your project through the partners specialized in your activity.
