Are we heading towards a future where cyber attacks are going to be a huge cause for concern?
Call me an optimist, but I believe the recent ransomware news could also have some benefits.
For so long we knew the threat was real, but convincing the management or exec-level team was sometime very challenging, time consuming and security, like many non functional features, was usually not a priority.
I really hope that the big news could be used as a wake-up call and will help us in our resource allocation in the future.
Because I'm convinced many of the victims of the recent attacks knew about many of the required updates and actions, but couldn't invest any time in this because of 'higher priority' for their limited resources to spend their time on.
The issue so far was both a blind trust sometime and a lack of resources in many cases.
Hopefully the fact that WanaCrypt0r made the news (and not only in the specialized news) will act as a needed wake up call and organizations might try to improve their security.
But maybe that's just me being optimist...
They're already a huge cause for concern.
People getting locked out of their data and having to pay money to get access to it is ridiculous. I think governments should recognize cybersecurity attacks a serious crime and come up with ways to counter these attacks, just how we have armies fighting it out against terrorism.
Todd
Software Security TechLead
Funny you ask; I literally just finished spending half the day analyzing WanaCrypt0r and about to hit the sack.
To answer bluntly, YES WE ARE! The biggest concerns is us "connecting" and networking everything.
I'm not a paranoid type of person, but as a security professional since age 18, I can tell you that there is a real threat coming our way if we don't start thinking before connecting. Having your data locked up sucks... But I know guys who can control cars and airplanes, unlock houses, turn lights out, listen to peoples' conversations by hacking a household Amazon Echo or barbie doll, etc...... Very scary but very real... And why? Because some marketing departments at Google, Amazon, and the zillions of other tech companies? Because turning a key or using a lightswitch is so difficult compared with using a cell phone? It makes absolutely no sense.
These organizations and the governments need to get control of this fast. I'm part of a grassroots group called I Am The Cavalry who are out to be the eyes and ears for lawmakers and also raise awareness. Check us out and get involved if you care.
To compound all of the above, programmers aren't even being instructed to get involved most of the time. Frankly, coders are all taught to stay out of encryption, leave security to "the experts", assembly is a language of the past, C is boring and old, etc...
Well I got news for you, bad guys know and use assembly, shellcode and C every single day so if engineers don't know what they're doing, they're going to mop up the entire world with us very soon.
On the non-tech side of things, there's this awful culture out there of throwing a bunch of jargon in privacy policies and EULAs such that nobody reads them (and who can blame them???), and everyone is signing their life away permanently to these giant companies... It's almost fundamentally insane but the big companies found the secret to success: Trick people into thinking what they are getting is free by instant-gratification and then sell them. The free baits folks in because of the logic: "beggars can't be choosers." Problem is, all of this data is being permanently stored and trust me, it's going to be attacked and abused like crazy by malware.
I've seen malware which injects itself into legitimate processes, malware which doesn't need to even be executed, and malware that can flash the firmware in such a way that it is completely invisible to even the operating system and will monitor the system for the remainder of its life.... Malware that can watch your webcam and turn its LED off so you don't know, and other malware which is literally impossible for end-users and even very difficult for professional technical people to locate. Stuff where there's no extra process, no extra thread, every single memory item has a valid signature... But it's in there.
If anyone doesn't believe me well... I see dozens and dozens of pieces of malware every single day that all of the major antiviruses miss... Do you really think all 100,000 machines at these big platforms are malware free? :) If you're not aware of infosec or cyber security at all, go YouTube DEF CON. Grab some popcorn.