Emerging Technologies Do Not Call for Emerging Cybersecurity

journal volume 5
Author: Demetrio Carrión, CISA, CRISC, CISM, CISSP, PMP
Date Published: 28 August 2020

The world is undergoing constant transformation, and IT is the powerhouse of this process. Data are produced in high volumes every day, and the pace is increasing in areas such as social media, for example, which has evolved from text to images and from images to videos and soon will move from videos to augmented reality (AR) and virtual reality (VR).

Today’s emerging technologies shape the way people live and work as cloud computing, the Internet of Things (IoT), blockchain, robotic process automation (RPA), machine learning (ML) and artificial intelligence (AI) solutions sprout up in the marketplace.[1] New attack formats such as Ransomware as a Service (RaaS) are also following the technology evolution.

Emerging technologies are changing the business landscape and, therefore, cybersecurity needs to be reexamined.

When it comes to cybersecurity and privacy, there are two groups with which to be concerned:

  • Cyberalchemists—Those who believe new technologies are the key to turning an insecure world into a secure one just by the fact that they exist[2]
  • Cyberrevolutionaries—Those who believe cybersecurity must be rebuilt from the ground up and changed in the same way emerging technologies change the world

There is a need for a third group of cybersecurity and privacy professionals who recognize that the IT landscape is ever evolving, yet the fundamentals remain the same. A threat is a threat, a vulnerability is a vulnerability, data are data, and cybersecurity professionals are still protecting the confidentiality, integrity and availability of data and privacy of all people.

On Cyberalchemists

People do not always have good memories. As a matter of fact, they sometimes create memories to support their beliefs and arguments or fill a gap in their recollection of a fact.[3] This supports the ideas of cyberalchemists because they do not create a bridge between the past and the future.

Cyberalchemists see technology as a miracle, and they do not focus on the fact that today’s technology is yesterday’s emerging technology. Because they forget to make this connection, they turn a blind eye to cyber and privacy incidents and breaches that affect emerging technologies such as the cloud, IoT, blockchain, AI, wearables and implantables.

There is an abundance of examples of cyberincidents targeting emerging technologies such as instances of information inadvertently leaked from cloud storage,[4] double extortion, finance spear phishing, IoT abuse and implantables manipulation.

Despite all the good intentions in creating new products, vulnerabilities exist, and there will always be actors willing to exploit them.

Most of the time, cybersecurity and privacy are not built by design but by default, leading to software and hardware with dozens to thousands and even millions of vulnerabilities. Even if a vendor considers cyber and privacy by design in its engineering processes, experience backs a view that bugs will be present. However, in most cases, fewer vulnerabilities will be present when compared to an engineering process without a cyber-by-design approach. But vulnerabilities will be there to be exploited.

If someone designs and develops vulnerability-free software, people will find ways to run the software on faulty platforms, people will configure the software with insecure options and software may connect with other applications in ways not anticipated during its design phase.

People are not machines and cannot be built with a cyber-by-design approach in mind (at least not yet). People choose weak passwords; make poor judgments regarding risk;[5] are not able to act on every single alarm, incident or threat;[6] and tend to value performance over security and features over privacy.

On Cyberrevolutionaries

If past cybersecurity and privacy initiatives did not make us safer, why would they be able to build a safer future? Cyberrevolutionaries speculate that old solutions are not suited to cope with the emergence of the bright, new world. Their core beliefs are:

  • Threats are constantly changing and spreading across industries.
  • The amount of information is insurmountable.
  • AI is spreading at a fast pace.
  • The cloud is not under anyone’s control.

In summary, the new world is practically detached from yesterday’s world.

It is important to recognize the cyberrevolutionaries’ narrative is valid, is based on facts and presents the world as it is. Nonetheless, they do not present a compelling reason as to why privacy and cyberfundamentals should be thrown away and new ones built.

When looking at the big picture, there are still the same challenges: unpatched systems, weak passwords, unsecure configurations and software, privacy and cybersecurity bolted on instead of built in, and a myriad of well-known controls vastly documented in the OWASP Top 10[7] and the 20 CIS Controls and Resources.[8]

The More Things Change, the More They Remain the Same

It is important to avoid the extremes. The fundamentals are good, and technologies are not bulletproof.

Cybersecurity professionals should rely on the rock-solid cybersecurity/privacy frameworks and bodies of knowledge and standards to support them when deciding to evaluate, implement or audit emerging technologies.

The US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), International Organization for Standardization (ISO) ISO 27000 standards, (ISC)2 Body of Knowledge and ISACA® auditing guidelines have been around for quite a while, and cybersecurity professionals still fail to fully implement these concepts and controls.

Why should practitioners rely on them? They are trustworthy sources in that:

  • They stand the test of time. Their fundamentals are valid today and will be in the future.
  • They are acknowledged by professionals, organizations and institutions.
  • They are thorough and avoid blind spots.
  • They are risk based.
  • They are integrators providing a common taxonomy.

However, a framework alone will not create a cyberready enterprise or product. It is paramount to keep things simple and base the design, integration, execution and auditing on the confidentiality, integrity, availability and privacy (CIAP) and people, processes and technologies (PPT) models.

Every time a complex problem arises, cybersecurity professionals should refer to CIAP and PPT. CIAP goes directly to the core questions: What is it that is being protected? How does this solution support achieving CIAP?

For example, complying with a privacy law such as the EU General Data Protection Regulation (GDPR) or the Brazilian Lei Geral de Proteção de Dados (LGPD) can be very complex, and it is easy to get caught up in discussions that focus on choosing technology A over B based on someone’s ranked list rather than solving the issue.

Practitioners must focus more on the risk at hand instead of software features. Any solution should be a proportioned response to the risk an organization is entitled to manage and not an end in itself.

Many people used to think that GDPR/LGPD translated into cryptography and data anonymization. This is far from true. It is important to not lose sight of the challenge or issue that is really being faced: getting back to the fundamentals.

Avoiding Common Errors

Emerging technologies defy the status quo and there is not an extensive body of knowledge on how to address them. There are not a lot of success cases to back implementation, execution and auditing approaches, and there is sometimes a shortage of skilled professionals to help with this process as the technologies themselves are new and new ways of using them are being created on the fly.

There are several common pitfalls to avoid, though this list is not exhaustive:

  • Security and privacy must not be taken for granted. On the contrary, because a technology is new, it must be tested and scrutinized.
  • Smooth and secure integrations must not be taken for granted. Emerging technologies may have been built to seamlessly integrate with legacy protocols and systems, but that is not always the case. Legacy systems may need to be patched, and inline solutions may need to be created to integrate emerging technologies with old ones.
  • Cyber and privacy diligence and awareness must not be taken for granted. Even if new technology is created to avoid past vulnerabilities, someone could still choose a poor password, fall victim to a social engineering attack or forget to revoke an access. Even after years and years, it is still customary to complete an audit and find weak passwords, IoT devices without secure passwords and protocols, applications with default passwords, and other much-discussed lack of controls.
  • Testing and auditing must not be taken for granted. Many cybersecurity professionals may rely on a big cloud provider running continuous testing and auditing on their services and products, for example. However, it is important to take into consideration that software fails, robots break and technology might operate differently in less than ideal situations. In this example, the big cloud provider’s internal procedures are just one of the protection layers. Cybersecurity and privacy practitioners should add other testing and auditing layers customized to their organizations’ needs and operations.

Conclusion

Emerging technologies should be leveraged for the enterprise’s benefit, and the audit plans, framework and body of knowledge established and designed by the cyber and privacy community should be used for the good of society.

Dealing with emerging technologies is challenging because of their novelty, but there are shortcuts to ease the work, such as:

  • Leveraging cybersecurity and privacy frameworks, standards and bodies of knowledge
  • Keeping it simple by basing solutions on fundamentals (CIAP and PPT)
  • Not taking cybersecurity and privacy for granted in emerging technologies

Endnotes

[1] Schwab, K.; The Fourth Industrial Revolution, Crown Business, USA, 2017
[2] Alchemists, among other things, attempted to transform mercury into gold. The substance capable of transmuting one metal into a noble metal was called the “philosophers’ stone.”
[3] Loftus, E.; “Creating False Memories,” Scientific American, vol. 277, iss. 3, 1997, p. 70–75, http://staff.washington.edu/eloftus/Articles/sciam.htm
[4] Morris, B.; “More Keys Than a Piano: Finding Secrets in Publicly Exposed EBS Volumes,” DEF CON 27, Las Vegas, Nevada, USA, 8–11 August 2019, http://www.defcon.org/html/defcon-27/dc-27-speakers.html#Morris
[5] Schneier, B.; “Perceived Risk vs. Actual Risk,” Schneier on Security, 3 November 2006, http://www.schneier.com/blog/archives/2006/11/perceived_risk_2.html
[6] Carlson, D.; “Maximize Your Security Operations Center Efficiency With Incident Response Orchestration,” Security Intelligence, 9 January 2019, http://securityintelligence.com/maximize-your-security-operations-center-efficiency-with-incident-response-orchestration/
[7] Open Web Application Security Project (OWASP), OWASP Top 10, http://owasp.org/www-project-top-ten/
[8] Center for Internet Security (CIS), The 20 CIS Controls and Resources, http://www.cisecurity.org/controls/cis-controls-list/

Demetrio Carrión, CISA, CRISC, CISM, CISSP, PMP

is the Latin America South cybersecurity leader at EY Brazil. He is a seasoned cyberprofessional with more than 20 years of experience, 15 of them working at EY. Carrión has received two ISACA® awards for achieving the highest grade on the 2007 Certified Information Security Manager® (CISM®) exam and the second highest grade on the 2006 Certified Information Systems Auditor® (CISA®) exam in the South/Central America region.