The Art and Science of Cybersecurity

  

Given the number and frequency of news reports these days on the topic of cybersecurity — and in particular breaches in this area — it would not be unreasonable to believe that organisations around the world are fighting a losing battle when it comes to the protection of data and other IT assets. And as we might have read or heard, cyberattacks have become more targeted and sophisticated. No longer just ‘entry-level hackers’, our adversaries now are armed with abundant resources and the most advanced techniques. The standard, age-old defensive and preventive measures adopted by many organisations are proving increasingly incapable of countering these threats effectively. We also see a rapid convergence of IT, operational technology (OT) and the Internet of Things (IoT), making the execution of cybersecurity measures much harder, as these significantly expand the surface for attack. In addition to standard Internet protocols and programming languages, OT and IoT extend the security risks to industrial control systems and communication protocols which often deal with human safety, and essential supplies such as water and electricity.

Whatever it takes to prevent, or protect us from, such threats will have a huge potential impact on the physical world. Obviously, cybersecurity issues affect more than just University staff and students — they ought to concern us all. As such, the leaders in this field must adapt their strategies, frameworks and technologies to deal with threats in a rapidly-changing environment.   

Something Phishy

When it comes to cyberattacks, phishing tops all threats that lead to security breaches today, based on a 2019 report by global communications company Verizon^[1]. Its findings stated that 32% of breaches reported involved phishing, and 94% of malware-related incidents had been found to come through emails. For those unfamiliar with the term, phishing is a form of social engineering that exploits human vulnerabilities, where, for example, many of us would empathise when asked to help in a situation. Likewise, most staff act swiftly when they receive requests from their managers. But vulnerability can also manifest as greed, which may surface when one is tempted with an opportunity to make a quick profit – causing us, for instance, to enter our login credentials without a thought. This is especially so if we are accessing the same website repeatedly without realising the website is fake. 
   

Among the forms of email phishing, impersonation is the hardest to detect, as it becomes increasingly sophisticated with techniques such as the Business Email Compromise (BEC). The Internet Crime Complaint Center (IC3) — which is linked to the US Federal Bureau of Investigation (FBI) — received 15,690 BEC complaints with adjusted losses of over US$675 million in 2017^[2]. A BEC attack is a highly-targeted one. The adversary will conduct thorough research on his subject, finding out his roles, regular contacts, staff subordinates, working hours and even hobbies before launching a personalised attack. A BEC often begins with a casual pretext such as “Do you have a minute?” or “Are you available?” to sense its target’s vigilance and interest in following up. The perpetrator will time it well, impersonate the victim’s manager and appeal for money transfer by claiming that he is overseas and/or just robbed when he is indeed travelling. If this is not sufficient to trick the victim, he will launch a takeover of the accounts of the manager in question (or those of close friends in other cases) and if successful, send a phishing attack on you using the compromised (and yet legitimate) ID.

What is important to note is that while humans form the first level in the entire cyber-defence system, they are also its weakest link. Security measures like email filtering and sandboxing (where a programme is ‘quarantined’ from other programmes in a separate environment so that if errors or security issues occur, these will not spread to other areas on the computer) work best with predefined rules. As such, they are less effective with BEC attacks, as these work on writing styles, the language used, words chosen and expressions of intent. Like an Arts subject, BEC is a language on its own, understood by an individual, and it works by exploiting the social and behavioural dynamics of a society.

Fighting Fire with Fire

Having come to understand the continually-evolving nature of such threats, the University has been investing significantly in cybersecurity in technology, processes and people over the years. We are transforming our cybersecurity strategies and framework in a number of ways. Firstly, we deploy Machine Learning (ML) as a possible solution in situations where humans remain a weak link, such as in the case of a BEC attack. A ML model learns from past data, identifies patterns and makes decisions with minimal human intervention. Once an ML model learns your email writing style, it is possible for your acquaintances to infer an email received was indeed from you or not. Under supervised learning conditions — or if learning is augmented by human intelligence — one can label certain data set to help the ML model achieve a good level of accuracy. It mimics the type of training that is used if the ML model is, for example, taught to recognise a dog by feeding it thousands of pictures of dogs of various breeds, colours and sizes. Over time, the accuracy improves and error rate drops to the extent that the ML is able to identify a dog from a picture that it has not seen before.

Secondly, the University is moving to an Advanced Threat Hunting model. We do this by establishing partnerships with industry experts and become much more proactive to research and listen into the dark web and global happenings as well as blog activity on indicators, variants, targets and the motives behind attacks. We may then deploy deception tools to purposely build a fake environment comprising virtual workstations, servers, devices, applications, services and protocols to detect, lure, entice and ultimately engage attackers. There are over 150,000 devices connected to the campus network. We view every device an asset rather than a burden to our defence as we will enable every device as a sensor, providing us intelligence and insights to potential threats in networks, systems and applications.

Thirdly, we have to strike a balance in the University for our users to do their jobs efficiently and closing off avenues of attack. User Behavior Analytics (UBA) is one of our key strategies, where we detect anomalies in the behaviour of users or systems without imposing extra steps and controls. UBA studies logs of past behaviour to identify standard patterns — such as login hours, assets accessed or data transfer volume, etc. — that can be picked up over a year or more of analytics. The more UBA knows about a user or system, the more precise its patterning and anomaly detection become.

IT takes People Power

For all the measures that can be taken however, science or technology alone is not enough to combat cyber-attacks. The “art” of defence — where humans become aware of the threats and learn to defend against them — plays an important role. As in the case of phishing attacks, we need to change our behaviour and perspectives towards emails received. NUS Information Technology for one conducts regular phishing drills, with an aim to change working culture and behaviour through education. The drill targets various groups of employees at different frequencies and by employing different themes, occasionally through impersonating an important sender. It is fascinating that people’s reactions to various scenarios of appeals for help (with dire consequence to follow if no action is taken by certain deadline) can be vastly different. 

All said, we believe in nurturing a holistic cyber-secure personal lifestyle that includes good cyber-hygiene habits that will permeate the workplace, households and social spaces. Besides modernising our cybersecurity framework, our drive towards lifelong learning will impart the essential skills and behaviour to individuals, and hopefully serve to strengthen the weakest link in the cybersecurity ecosystem. 

^[1] Verizon Data Breach Investigations Report 2019    ^[2] Internet Crime Complaint Centre Report 2017