1989. Acid wash jeans, Bon Jovi and the compassionate conservatism of the Reagan Era were actually, unironically popular. The Berlin Wall fell, free elections were held in the then Soviet Congress of Deputies, Vaclev Havel became president of Czechoslavakia, and pro-democracy rallies held sway in China. And, SC Media was born.
It was a time of sincere commitment to the democratic process, a time of opening borders and minds. And yet, while there was no “cyber” before “security,” it was also the time when we shared a nursery with the worldwide web and online security was seeing its first serious incursions and attacks.
Stu Sjouwerman, founder and CEO of IT security training company KnowBe4, points out that there has been “a massive change in the InfoSec landscape these three decades. Organizations were far better off 30 years ago, because any type of hacking had barely started and was mostly teenage pranks. Cyber-crimes were few and far between,” say Sjouwerman. “Today we have an extremely well-developed criminal ecosystem that is very active and capable. In this particular case, it was indeed the ‘good old days’.”
Larry Ponemon, founder and chairman of the Ponemon Institute, points out that while the fundamentals of security have not changed, the technologies and organizations themselves have matured. “Fraudsters used to steal your wallet or your personal account,” Ponemon says. “Now that’s chump change.”
Three decades ago, when SC Media was first published, the first real antivirus from McAfee Networks has been available for one year and there were no commercially available firewalls, according to Leonid Shtilman, serial entrepreneur and executive of several IT security firms. “Today antivirus is a commodity and doing much more than just searching for virus signature. With all these new endpoint companies with a market cap in billions are coming,” says Shtilman. “Vendors are creating honeypots for intruders, creating solutions, developed all kind of two-factor authentication solution. Today, attackers are [focused on] earning money, while most of attacks or viruses in 1989 were childish proof of intellectual superiority of attackers.”
At the RSA conference in 2018, there were more than 500 vendors, whereas 30 years ago there were none, according to Michele Guel, distinguished engineer and chief security architect for the security and trust Organization at Cisco. “Today, there is a tool for almost anything we want to do and that in itself is a challenge,” Guel says. “Many organizations have solutions from 20-30 vendors. Organizations are, for the most part, better off than they were 30 years ago. But that does not mean the same organizations have the level of security posture needed for the level of risk that exists.”
Grant Bourzikas, CISO and vice president for McAfee Labs, says that while attacks are “fundamentally similar to what they were 20 years ago, as it relates to the vectors of exploits and vulnerabilities many of the defenses that were deployed 20 years ago are the same, and implementing good security hygiene and fundamentals are still relevant today.” The “annoying” script kiddies of previous years have been replaced by well-funded and organized nation-state attack-focused, massive denial of service, ransomware, and theft of customer records and intellectual property for financial or political gain attackers, he points out.
In some ways though, the more things change, the more they stay the same. Techniques that were used “25 years ago are still in use. Phishing is still a major threat,” says Sam Curry, chief security officer for Cybereason. “I remember thinking ‘it’s not sophisticated but it’s working.’”
Over the years, cybersecurity has seen a number of high-profile breaches effecting virtually every sector from healthcare to financial to retail to government and beyond. While seemingly no enterprise or agency can consider itself “safe” from attack now, there have been several breach events along the way that have captured the attention of the industry and the mainstream consumers themselves – becoming “ah-ha” moments that woke people up or incited change.
“Major breaches, especially through third parties, have focused industries, regulators and technology providers on the broader risk challenges and the need for cooperation,” says Catherine A. Allen, a long-time banking industry executive and currently CEO of the Santa Fe Group, which also manages Shared Assessments, a third-party risk management service. “The advent of nation-state and protestor adversaries that want to create reputational or operational risks are new. It’s not just about the money.”
While many of these cybercrimes certainly do have a financial element, one of the key malware attacks that turned heads was Stuxnet – not only for how pernicious and debilitating it was, but, as Curry points out, it showcased the use of a cyber-attack as “the extension of politics by other means. [Malware] like this had been used before, but Stuxnet really got a lot of attention.”
Curry also cites the DigiNotar hack in 2011. Not only was the Dutch certificate authority, owned by VASCO Data, compromised – putting doubts on the security of certificate authorities in general – but the attack “forced the entire legal system to go back to paper and pencil, it had real ripples and implications on a whole industry,” Curry says.
Lysa Myers, a security researcher at ESET, cites the famed Melissa virus and Mirai botnet as both having profound effects on the IT security industry and the average layman. “The Melissa virus outbreak took computer security, specifically malware, from the realm of urban legend to the evening news,” she says. “And the Mirai botnet was the point where people stopped regarding internet-connected devices as no more dangerous than their unconnected siblings.”
Similarly, the Target and Home Depot breaches, “hitting in such a short span and affecting such popular retailers had a lot of effects that we’re still just now starting to see,” Myers points out. “This was the moment where it became clear to a lot of organizations that breaches are not a matter of ‘if’ but ‘when,’ and that no matter what industry you’re in, your business must also include protecting customers’ data.” Also, the revelations of Edward Snowden had a profound effect, still being felt widely today, by bringing privacy and security to the front of mind for a lot of people who’d not considered it before. “It also gave governments and large organizations a chilling example of the damage that could come from insider threats,” Myers adds.
Sometimes, it’s not where the breach comes from, or the malware that’s used that captivates minds and grabs headlines – some cyber events have become well-known for what happened after the attack. “Equifax was a milestone in cybersecurity because of the way it was managed, the cavalier attitude [of the company],” Curry says. “The way internal executives comported themselves [made it] all seem suspicious.”
Also, the result of the credit bureau’s CEO resigning as a result of the bungled management of the attack pointed out clearly that when a cyberattack happened, anybody’s head could land on the chopping block – not just the CISOs or a member of the IT security team, he adds.
Even recently, with allegations of election tampering in the U.S. Presidential race in 2016 and this past November during the mid-term elections, public opinion about the pervasiveness and widespread effects of cyber-incursions is being shaped. Russia in particular is a “textbook example” of the massive crime wave that typically takes hold in a country after the fall of a communist regime, according to Sjouwerman. “With the state and existing mafias merging into a kleptocracy, [Russia has] allowed and even fostered cybercrime these last 15 years,” he says, adding that the emergence of government-supported organized cybercrime on the whole has been a huge (and unsettling) major development.
Allen agrees. “One of my nightmares is about attacks on the grid and other critical infrastructures that will create chaos and anarchy in countries, including our own,” she says. “We’ve seen what the Russians and North Koreans can do and we are not prepared in the United States.”