ITMPI FLAT 004
Main Menu
Home / ITMPI Insights / Over 30 Years of Hacking—and No Improvements on the Horizon

Over 30 Years of Hacking—and No Improvements on the Horizon

It is 31 years ago that Cliff Stoll discovered a hacker tunneling into US government networks by passing through his computers at the Lawrence Berkeley Lab. Stoll was asked to clear up a billing discrepancy, discovered the German hacker who was working for the KGB, and alerted the US government managers of the networks that the hacker was targeting. He later wrote about it in The Cuckoo’s Egg, which remains an excellent read.

Unfortunately, Stoll did better than average by today’s norms. He discovered the hacker in his own networks within a month and was able to independently monitor that hacker to the point of alerting the real targets of the hacker. The performance of the US government administrators 31 years ago was identical to what we see today. Today’s norm is that hackers generally are discovered by a third party, have been in the network for the better part of a year, and exploit a known vulnerability, according to the annual Verizon Data Breach Investigation Reports.

Clearly, we are doing it wrong if we have not improved our performance over the past three decades. What we are doing wrong is focusing on the hackers rather than on the vulnerabilities that they exploit, probably because the vulnerabilities are our responsibility. Almost all successful intrusions exploit well-known vulnerabilities for which patches or fixes are available. Computer hardware and software come with vulnerabilities, the majority of which are accidental or result from the fact that security is not a metric for original equipment manufacturers. That is changing, but slowly, and the proliferation of new—flawed—equipment grows much faster than the repairs to old well-tested equipment. As an example, consider all the Internet of Things (IoT) cameras that shipped with default passwords and were used in the enormous October 2016 distributed denial of service attacks (DDoS). It is hard to argue that default passwords are an unknown vulnerability.

To change the trajectory of cyber security for the next 30 years, we need to understand that security can only be achieved by changing our behaviors rather than relying on others or governments to defeat all hackers. The police cannot stop all burglars even if we do our bit by installing alarms, fences, lights, locks, and window bars. Those systems help us deter and detect an intrusion, but we would never dream of thinking that the police would stop all crime on their own, even if that is orders of magnitude simpler than stopping hackers.

Computer security cannot be accomplished by anybody but the users and owners of the systems, just as only Cliff Stoll was able to detect the hacker on his systems and defeat the threat.

 

Hans Holmer will be presenting a free webinar with ITMPI on April 19! Sign up here: Cybersecurity Fundamentals: Crawl, Walk, Run

About Hans Holmer

Profile photo of Hans Holmer
Hans Holmer is a Senior Cyber Strategist with over 25 years Government, Human Intelligence, & Private Industry experience. Mr. Holmer is the recipient of a host of awards for his work and contributions, including: CIA Intelligence Star, CIA Career Commendation Medal, 3 CIA Meritorius Unit Awards, 11 CIA Exceptional Performance Awards, Director of National Intelligence Meritorius Unit Award, National Intelligence Certificate, National Intelligence Award, and U.S. Army Commendation Medal. Hans Holmer brings multi-cultural, multi-lingual IT (particularly cyber security) and human intelligence expertise to the mix of leadership skills that defines aQQolade. A successful strategist and planner, performing complex analyses and briefing at the highest levels and accomplished public speaker, Hans is a leader and developer of multi-disciplinary teams.

Check Also

No More Limits! Why WIP Targets Are Better for Improving Team Performance

For decades now, the Operations Research and Industrial Engineering communities—and especially Lean and Theory of …

Leave a Reply

Your email address will not be published. Required fields are marked *