Cyber Security Risks: An Ever-Evolving Challenge
Using any technology comes with risks. Understanding that risk and how it evolves as technology evolves is essential to helping you minimize those cyber security risks.
See The Constantly Evolving Subject of Cyber Security with Stephen Cobb for a complete transcript of the Easy Prey podcast episode.
Stephen Cobb is a best-selling author of dozens of textbooks on PC and LAN security and software usage. He has over thirty years of experience in digital security and data privacy and has a master’s degree in security and risk management. He has been a Certified Information Systems Security Professional (CISSP) since 1996 and has founded two successful security startups. Currently he researches harms caused by the abuse of digital technology.
Finding an Interest in Cyber Security Risks
Stephen got involved in computer technology in the late 1970s. He started by teaching people how to use computers and various software programs. At one point, someone who had taken one of his past classes asked for help with a stolen computer. As he looked at the problems this stolen computer caused his former pupil, he realized how many issues a single stolen PC caused. He started thinking about computer-related security.
At that time, he was writing textbooks about computers and how to use different software programs. He had the opportunity to write a book about computer security. His books on specific software sold tens of thousands of copies – he assumed a book on security that wasn’t limited to a specific software would have an even wider readership.
It turns out that he was very wrong. His book on security, The Stephen Cobb Complete Book of PC and LAN Security (titled by the publisher, not him), only sold a few thousand copies. And all of those were to people already interested in security.
“One of the things that appealed to me was the fact that [security] was a never-ending subject.” - Stephen Cobb
But Stephen didn’t give up. He knew cyber security risks were an important topic that would keep evolving as technology evolved. At that point he had no educational background in security, but he did have a deep interest. He worked on antivirus and firewall testing and spoke at the first firewall conference. Eventually, he found his niche: Thinking about cyber security risks and the risks of using technology.
Evolving Tech and Evolving Risk
In the 1960s and 1970s, people viewed computer technology negatively. There were student protests at Berkeley against using computers. Stephen himself only became interested when PC technology emerged. He could clearly see that it was empowering and had great benefits. But he could also see downsides and cyber security risks.
When you connect two computers, you more than double the risk. The core of network security is being able to share some things with some people, but not everything with everyone. How to actually do that, though, is a challenge – one that expands and changes as technology expands and changes.
Stephen started a security consulting firm to help people deal with those risks. When his first firm was acquired by a larger company, he started a second firm. His firms did a lot of work with spam, framing it as a theft of resources. They also did a lot of training, which was always Stephen’s focus. Not only did they do training courses, but they also did private training and specific training for people in security.
Companies at this time were just starting to hire Chief Privacy Officers. These CPOs would go to the IT department and tell them to do certain things, and IT would reply that it couldn’t be done. Stephen’s training explained what you could and couldn’t do with computer security. Part of his goal was also helping people understand what kinds of cyber security risks and challenges were out there.
Becoming a “Security Evangelist”
After selling his second consulting firm, Stephen got a call from ESET, an internet security company. They invited him to come work as a “security evangelist.” Even though ESET sold internet security products, Stephen’s job was to talk about security without pushing any product.
He did a lot of awareness work, teaching people about what cyber security risks existed. He also had a small research team finding out how to reverse malware. They ran a blog called WeLiveSecurity where they talked about security-related topics. In essence, his job was to look at emerging cyber security risks and threats and explain the implications of what he and his team found.
When the Target credit card hack happened, Stephen’s team had the first article on what to do. The banks all said that changing cards to chip and PIN security would solve the problem. Stephen disagreed. There is a concept called crime displacement, where a crime prevention program doesn’t prevent the crime, just moves it to something different. Switching cards to chip and PIN security would just change the problem, not solve the problem.
Researching the Human Element of Cyber Security Risk
Eventually, Stephen went back to school for a master’s degree in security and risk management. In 2016, he had the opportunity to do some research on risk perception to find out why some people don’t understand cyber security risk.
For example, ESET’s internet security product is a good product, but it has a support line in case someone does get malware or a virus. People would ask him, “Does this mean the product doesn’t work?” Stephen has never seen a case where the product failed. In cases where someone who has the product has a problem anyway, it’s always been a human error at fault. A company didn’t have the software installed in the affected department, for example, or they turned it off to do an upgrade and never turned it back on.
“Understand the limits of the technology … and clearly, human behavior becomes a very big issue.” - Stephen Cobb
Since becoming semi-retired, Stephen has spent more time looking at human behavior and cyber security risk. He found the COVID-19 pandemic especially revealing. It was a situation where people needed to come together to solve a big problem. In some ways, we did. But there were also many people who exploited the pandemic for malicious or selfish reasons.
The Cyber Security Risk of Evolving Scams
The FBI’s Internet Crime Complaint Center (IC3) has seen a trend in romance scams and cryptocurrency scams. Specifically, they’ve seen a new fusion of romance scams leading to fraudulent investments in cryptocurrencies.
When someone is running a scam, they want to somehow get the victim’s money. First, they use some method to gain the victim’s trust. Once they have that trust, they need a way to get their money. Traditional romance scams rely on sympathy. They spin stories like losing their passport and being stuck in a foreign country to get their victims to send them money to “help.” But by adding cryptocurrency to the mix, they can talk up an opportunity. Convincing their victims to invest in this “can’t-miss opportunity” is easier when they have the trust of a romance scam.
But just because there are new cyber security risks doesn’t mean the old ones are disappearing. Ordinary cryptocurrency scams and romance scams still exist. Tech support scams are still going strong. Teenagers having misguided fun are still out there. There are still organized criminal groups.
“I tried to pull together broad lessons I’ve learned about security. One of them is that it’s cumulative. Threats are cumulative and challenges are cumulative.” - Stephen Cobb
We’re also seeing new cyber security risks. State actors weren’t a problem twenty years ago, but we’re seeing more of them now. Bluetooth and USB previously weren’t a cyber security risk, but every technology that comes along is eventually abused. Malicious actors can take over a building’s automated systems to lock people out. Hackers can combine ransomware with vehicles to hack a car’s electronics and make it useless until a ransom is paid. Self-driving cars could be taken over to kidnap people – we haven’t seen that yet, but it’s possible.
The Problem of Dismissing Cyber Security Risks
One of the biggest problems in managing cyber security risks is that people tend to dismiss them. Someone who finds a vulnerability might bring it up and say it’s important because someone could attack through it. People respond by wanting to know how likely that is. If they consider it unlikely, they don’t think it’s a problem.
The amount of cybercrime happening right now is depressing. And it’s not factored into future plans nearly as much as Stephen thinks it should be. Whatever we’re planning for future technology – whether it’s Artificial Intelligence, the next pandemic, or self-driving vehicles – nobody is thinking about what kind of mess malware could make of it.
For example, AI is made out of chips, code, and data. When people look at the cyber security risks, they tend to look at the data. But chips and code can be hacked. What happens if a hacker disables a server that you’re using for real-time analysis of something critical, like medical scans? Stephen thinks we aren’t considering those cyber security risks enough.
“This is something I’ve struggled with – how to get people to realize that abusive code and abusive systems are part of life.” - Stephen Cobb
For a lot of people, cyber security risks are still a fringe issue. But they aren’t – they’re everywhere. Over the past few years, we’ve seen almost every possible way to scam someone through their smartphone or the internet. And security is getting more complicated, with multiple steps required to do anything securely. In addition, some scams are very convincing. If the internet wasn’t required to function in the modern world, could we in good faith recommend it?
Cyber Security as a Moral Issue
If you halved the number of people prepared to abuse technology, cyber security would be more than twice as easy. We haven’t made cybercrime an abhorrent thing to do. Drunk driving, for instance, is universally considered wrong. If you’re caught drunk driving, you often don’t get sympathy from people. But breaking into digital systems and exploiting them for gain isn’t seen as nearly as morally reprehensible.
“Solving security is really a human behavior problem and a moral, ethical problem.” - Stephen Cobb
The FBI has come a long way in prosecuting cybercrime. Stephen has been impressed by some of the US’s sanctions regarding Russia’s invasion of Ukraine. It can be beneficial to name foreign actors, even if they can’t be immediately arrested. Identifying them can limit their options. And there was one case where five cybercriminals indicted in absentia were arrested when they went on vacation.
Cybercrime is a type of crime where getting people to stop doing it is very possible. Breaking and entering is not a very transferable skill, but cybercriminals have coding and computer skills that can be useful in many legal jobs. If we can encourage some cybercriminals to use their skills for legal professions instead, we can significantly reduce cyber security risks.
“Cybercrime is a crime where desistance is quite possible … desistance is the idea in crime that people give it up.” - Stephen Cobb
Stephen sees a strong economy as one pathway out of cybercrime. In a prosperous economy with fuller employment, someone who writes banking code during the day won’t need to write encryption-breaking code at night to make ends meet.