The ISF (Information Security Forum) is one of the world's leading independent authorities on cybersecurity and information risk management, and Steve Durbin has been its managing director for almost a decade.
Since the Information Security Forum keeps its eyes on everything that happens in the cybersecurity sector, we wanted to find out more about the risks we are taking, how the world is going to change, and more, so we had a very interesting chat with Steve Durbin, ISF managing director.
TechNadu: Cybersecurity and risk management are some of the areas where you are a specialist, so what we'd like to know is just how you feel the past few years have been in terms of the evolution of cyber-attacks. Are we seeing more aggression, or have things followed a somewhat predictable path?
Steve Durbin: Over the past few years, the pace and scale of information security threats have continued to accelerate, threatening the integrity and reputation of today’s most trusted, global organizations. Businesses are struggling to cope with the quantum speed and complexity of global cyber-attacks being carried out by organized cyber-criminal syndicates.
In addition to exposing the personal data of individuals, the list of targets that we know have been successfully attacked over the past few years includes a veritable Who’s Who of government, business, and technology, including some of the world’s most technically sophisticated organizations. Moving forward, organizations of all sizes need to prepare to be targeted at any time, and at any place, by multiple attackers. Organizations that wish to keep pace with these developments, and remain financially viable, need to take action now or face severe consequences. With the speed and complexity of the security threat landscape changing on a daily basis, those organizations that don’t prepare will be left with significant reputational and financial damage.
TechNadu: What are, in your opinion, some of the biggest threats to our cybersecurity these days for companies, but also for individual Internet users?
Steve Durbin: Criminal organizations are going to continue their ongoing development and become increasingly more sophisticated. Some organizations will have roots in existing criminal structures, while others will emerge focused purely on cybercrime. Organizations will also struggle to keep pace with this increased sophistication and the impact will extend worldwide, with malware in general and ransomware, in particular, becoming the leading means of attack. Email-based attacks such as spam and phishing (including targeted spear phishing) are most commonly used to obtain an initial foothold on a victim’s device. Cybercriminals behind ransomware will shift their attention to smart and personal devices as a means of spreading targeted malware attacks.
TechNadu: We've seen a rise in bug bounty programs, both in-company sessions and some led via specialized platforms. What is your opinion of these programs? Do you believe we're going to see consistently more white hackers now that there's a chance at properly monetizing this talent? Subsequently, will we see fewer black hats or hackers that have turned ethical thanks to the existence of bug bounties?
Steve Durbin: Bug bounties have always been a matter for personal choice – some companies have embraced them as resolving bugs they would not otherwise have been able to find, others are not so keen. What we can say with certainty is that a market for vulnerability acquisition is emerging, driven by organizations such as Zerodium, which will pay millions of dollars for individual zero-day vulnerabilities. This illustrates the increasing monetary value of vulnerabilities and potentially changes the motivation both for the disclosure and for bug bounty programmes. As criminal groups or nation-state actors understand the potential of zero-day vulnerabilities, unethical vulnerability disclosure will escalate, leading to more vulnerable software and associated disruption to business and endangerment of customers. The market for buying and selling vulnerabilities will continue to expand.
TechNadu: The IoT industry keeps rising, but we don't see better security in most of these products, aside from some big-name companies. Numerous cybersecurity experts are calling for some kind of regulation to be imposed, even by governments. Do you think that's a good idea?
Steve Durbin: Organizations are adopting smart devices with enthusiasm, not realizing that these devices are often insecure by design and therefore offer many opportunities for attackers. In addition, I expect that there will be an increasing lack of transparency in the rapidly-evolving IoT ecosystem, with vague terms and conditions that allow organizations to use personal data in ways customers did not intend. It will be problematic for organizations to know what information is leaving their networks or what is being secretly captured and transmitted by devices such as smartphones, smart TVs or conference phones. When breaches occur, or transparency violations are revealed, organizations will be held liable by regulators and customers for inadequate data protection.
The fact is that security can be expensive, and these devices were never designed with security in mind. They were created to provide and process information at the lowest possible cost. However, by maintaining an open connection to the individual’s home computer (a device which may, in turn, be connected to an employer’s network), they offer intruders a portal to inflicting damage that goes well beyond the owner’s home devices. Securing these devices may become an appropriate topic for government regulation.
TechNadu: We've seen a growth in Artificial Intelligence (AI) integration into our lives via various tools we use, whether we're talking about personal assistants or our security tools. AI has been discussed so much, in fact, that many fear singularity is just around the corner (when the reality is much different, of course). Do you think we need more AI implementations into our daily lives or should we be, instead, drawing a line somewhere?
Steve Durbin: In the coming years, attackers will take advantage of breakthroughs in AI to develop malware that can learn from its surrounding environment and adapt to discover new vulnerabilities. Such malware will exceed the performance of human hackers, exposing information including mission-critical information assets and causing financial, operational and reputational damage. Many believe that AI will bring huge benefits to society, especially in areas such as research and healthcare. However, it will also be deployed in more damaging ways, one of which will be to build computer malware that can change both its form and purpose. Attackers will use this artificially intelligent malware to find new ways to access an organization’s network and disrupt its operations. Mission-critical information assets such as trade secrets, R&D plans, and business strategies will be targets for compromise – all without detection.
As it is AI-based, this new form of malware will learn from its environment, analyzing applications and systems to discover and exploit new vulnerabilities in real time. It will be hard to distinguish what is safe from unauthorized access and what isn’t. Even information previously believed to be well protected will be open to compromise. Conventional techniques used to identify and remove malware will quickly become ineffective. Instead, AI-based solutions will be needed to fight this new malware – leading to a race for supremacy between offensive and defensive AI. The eventual winners will be hard to spot for some considerable time.
TechNadu: The ISF has recently released a new briefing paper on Blockchain security. While the initial feeling was that blockchain can be quite safe, it seems that's not necessarily the case. What are the risks here and what should companies looking to implement this technology do to keep the data secure?
Steve Durbin: Blockchain’s indelible and visible record provides many advantages. But this record does not render blockchain immune from security issues. Blockchain is not as ‘tried-and-tested’ as older technologies such as databases and directories, where security strengths have been identified and weaknesses addressed over time. There are few individuals available with extensive experience of securing a blockchain network, who are able to identify and manage security issues effectively. With transactions performed directly between parties, there is no intermediary to resolve disputes. Parties to a transaction, particularly members of the public, may have less protection than when using intermediaries such as credit card companies, payment services, and banks, who can help in the event of a dispute and return money where fraud has been committed.
As blockchain is put to different uses, it is vital to cut through the hype to understand its merits and disadvantages. After all, it may not always be the best solution to a problem; directories, databases and other types of data store still have value. While there may be a commercial advantage from being at the forefront of adopting blockchain, prudent organizations should be aware that blockchain is immature and unforeseen security issues may emerge. Consequently, organizations should place a particularly strong emphasis on evaluating the risks of developing or using blockchain applications before trusting this innovative approach.
TechNadu: Children today grow up in a much more connected world than we did, but they also grow up surrounded by the various dangers that the Internet brings with it, and most parents don't know what they should do under these circumstances. What is the best way for parents to guide them through these challenges?
Steve Durbin: I believe that it is about creating a safe and transparent environment. What I mean by that is that we need to educate children to be safe online through our own practices and by showing them where things can go wrong. There are some great videos on YouTube that talk about privacy and checking out websites to make sure they're safe for kids to browse. It is important that they know the need to keep personal information private – names, addresses and so on. They need to avoid strangers and check the appropriateness of the sites they are visiting. These are relatively similar whether we talk about an online or offline environment. The biggest challenge for parents is mentally making the transition to a digital environment. I would also recommend that parents ensure there is downtime, periods when technology is simply put away and children reminded that the world also exists outside of cyberspace – and it can be equally or even more interesting than the cyberworld they access via technology.