Securing The Internet
Internet Security is a peculiar dilemma. It’s extremely hard and an unenviable task. But also embarrassing to repeatedly get caught napping or behind the eight ball in a constantly evolving threat landscape. As nations and corporations grapple with novel threats and an explosion of entities hooked to the internet, they awaken daily to the reality of its uphill battle.
There is no such thing as getting security just right. Our best defenses today may prove woefully insufficient tomorrow. There is an inherent asymmetry in defending against the digital dark arts. Whereas a rogue actor can get away targeting the weakest link in the chain of cybersecurity, the task of securing the internet gets inordinately hard. The realization that there will always be a weak link is unsettling. A cybersecurity chain is only as strong as its weakest link. Adi Shamir, the Turing Award recipient and the co-creator of the famed RSA encryption algorithm, couched this golden nugget into a quote:
Cryptography is typically bypassed, not penetrated — Adi Shamir
The recent episode is poignant. It is instructive for me as an IT professional who takes security seriously. The brazen nature of the attacks in penetrating Nvidia, Microsoft, Okta, The Brazilian Ministry of Health, and others is a teachable moment in history.
By successfully employing social engineering tactics as their modus operandi, Lapsus$ stole millions of dollars in currency — both regular and bitcoin. They made a mockery of the security apparatus. Based on reporting, the alleged conspirators arrested were kids between the ages 16 and 21. Their ring leader was a teenage whiz living with his mother in Oxford, England. With insane skills to spoof automated activity, he misled folks tracking into believing there was no human involvement. Internet-of-Things firmware can misfire, and the occasional piece of software programmed by humans misbehave to give an appearance of something going rogue. However rare and implausible they seem, they are known to happen.