As mentioned in our previous article, before the main motive for hackers was a craving for knowledge and banal curiosity. To satisfy it, researchers often did things dubious from the point of view of the government, but in those years there were still very few laws regulating the field of information technology.
However, it is rather difficult to clearly state in laws all the nuances of interactions, as a result of which there are discrepancies in interpretations. It also complicates the activities of information security researchers: it is often unclear where the research-conscientious research ends and the crime begins.
Even within the framework of bug bounty programs, software developers can ask researchers for a demonstration of exploitation of the vulnerability, proof of concept. As a result, the information security specialist is forced to create, in fact, malicious code, and when it is sent, “distribution” already begins.
All this creates risks for researchers, therefore, before conducting certain experiments, it is better to consult with lawyers.
Information Technology Development Cycle
In the modern world, technologies develop in certain cycles. After the creation of some good idea, it is commercialized, a finished product appears and that allows you to make money. If this product is successful, it attracts the attention of cybercriminals who are beginning to look for ways to earn money on it or its users. Businesses are forced to respond to these threats and engage in protection. The confrontation between attackers and security guards begins.
Moreover, in recent years there have been several revolutionary technological breakthroughs, from the appearance of mass high-speed Internet access, social networks to the spread of mobile phones and the Internet of things. Today, using smartphones, users can do almost everything the same as using computers. But at the same time, the level of security in the “mobile” is fundamentally different.
To steal a computer, you need to enter the room where it is stored. You can steal a phone just on the street. However, many people still do not understand the scale of the security risks that technological development carries.
A similar situation is with deleting data from SSDs (i.e. flash drives). Standards for removing data from magnetic drives have been around for many years. With flash memory the situation is different. For example, such disks support the TRIM operation: it tells the SSD controller that the deleted data no longer needs to be stored, and they become inaccessible for reading. However, this command works at the operating system level, and if you go down to the level of physical memory chips, you will be able to access the data using a simple programmer.
Another example is 3G and 4G modems. Previously, modems were “slaves”, they were completely controlled by a computer. Modern modems themselves have become computers, they contain their own OS and run independent computing processes. If the cracker modifies the modem firmware, then he will be able to intercept and control any transmitted data, and the user will never guess about it. To detect such an attack, you need to be able to analyze 3G / 4G traffic, and only intelligence agencies and mobile operators have such capabilities. So such convenient modems turn out to be untrusted devices.
Conclusions on the results of 20 years in information security
I have been associated with the field of information security for twenty years, and during this time my interests within it have changed in parallel with the development of the industry. Today, information technology is at such a level of development that it is simply impossible to know everything within even a single small niche, such as reverse engineering. Therefore, the creation of truly effective protection tools today is only possible for teams combining experienced experts with a diverse set of knowledge and competencies.
Another important conclusion: at the moment, the task of information security is not to make any attacks impossible, but to manage risks. The confrontation between defense and attack specialists comes down to making the attack too expensive and reducing possible financial losses in case of a successful attack.
And the third, more global conclusion: information security is needed only as long as the business needs it. Even conducting of complex penetration tests, which require extra-class specialists, is essentially an auxiliary function of the selling products process for information security.
Safety is the top of the iceberg. We protect information systems that are created only because business needs it, created to solve its problems. But this fact is offset by the importance of the field of information security. If a security problem occurs, it can disrupt the functioning of information systems, and this will directly affect the business. So a lot depends on the security team.
Summary
Today, in the field of information technology, not everything is so easy and serious problems exist. Here are three main ones, in my opinion:
- Excessive attention of governments. States around the world are increasingly trying to control and regulate the Internet and information technology.
- The Internet is turning into a platform for information warfare. Twenty years ago, no one blamed the “Russian hackers” for all the world’s problems, but today it’s in the order of things.
- New technologies do not make people better or smarter. People need to explain why this or that decision is needed, teach them how to use it, and talk about possible risks.
With all these disadvantages, information security today is clearly an interesting area to work in. Only here every day you will encounter the latest technology, interesting people, you can test yourself in the confrontation with the “black hats”. Each new day will challenge you, and you will never feel bored.