The Hard Truth: Cybersecurity is in Crisis.
October 15, 2024
Naoris Protocol is building the Decentralized Cybersecurity Mesh to protect every device across the hyper-connected world from cyber threats and associated risks.
Naoris Protocol restores cybersecurity to all sectors of the economy using a contrarian p2p design pattern that turns previously considered single points of failure into multiple points of defense.
Every device becomes a trusted validator that constantly monitors every other device in the network, identifying, evaluating and reacting to threats in real-time.
In our introductory Hello World blog post, Naoris Protocol set out an overview of the What, Why, Where, and How. In the following blog posts, we dive further into the Problem, the current Cybersecurity Industry Posture, and the Naoris Protocol Solution.
Is Current CyberSecurity A Market Failure?
The hyper-connected, digital world is so completely interwoven into our daily lives that we take it for granted. From finance to work to shopping to well-being to personal relationships, nearly every facet of life is conducted through device and screen, dependent on a plethora of critical applications, and yet our digital world is facing a catastrophic security failure.
With increasing high-profile attacks and year-on-year data breach reports heading in the wrong direction, there is something fundamentally broken; the numbers and stats don’t lie.
Unless we reimagine and redesign cybersecurity, by 2025 we will face a $10 trillion cyber damage problem, which equates to around 7% of global GDP. Meanwhile, global spending on cybersecurity products and services has never been higher, and is expected to exceed $1.75 trillion cumulatively for the five-year period from 2021 to 2025.
Cyber investment has also never been higher, with 2021 being a stellar year for cybersecurity startups.
In Q3 alone more than $14 billion in venture capital investments bolstered new companies, doubling the record of $7.8 billion in 2020. In August 2021, President Biden hosted a cybersecurity summit urging tech giants to increase their security efforts backed by a $2 billion war chest earmarked to improve a range of cybersecurity systems.
Yet something doesn’t add up. The cybersecurity community is struggling to maintain parity in the endless arms race between defenders and attackers.
Although each year the industry spends more on global cybersecurity budgets and achieves record investment, the cost of cyber attacks and cyber damage dwarfs the expense. From this standpoint, there is arguably market failure across the cybersecurity industry.
Like Dominoes We Fall.
Our last post included a mind-boggling link to the Information Is Beautiful visualization of the World’s Biggest Data Breaches & Hacks. Since 2017 breaches and hacks have accelerated exponentially, either through direct cyberattacks or poor internal security hygiene on behalf of businesses, organizations, and governmental entities.
Here are some highlights from 2020 and 2021.
U.S. convenience chain Wawa had 30 Million payment card details stolen. Estee Lauder had 440 Million records hacked, an unknown number of which were plain-text email addresses.
Wishbone had 40 Million user records leaked containing usernames, email addresses, mobile numbers, and even some password information.
The Pakistan Mobile data leak affected 115 Million subscribers, exposing phone users’ full names, home addresses, mobile phone numbers, national ID, landline numbers, and date of subscription.
Hospitality exchange service Couchsurfing had 17 Million users’ data leaked. A Nintendo security breach exposed 300,000 accounts, where hackers used various accounts’ payment information to make illegitimate purchases.
Facebook had 533 Million records lost, including phone numbers, full names, locations, email addresses, and biographical information.
Then came Experian Brazil’s 220 Million personal data leak, and the daddy of them all… the SolarWinds cyber attack. The SolarWinds breach is so impactful because hackers were able to install malicious code into the company’s software system that spread to its 33,000 clients, going undetected for months. Hackers were able to spy on private companies like the elite cybersecurity firm FireEye and into the depths of the US Government, including the Department of Homeland Security and Treasury Department. The conclusion is that the SolarWinds hack will cost $100 Billion to clean up and may never be resolved, meaning the malicious code has so deeply infected systems, networks, companies, and government that hackers can still gain access to exploit those environments and networks once again.
The average cost of a data breach currently stands at just over $4.25 million, representing a significant cost across all industries.
In addition, users often experience a compromise of their private data, where one data breach can result in a cascading leak of personal information. The problem cannot be overstated: the 2017 Equifax hack compromised the private financial data of over half of the population of the United States.
It’s not just confined to the US or the West; it’s global.
The current detection time for a breach is about 280 days on average, and that covers only the data leaks that are reported. Many of them, especially the more advanced ones, are never detected, with most hacks and leaks going unreported. If big tech and Web2 businesses are knocked over like ninepins, then what’s happening to critical governmental and citizen data, and related public-sector agencies?
The Pentagon, various militaries of the world, infrastructure, energy, water, food production, and supply chains? The problem facing cybersecurity is ubiquitous, involving every person, group, community, organization, business, and government on the planet.
The Pandemic and Lockdowns: A Gift to Hackers.
During the pandemic, we witnessed a massive digital migration. From 2020 the world moved online as lockdowns forced us to stay home — shopping for goods and services, accessing healthcare professionals including personal health records, distance learning for schooling and higher education, from meal to household goods delivery, and of course working from home. The exodus was complete.
Meanwhile, cybercriminals saw only an opportunity to become more organized and double down on their efforts. Hacking now takes place on a corporate scale, with hacking groups even contracting out to independent malicious actors who get paid for successfully breaching set targets.
In our brave new digital world of hybrid working and living, conventional enterprise perimeters have changed forever.
Adapting to the upheaval, traditional location-centric businesses have had to rapidly evolve into distributed enterprises, where both workforce and customers are spread out geographically.
The result of shifting boundaries is that enterprise cybersecurity teams have new problems to grapple with: how to trust and identify who and what should be allowed access to their networks in a sea of device and network complexity.
As we journey online, attacks using usernames and passwords have increased a massive 450% from 2019, with over 1 billion records compromised in the U.S. alone. Questionable yet common security practices like sharing or reusing passwords, basic management issues like 2FA not being enabled, best practice lapses such as systems not being patched at all or in due time, or the non-removal of access for leavers and movers, all the way to a phishing email, have given bad actors an easy path to personally identifiable information (PII), which is found in one-third of all breaches.
All this leads to the unwanted download and execution of threats such as malware, spyware, ransomware, etc. It’s no wonder that all these potential vulnerabilities, compounded with human error, inevitably lead to mass data breaches.
The Gift Is You and Me.
As ever, it’s the common mobile and desktop user that is least protected. Check Point published mobile security research showing nearly half of respondents experienced employees downloading at least one malicious app during the last year. Another finding was that 97% of organizations dealt with mobile threats that used various attack vectors.
It’s certain that the vast majority of threats, aka Riskware, in mobile devices go unreported or undetected until it’s too late.
The majority of users have devices that are personal in nature, stand-alone and not part of any organization or management structure. Malware such as Banking trojans is particularly attractive to mobile attackers, as it combines a trojan with a keylogger and sometimes complete remote control on the attacker side.
On March 20, 2021 security researchers discovered the existence of a new trojan for banks, identified as Vultur. The researchers confirmed that it has screen recording and keylogging capabilities. This kind of trojan isn’t yet as prevalent on mobile as it is on desktops; however, it is rapidly growing on mobile devices, as they are used by the majority of people and are slowly replacing desktops.
Ransomware is a form of malware that encrypts the user’s personal data and then holds it as a “ransom” until the criminal is compensated. Other threats are posed by data theft Adware; security researchers at Kaspersky found it was responsible for 61.43% of all malware detected on mobile devices in the first quarter of 2021.
Desktop trojans also provide an access point that allows an attacker to run software or control the device remotely. One type of Android malware discovered in early 2021 could collect and transfer data, from phone contact information to text messages as well as browsing data, while remaining unnoticed by users. Keyloggers, which can also include screenscrapers, reside on a user’s device and record every keystroke to try to discover important data such as PII, banking, or health-related data.
Billions and Billions of Devices.
The total number of connected devices is set to exceed 50 billion by 2022, up from an estimated 21 billion in 2018. From cars to smart home devices, from connected industries to smartphones, laptops, and computers. Every second, 127 devices hook up to the internet for the first time.
Because centralized cybersecurity configures devices to operate independently of each other and not in harmony, each device by default becomes a single point of failure. This hugely increases complexity and reaction time, while expanding the attack surface area and allowing underlying devices to be easily exploited by malicious actors.
It is extremely difficult for businesses, enterprises, and governments to manage these complex networks and their devices due to the sheer numbers and complexity. Currently, there is no capability to validate devices for basic cybersecurity standards in a way that is distributed in nature, provable, trusted, immutable, and auditable.
As there is no unifying governance between network devices with the ability to validate and monitor device behaviour and trust status moment to moment, the Web2 ‘single point of failure’ cybersecurity model cannot be trusted.
The world needs a cybersecurity layer that’s decentralized in nature instead of siloed, a completely different approach in how we deal with cybersecurity, how we defend against cyberattacks, how we manage structures that bring awareness of threats, and how we implement those defenses.
Naoris Protocol: Decentralized CyberSecurity Mesh
As current cybersecurity cannot deliver the level of effectiveness needed for citizens, businesses, and governments across all sectors, vertically and horizontally, Naoris Protocol proposes a decentralized approach by design and default, one that is blockchain-based and enables new capabilities for defense that have, until now, been reserved for Web3 systems only.
The Naoris Protocol is a non-competing complementary solution that leverages blockchain consensus, providing an additional decentralized security layer that allows existing cybersecurity solutions to operate as normal.
Naoris Protocol’s primary concern is with the trust status of devices and networks.
Naoris Protocol has created a disruptive and contrarian design pattern that makes networks safer as they grow, not weaker, by turning any device, by its nature a centralized point of risk, into a trusted node and validator of trust. Use cases operate within their own private cybersecure Verge Cluster, with their own rules, governed by a distributed assurance consensus. Through this approach, Naoris Protocol is bringing decentralization into centralized environments.