Combating cyber-attack
Cyber-attacks enjoy an almost parasitic symbiosis with technological innovation. As the overall prevalence of smart solutions advances, so too does the potential for such attacks. Ciarán Galway speaks with Conor Flynn, a specialist security consultant with over 25 years’ experience of providing information security advice, whose clients include several Government departments.
A steady stream of high-profile cyber incidents in recent years has ensured that security is now valued to an unprecedented extent across organisations in both the public and private sectors. While there are multiple accepted definitions, Flynn outlines: “Cybersecurity, to me, is a new buzzword that a lot of the manufacturers came up with in order to deal with threats and risks from the internet. I try to be a little bit more encompassing when looking at cyber and consider the word itself to mean basically anything that relates to a computer.
“Cyber risk, from my perspective, if you’re looking at the broader term, could be anything that’s coming from the internet, from insider threat, malware or it could be from people damaging connections.”
Risk
Outlining the concept of risk from cyber-attack, Flynn asserts: “I think it’s very important when people are talking about risk or threat, that they understand and consider the impact should something happen and also the likelihood of it happening given the controls that are in place. Ultimately what people want is to lower risk. That means you either lower the impact or you lower the likelihood of it occurring. It’s probably easier to lower the likelihood by improving security controls, technologies and processes.”
Geographical origin
While many people identify particular countries or regions as epicentres of cyber-attack origins, the reality is significantly more complex. Flynn suggests: “A lot of people will instantly point to the Far East, the disaffected regions within former Soviet states, some South American countries and Central Africa. There are a number of different sources of attack, including the US itself which has a lot of people who are both capable and motivated.
“However, you will see different sources for different types of attack. If you look at pure criminal activity, with regard to fraud, it’s fairly widespread. A lot of the attacks would appear to originate from certain countries, but they’re actually just a stepping stone, or a point where the attackers try to obfuscate where the attack is really coming from. They often use countries which have poor levels of communication or interaction with people like EUROPOL, the CIA or other law enforcement agencies, as well as poor levels of international relations or cooperation in general.”
These are the most accessible and convenient bases from which criminals will work. At the same time, as global events take hold, pockets of disaffection spring up and hacktivism increases. Likewise, the spread of conflict is often mirrored by spikes in cyber-attacks as belligerents engage in electronic warfare.
Motivation
The motives behind cyber-attacks are as varied as their geographical origins. Flynn details: “Some of the people who are hackers have the same mindset as people who previously would have spray painted a bus shelter. There’s a little bit of notoriety, a demonstration of prowess and capability. Then there’s the hacktivists who belong to a political campaign, or feel hard done by because of their socio-economic context and therefore join an activist campaign. Then some people engage in cyber-attacks for pure commercial gain. One of the biggest surges in malware activity over the last number of years has been the growth of ransomware. The amount of money to be made as a result of ransomware is phenomenal.”
In the past, monetising malicious software was relatively laborious: it meant spamming, manipulating share prices or harvesting personal details, each of which required further steps before any money changed hands. Ransomware lets criminals gain access to infrastructure, encrypt everything and hold the victim to ransom. They can therefore extort money very quickly and, because payment is typically demanded in Bitcoin, the proceeds are hard to attribute to a person and easy to move across jurisdictions.
Flynn elaborates: “Ransomware is very difficult to track and, as such, it is very unlikely that people are going to be prosecuted. It involves many jurisdictions and because each individual victim might lose so little in terms of value, many won’t even report the theft to the Gardaí. However, if the thieves hit 100,000 people, then the money they can accumulate can be substantial.”
Exposure
Different types of assets interest different types of attackers and, likewise, different events bring surges of attacks against different sectors of the economy. Demonstrating this, Flynn outlines: “During a particular stage of a political campaign or if there is new government legislation being introduced it may focus hacktivist energies from around the globe. Likewise, if a company is launching a new product such as a streaming service, a new game console or a new piece of film or music, they will often be targets for people as well. The gambling industry is one that suffers constant attack through denial-of-service (DoS) attacks and is then held to ransom because there are huge volumes of money being spent there.
“There is an increased likelihood of the public sector being targeted when a political decision is made, a law is implemented or a tax is collected. For example, there was a strong motivation for people who were anti-establishment and anti-government to start targeting public sector IT infrastructure during the protest campaign against Irish Water,” Flynn notes.
Identifying the SME and start-up sector as particularly exposed to attack, he stresses that security is often neglected by businesses whose core priority is simply survival. “A lot of these guys are very focused on keeping their business working, getting their products and services out the door, and consequently they have to rely very extensively on technology as part of that. The IT service providers that are working into the SME sector are more driven towards getting a better product or getting more mail delivered, but aren’t really as focused on security.”
Smart solutions
As the Internet of Things (IoT) revolution marches on, it brings with it new concerns. One of the biggest issues is that, without proper controls designed in from the very beginning, these new systems can themselves become part of the problem. Flynn uses an example: “We’ve seen recently, a number of DDoS [distributed denial of service] attacks, one of which emanated from a tool called Mirai. It used an IoT-based platform in the form of people’s home security, so CCTV and DVR systems, which were all wide open to a compromise. They were then used to flood all the traffic against different sites.
“The danger is, because the devices have to be so prevalent, they have to be very low cost with a very low power consumption, and consequently security is never really thought of. Therefore, they can be attacked and then used as part of a tool to go on to do other things. We’re experiencing these kinds of worries around things like smart metering as a part of IoT.
“It’s worrying because while companies might not highly value the data that’s coming in through these devices, they suddenly have a huge number of machines that can be taken over, controlled, turned on, turned off or manipulated in some way.
Countermeasures
“One of the biggest challenges facing information security organisations today is that anti-virus is dead: the whole concept of using signatures to detect malware. You still have to do it, but all the new malware is evolving so fast that the enterprise companies cannot keep pace with issuing new signatures,” Flynn maintains. However, one of the most interesting countermeasures to have evolved over the last couple of years is a mechanism that vendors often refer to as sandboxing: as a file enters an organisation it is opened in an isolated sandbox environment and watched to see what it does before it is released to a user.
“The idea of these new technologies is simply watching the behaviour of a file. ‘Why is the PDF that I’m opening in my sandbox trying to access the internet? Why is it changing a registry in my machine? Why is it trying to access the hard drive? A PDF should never do those things, so that’s suspicious. I haven’t seen it before, and I’m not saying that it’s bad, but it’s doing something that it should never do’. The behaviour is identified as being wrong and therefore the file is prevented from causing harm.”
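The behaviour-based decision Flynn describes, reduced to code. This is an added example and not code from the article or from any sandbox product: the trace format, the four event categories and the per-type baseline (a PDF viewer may write to its temp directory and nothing else) are assumptions made for illustration, and both traces are constructed rather than captured from real samples. The short hash check alongside it shows why the signature approach he criticises passes a sample it has not seen before while the behaviour check flags it.

```python
import hashlib
from dataclasses import dataclass, field

# Event categories a sandbox might report. Real sandboxes emit far richer
# telemetry (API calls, DNS, mutexes); these four are assumed for the example.
NETWORK = "network_connect"
REGISTRY = "registry_write"
FILE_WRITE = "file_write"
PROCESS = "process_spawn"

# Assumed behaviour baseline per document type: action -> allowed target
# prefixes (None means any target is acceptable). Actions absent from the map
# are never expected when the document is merely opened.
BASELINE = {
    "pdf":  {FILE_WRITE: ("%TEMP%\\",)},
    "docx": {FILE_WRITE: ("%TEMP%\\",)},
}


@dataclass
class Event:
    action: str
    target: str  # host:port, registry key, file path or process image


@dataclass
class Verdict:
    suspicious: bool
    findings: list = field(default_factory=list)


def parse_trace(lines):
    """Parse the constructed '<action> <target>' trace format."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, _, target = line.partition(" ")
        events.append(Event(action, target.strip()))
    return events


def behaviour_verdict(file_type, events):
    """Flag every observed action a file of this type should never take.

    No signature is consulted: a never-seen sample is judged purely on what
    it did inside the sandbox, which is the point of the approach."""
    allowed = BASELINE.get(file_type)
    if allowed is None:
        # Fail closed: without a baseline nothing can be called benign.
        return Verdict(True, [f"no behaviour baseline for type {file_type!r}"])
    findings = []
    for ev in events:
        if ev.action not in allowed:
            findings.append(f"{file_type} performed {ev.action} -> {ev.target}")
        elif allowed[ev.action] is not None and not ev.target.startswith(allowed[ev.action]):
            findings.append(f"{file_type} {ev.action} outside expected location -> {ev.target}")
    return Verdict(bool(findings), findings)


# Signature approach for contrast: a constructed blocklist holding the hash of
# one earlier sample. Anything not already on the list passes unchallenged.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-earlier-sample").hexdigest()}


def signature_verdict(content: bytes):
    return hashlib.sha256(content).hexdigest() in KNOWN_BAD_SHA256


# Constructed trace for a booby-trapped PDF; not from a real sample.
# 198.51.100.23 is a documentation address (RFC 5737).
MALICIOUS_PDF_TRACE = """
file_write %TEMP%\\reader_cache.tmp
process_spawn C:\\Windows\\System32\\cmd.exe
network_connect 198.51.100.23:443
registry_write HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
file_write C:\\Users\\Public\\update.exe
"""

# Constructed trace for an ordinary PDF that only writes its viewer cache.
BENIGN_PDF_TRACE = """
file_write %TEMP%\\reader_cache.tmp
"""


if __name__ == "__main__":
    sample = b"constructed-new-sample-never-seen-before"
    print("signature match:", signature_verdict(sample))  # False: unseen hash
    verdict = behaviour_verdict("pdf", parse_trace(MALICIOUS_PDF_TRACE.splitlines()))
    print("behaviour suspicious:", verdict.suspicious)  # True
    for finding in verdict.findings:
        print("  -", finding)
```

Two caveats a practitioner should keep in mind. The baseline has to be calibrated against what real viewers do (they do write caches and sometimes check for updates), otherwise the sandbox drowns analysts in false positives; and a verdict is only as good as the behaviour the sample chooses to show, so malware that detects an analysis environment or delays detonation produces a clean trace. Sandboxing therefore complements signatures, patching and least privilege rather than replacing them.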
Compliance
With regard to compliance with EU directives, Flynn asserts: “We’re catching up. I think that we have been in a very difficult place for the last number of years in both the public and private sector where there has been such a shortage of money to be spent on systems and investments which may not have been regarded as a way to generate revenue, rather as discretionary spends. That has left us a little bit behind the curve.”
Because the internet is inherently global, that lag matters: where other countries are more advanced and have invested more in security technology, the less well defended become more exposed, as attackers divert their attention from better fortified countries to weaker ones.
“The Network Information Security (NIS) directive and the EU GDPR regulation coming into force, with significant financial sanctions for non-compliance, has focused people’s minds on the responsibilities and the requirements that organisations have. Data protection law has been there for some time, but there has sometimes been a low level of compliance. The NIS directive is the first time that we’re going to see regulation defining what people must do as operators of essential services or digital service providers.”
Culture
Overall, Flynn maintains that information security awareness is low. “There’s definitely a requirement for leadership to prioritise and advance this. We could start with education and incorporate security as part of the curriculum. I think people should be assisted within the education sphere to become a little bit more suspicious and sceptical. We do a good job when it comes to cyber bullying and safety online, but not when it comes to basic security. People’s minds need to be funnelled towards an enhanced analytical and sceptical base in relation to what they do online.
“Generally people have some degree of situational awareness in the physical sphere. People lose this awareness when they go online and there’s this incredible level of trust which is not well gotten for systems that are online. I think a level of scepticism needs to be increased for people because online is not necessarily a safe place to be.”
He concludes: “Unfortunately, it’s hard to envisage anything but growth in the prevalence of cyber-attacks because there are so many devices out there that people rely upon greatly. At the same time, consumers want to make everything quick and easy.
“Conversely, once you’ve got easy to build, easy to power, easy to use and no effort made with security, you’re going to find it easy to attack. If it’s easy to attack, then it’s easy to extort. If it’s easy to extort, then it’s easy to earn. If it’s easy to earn, then it’s going to happen more often.”