The threat of losing the battle with cyber criminals
When you think of the term cyber hacker or cyber criminal, you might conjure up images of someone in a dark room using nefarious means to access your personal information. Think again.
Senior Security Consultant from Proficio, Jeremiah Dowd, offers insight into the mind of ‘threat actors’ who are constantly looking for ways into every network—both robust and immature. They’re not only after personal information, but Intellectual Property (IP) and the things which make your business unique. These threat actors are organised, efficient and smart.
The Notifiable Data Breach (NDB) has provided the first legal stage to prod businesses to do the right thing if their network is breached. However, experts agree that until the NDB has some real teeth, Australian businesses will not view cyber threat as an expenditure priority.
Jeremiah says, “Cyber security in Australia has grown tenfold in the past few years from an Executive awareness standpoint. However, cyber crime is a moving target.” Historically people think, ‘Oh well, if we’ve been breached we’ve lost’. “That’s not the case, because the threat actors don’t consider it a win until they get the information that’s valuable to them out of your network.”
It’s about recognising when they’re in and stopping them from getting the information out. That’s where the battle is won and lost.
The Security Consultant believes the NDB presents a paradox: “Because if you don’t have the visibility to know you’re being breached then how are you going to abide by the laws?” He says there’s not a lot of “incentive for people to spend capital on the problem.”
Australia is one of the most talent-rich per capita countries for cyber security. Jeremiah says, “There are brilliant people in the market. The problem is the business culture is quite easily a few years behind North America, the UK and Europe.”
Threat actors are actively organised
Oddly enough, some people still have the image that threat actors are sitting in a basement somewhere at 3.00 am. “We’re sometimes talking about organisations that occupy skyscrapers with HR departments—including Nation States,” advises Jeremiah.
Cyber criminals are intelligent men and women, “Writing malicious code or coming up with new tactics. Some of them are the smartest people you could find. They’re doing it because they’re successful and because it’s profitable.”
Stage One for Australia’s cyber security landscape
Jeremiah says the NDB doesn’t really have “teeth to it”. Until someone “becomes an example, and it’s going to be a really bad day for that company,” he says, “until that happens I think from a pace standpoint it’s going to be business as usual.”
On the larger end of town, most businesses are already doing things to keep themselves compliant. There are also mid to large enterprises switched on “to recognising they can do a couple of things better.”
But the problem is the NDB laws don’t have a lot of teeth; there’s nothing much to them. It’s a ‘Step one’ in escalating the maturity of the Australian cyber security landscape.
For instance in the US, a CEO or CIO “is held personally liable if it’s found they have not done the correct things to prevent breaches, or loss of Personally Identifiable Information (PII).” Jeremiah says, “That doesn’t exist yet in this NDB model. It’s a Step One to prompt businesses to be better stewards of information.”
What happened prior to the NDB?
Prior to the NDB, when businesses weren’t obliged to notify anyone, Jeremiah says most switched on businesses would do the right thing in the event of a data breach. “From an ethical stance—it’s good practice,” to notify affected parties.
However, there’s the other side of it when a business doesn’t do enough. He says, a bad example is when a business “will wipe systems and go to a backup and go on with business as usual, assuming that took care of the problem, without actually doing or hiring a company to come in and do the proper investigations and or forensics.” Potentially that threat actor is still in the network and the problem hasn’t actually been solved.
The more switched on companies would hire a third party to assess what’s happened, “To understand it, and kick threat actors out of the network and furthermore proactively make changes that will prevent it from happening again,” as opposed to rebooting a server and assuming everything is going to be fine moving forward.
The oldest email trick the most effective
Jeremiah says people still buy into email scams which cost them thousands. Do you remember the emails about the Nigerian prince who needs money? “People still buy into it. Threat actors don’t do it because it doesn’t work, they do it because they can manipulate humans and they’re very good at doing that.”
If an email looks official and is written well people assume it’s legitimate and to this day that’s the easiest way into an organisation. You can throw all the money in the world at it and you’re never going to fix that to 100% success rate.
That goes back to the assumption that it’s going to happen. Threat actors are going to get into our network. “The important question is: Will we know when it happens? Can we get them out?”
Holding your vendors to higher security standards
Vendor management is a massive part of security as well, because you will be doing business with people who are hopefully good stewards of information.
An example is the US Target breach in 2013, which was the largest retail breach known at that time. Target wasn’t the initial organisation compromised. The breach happened because one of their vendors, a heating, ventilation and air conditioning (HVAC) company, got breached. Cyber criminals found their way into Target’s network through that company.
Target’s cyber security “devices were firing for several days but they did not know what they were looking at. They didn’t know that it was an actual problem. They thought they were looking at false positives.” Target came to learn later that it was a massive issue and handled the situation. “They disclosed properly and they did the right things. That’s how you regain customer confidence and how you handle that situation.”
Jeremiah advises for small to medium size businesses earning under $3M “that don’t necessarily fall under the letter of the law, if you want to grow your business and do business with larger organisations it makes sense to do the right things from a security standpoint.” So when a larger business asks about the security you can say: ‘Yes, I tick those security boxes’.
The reason your business is a target
The biggest mistake companies make is believing they’re not that big of a target and nobody cares about ‘us’ because we’re small. Jeremiah says, “The fact is that makes you the easiest target and you’re a playground for the threat actors. It is so easy for them. They know they can try various forms of attack methods such as polymorphic malware. They can test their tools on smaller companies and sometimes they get lucky like the Target example.”
Companies taking that aloof stance are the top targets. “If I’m a threat actor,” says Jeremiah “I’ll take the easy path. Why take the harder route? Why not get the quickest rate of return for your efforts? That’s what small to medium businesses are.” They are the most targeted and unaware and so aloof about it because “they have this perception they’re unimportant and that’s absolutely wrong.”
Case study on the theft of IP
Jeremiah was involved with an incident response team hired to do the forensics of a cyber breach. “We had to find out the who, what, when, where and why.” A company made a widget but they started losing all these massive contracts specifically from a long-term client. They asked: ‘Why aren’t you signing up with us, we’ve been doing business for years, are you not happy?’ That company said they’re buying that widget from another company in China. It turned out the Australian company’s “intellectual property was stolen” and then manufactured for much less.
The question I ask business is this:
What makes your business special? What makes your business unique? How do you protect it and what happens when that goes away? When you’re no longer special—when somebody else has that information and capability?
That example happens frequently. “If you have something valuable, it doesn’t matter what it is, if it makes your business successful,” it’s something you need to protect.
Keeping pace with threat actors
Jeremiah warns cyber security specialists need to keep pace with threat actors. “That’s why we have research teams. That’s why we have people hanging out in the dark corners in the dark web and infiltrating that network posing as a threat actor themselves. It’s so they can gain trust and access that ecosystem.”
It’s like the saying: We keep friends close and enemies closer. That’s very much the story of cyber security.
We hope you’ve enjoyed interviews with experts highlighting different perspectives of cyber security and the NDB. We thank Malcolm Burrows, Legal Practice Director at Dundas Lawyers, for his legal expertise; Lani Refiti, long-time security professional, entrepreneur and business technologist; and Jeremiah Dowd, Senior Security Consultant at Proficio.