By Jon-Michael C. Brook, Principal, Guide Holdings, LLC
Q: Why is it important for organizations and agencies to stay current in their cybersecurity training?
A: Changes accelerate in technology. There’s an idea called Moore’s Law, named after Gordon Moore working with Intel, that the power of a micro-chip doubles every 18 months. When combined with the virtualization aspects necessary for cloud computing, technology professionals tackle ideas seen as science fiction 30 years ago. You carry around more processing power in an Apple Watch than launched the space shuttle. Big Data, Blockchain, Internet of Things, AI and self-driving cars were inconceivable. Now you see advertisements for the NCAA trend analysis (Big Data), Bitcoin (Blockchain), Alexa and smart homes (Internet of Things), AI (Watson) and Tesla. Humans create all of this new technology; we’re flaw ridden, and cybersecurity researchers find exploitable bugs every day.
Training for developers is important —they’re a small population and make a huge impact limiting the types and quantities of flaws. Training for general users helps them avoid clicking malicious links, phishing schemes and opening files of unknown pedigree. Staying current keeps users only a half step behind the latest exploitation schemes; everything turns over entirely too fast for reliance on 10-year-old security knowledge. Ransomware wasn’t something we trained people on 15 years ago, even though the PC Cyborg virus demanded the first $378 payment in 1989. Now, people clicking a link could lock out a company’s entire data store.
Q: Do you find that most organizations and agencies employ a workforce that is woefully undertrained in cybersecurity?
A: There are companies like KnowBe4 and PhishMe that specifically target under-trained employees. KnowBe4 calls it the Human Firewall—accurate when it works properly. In the cybersecurity world, we’ve said for years two things about users—you have to trust someone, and users are the weakest link in any computer architecture. We made inroads limiting the damage by segmenting networks, limiting access privileges and better authentication capabilities, but training is a moving target and people forget or get careless.
Q: Is cybercrime on the upswing? Do you have statistics or studies to back this up?
A: The trends for cybercrime show increases in the total occurrences. Part of that is “who’s” doing the work for the majority of the takeovers. In many cases, self-replicating viruses and bots do the work—they don’t sleep. Some cybersecurity researchers find flaws and immediately publish their sample code. Not contacting the product manufacturer first is irresponsible. The sample code gets weaponized and added to existing exploit development kits and loaded into malware, including ransomware, for instance. Ransomware encrypts all the files on a drive and rose from 22nd to 5th-most-common malware between 2014 and 2016 (2017 Verizon Data Breach Investigations Report). Recently, the city of Atlanta was hit with a $51,000 demand.
Executives at a company the size and stature of Uber decided to pay a ransomware demand. They clearly didn’t have good backup and recovery processes, and we can’t expect the 718,000 other victims in 2016 to do much better. Uber, in turn, funded the next round of development. According to Symantec, the cyber criminals saw per-victim value increases of 266 percent from 2015 to 2017, and continue their efforts. There are over 50 families of ransomware alone. That’s families—not applications. Cracking a single variant in a family doesn’t necessarily eliminate that version’s effectiveness. An effort by Europol and several cybersecurity vendors to inform users and collect decryption keys started last year with the site nomoreransom.org.
Q: Which organizations are currently most targeted for cybercrime, and why?
A: There was a quote in the New Yorker during the 1950’s where Willie Sutton answered the question why he robbed banks. His response was straightforward: “I rob banks because that’s where the money is.” This trend has held true throughout history, be it land during feudal times, stage coaches and trains during the Old West, and finally cybercrime today.
So where is the proverbial money in today’s cloud-connected, on-demand, app-everywhere world?
The industry most people think of with cybercrime and fraud is the credit card and banking institutions referred to as the Payment Card Industry (PCI). They really worked to lock everything down starting with the Payment Card Industry Data Security Standard (PCI-DSS) in December 2004. The rationale was simple —rampant fraud in the late 1990’s. They were losing every time someone called about a bad charge.
Credit card companies are steadily improving to the point now where your bank tracks your location and habits and will proactively block suspicious transactions, calling or sending a text message as an additional authorization step. I’ve seen it fail miserably (a friend of mine received a deny on a charge at the local Kroger after using the same card at the same store weekly for the past 18 months) and work stupendously (a $1 Burger King charge in Mexico while I was buying snacks at the Ft Lauderdale airport). The chip cards are also reducing fraud, as they prove to the card processors that you have the original card and not a fake copy. The Payment Card Industry does such a good job now that bulk credit card numbers on the Dark Web cost pennies per thousands.
That’s not the same for the healthcare industry, however. Personal Health Information (PHI) continues to be the most profitable data, running in the $0.50 to $7 range. That is down significantly from the $150 range less than 5 years ago. However, extensive health histories provide a treasure chest of fraud possibilities but are now purchased with additional information purchases like birth dates, Social Security numbers, and driver’s license data. Knowing a patient’s previous diagnosis of high cholesterol makes fake claims for heart procedures more plausible. CIPP Guide pointed out how common abandoned medical records were 10 years ago. Doctors place a premium on their time, but the HIPAA compliance actions for Electronic Health Records (EHR) and the ease of which the information may be destroyed eliminates the same sort of abandonment. It does open up a new situation, where a patient actually wants their previous health history to continue with a new practice. At that point, people must take personal responsibility and keep their own EHR.
Let’s investigate where the money isn’t … sort of. Cyberattacks were a significant part of the Russian attacks on Georgia and the Ukraine in 2017. One of the first nation-state attributed cyberweapons, Stuxnet, set back the Iranian nuclear program in 2010 by attacking power plant equipment—Supervisory Control and Data Acquisition (SCADA)—responsible for their uranium enrichment centrifuges. The Russian Government election interference in the US elections is a continued congressional topic. And early in 2018, the city of Atlanta experienced ransomware demands. While governments typically have big budgets, getting to them will prove more difficult.
Lastly, the area I’m most concerned about is transportation. Money is replaceable. More “intelligent” features are making their way into mass production, from braking assist and lane departure to auto-pilot. Two researchers demonstrated a remote automobile attack at the DEF CON hacking conference in 2015. The conference introduced a Car Hacking Village, where attendees could try the exploits themselves. Since that time, self-driving vehicles, including cars and semi-trucks are under development by Tesla, Uber and NVidia. Uber recently suspended self-driving car tests after a pedestrian accident in Arizona on March 19, 2018.
The possibility of a driverless future, where there is limited road rage and fewer traffic fatalities sounds promising. The fact of the matter is that the systems use external connections to download updates. History shows remote updates as a vulnerability. The automobile immobilizer/remote disablement feature flaws were demonstrated in 2016. The possibilities to stop a car suddenly are already part of police controls for theft prevention and recovery. Hollywood TV shows dramatize accelerating quickly. The prospects of ransom or terrorism are frightening at 60 MPH.
Q: How bad is cybercrime expected to be in the future?
A: Cybercrime success in the future depends on the diligence of everyone involved. Punishment for unacceptable behavior was documented in biblical times. Deterrence depends on risk versus reward similar to the drug trade. The main difference surrounds education—hacking requires access to computers and coding skills. In the US, our Bill of Rights and Constitution keeps American hackers from being executed with the exception of treason. Life in prison or heavy fines are the punishments of choice. If you don’t have money, the heavy fines don’t look as daunting. A serious prison term carries a bit more weight. That’s not how most of the US laws read currently. Kevin Mitnick, one of the best known hackers, received a 5-year sentence after breaking into several corporations’ networks, including Pacific Bell’s voice mail system. The main charge that got him jail time was wire fraud.
Folks outside of the US, especially organized crimes in the poorer nations of Africa and Asia, already show a great deal of interest in cybercrime–mostly phishing schemes. Eastern Europe also has several well-known hacking groups. Their tools are getting better and easier to use. That’s a double-edged sword—less knowledgeable users will probably make implementation mistakes that allow projects like NoMoreRansom work.
Cybersecurity protections will continue evolving. Organizations within the PCI are now asking for continuous access to your location data so they can correlate your spending with your charge card and ATM usage, the next logical evolution in their fraud detection. Until you forget your phone. And at that point, we need to adjust where the “money” is, and start examining what can be done with your location information and other low-hanging fruit. If criminals know you’re not in your residence, will the crime statistics show a spike in burglaries? Will social engineers or phishing scams target you based on the most susceptible device? Email scams work best on your tablet, text scams on your phone and click fraud on your laptop?
Q: Who are these cyber criminals and where do they come from?
A: In the past, we dealt a lot with individual hackers. There were hacktivists and folks who wanted to see how they could get in and what they could do in infiltration. That has since moved to organized crime, with the bulk of cyber criminals motivated by money, and how quickly they can turn whatever they find into cash. Most of the latest attacks are external, financially focused, and automated to increase return on investment.
Q: A lot is now being discussed about cyber criminals holding the data of individuals and organizations hostage. How is this possible and what can be done to prevent it?
A: The data hostage taking refers to a type of malware called ransomware. It is so named as a ransomware infected system will scramble all the stored data using encryption and demand payment for release of the decryption key. Most anti-virus companies will catch all but the latest 0-day hacks (those not yet discovered by cybersecurity professionals).
Keep the cybersecurity software up to date. Likewise, keep ALL your systems patched—most operating systems will automatically install them and unlike the old days for desktop systems at least, everything won’t crash. Mobile device users are slightly less accepting of auto-updates, for fear of favorite apps no longer working or battery draining updates. Keep in mind, the favorite apps could be part of the reason for the patch. Lastly, invest in some sort of backup software. Plenty of choices will automatically save all of your files—Apple has iCloud, Microsoft has OneDrive, you could use Google Drive or Amazon’s S3 cloud service. There are plenty of third-party solution providers, including Carbonite, CrashPlan and others. Make the best choice that fits with your lifestyle—if you own all Apple devices, that’s probably your best choice. And as mentioned on nomoreransom.org, paying the ransom equates to venture funding the next round of attacks.
Q: Besides cyber blackmail, are there other new schemes in cybercrime that organizations need to be aware of?
A: An emerging scheme involves stealing cycles from people’s web browsers, or cryptojacking. It’s a combination of Bitcoin mining and a “free” component— the advertising revenue stream is augmented or replaced with either pornography or a game depending on the user set. There is additional code on the page that uses your computer to mine Bitcoin for them. My kids were playing a tank game that crashed my system from heat. Bitcoin thefts a couple years ago (see Mt Gox, for instance) were popular because there was little risk of getting caught. With cryptojacking, people think it’s just a poorly written web page and restart their browser/computer. You never get something for nothing.
These examples highlight the negatives and shouldn’t all be seen as daunting. The technology behind Bitcoin opens up a new world of possibilities around worldwide money transactions. A company called Ripple, an “altcoin” using the same blockchain technology, based their whole business model on efficiently and effectively moving money between countries in Southeast Asia. IBM commercials tout the advantages for our food supply and eliminating “blood diamonds.” Even with all the accident reports on driverless cars, autonomous vehicles have the potential of saving millions of lives eliminating driving under the influence or distracted driving. EHR and smart watches, for instance, allow doctors access to continuous monitoring of vital signs, looking for abnormalities day-to-day rather than relying on just the annual patient screening. All of these were science fiction or unfathomable even 20 years ago. As a society, we need to be aware and diligent of criminal activity, but being aware shouldn’t scare the world into a techno-free cave.
Jon-Michael C. Brook, Principal at Guide Holdings, LLC, has 20 years of experience in information security with such organizations as Raytheon, Northrop Grumman, Booz Allen Hamilton, Optiv Security and Symantec. He is co-chair of CSA’s Top Threats Working Group and the Cloud Broker Working Group, and contributor to several additional working groups. Brook is a Certified Certificate of Cloud Security Knowledge+ (CCSK+) trainer and Cloud Controls Matrix (CCM) reviewer and trainer.