Protega have been published!
Our Director, James Wootton, has had the following article published in the Australian Security Magazine. Enjoy reading it!
As those around me in the Protega office will tell you, combine information security and a certain clichéd icon or photo-stock image and it’s a recipe that is guaranteed to get me to turn the rage on – The padlock! Put the words cyber and padlock together and google will churn out around 364,000 results. Everything from the purchase of padlocks to ransomware; to convincing you a solution is secure because of its presence, something a depressingly small number of us know is simply not the case!
I wandered down to my local convenience store, handed over my $8 and purchased a stock brass-bodied padlock. This is one that the public clearly believe does the job because the lady behind the counter told me, it was a ‘good seller’.
It looks the part. A solid brass bodied, steel shackled device, oozing safety and confidence; it says it will protect your cherished items! Except a mere 5 seconds later, with only a lock pick and no torsion bar, the lock turned out to be much as expected; all brass, no protection!
But, in the same way your life is shattered the day you discover there is no Santa Claus, every competent locksmith will tell you that the vast majority of padlocks are nothing more than the illusion of security and should be treated with equal scepticism.
I assert that Padlocks are therefore the worst possible analogy and pictorially, the worst possible distortion of acceptable standards for information security.
Let me humour/frighten you with a physical-world analogy, where we recognised decades ago that in the ‘normal’ world, threat prevention and keeping the bad guys out requires a defence-in-depth risk mitigation strategy. A (hopefully) appropriate combination of guards, guns, dogs, walls, gates, locks, alarms, lights, cctv monitoring and insurance(!) will be involved, dependent upon the appetite for perceived risk, versus constraints. Sorry for anyone being taught to suck eggs, but let me explain by picking a risk scenario very real to all of us.
Consider the risks to your family and valuable belongings (assets) In your home. You definitely considered how to keep your family safe, right? You probably considered theft of your assets next, let’s face it, no one wants to lose their 6ct diamond necklace or 1968 ‘Bullitt’ Mustang! To a greater or lesser extent, you probably considered other threats such as Fire and Storm damage. Thinking about the counter measures that are deployed to mitigate these risks, can be an interesting exercise. Try thinking about the controls deployed in the negative, what haven’t you addressed (gap):
Hands up all those that considered every element of the above and felt they made an accurate assessment of each? Or, did you make a shoulder shrugging gesture whilst thinking, ‘good enough’? Those with their hand up, for starters, shouldn’t take things so literally, but nonetheless, well done! But wait, was your risk assessment based upon evidence, experience, assumptions or perception? Humans are really bad at calculating accurate risk assessments, which is the very reason why society attempts to legislate against stupid activities, likely to harm us or others! Our approach to risk is nevertheless usually the minimum effort and expenditure that convinces us (and our conscience) that we’ve considered the risks and we’ve made a conscious decision, albeit not necessarily having made an accurate one!
So, why do we cling to broken technologies that are woefully inadequate in cyberspace?
Just like the padlock, we probably just don’t understand how much risk we are carrying, because we didn’t want to ask the question or we didn’t know the right question to ask. Any security professional worth their salt will tell you that the typical organisation’s computing devices aren’t protected by the technologies we have become comfortable with (AV, limited endpoint protection etc.) and aren’t worth the money and time invested in them If they aren’t protecting you from the today’s crop of threats. In some organisations I’ve assessed, they have actually increased business risk by weakening their systems, turning off such things as Microsoft Windows Defender/Essentials and continuing to use their preferred third party AV solution, without understanding the consequences of doing so, or assessing if the product even works (it didn’t!) In any case, Anti-Virus doesn’t address today’s user-based ‘social engineering’ attacks and your firewall is unlikely to be designed to either. Sorry to say, vouge cloud-based solutions aren’t the panaceas of information security either. For example, moving a mail solution to Office365 will not prevent the majority of spam and barely stop the simplest of spear phishing attacks, because that isn’t what it does! Marketing are partly to blame in the mad rush to sell cloud-based systems because they’re secure (usually meaning the communications are secure, via https and even that’s debatable!)
Enough rhetoric, present me with a solution already!
Ah, I’m afraid the classic ‘depends’ is my oh-so-clever answer. Not because I’m basking in the glow of my own smugness, but because it depends upon the values of or sensitivity attributed to the assets you want to protect and of course, how risky you’re prepared to be; not forgetting your assessment of residual risk may be suspect! If, like the devotees of the padlock, you just want the illusion of security, then maintain status quo; it’s all good. Don’t be surprised though when your online world comes crashing down and you have no strategy to recover.
More practically, investigate technologies, procedures, techniques and training that add to your defence-in-depth strategy and don’t buy into the ‘snake oil’ often peddled, especially around ‘cloud’.
From an organisational standpoint, consider elements of the following, balancing bang for buck:
And if you don’t understand how all this bolts together, it’s likely that you aren’t going to address the risks you really need to. After all, you wouldn’t perform surgery yourself, or let a general surgeon loose on your brain. Find an expert, someone that can advise you, someone that you can trust. I know such a person and a company…..
In the following Protega blog post, our technical director James Wootton, puts a blockbuster twist on the latest high profile IT hackings. Look out everyone...the Cyber Wolves of Wall Street are on the loose...
It’s been quite some time since the infamous ‘wolf’ allegedly turned over a new leaf, but there’s a new world with new opportunities for the cyber wolf, one that is probably going to lend itself to many shady deals, particularly if the current trend of high-publicity hacks of publicly listed companies is anything to go by. If we look at the latest Talk Talk compromise, we can see that there is a direct correlation between share price fall and recovery, relating to the hack event itself and subsequent capture of the alleged hackers.
It made me think of the many movies based upon companies that recognise and profit from such unhealthy events. However, imagine you have the power to manipulate such blips in share price through knowing when they’ll occur, something that I suspect will become a reality, requiring a change in current legislation worldwide and causing quite a stir in the process.
Let’s make a Movie!
Here’s the ‘meat’ of the blockbuster movie I envisage, clearly there’d be a lot more plot and ‘fluff’ around it:
Harriet-the-hacker identifies companies that are publicly trading and clearly have no idea about security, exhibiting all the weaknesses expected of companies grappling with profit versus investment. As part of a complex hedge-fund or speculation gamble, Harriet analyses the viability of shorting shares for those companies that were previously identified.
After randomising and creating a timeline for companies to be hacked, Harriet finds victims who are going to be the patsy (willing or otherwise) for those companies likely to provide a dip and recover profile, a-la Talk Talk. She selects people she can manipulate; script-kiddies, people who’d like to profit, or corruptible insiders.
Harriet then shorts the shares and hacks the target companies, at the appropriate point within the planned timeline, watching the share price plummet! Harriet cashes in once the share price bottoms out and shifts her strategy to a long position.
Harriet laughs as the Patsy gets caught, giggling with delight as she sees the near instantaneous start of share price recovery.
Over a glass of bubbly she watches the share price rise and cashes in once the price is to her liking, completing the financial transaction and sitting back, taking a sip, enjoying the fruits of her labours.
She completes the financial transactions and moves on to the next seemingly ‘random’ victim.
There are also a number of blackmail scenarios available along the way too, which we could slip into the plot. Operational security must be considered as people, particularly algorithmic fraud analysers, may notice a trend when the companies dip and recover. She would have to make sure there are a mix of identified perpetrators and undiscovered perpetrator profiles, with a combination of short and short/long scenarios across a portfolio of accounts, of course, not in her name.
Anyway, I think it’s wise to leave it there and not provide too much detail, after all this is purely fictional!
Hold on, is this already a reality, not a work of fiction at all?
Imagine this isn’t Hollywood, but in fact something that is already occurring. A number of well-publicised recent breaches have involved share price ‘fluctuations’ that were just too darn perfect and predictable for people to have not profited from them. I racked my brains (both the squidgy one and Google’s) to come up with where I’d heard of this ‘scam’ and of course, a legitimate story appeared that paralleled this, in a way that should really rattle the financial regulators of the world!
Anyone remember a hacker named Weev? One Andrew Alan Escher Auernheimer, he who was part of the imaginatively named Goatse Security group that exposed a serious flaw in AT&T’s interpretation of securing sensitive data on iPads. Turns out, that after spending some time in prison (I’m staying well away from the rights or wrongs of that one!), he announced last year the formation of a hedge fund that would short shares of companies exhibiting such weaknesses, but distanced himself from the actual ‘reconnaissance’ process.
Whilst it appears that his dream hasn’t been fulfilled, even after a crowd-fund attempt, TRO LLC (you have to laugh at the troll there) and its website no longer exist. It would seem that should this hedging become a legitimised reality, there would be yet another black mark against the money houses and a loss of confidence. My example above raises some ‘issues’ around the legalities of the described actions, but given a plausible gap between the legitimate and blatantly illegal actions, it could probably be performed relatively risk-free (and no, don’t try this at home kids!, i.e. this article does not condone nor encourage any illegal behaviour – just to be clear).
How do we identify and perhaps legislate against such events?
Well, that’s the hard part. If you consider how many money markets and how many publicly listed companies there are, it’s a target-rich environment. Given the state of some of those traded entities from a risk perspective, I can see how this scam is going to work with a little thought and carefully selected victims.
Big Data Analytics would help here and given access to share dealing data, would most likely identify anomalous behaviour, but we’re a way from this level of inter-connectivity, so it would be relatively easy to hide the money shots amongst a bunch of losing deals. If the ‘Harriets’ of our cyber world were prepared to accept the game would be over after a predetermined time, then the ‘in and out’ will most likely be untroubled. Split the activity amongst many accounts and money mules… who’d know?
Of course, we’re then left with the usual exasperations of the security community and the seemingly not-so-obvious mitigations, aren’t we?
Plugging away at these vulnerabilities and changing an organisation’s risk profile, would make such an attack unpalatable and should cause the Harriet’s of this world to move on to the next, much softer target, assuming of course that the other P-word (profit) didn’t stop the C’s from investing in an appropriate security strategy…
And seriously folks, the poor script writing above, purely fictional, don’t get excited and end up breaking the law, that would wreck my Christmas and yours!
If this thought provoking read sparked your interest, why not head over to Protega's LinkedIn page, where similar blog postings can be enjoyed.
In the following blog post, Protega's Rob Cooper, discusses the recent cyber hacking claims between China and the US. With an agreement between the nations to refrain from espionage activities lasting less than a day, are we all really surprised?!...
On Friday 25th September, US President Barack Obama and Chinese president Xi Jinping cemented an agreement promising that neither nation would engage in cyber espionage for economic gain. However, less than a day after shaking hands, it was revealed that hackers associated with the Chinese government had tried to unlawfully access at least 7 companies. You would think there would be a cooling off period! Did the USA really think that China would not attempt to hack them, and do we really think the USA will stop?
There were many hopeful people, however, who appeared to believe that this was the beginning of the end for cyber espionage from China. According to an article published by DARKReading.com on 27/9/2015, the Information Technology Industry Council (ITIC) lauded the agreement between the two presidents.
Dean Garfield, president and CEO of ITIC, which has been involved with talks between the US and China, stated the following on this controversial topic.
“This agreement finally starts a sustained dialogue where there was very little communication. It illustrates a spirit of cooperation on a sensitive issue, which is a positive signal to technology companies. We will work to ensure this cooperation on cybersecurity will be a bridge to improved market access for global technology companies. ITIC and its members, which include the world’s most innovative companies, will continue to work with both governments to further mutual understanding and ensure implementation of these commitments."
With a long history of disregarding intellectual property, piracy and the like, China do not mess around when it comes to counterfeiting It is big business for them. They don’t simply copy products, but replicate whole companies. Take the example of the fake Apple stores. There are 30 times more fake Apple stores in the city of Shenzhen than genuine Apple stores. These stores are even made to look just like the real thing, with the staff wearing blue t-shirts emblazoned with white Apple logos.
Let’s not forget the ‘Chinese version’ of the Japanese electronics company, NEC. In 2004, it was discovered that NEC products were being counterfeited in China. Imagine the shock and outrage when further investigation revealed a network of more than 50 factories were producing counterfeit NEC products. They were even manufacturing and releasing “new” NEC products.
China has been in the news plenty of late, having been accused of all sorts of cyber shenanigans and attacks but of course they have vehemently denied any wrongdoing or responsibility. Earlier in the year they admitted for the first time that the country’s military and intelligence community have specialized cyber security divisions, although they continue to deny spying on American corporations or possessing the technical know- how to disrupt critical infrastructure.
These groups have been ruthlessly targeting industries of strategic importance to China and other nations, including agriculture, chemical, financial, healthcare and insurance sectors. Protecting your data is paramount for any business and it seems there are a large amount of state financed hackers seeking precious data from companies worldwide.
It will be interesting to see how the USA responds to the allegations of Chinese cyber espionage on American IP…watch this space!
If this blog sparked your attention and fancy reading some more, check out Protega's LinkedIn page.
In the following Blog post, Protega's Jordan Carmichael discusses his views on why solely relying on "cyber insurance" is the wrong approach to take when protecting your organisation's tech environment....
Tech-focused economic observers predict that as a global business community, we will spend more than $1bn on cyber-insurance premiums in 2016. This is astounding growth for any industry and fully supports the theory of continued market expansion within the global tech risk space.