Cooperation needed to defeat cyberthreats
9 October 2015
We live these days in two worlds, the physical world and the cyberworld, said Paul C Dwyer, founder of the International Cyber Threat Task Force (ICTTF) and keynote speaker at last week’s Cyber Threat Summit.
In the cyberworld, said Dwyer, cybercriminals rely on a parasitic relationship — they want to remain undetected to continue to draw value from the target. However, he said that because much of cybercrime is actually old things done in a new way, many of the solutions to these problems already exist in areas such as risk management.
Moreover, cooperation and information sharing, said Dwyer, are paramount to defeat cyberthreats, as the cybercriminals themselves are highly organised and effective in sharing the information and techniques necessary to perpetrate cybercrime.
An example was cited where the Oman-based Muscat Bank was targeted. A group of cybercriminals managed to hack cards to defeat the withdrawal limits for pre-paid credit cards and debit cards. In a carefully orchestrated operation across 24 countries, some $45 million (€39.7 million) was withdrawn from ATMs in a matter of hours.
Dwyer said that this could have been mitigated, or even prevented, had the industry been more forthright in sharing experiences and information. The same group had previously perpetrated a ‘dry run’ operation against Rak Bank, where some $400,000 (€353,000) was taken in 700 withdrawals from Manhattan ATMs. Because the information from the Rak Bank incident was not shared within either the banking or the security communities, the cybercriminals were able to use the same technique again in an even more daring, ambitious, and ultimately successful, operation.
This, said Dwyer, was why he, who heads up Cyber Risk International, set up the ICTTF. The organisation provides a basis for security and threat information sharing to ensure that organisations share information and experiences as effectively as the cybercriminals.
John O’Mahoney, assistant commissioner, An Garda Síochána, said that within law enforcement here, great strides have been made in combatting cybercrime, and a central plank of this has been cooperation with academia.
The assistant commissioner said this cooperation has led to the sharing and development of new research, which has been of great benefit to the Gardaí, and members of An Garda Síochána now operate in influential roles in the European Cybercrime Centre (EC3) within Europol.
However, O’Mahoney warned that even the lowest level of cybercrime with the simplest methods can often cover three law enforcement jurisdictions, making investigation and prosecution difficult. He also emphasised that cooperation between forces and jurisdictions is vital.
Grainia Long, CEO, Irish Society for the Prevention of Cruelty to Children (ISPCC), warned that traditional methods and structures of child protection are not used to dealing with cyberthreats.
Long said that ISPCC’s Childline is an invaluable tool not only to allow children a means of contacting support, but also to give insights into what is happening with children, both online and off.
“Childline is a living and breathing example of how technology can be used to protect children,” said Long.
Former US intelligence agent, Chuck Georgio, executive director, NoWheretoHide.org, highlighted some of the most recent major cyberbreach incidents and drew comparisons between the CEOs of each of the victim organisations.
He said that senior executives trusted staff, ignored or lived with unnecessary risks and all shared a false sense of security. Georgio said that to ensure the proper levels of investment and support from the C-suite, the principles of behavioural economics must be employed for three key areas.
Firstly, he said that the attitude to compliance, intent for compliance and actual compliance are all individual areas that need addressing. Employees generally want to comply with security, as they are aware of the importance of doing so, but actual compliance can be compromised if the security tools are unwieldy.
Secondly, he said sanctions do not have a significant impact and are not sufficient to change behaviours.
And finally, ‘canned’ security briefings do not work as they do not impart the real implications of non-compliance nor the means to ensure actual compliance.
Georgio said that executives should demand proof of the measures taken to mitigate cyberrisks, of employee training and awareness programmes, patch management, data controls and approved application lists, even for cloud applications.