Cyber security challenge can be met
The popular image of the pizza-eating, ill-kempt hacker, alone in a basement, is far from reality, according to Lord Alan West, former UK Minister of Security and First Sea Lord, speaking at the Secure Computing Forum in Dublin.
The hacker is more likely to be sat at a desk in an open plan office staring at management consoles, reported Lord West. He said they know this because the intelligence services have observed them directly.
“We have seen them by tracking them and looking through their CCTV – cyber attacks are basically about return on investment.”
Lord West explained that most hackers are profit-driven and this dictates their actions.
“If the indicators are green, it is profitable. If they are red, they will drop it and move on.”
In this, he argued, lies the opportunity for enterprises to use adequate protections to make themselves the least attractive target, making it unprofitable for hackers to expend their efforts, so that they move on.
However, Lord West said this simple message was not always put forward.
In the past, he said, threat intelligence often bordered on scaremongering. For too long, it was promulgated that cyber security was something only other people could understand.
“Cyber security has been shrouded in mystique and fear,” said Lord West.
It is not, it is about risk management, he argued.
When asked about relations between the UK and Ireland on cyber intelligence, Lord West said that while he was out of such circles for some time, he “couldn’t imagine they are anything other than close.”
Describing the important ties and close economic partnership between the two nations, he said we need to help anyone who is our friend in such matters.
AI and security
The subject of artificial intelligence (AI) and security has been receiving much attention lately, and according to Ian Porteous, technical director, Northern Europe, Check Point, there are a number of problems in the area.
Chief among these issues is a lack of data and a lack of expertise.
AI needs large amounts of data with which to be trained for it to be effective. It also needs quite a lot of expertise to ensure the right data, sufficiently enriched for the purpose, is input. Both of these areas are coming up short, Porteous argued.
By way of example, he said that Amazon is thought to have more than 14,000 operatives globally whose sole job is to enrich data to allow its systems to make better decisions.
These issues, said Porteous, mean that for the application of AI in security, access to training data is difficult, meaning that false positives are often high. Also, AI systems are not good on verdict logic, meaning often the judgements made are opaque.
However, he said that AI has a place in security doing what it does best: processing vast amounts of data for meaningful patterns that would be almost impossible to determine otherwise. This can function as a decision support system for humans to spot the problems and begin to mitigate threats.
We are starting to see it [AI] revolutionise cyber security, he argued, but it is not a silver bullet.
Pattern detection was a theme taken up by industry veteran and security blogger Graham Cluley.
When an IT operative for the Iowa state lottery company, Eddie Tipton, was caught rigging the competition, he very nearly got away with a $14 million prize. But when the investigation went deeper it turned out that Tipton had in fact carried out more or less the same fraud on several previous occasions for his brother, brother-in-law, a neighbour and others.
Cluley warned that the insider threat is often of greater impact than external hackers, but is also much harder to detect. However, pattern analysis may have caught Tipton earlier in his escapades.
A panel discussion on post-breach activity, composed mainly of speakers, threw up some interesting points. When asked about how to pick an Incident Response (IR) team, all agreed that diversity was key. This was probably best characterised by Dan Wiley, head of Incident Response, Check Point Software Technologies.
Wiley said that a key member of his IR team is an artist. He said that when it comes to direct communication with hackers, it is often necessary to have someone who can be compelling and persuasive. Wiley said his artist is able to communicate with the hackers to maintain a persona that elicits trust, allowing them to gather intelligence more effectively.
Amid the technical and the strategic aspects of cyber security, there was also the human element. Jim A Shields, founder and CEO of Twist and Shout Media, talked about how emotional learning trumps logic-driven learning for humans, and how powerful stories with empathetic characters can be highly effective.
He used various excerpts from training videos and even the first cyber security-based sitcom to demonstrate the points, employing a technique he characterised as “weaponised comedy”.
The human impact was taken further by Lisa Forte, partner, Red Goat Cyber Security. A former intelligence operative, Forte described an anonymised case of a young corporate officer being manipulated through humanitarian and political leanings into breaching corporate confidentiality.
When it is revealed that they have been played, the feelings of isolation, victimisation and shame must be dealt with, as well as the crime or misdemeanours involved, warned Forte.
Process not product
Security is not a product, it is a process.
That was one of the principal assertions of Mikko Hypponen of F-Secure, one of the most respected information security professionals in the world.
Outlining how online crime has progressed in recent years, he said that today we are more likely to be the victims of online crime than real-world crime.
Whereas in the past, he added, we had only to worry about the criminals in our locale, today we need to worry about criminals all over the world, through the reach of the Internet.
He warned specifically about the Internet of Things (IoT), and how some manufacturers were internet-enabling devices without any thought for security, and cited the Mirai botnet, and its various incarnations since, as proof.
In true Internet Age style, he cited what has become known as Hypponen’s Law, which states that “Whenever an appliance is described as ‘smart’, it’s vulnerable.”
There is much work yet to be done to secure IoT, he warned.
“We have not yet had the ‘wake-up call’ for IoT security,” he said.
Despite this, Hypponen said organisations can protect themselves by understanding risk and applying resources appropriately. Not every company is targeted by foreign intelligence agencies, he asserted. Understand who your threat actors are likely to be and meet those threats, he said.
This would allow security to become an enabler and security departments to say ‘yes’ when the business asks for things. Security should be the people who allow these requests to be fulfilled securely, he argued.