Modest rise in incidents belies wider info sec situation
25 November 2016 | 0
Last year saw a 14% increase in reported information security incidents, according to the latest figures from the Irish Reporting and Information Security Service (IRISS).
At its annual conference, IRISSCON, IRISS director Brian Honan, told attendees that the number of incidents reported in 2016 had risen to 29,804, from 26,137 in 2015.
The sources of these reports were victims of incidents, third parties, law enforcement and other computer emergency response teams (CERT).
Breaking the figures down, Honan said the vast majority were inbound distributed denial of service (DDoS) attacks at 93%. Of the other 7%, outbound DDoS accounted for 2%, with malware and phishing (hosted) at the same. The final 1% was accounted for by command and control servers for botnets.
Honan said the major concerns expressed were around ransomware, DDoS and CEO fraud, though he was quick to point out that CEO fraud is not an information security issue as such, and more a social engineering-based fraud that leverages digital communications.
Honan said that, unfortunately, the figures and the general information were all too familiar. He emphasised basic protections that can be taken against ransomware to ensure that even if an organisation is hit with an attack, it can be mitigated and recovered from quickly.
Ensuring that back-ups were regular, appropriate and up to date was the number one recommendation, followed by the implementation of a reputable antivirus solution. Keeping all operating systems and applications patched and up to date was also, critical.
Honan recommended blocking all going I2P and other peer-to-peer traffic, as he said “there is no need for this kind of traffic, so block it”.
He rounded off his advice by saying with the proper protections in place, organisations could confidently refuse to pay the ransom. Elaborating, he said that even by paying, there is no guarantee that a resolution would be forthcoming. He said that sometimes organisations are hit with old infections and the originators may not even be monitoring anymore, meaning money will disappear and there will be no decryption key. Also, he said that many criminals simply take the money and provide no key anyway.
Feeding the ecosystem
Paying up simply feeds the criminal ecosystem, Honan warned, and so perpetuates the cycle. Refuse, he advised and report any incidents to the Gardaí.
He also advised that a free information service exists at nomoreransom.org which has an archive of decryption keys for common attacks, which may help recover files and digital assets.
An interesting, if somewhat ominous presentations came from Norwegian research scientists Dr Marie Moe of SINTEF. Dr Moe has an electronic cardiac pacemaker. Naturally as an information security professional, she wanted to know how secure the device was, describing it as a piece of hardware running software that lives in her body. She asked the room full of infosec pros, “can hackers break my heart?” Alas, the answer was yes.
“As a security researcher, I see this as an attack surface, a way to attack inside my body,” said Dr Moe.
Dr Moe detailed her extensive research which found that proprietary code, a lack of standards and susceptibility to configuration signal intercepts meant that there were a number of vulnerabilities to her device. One proof of concept showed how the normally 10-year battery could be set to drain in hours.
She urged the medical devices industry to adopt a “Hypocratic Oath for connected medical devices” that would ensure cyber-safety by design through anticipation and avoidance of potential failures. She encouraged third-party collaboration to engage with willing allies to improve security, resilience and reliability. Device makers must provide evidence capture to facilitate observation and investigation. There must be resilience and containment to prevent cascading failures. Finally, there must be a facility for cyber-safety updates, correcting failure conditions once known.
Christopher Boyd, malware intelligence analyst, Malwarebytes, presented his extensive researches into the end user licence agreements, terms and conditions listings and privacy policies that come with many applications these days. Finding them unwieldy and inaccessible, he took one example from a popular game from Google Play.
Including linked or referenced documents and materials, Boyd found that a user would have to read through “406,000+ words across 4 related categories covering up to 212 privacy policies — not far off the combined wordcount of ‘Lord of the Rings’!”
Boyd highlighted the fact that such an undertaking would be ridiculous, and yet, it was legally acceptable to present user agreements in such a manner.
Language was the central theme of Dr Jessica Barker’s talk. An information security consultant specialising in the human factor, Dr Barker focused on the terms used in the industry and how these can affect perceptions.
Delving into the etymology of the term ‘cyber’, Dr Barker highlighted the fact that while cybersecurity is deeply unpopular as a term to describe what information security professionals do, sometimes it is necessary to use such popularised terms, especially when speaking to line of business people.
Irrespective of the attribution of the term, whether to Norbert Wiener for his 194os ‘cybernetics’, or William Gibson and his 1980s ‘cyberspace’ Dr Barker cited surveys she had carried out of both professionals and the general public which showed the term ‘cybersecurity’ had far greater resonance than information or data security.
As such, Dr Barker said that it would be necessary to use the term when engaging with non-information security audiences to reduce ambiguity.
“What we are trying to do in this industry is get people to care about something they don’t understand,” said Dr Barker.
In this context, she highlighted a tendency among information security professionals to use the term “user” as a pejorative, which was damaging to relations.
She emphasised that with security awareness more critical than ever, anything that prejudiced users of technology to the basic message of information security was something that needed immediate attention.