Keynote speaker Raj Samani, chief scientist, fellow, McAfee, told SC Congress* delegates this morning that cybersecurity is wider ranging than IT systems - and everyone is now recognising this, including the attackers, from low-level scammers to espionage actors.
*(Congress is a digital event, free online live for the rest of today and available for three months, here)
Samani (paraphrased below) explained:
At the start of the crisis, some ransomers such as Maze said they would not go after healthcare, and I naively believed that as we went into lockdown, criminals and offensive crews in states would slow down - but it's the one thing that didn't slow down. It doesn't matter what the global situation is, cybercriminals will go after their aims, and it has flourished in lockdown.
As we looked into the types of ransomware campaign in February, there were not so many, and it was low-level malware groups that were using Covid-19 as a lure, but as we got into lockdown, we saw heightened activity - tens of thousands of malicious URLs, lots of rogue malware, and every scumbag across the world using the worst time we have experienced, and they didn't care. They only cared about making money. But we shouldn't really be surprised. We already knew they try to cheat and steal money from disaster relief.
The most targeted countries were those most affected by Covid-19, so at one point it was Spain, the US and China, and the map of attacks almost correlated to infections globally. Yes, the finance sector was targeted, but healthcare was in the top three. So it's the last time I give criminals the benefit of the doubt.
We usually see 12,000 to 15,000 malicious URLs per day, but during the crisis we saw a massive spike in URLs being registered related to the pandemic, which tells us there was a huge amount of automation, and it was very fluid; within a day or hours the URL was no longer functioning. It's the last thing we needed - people kicking us when we were at our lowest.
We always look at the IT, the malware, the country behind it, but it has a direct impact on our economic future. The exact impact of cybercrime is impossible to accurately quantify, as a lot goes unreported or unknown. A particular breach is forgotten in a week and we fail to learn from it.
But there is a GDP/economic loss from cybercrime - estimated at about half a percent - but many countries are not able to report on it, so if we look at statistics from, say, Germany and the Netherlands, which are believed to be quite accurate, they report the impact as about 1.6 percent of GDP. It has a direct impact on the economic future of the countries affected and so needs to be taken more seriously. It's about a country's future prosperity.
In that respect we are doing pretty badly. GDPR has been a tremendous movement to get transparency of information, and to get controls in place to see data. But it has had negative aspects too - WHOIS went dark, and it's one of the first steps for law enforcement to see who registered a domain. While only about 13 percent of domains used accurate information, a lot can be learned from using the metadata there, linking URLs with the same actor, etc. With GDPR it was deemed to be personal information. The Internet Organised Crime Threat Assessment (IOCTA) report discusses the law enforcement challenges of this move and says that we are making it more difficult for ourselves. Maybe we are not collaborating well enough, not getting our view put across to those making these decisions. Maybe we are just seen as IT geeks and not getting our input into these sessions where decisions are being made.
In contrast, the bad guys are collaborating and working together; there is a cybercrime world ecosystem, and even in countries without internet capabilities, their criminals have access to this capability. FinFisher, Hacking Team and similar cybertools are being used by others (than democratic governments) - our tools are being taken from us, and companies are willing to sell tools to carry out attacks; more adversaries are becoming more capable each day, and outsourcing as well. The top 100 cybercriminal kingpins have more capability than most countries, and their capabilities are for hire.
The platforms we use are used against us. Would the Brexit result and certain elections have had the same results without the impact of these platforms?
To suggest cybersecurity is just an IT issue is laughable. It is hitting our healthcare, our very democracy. Criminals can see we are not stopping them, and they have the audacity to taunt our industry. In research that canvassed ransomers, a third answered, and all said they had absolutely no fear of getting caught.
There are issues within the industry, a lot of angst about toxicity, the way we treat people from minorities, and gender issues. I've not seen it, but I have been told it occurs - though with 18-hour days during the Covid-19 crisis, and more ransomware attacks than ever seen in terms of impact, you wonder how it is even possible to engage in such divisive activity.
We need to create an environment and culture that is more inclusive and gets more people in. If we create barriers or a perception of toxicity, how do we address and attract more people into our industry? How do we change? It's small things.
Recently, doing vulnerability research, we compromised iParcel home delivery, to remotely unlock their box. iParcel published the research themselves and re-tweeted it (obviously after having fixed the vulnerabilities) - and recognised that cybersecurity research enables the creation of better products. Originally, finding vulnerabilities always resulted in a legal threat; now vulnerability research is more accepted, and it is recognised that it does create better products, though there are still some legal threats.
Tools like No More Ransom are beginning to make a difference, with 100 partners contributing. Then there is the iParcel example and what the NCSC is doing with CyberFirst. So ask yourselves, what can you do? E.g. a Zoom talk to kids, mentor someone coming into the industry, write a blog to encourage people to enter this industry.
The world needs our industry, but if we create barriers and walls and are seen as the IT function, that will be our future. We need to reshape who we are and where we are as an industry. It's also important that we look at due diligence - companies that do the right thing and get compromised should not be treated the same as a company that, say, used 'password' as its password.