In 2006, UK mathematician Clive Humby (architect of the Tesco Clubcard) observed that “data is the new oil”: ubiquitous, desirable and enormously valuable. Just like oil, data must be refined before it yields value; it must be transformed into something that supports profitable activity. However, this is where Humby's analogy is too modest. The refining process for data is far more open-ended, producing a multitude of products that do more than simply combust, and, unlike oil, the value of data is in the eye of the beholder.
Value of data
Every day, trillions of user-created data points are aggregated and put to work to generate efficiencies, cost savings, innovation and differentiation, against a backdrop of ubiquitous connectivity and rapid globalisation. This has political as well as commercial ramifications. For governments, behavioural intelligence built on the personal data of citizens offers a tantalising insight into the voting intentions of the populace.
For example, the UK company Cambridge Analytica has been linked, with varying degrees of substantiation, to the Brexit referendum and to the US and French presidential elections. It claims to hold up to 5,000 individual data points on every man, woman and child in the USA (built from demographic and socio-economic information), which it used to help a political client identify persuadable fringe voters and target them with tailored social media messaging.
Of course, governments have been gathering, analysing and leveraging private data on a far greater scale (and for much longer) under the banner of security. Intelligence objectives, such as identifying terrorists or monitoring other nation states, have been a key catalyst for the growing public tolerance of open surveillance, enacted through far-reaching data-gathering legislation and infrastructure.
The key difference now is the target: we are seeing the ‘weaponisation’ of personal data against civilian groups who are largely indifferent to being observed. Every thought, behaviour, relationship and desire is now an obtainable record. The convenience and openness of our relationship with social media has left us open to exploitation.
Whatever the moral implications of state actors leveraging personal data for political gain, their actions generally fall within the law. But what about those individuals and organisations operating without the tacit permission of a public mandate?
Historically, cyber-crime was unorganised and chaotic: the preserve of ‘script kiddies’ in messy bedrooms, or of isolated groups operating without the support of a larger criminal network.
However, as we live more of our lives online, and as criminal methods become easier and the rewards greater, cyber-crime is getting organised.
In a 2012 TED talk, the FBI futurologist Marc Goodman drew parallels between the growing prevalence of cyber-crime and earlier criminal innovations: the move from the single victim of a highway robbery to a captive audience of 200 targets in a stagecoach hold-up was fundamentally an exercise in risk reduction and scalability. Goodman argues that incidents like the 2011 Sony PlayStation Network breach, in which personally identifiable information on over 77 million user accounts was stolen in a single intrusion, belong to the same continuum.
The scale that casual observers struggle to comprehend is, to a criminal organisation looking for low-risk, high-return revenue streams, simply a compelling business case.
Rise in ransomware
The recent spike in ransomware attacks is part of the same continuum. Criminals have realised that data doesn't have to be useful to anyone else to be worth holding to ransom; it only has to be valued by its owner. Personal files such as documents, photos and videos can be just as lucrative (if not more so) than credit card numbers, which must be sold on or cashed out before they are worth anything.
Ransomware attacks are low-level extortion at scale. The tools are cheap and easy to use, and the data they target needs no refinement to extract value, because the victim already knows what it is worth. Payment is also hard to trace in practice thanks to crypto-currencies such as Bitcoin, which allow large sums to be collected and moved without a bank in the loop. Strictly, Bitcoin is pseudonymous rather than anonymous: the ledger is public and every transaction can be followed, but the person behind a wallet address is not recorded anywhere.
Again, a confluence of factors is drawing serious investment from criminal organisations. The method is a repeatable, consistent, low-risk, high-reward revenue stream, but there is something else going on too.
The ‘WannaCry’ attack of May 2017 infected hundreds of thousands of machines across the world. This wasn't because its encryption code was any more sophisticated than the crypto-ransomware of the past, but because it had been bolted onto leaked NSA tooling: the ‘EternalBlue’ exploit for a flaw in the Windows SMBv1 file-sharing service (patched by Microsoft in March 2017 as MS17-010) and the ‘DoublePulsar’ backdoor implant used to load the payload onto an exploited machine, both published by a group calling itself The Shadow Brokers. Together they turned WannaCry into a worm: one infected computer could push the infection onto any other unpatched machine it could reach over SMB, inside the network or across the internet, with no user action required, causing far faster and wider propagation than earlier incidents.
Stuck in the middle of an arms race
Historically, security flaws were identified, reported and patched. The Shadow Brokers' leak, however, points to a fundamental shift in our relationship with software vulnerabilities: they are now stockpiled, rather than disclosed, as a component of state-sanctioned surveillance.
This leak is not an isolated incident. Every new service, application, security patch and operating system brings new code, and with it new vulnerabilities and unknown exploits (and, if some legislators have their way, mandated backdoors) that cumulatively represent the keys to our personal lives. Cyber-criminals are probing every line of code that is released, every packet that enters or leaves a network, and every piece of firmware on every device attached to your network, looking for a hole to exploit.
The methods and tools used by intelligence agencies are high-value targets in their own right, and will be stolen, traded and re-used by organised criminals more often in the coming years. Crucially, DoublePulsar was not new technology when it leaked; even the most advanced criminal organisations still have a lot of catching up to do.
So if we're stuck in the middle, is there anything we can do?
The most common coping strategy is simply not to engage, and to place blind faith in service providers to keep our data safe. ‘Security’ and ‘privacy’ are powerful words, and companies like Microsoft, Apple and Google know it, but against a backdrop of policy-makers expressing open hostility towards the very concept of strong encryption, those words risk losing any real meaning.
This becomes doubly true when you factor in the suspicion among many in the cyber-security community that the June 2017 Petya (‘NotPetya’) attack on Ukraine was backed by the Russian government. Trusting companies, or indeed governments, to insulate us from the effects of cyber-crime is a hard position to justify while nation states and criminal organisations run the same attacks, with the same tools, in parallel.
Furthermore, Ukraine may have been the target, but Petya's effects were felt internationally. Some of the largest companies in the world, including many UK organisations, were paralysed by what was (allegedly) an act of Russian foreign policy; the casualties included the world's largest law firm, the world's largest shipping company and one of the largest gas producers. How much uncontrollable risk must smaller organisations absorb into their continuity planning before concluding that ignoring the problem altogether would be no less effective?
Creating a meaningful response
So what's the answer? It is easy to be paralysed by the overwhelming variety and severity of the modern cyber-threat landscape, but there are still positive, practical steps that both reduce your susceptibility to compromise and improve your ability to withstand and recover from an attack.
The first is obvious, essential, and all too often ignored: continually and proactively secure your IT infrastructure. Take the time to ensure your operating systems, applications, anti-virus software and firewalls are up to date, patched and maintained. If there are gaps, plug them. WannaCry is the cautionary tale here: the SMB flaw it exploited had been patched by Microsoft two months before the outbreak, and the machines it infected were those still running without that update. This may be painful or disruptive to resolve, but shoring up basic security must take priority.
The second step is more difficult. Increasingly, threat actors target people rather than technology. As we expose more of our personal and professional lives in public online spaces, we furnish criminals and other threat actors with more source material from which to construct highly credible social engineering attacks. In volume, individually innocuous pieces of information form breadcrumb trails to new vulnerabilities and vectors of attack.
Spear phishing and whaling attacks are fundamentally about people, not technology, which is why cyber-awareness training remains the most suitable response. As with shoring up IT infrastructure, this is about regularity and consistency rather than a single grand gesture. It is about embedding a culture of security, driven from the top down and treated as a critical priority across every team. Old norms must be challenged, and ingrained responses and established processes shifted. Directors must attend training sessions alongside new starters, and a culture of vigilance, transparency and accountability must be promoted at all levels and within all teams.
In parallel with awareness training, there should be a corresponding tightening of information controls. Workers, including senior managers, only really need access to a small proportion of company data to work effectively. Ransomware running under a user's account can only encrypt what that account can write to, so the blast radius of a single bad click is set by that user's permissions: an account with needless administrator rights, or broad write access to every departmental share, turns one infected laptop into an organisation-wide outage. Proactively categorising users, granting write access to shares on a need-to-know basis, and keeping administrator privileges on separate accounts used only for administration can significantly limit how far malware spreads around your network.
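The following is an added example, not code from the original article or from Databarracks, showing what "blast radius" means in practice: given which groups can write to which shares, and nested group membership resolved the way a directory service such as Active Directory resolves it, it lists the shares that ransomware running as a given account could encrypt, flags everyday accounts that carry admin rights, and shows how much the radius shrinks when those rights are moved off the everyday account. The users, groups and share names are constructed for the demo.

```python
# Added example, not from the original article: how far a ransomware infection
# can spread from one compromised account, modelled as "which shares can this
# account write to", with nested group membership resolved the way a directory
# service would. Users, groups and share names are constructed for the demo.
from collections import deque

# group -> direct members (user accounts or other groups)
GROUP_MEMBERS = {
    "Domain Users": ["alice", "bob", "carol"],
    "Finance": ["carol", "Finance-Leads"],   # nested group
    "Finance-Leads": ["bob"],
    "Sales": ["alice"],
    "Domain Admins": ["bob"],                # bob's everyday login is an admin
}

# share -> groups that hold write access
SHARE_WRITERS = {
    r"\\fs01\public": ["Domain Users"],
    r"\\fs01\sales": ["Sales"],
    r"\\fs01\finance": ["Finance"],
    r"\\fs01\board-papers": ["Finance-Leads"],
    r"\\fs01\backups": ["Domain Admins"],    # an online backup target, reachable over the network
}


def effective_groups(user, group_members=GROUP_MEMBERS):
    """Every group `user` belongs to, directly or through nested groups."""
    parents = {}                              # member -> groups it is directly in
    for group, members in group_members.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    seen, queue = set(), deque(parents.get(user, ()))
    while queue:                              # breadth-first walk; `seen` guards against cycles
        group = queue.popleft()
        if group not in seen:
            seen.add(group)
            queue.extend(parents.get(group, ()))
    return seen


def blast_radius(user, group_members=GROUP_MEMBERS, share_writers=SHARE_WRITERS):
    """Shares that malware running as `user` could write to, and therefore encrypt."""
    groups = effective_groups(user, group_members)
    return {share for share, writers in share_writers.items() if groups.intersection(writers)}


def without_group(user, group, group_members=GROUP_MEMBERS):
    """Copy of the membership map with `user` removed from `group`, e.g. after moving
    admin rights to a separate account that is used only for administration."""
    return {g: [m for m in members if not (g == group and m == user)]
            for g, members in group_members.items()}


def over_privileged(admin_group="Domain Admins", group_members=GROUP_MEMBERS):
    """Everyday accounts whose effective membership includes the admin group."""
    users = {m for members in group_members.values() for m in members if m not in group_members}
    return sorted(u for u in users if admin_group in effective_groups(u, group_members))


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, sorted(blast_radius(user)))
    print("over-privileged everyday accounts:", over_privileged())
    trimmed = without_group("bob", "Domain Admins")
    print("bob after moving admin rights to a separate account:",
          sorted(blast_radius("bob", trimmed)))
```

Run against a real directory, the same logic is what a permissions audit does: enumerate each account's effective groups, map them onto share ACLs, and look for accounts whose writable set includes things they never touch in their job, the backup target in particular.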
Preventative measures are only half the equation. A well-rehearsed cyber-incident response plan can contain an incident before significant consequences materialise.
The four key words of cyber-response are “Isolate, Identify, Cure and Communicate”.
First, isolate. Cut off the infection vector by disconnecting the affected computer from the network, shutting down the affected network segment, severing the link to a remote office or data centre, or revoking credentials for a third-party cloud service. Where you can, prefer pulling the network cable to powering the machine off: switching it off destroys the evidence in memory that a later investigation may need, whereas isolating it stops the spread while preserving the machine's state.
Second, identify what you've been hit by and respond accordingly. Is it a relatively benign trojan leaking low-level information to an external server, or something more aggressive and destructive? Researching the symptoms of different infections in advance and aggregating them into a reference you can consult during an incident is an excellent use of time.
Third, cure. Clean or rebuild any infected machines and restore your services, and close the hole that let the infection in before reconnecting anything, or the same infection will simply return.
Fourth, communicate. A reliable crisis communication plan, with clear command structures, is critical. Your business-as-usual phone, email and messaging channels may have been disrupted, or deliberately taken offline to protect core infrastructure. Account for this, and rehearse a communications plan that both enables clear, accurate information to be distributed internally and includes protocols for careful management of the press, public relations and the social media narrative.
And finally, there is the nuclear option. A good, well-managed backup of your data, held offsite and not writable from your network (ransomware will happily encrypt any backup drive or share it can reach), is an effective last resort when everything else has failed and your data is fatally compromised or lost. In 2015, the FBI's publicly reported advice to organisations infected with ransomware was to pay up. In recent years, however, that has changed. According to Malwarebytes' Second Annual State of Ransomware Report, one in five small businesses hit by ransomware shut down. The ability to independently retrieve data from a point in time before the infection could have saved them, in a very practical sense.
Backup is uniquely placed as an effective last line of defence against ransomware, but it requires dedication. Backups must be properly managed, monitored daily, and regularly reviewed and tested by actually restoring from them; a job that reports success is not the same as data that comes back. Day to day, it is a mundane process that easily gets lost in the pressure of business-as-usual operations, but continually prioritising the health and recoverability of regular backups remains one of the most reliable routes to recovery from an otherwise bleak prognosis.
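As an added example (not the article's or Databarracks' own tooling), the script below shows the two checks that turn "we have backups" into "we can recover": a restore test that unpacks the archive into scratch space and compares every file's hash against a manifest taken at backup time, and a daily mass-change check that flags a backup which has silently captured ransomware-encrypted files, so that the last clean copy is not rotated out. The sample documents, the simulated ransomware run and the file names are constructed for the demo; only the Python standard library is used.

```python
# Added example, not from the original article: back up with a manifest, test
# the restore, and check consecutive backups for the mass change a ransomware
# run produces. Sample files and the simulated infection are constructed here.
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Archive `source` and write its manifest beside the archive."""
    manifest = build_manifest(source)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname="data")
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(manifest))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore into scratch space and compare every file's hash to the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(str(archive), "r:gz") as tar:
            # the 'filter' argument exists on patched 3.8+ and on 3.12+; skip it elsewhere
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(tmp, **kwargs)
        restored = build_manifest(Path(tmp) / "data")
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "unexpected": sorted(set(restored) - set(manifest)),
        "changed": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
    }


def mass_change_ratio(previous: dict, current: dict) -> float:
    """Fraction of previously backed-up files now missing or altered. Normal churn
    is small; a jump between two consecutive backups is what ransomware looks like."""
    if not previous:
        return 0.0
    disturbed = sum(1 for path, digest in previous.items() if current.get(path) != digest)
    return disturbed / len(previous)


def demo(threshold: float = 0.5) -> dict:
    """Clean backup, simulated ransomware run, second backup, then both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        (share / "finance").mkdir(parents=True)
        (share / "finance" / "q1.xlsx").write_bytes(b"quarterly figures")   # constructed
        (share / "finance" / "q2.xlsx").write_bytes(b"more figures")        # constructed
        (share / "contract.docx").write_bytes(b"signed contract")           # constructed
        (share / "readme.txt").write_bytes(b"shared drive")                 # constructed

        day1 = Path(tmp) / "day1.tar.gz"
        manifest_day1 = create_backup(share, day1)
        clean_result = verify_restore(day1, manifest_day1)

        # simulated ransomware: scramble and rename every file except one
        for p in list(share.rglob("*")):
            if p.is_file() and p.name != "readme.txt":
                p.write_bytes(b"ENCRYPTED:" + p.read_bytes()[::-1])
                p.rename(p.with_name(p.name + ".locked"))

        day2 = Path(tmp) / "day2.tar.gz"
        manifest_day2 = create_backup(share, day2)
        ratio = mass_change_ratio(manifest_day1, manifest_day2)
        return {
            "day1_restore_ok": not any(clean_result.values()),
            "day2_vs_day1": verify_restore(day2, manifest_day1),
            "mass_change_ratio": ratio,
            "safe_to_rotate_day1": ratio < threshold,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is the piece people skip: without it a restore test can only tell you that the archive unpacks, not that the contents are what they were. Keep the manifest, like the archive, somewhere the production network cannot write to, and treat a mass-change ratio above your threshold as a reason to freeze retention, not as a successful backup.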
Contributed by Peter Groucutt, managing director at Databarracks
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.