As Paul Bryant, Security Engineering Manager at Crowdstrike, celebrates 20 years in cyber security, he looks back on a career that started with his first computer ‘miscreant’ and explores why, a generation on, we’re still making the same mistakes.

We often forget that the IT industry is, to all intents and purposes, still a pretty new phenomenon. Leading on from the mass-market computers created in the 1970s and ’80s, a whole new generation of tech - and of children who would become the adults championing that tech - was born. And some would become the anti-heroes of that success story.

‘Back in the day, I witnessed my very first computer breach,’ says Paul Bryant, ‘I had come to terms with the fact that I wouldn’t be grappling snakes and running around deserts like Indiana Jones. My frontline fighting would be on a keyboard.’

This first attack, at Bryant’s first graduate job, happened simply by chance. ‘A miscreant - they weren't called hackers or actors back then - accessed a router in our company by guessing the password and channelled the traffic of a particular company to another location for them to use, for whatever reason.’

‘Twenty years on, I recently read an article which detailed an attack which was exactly the same in technique and outcome as that distant attack that whetted my interest in all-things-security. It is hard not to be depressed witnessing this, but equally, things have evolved. That said, a company's ability to resist an attack is still mostly an exercise in Darwinism.’

Looking for the magic bullet

As consumers of tech, we have all lived through the different patches and upgrades, and the rethinking of old tech into the amazing gadgets we carry around in our pockets today. So why, 20 years down the line, are we still looking at successful attacks that are no different from their predecessors a generation earlier?

Bryant continues: ‘One area that is consistently challenging is ensuring the configuration of an asset is sound. That all necessary bells and whistles are enabled, that the sensible application of control and oversight on the asset is correctly done. This is challenging and the reason it is challenging is that the answer to what is the right configuration is not that obvious. Equally, working out what is proportional versus operational simplicity is also not that easy.

‘Those who are successful, do this grounded in knowledge of how breaches actually occur and by distilling the most common techniques used by attackers into a set of imperatives for protection - or at least detection. They also understand their own landscape better than those who consistently fall foul of attacks.’

What is important - and what’s not

In our world of ever-increasing data - Forbes estimates that 90% of the data we have today was created in the last two years - we’re in a position of either dealing more efficiently with that information overload, or facing the fact that we can’t protect everything. This leaves the IT profession with some very tricky ethical questions. What to save, and what not to?

Bryant says: ‘You have to decide what is important and what is not. You have to accept that sacrifice is necessary to keep the business operational. This means that not responding to an attack until a certain point allows you to be most effective, rather than jumping to respond to low priority events or even just noise.

‘In order to have the time needed for deliberate preparation, you have to know when to step in, and when to not.

‘The best people in cyber know all the bells and whistles and carefully manage their response, acquiring technologies when necessary, but also ensuring in-built capabilities in operating systems and applications are used more appropriately.

‘Finally, they have a fighting reserve of capabilities to fall back on, i.e. more draconian measures which can be implemented quickly should events escalate. Misconfiguration in cloud, according to Crowdstrike’s most recent reporting, causes over 30% of breaches. And, whilst it is not reasonable to expect that companies will slow down, there is certainly an argument that going slow to go fast is a useful strategy.’

Creating a perfect storm

Implementing the right tech is one thing, implementing the right tech and getting it used in the right way is quite another. While the shortcomings of the programming can be rectified and new products developed to suit the evolving need of the workplace and of society, the ‘people’ element adds uncertainty to the situation.

‘Many companies think that acquiring the right technology is “job done”. They don’t realise that it’s a triad of people, process and technology that creates the solution. If you don’t have the right people or process to use the tech, it won’t be used properly resulting in wasted investments and disillusionment. An outstanding piece of technology, of itself, can never be used as an alternative to people, training or process.’

So how can we up our game?

Traditionally, people have worked in silos. Our workplaces have all evolved to delineate skills into different, very separate departments, with limited crossover. However, with the advent of tech serving every single area across every business, there is less of a ‘them and us’ feeling about the IT department, and everyone is taking personal responsibility for protecting their employer digitally.

‘A former CISO boss of mine recently wrote that, “often 100% of the knowledge is held by 10% of the people. Whereas a successful entity ensures that 10% of the knowledge is held by 100% of the people.”

‘This information, by and large, is shared with the few and hoarded almost against commonsense. Whilst one does not want to flood an audience with information, I have never met a non-IT security person who did not want to learn more - if only someone was willing to unpack a few acronyms for them and provide adequate insight. Many end users are simply kept in the dark by their organisations, rather than being fully onboarded as extensions to the security team.

‘In my current world, my team produces threat collateral. This includes exact replica phishing emails, malicious documents and malicious sites to test outcomes before they become threats.’

As phishing campaigns and malware become more sophisticated, training in turn has to be more sophisticated to truly test individuals. Organisations such as Birmingham Airport are instigating ongoing training, with a monthly programme of testing and video content to keep security front of mind for everyone at every pay grade. In fact, if employees don’t take their training seriously, they can be locked out of the IT system altogether. So just how does this training work?

Red team? Blue team? White hat? Just test

While pen-testing is as old as IT systems themselves, recent years have seen new testers come to the fore. There has been a new flourishing in IT of the ethical hacker. The person who finds vulnerabilities and is paid handsomely in bounties that will keep them surfing the beaches of Bali or travelling the world. For many of today’s testers, or often ethical hackers, it is a game of finding and exploiting vulnerabilities, in any way possible - just like a bad actor would.

Bryant continues: ‘Much security testing focuses on the adherence to a process and on a sample of the application deployed in a non-real-world way. Whilst red team testing and (more realistic) open-ended testing is more prevalent, it is not as prevalent as it needs to be.’

So, what happens when you open your screen and find the message: “Your important files are encrypted. We guarantee that you can recover all your files safely and easily. But if you want to decrypt all your files, you need to pay. Payment is accepted in Bitcoin only.”

‘How do you get hold of thousands of pounds worth of bitcoin? And what is the price of not paying? Recently, an e-crime actor demanded £300,000 in bitcoin to release a company’s data - or they would expose the breach to the press and local data control entities. So, pay the criminal, or pay the fine for not adequately protecting your data? Alternatively, invest in testing and securing your systems now and you won’t have Hobson’s choice.

‘When a boxer steps into the ring, it is not the first time they have been punched; when specialist soldiers abseil into a building, they have done it tens if not hundreds of times before. Conversely, in the cyber security arena, many breaches are handled by people with limited experience, without trusted partners already briefed and primed. Creating realistic and challenging testing scenarios is the only way people will get the experience they need to deal with a major breach, before the breach happens.’

21st Century cyber

Resilience isn’t factored in as readily as it should be. While many companies are looking for the ‘Black Swan’ of breaches, it makes more sense, instead, to focus on duplication, redundancy and contingency for the worst-case scenario.

However, what we should be looking at is sharing intelligence, open discussion with industry peers (to establish and evolve planning or even architectural patterns) and developing a resilience that will give companies the ability to cope. The recent coronavirus pandemic has highlighted some of the challenges of remote working. When push comes to shove, the remote access solutions of a company are being tested across the country - and many workers are finding problems with that access, including a major outage of Microsoft newcomer “Teams”.

What can we do better?

While there is still a lack of knowledgeable, informed and adequate preparation, recent events have helped to sharpen the focus. Previously, we have all looked at the immediate fire that has needed extinguishing and not what has caused the fire itself. Like the aforementioned ransomware, there is a fear among some IT professionals that they are damned if they do and damned if they don’t. Bryant says, ‘They fear that the negative findings from testing will be used as a “blaming criteria” rather than a nugget of self-improvement.’ So, what can be done?

Bryant believes that there needs to be more of a culture of shared responsibility for IT systems. ‘Boards are more aware of cyber and this has actively challenged companies to improve from above. Adherence to compliance frameworks has been augmented with much more practical frameworks with qualitative outcomes. And, most importantly, attackers are having to work harder, and are having to continue to evolve. This is borne out of the fact that many cyber criminals are now upgrading to tactics that were previously used by nation state groups.

‘There is still a lot to be done, but it will be accomplished by level-headed pragmatism, preparation… and the occasional outstanding piece of technology.’