On October 20, 2016, One Canada Square, Canary Wharf, played host to the very first WIRED Security Conference, bringing together a whole raft of impressive names to discuss some of the key trends and topics shaping the cybersecurity industry at the moment. Here are some of our highlights from what was a great day full of insight, intrigue and lively debate.
The Threat to Enterprise – and How to Build in Resilience
Kicking things off, BAE Systems' Adrian Nish and Sadie Creese, professor of cybersecurity at the University of Oxford, explored the security threats companies face today and outlined the steps they can take to bolster their cyber resilience.
Nish pointed to the recent high-profile cyber-heist at Bangladesh Bank, in which criminals successfully made off with a staggering $101 million, as a prime example of the kind of threat looming over the financial sector, and walked through the five specific stages of the attack:
1. The Setup
2. The Intrusion
3. The Timing
4. The Transaction
5. The Subversion
So what can companies do to improve their own resilience and avoid suffering the same fate? According to Nish, they need to:
• “Limit administrator accounts; and monitor their use/abuse”
• “Segregate networks; if it doesn’t need to talk to the internet then don’t let it”
• “Perform penetration testing; use intelligence on real attacks”
• “Expect the attacker to subvert your response functions; have out-of-band communications”
• “The adversaries are trained professionals, we need our teams to be too”
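The first of Nish's points, limiting administrator accounts and monitoring their use, is the one most easily turned into a concrete check. The script below is an added example written for this write-up (it is not code from the talk or from BAE Systems). It reads authentication events in a simple key=value line format, with constructed sample lines embedded, and flags privileged logons that break an assumed policy: the account must be on a known admin allowlist, the logon must come through an assumed jump-host subnet, and it must fall inside an assumed change window. The log format, account names, subnet and hours are all assumptions made for the example.

```python
"""Added example: flagging suspicious use of administrator accounts.

Illustrative code for this write-up, not from the conference or any vendor.
Policy values below (admin allowlist, jump-host subnet, change window) are
assumptions chosen for the example.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

KNOWN_ADMINS = {"ops-admin", "dba-admin"}          # assumed allowlist
JUMP_HOSTS = [ip_network("10.0.100.0/24")]           # assumed jump-host subnet
WORK_HOURS = range(8, 19)                            # assumed window, 08:00-18:59 UTC

# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "ts=2016-10-20T09:12:01Z host=swift-gw01 user=ops-admin src=10.0.100.7 result=success priv=1",
    "ts=2016-10-20T02:45:13Z host=swift-gw01 user=ops-admin src=10.8.4.22 result=success priv=1",
    "ts=2016-10-20T10:03:40Z host=fin-db02 user=svc_backup src=10.0.100.9 result=success priv=1",
    "ts=2016-10-20T10:05:00Z host=fin-db02 user=alice src=10.8.4.22 result=success priv=0",
]


@dataclass
class AuthEvent:
    ts: datetime
    host: str
    user: str
    src: str
    result: str
    privileged: bool


def parse_event(line: str) -> AuthEvent:
    """Parse one 'key=value key=value ...' line into an AuthEvent."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return AuthEvent(
        ts=datetime.fromisoformat(fields["ts"].replace("Z", "+00:00")),
        host=fields["host"],
        user=fields["user"],
        src=fields["src"],
        result=fields["result"],
        privileged=fields.get("priv") == "1",
    )


def check_event(ev: AuthEvent) -> list:
    """Return the list of policy violations for one event (empty if clean).

    Only privileged logons are examined; ordinary user logons pass through.
    """
    findings = []
    if not ev.privileged:
        return findings
    if ev.user not in KNOWN_ADMINS:
        findings.append("unknown admin account")
    if not any(ip_address(ev.src) in net for net in JUMP_HOSTS):
        findings.append("admin logon not via jump host")
    if ev.ts.hour not in WORK_HOURS:
        findings.append("admin logon outside change window")
    return findings


def scan(lines) -> list:
    """Scan log lines and return one record per event that has findings."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        findings = check_event(ev)
        if findings:
            alerts.append({"ts": ev.ts.isoformat(), "host": ev.host,
                           "user": ev.user, "src": ev.src, "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run against the constructed lines, the first event is clean, the second fires twice (wrong source subnet, 02:45 UTC) and the third fires for an account that is not on the admin list. The point is the second of Nish's bullets too: if admin logons can only originate from a small segregated subnet, a single source-address check does a lot of the monitoring for you.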
Adding to the conversation on enterprise risk and resilience, Creese approached the subject from the angle of the insider threat, saying that “No matter where you work, there is some risk of an insider threat.”
One of the reasons we are not as equipped as we should be to defend against it, she continued, is because we are failing to deal with people and technology in tandem.
“You need to ask what it means for people in your organization. People under extreme forms of pressure are more likely to be coerced,” she argued.
Creese's key advice for turning the tide and becoming more resilient is to be divergent: to have the ability to see anomalies, and to know your company by knowing your people, which also lets you establish who and what you are as an organization.
However, the insider threat will always be there, she concluded: “You’ll already have problems from the inside, take it from me.”
What Can We Learn from Hackers?
Another topic of discussion was what lessons the industry can draw from the cyber-attacks that so often plague it, and how the actions of cyber-criminals can actually show us where we are going wrong.
For Mustafa Al-Bassam, advisor at Secure Trading, cybercrime has taught us that there is an incentive problem across the entire security landscape. Companies are too focused on quick profit; consumers are too focused on getting value from the product they buy; and governments suffer from a conflict of interests. All the while, security is seen as a cost to be avoided, becomes the forgotten element, and suffers as a result.
In contrast, the incentives of cyber-criminals are simple: they just want to maximize value from a breach.
“We need to look at cybersecurity as a human versus human problem, where the issues lie in the incentives of companies and people.”
Additionally, as Alex Rice, co-founder and CTO of HackerOne, explained, cyber-criminals show us that the industry suffers from a lack of curiosity and holds itself back with the outdated mindset that we must rely on “security through obscurity.”
“The one commonality across all hackers is their incredible curiosity for understanding how technology works, how it can serve us, and how it can fail us. The main thing we can learn from hackers is how to leverage this curiosity for good, rather than malice.”
Ultimately, if you set obscurity aside and ask hackers to look at something and apply their curiosity in a controlled, ethical manner that serves you (as in a bug bounty program), they turn up vulnerabilities that everything before them has missed.
What’s more, “the organizations that do this for long enough start to take it beyond hackers telling them about vulnerabilities and they incorporate those learnings into their software development lifecycle,” he added.
Tackling Cybercrime and Criminal Gangs
Next up was an exploration of tackling cybercrime and criminal gangs, with NEST Negotiation Strategies' CEO Moty Cristal arguing that, when it comes to negotiating with hackers who hold your data hostage, managing the human factor is key to overcoming a cyber-crisis; cyber-criminals “do have ethics” after all.
Reflecting on his experience as a hostage negotiator, Cristal quipped that “Real life, physical hostage situations are much easier to negotiate [than cyber situations], because you speak with the bad guys, you see the venue, you know how many hostages there are, and at the end of the day, any negotiator knows they have the SWAT team next to them.”
However, what happens in the virtual world when your data is being held hostage and you do not even know how much of it? How do you negotiate that?
According to Cristal, profiling, the cost of the deal, internal dynamics and flexibilities are the key things to consider here, and he urged victims to keep these human factors in mind as they negotiate, in order to slow, soften or even end attacks.
“With the Internet of Things we are all exposed” he said, “but when we are facing this crisis, remember at the end of the day it’s the human factor that needs to be managed with the technological elements.”
When it comes to gauging where the real cybercrime dangers are coming from, Mikko Hypponen of F-Secure said it is vital that we gain an understanding of the enemy so we know who we are fighting.
“This has changed over and over again throughout the years,” he continued, “we have a whole range of different hackers today, who all have a motive.”
In rare cases this might be hacktivists or governments and nation states, but the fact remains that the most likely attack against any organization comes from organized criminals out to make money.
The crux of the problem, Hypponen added, is that battling cybercrime is now so challenging because attacks have evolved beyond our expectations.
“We are now seeing attacks that we did not anticipate when authentication started to get better,” he said, citing fingerprint readers on smartphones as a prime example.
“Now with fast fingerprint readers pretty much everyone locks their phone right away, which is great, because it means if your phone gets stolen, it’s worthless to the thieves – they can’t open it so they can’t sell it.”
Now imagine, he said, that your phone has been stolen, but at least it had a fingerprint reader, so the thieves cannot get at your data; you buy a new phone and carry on with life. Then, a few days later, you happen to get a message from ‘Find My iPhone’ telling you that your stolen phone ‘has been found’ (great news!), so you follow the (malicious) link, which asks you to log in to your iCloud account with your credentials. Why? Because with those credentials the criminals can reset your phone without your finger and gain access to what they need. This is something we are seeing criminal gangs do.
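The trick in Hypponen's scenario is that the message says “Find My iPhone” but the link goes somewhere else. The script below is an added example written for this write-up (not from the talk, and not Apple's code) showing the check a mail or SMS filter, or a cautious user, can apply: pull every link out of the message, and accept only hosts under an assumed allowlist of Apple-owned apex domains, rejecting lookalike hosts that merely contain “icloud.com”, links with a user-info prefix (`https://icloud.com@evil.example/`), non-HTTPS links, and internationalised or punycode hosts. The allowlist and the sample message are assumptions constructed for the example.

```python
"""Added example: is the 'Find My iPhone' link really Apple's?

Illustrative code for this write-up, not from the conference or from Apple.
The trusted apex domains are an assumed allowlist for the example.
"""
import re
from urllib.parse import urlsplit

TRUSTED_APEX = ("apple.com", "icloud.com")   # assumed allowlist of Apple apex domains
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed phishing message modelled on the scenario in the talk.
SAMPLE_MESSAGE = (
    "Find My iPhone: your lost iPhone has been found!\n"
    "Sign in to see its location: https://icloud.com.findmy-device.example/login\n"
    "Need help? https://support.apple.com/\n"
)


def host_is_trusted(host: str) -> bool:
    """True only if host equals a trusted apex or is a subdomain of one.

    'icloud.com.findmy-device.example' fails: its apex is findmy-device.example.
    """
    host = host.lower().rstrip(".")
    return any(host == apex or host.endswith("." + apex) for apex in TRUSTED_APEX)


def classify_link(url: str) -> str:
    """Return 'trusted' or a 'suspicious: ...' reason for a single URL."""
    parts = urlsplit(url.rstrip(".,);"))
    host = parts.hostname or ""
    if parts.scheme != "https":
        return "suspicious: not https"
    if "@" in parts.netloc:
        # https://icloud.com@evil.example/ : the part before '@' is user-info, not the host
        return "suspicious: userinfo in URL"
    if any(ord(c) > 127 for c in host) or host.startswith("xn--") or ".xn--" in host:
        return "suspicious: IDN/punycode host"
    if host_is_trusted(host):
        return "trusted"
    return "suspicious: host %s is not an Apple domain" % host


def audit_message(text: str) -> list:
    """Return (url, verdict) for every link found in the message text."""
    return [(url, classify_link(url)) for url in URL_RE.findall(text)]


if __name__ == "__main__":
    for url, verdict in audit_message(SAMPLE_MESSAGE):
        print(verdict, "<-", url)
```

The second link in the constructed message is genuine support.apple.com, which is exactly why a per-link verdict matters: one trusted link in a message does not vouch for the others, and the credential prompt is always behind the untrusted one.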
Last to add his thoughts on this topic was Troy Hunt, creator of Have I Been Pwned?, who argued that cyber-criminals are often misrepresented in the media, and even by security companies themselves, as hoodie-wearing, binary-loving, mysterious figures, which generates a sense of fear and makes it difficult for the public to understand how they actually operate.
“What I find really interesting is when we start comparing this with the real world,” Hunt said, referring to the TalkTalk breach last year. “TalkTalk was in the news, and this detective came out and said, ‘We think it was Russian Islamic cyber jihadis’ – which is terrifying!”
Then we found out who it actually was: a 15-year-old boy using free software off the internet, a very different reality from the way the incident was represented.
“I’m finding it increasingly amusing how these incidents are covered,” he concluded.
These really are just a selection of the discussions held on the day, which was enjoyable, well put together and fascinating. WIRED Magazine did a stellar job with its inaugural security conference and I’m already looking forward to the next!