Rik Ferguson, VP Security Research at Trend Micro, in conversation with Deanna O’Connor about cyber criminal activity targeting businesses.
Q. Where are we at right now as regards regulation when it comes to cybercrime?
The General Data Protection Regulation (GDPR) is a really good step forward in that area. Business people are far more responsive to regulation and legislation than they are to changes in the technology environment. It’s really positive to see legislative bodies or regulatory bodies of one description or another getting involved in information security and cyber security and building at least a framework for security.
Certainly if you are GDPR compliant, same as with anything else compliant, whether it’s the Payment Card Industry Data Security Standard (PCI DSS), GDPR, or any other, it doesn’t mean that you’ve built a secure enterprise, but it certainly means you have a good framework to build security into the way that you do business.
Q. Do you think it’s where it needs to be, or are we only at the baby steps level?
I think we’re beyond baby steps because it’s not the first security regulation to come out of the EU and it’s certainly not the first computer security legislation. We had that nationally and we’ve had that internationally and we’ve had a lot of law enforcement collaboration in terms of how we go about prosecuting and collecting and sharing information.
Obviously you’ve got the expertise of the security industry, which is 20 to 30 years’ worth of knowledge and applied expertise. But where it’s a real step change is how scary it is as a regulation, because that’s where legislation and regulation have fallen down in the past – with the notable exception I suppose of something like the Computer Misuse Act (1990), and its various other national equivalents throughout the EU, which carry the threat of jail time.
But that’s for illegal activity in terms of breaking into somewhere you are not supposed to be in; it’s not about how you handle other people’s information.
GDPR is the first one that’s actually had significant teeth that people will take notice of because, previously, you could make a business decision about whether you wanted to be compliant or not, as the cost of compliance may have been greater than the cost of non-compliance. So if it’s more cost effective for you to not bother and pay a fine, that’s a cost of doing business – a risk management and financial decision.
Now that we’re looking at GDPR with a potential 4% of the previous year’s annual gross turnover, suddenly the numbers start getting big and the more successful the business is, the bigger the fine that is going to be levied. So the more data you hold nominally, the more attention you are going to have to pay to it. It’s a great way of doing it.
If you look at the Yahoo breach, the notifications of the breaches over this year and last, when they notified the first one I was thinking, ‘What would have been the case if GDPR had already been in force?’ And I looked at the annual turnover figure of the previous year and calculated 4% of it and it was something in the order of $170m, and that’s just the regulatory fine.
Then you’ve got all the other costs that they have already incurred: loss of share value going through an acquisition that’s cost them a large amount of money; there have been direct financial costs to the CEO and other senior members of the business who have effectively not been paid and in some cases had to step down; there’s the cost of notification and remediation; and there’s the cost of investigation.
So, when you’re starting to factor in that 4% fine along with everything else, the costs are no longer negligible. So, that to my mind is why GDPR is a significant step forwards. People have to take notice now.
Q. Is there anything else you would like to see?
The thing with regulation – particularly regulation in the cyber area or even in the IT area in general – is that the authors have to work in relatively broad brush strokes because they are dealing with a lot of different industries, in a lot of different areas and technology itself is moving on.
And the way that people do business is moving on continually and always accelerating. So you can’t be prescriptive, you can’t say ‘you must use this technology in this way at this time and you can tick all the boxes and be compliant’ – you’ve got to be more about processes and you’ve got to be more general.
So I certainly wouldn’t say it would be great if it was more specific, because it wouldn’t – it would actually be less helpful. But where it would be great to see some clarity in GDPR, and this may just be my reading of it because I’m not a legal professional, it appears to me that we could do with more clarity around what actually constitutes a breach, and under what circumstances is a breach a breach.
And are there circumstances under which it’s not? So, if you look at breach disclosure notification in the US for example, although it varies state by state, if the data stolen was encrypted and the encryption key was not stolen, it doesn’t count as a breach, as the data was not stolen, so you don’t have to notify. If you can’t read it, it’s not a breach.
Is that the case within the EU? Who knows? Does a ransomware attack count as a breach? Obviously, criminals had access to your environment, they had access to your data, they were able to encrypt your data and demand a ransom, but do you have to notify? If you can demonstrate that it wasn’t stolen, what are the obligations around those kinds of circumstances? That would be hugely helpful to know, because one of the things that really drives awareness of risk is notification.
I think people in EU countries tend to look at cyber attacks and say it’s a US problem; those guys are disproportionately targeted and getting a lot of stuff stolen and they’re really bad at security. But that’s because they have to notify, so we hear about it, and in Europe people brush it under the carpet and pretend it didn’t happen.
One of the great things about GDPR is that, although it’s an EU regulation, it’s global in scope and scale, which is fantastic. Anyone who is selling their services to EU citizens – including the good old UK when they finally complete their madness of withdrawal – they are still going to have to comply.
It almost made me laugh when I heard Theresa May’s government say they had decided to adopt that regulation and it would become part of UK law – you’re going to be subject to it anyway if you are digitally selling services to people in the EU, you don’t have a choice about whether you adopt it or not – same in the US, same in China, same in Russia; doesn’t make any difference, and that’s a massive thing. That’s a first and it’s a really good first.
Q. What really keeps you awake at night?
Certainly the Internet of Things (IoT) stuff is big. It’s still slow but we’re certainly seeing focus from criminal innovators on IoT-type platforms. So, not looking at the WinTel platform but looking at Advanced RISC Machine (ARM) processors, and looking at the Linux platform – that’s clearly a shift towards IoT-type devices because that’s the platform that many of them use – some kind of Linux derivative operating system and a different chip set on board.
We’re slowly seeing the amount of malware focusing on that particular combination increasing, just like we saw ransomware slowly increasing and then it exploded. Now is our chance to get ahead of the game.
Q. There are a couple of notable offices in Dublin that have IoT connected offices, such as Accenture’s new Innovation Hub and Microsoft’s new campus. There will be a lot of that within the building so will this be happening more?
Yes, and there are a couple of really interesting proof of concept (POC) type attacks out there. Obviously, because it’s POC stuff, it tends to be more visually amusing – people may look at it and think it’s just a stunt.
But it’s not just a stunt; it is proving a concept, that’s the point of it. I saw a fantastic video online of a drone flyby which had some weaponised code on it. That was a wormable piece of malware that would compromise wireless light bulbs.
So just by flying past the building that had the wireless light bulbs, it would compromise one of them and, because it was worm functionality malware, it would spread between the light bulbs over the mesh network and the outcome was that all the lights in the building were flashing SOS.
It just shows that there are routes in. And while things like light bulbs may be on their own mesh network, that mesh network is still connected to the rest of your corporate estate.
If you can’t secure them directly, how are you going to monitor those other areas of your network for malicious activity and what other kind of new avenues for data loss and data leakage do they represent, which are currently off radar for you?
Q. Potentially, if you have a light bulb connected to a network that your servers are connected to, are there real ramifications for data?
Even if it just represents your initial beachhead within a corporate environment and you’re able to develop some wormable code which can then go and explore, if there is an open connection between A and B, then, you just have to work out how to make it work in your favour as an attacker.
So IoT is one thing. The other thing, which was part of our prediction document for 2017, is something that we call business process compromise. Business email compromise is already a big thing. According to the FBI it cost businesses $3.1bn between 2013 and 2015.
They haven’t released any 2016 figures yet but I am sure it will be larger. It basically involves invoice fraud, CEO fraud, compromising an email account that belongs to a senior executive within a business and using that to socially engineer someone in the finance department to pay a made up invoice to a criminal account number using a lot of social engineering pressure. We’ve seen a company in Germany that lost €40m in one transaction through business email compromise.
A US company lost $480,000 because somebody who worked in finance had received an email from the inbox of their real CEO: “I’m giving you the responsibility for this particular file. It’s part of a mergers and acquisitions activity, so you can’t speak to anyone else about it. It’s all privileged communication. Just letting you know you’re probably going to hear from Kevin Shapiro from KPMG. He’ll probably contact you.”
That’s all, the first email had no requests for payment, just scene setting and this is all social engineering. Then the victim gets a phone call from ‘Kevin Shapiro’, who is obviously a criminal. “Hey, yeah it’s Kevin Shapiro, KPMG, I’m in charge of the due diligence for the acquisition activity. I’m going to send you an email with instructions of how to make the payment.” Put the phone down, followed up with an email, external now, from fake KPMG guy: “There’s $480,000 that needs to be paid for due diligence for the acquisition. Here’s the bank details, here’s the wiring instructions.”
And of course it was sent. Then another email acknowledging receipt a couple of days later and requesting a further $18m for due diligence fees which, when you’re talking about M&A activity, isn’t a substantial sum. Luckily, that was enough to raise the victim’s suspicions and he started to question it internally and the transfer wasn’t made, but notwithstanding they lost half a million. And so globally a figure of $3.1bn over two years is potentially even a conservative estimate.
Where we’re expecting to see that grow over 2017 is more into business process compromise, rather than simply business email compromise. Business email compromise, of course, will carry on as it’s lucrative.
But we’ll talk about criminals actually inserting themselves into business processes and making digital changes within a business to be able to extract money without direct human interaction, for example. So, potentially being able to change account details within a process and then remove themselves from the environment and just watch the money roll in.
Q. So, the less human interaction, the less chance there is that someone is going to notice something is wrong presumably?
If you manage to change the account number of two suppliers to a business, and you get all of their money for a month, no one is going to raise any questions probably until a month has gone by and the supplier starts looking for their money.
Q. What should people be doing?
In the business email compromise and business process compromise-type scenarios, it’s all about process. Obviously, you’ve got to make sure that you have effective security in place and multi-layered security looking at different functions (blacklisting and whitelisting functions), you’ve got behaviour analysis, intrusion prevention, host-level firewalling, machine learning – fantastic technologies need to be there, but at the end of the day these kinds of attacks are going after humans and human weaknesses and emotional pressure.
So, you’ve got to make sure that your workforce is educated; that they are aware that these threats exist and that people will be attempting to use them. More importantly, you’ve got to make sure that your workforce is empowered, that everyone feels that they have the ability and the right to question an instruction even from someone at CEO level, CFO level, MD, board, whatever.
If they feel that it is going outside established processes, they have got to know that it is alright to demand that the person demonstrates that they are who they say they are, even if they are the CEO.
In fact, it is to be rewarded, rather than sanctioned. It’s really important to create that culture to empower employees to be able to question when they feel uncomfortable. Aside from that, it’s the process stuff – making sure that you have got secondary sign-off, making sure that any change requests for important details go through a particular process that takes a set period of time, and making sure that any outgoing payments get that secondary sign-off.
Also, that there is not just one person responsible for making those kinds of sensitive financial transactions – it’s about the right tools from a security perspective, the right education from an employee perspective and the right processes from a business perspective.
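The process controls Ferguson lists above (a change request for payment details that takes a set period of time, secondary sign-off, and no single person able to release a sensitive payment), together with the supplier account-number switch he describes earlier under business process compromise and the fake “due diligence” payee from the business email compromise story, modelled as a payment-release check. This is an added example for this page, not Trend Micro code and not something Ferguson described in code; the three-day cooling-off window, the dual sign-off threshold, the role names and the supplier and payment records are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Control parameters. These values are assumptions for the example, not figures
# from the interview: a real finance function sets them to its own risk appetite.
COOLING_OFF = timedelta(days=3)   # new or changed bank details are not payable until this has elapsed
DUAL_SIGN_OFF_ABOVE = 10_000.0    # payments above this amount need two distinct approvers


@dataclass
class Supplier:
    name: str
    account: str
    # When the current account details were set (creating a new payee counts as a
    # change) and which user set them. A change is only trusted once the cooling-off
    # period has passed AND it was confirmed by calling a phone number that was on
    # file *before* the change, not one supplied in the change request itself.
    account_set_at: datetime
    account_set_by: str
    verified_out_of_band: bool = False


@dataclass
class Payment:
    supplier: str
    amount: float
    requested_by: str
    approvals: list = field(default_factory=list)


def release_decision(payment: Payment, supplier: Supplier, now: datetime):
    """Return (release, reasons). Each failed control appends a reason and the
    payment is released only when no control failed."""
    reasons = []

    # Control 1: bank-detail changes go through a process that takes time and an
    # independent check, so an attacker who swaps an account number cannot be paid
    # on the next run. Both halves must hold; a quick callback alone is not enough.
    if not supplier.verified_out_of_band:
        reasons.append("bank details not verified by callback to previously known number")
    if now - supplier.account_set_at < COOLING_OFF:
        reasons.append("bank details changed within cooling-off period")

    # Control 2: separation of duties. The requester cannot approve their own
    # payment, and whoever set the beneficiary details cannot approve a payment to
    # them. One stolen set of credentials should not be able to do both jobs.
    approvers = set(payment.approvals)
    if payment.requested_by in approvers:
        reasons.append("requester approved own payment")
    if supplier.account_set_by in approvers:
        reasons.append("approver also set the beneficiary bank details")

    # Control 3: secondary sign-off on anything above the threshold.
    needed = 2 if payment.amount > DUAL_SIGN_OFF_ABOVE else 1
    if len(approvers) < needed:
        reasons.append(f"{len(approvers)} approval(s), {needed} required")

    return (not reasons, reasons)


def run_scenario(now: datetime = datetime(2017, 6, 1, 9, 0)):
    """Constructed sample data reproducing the two attack patterns from the interview."""
    suppliers = {
        # Long-standing supplier: details verified years ago, well outside cooling-off.
        "Acme Components": Supplier("Acme Components", "GB11AAAA00000001",
                                    datetime(2015, 1, 10), "erin", verified_out_of_band=True),
        # Business process compromise: someone using bob's credentials changed two
        # suppliers' account numbers overnight and is now pushing payments through.
        "Widget Ltd": Supplier("Widget Ltd", "LV80BANK0000000002", now - timedelta(hours=12), "bob"),
        "Gears Inc": Supplier("Gears Inc", "LV80BANK0000000003", now - timedelta(hours=12), "bob"),
        # Business email compromise: a "due diligence" payee created yesterday by the
        # finance clerk on an instruction from the CEO's mailbox.
        "KPMG Due Diligence": Supplier("KPMG Due Diligence", "US00FAKE0000000004",
                                       now - timedelta(days=1), "carol"),
    }
    payments = [
        Payment("Acme Components", 25_000.0, "carol", ["alice", "dave"]),
        Payment("Widget Ltd", 60_000.0, "bob", ["bob", "dave"]),
        Payment("Gears Inc", 8_000.0, "bob", ["dave"]),
        Payment("KPMG Due Diligence", 480_000.0, "carol", ["carol"]),
    ]
    return {p.supplier: release_decision(p, suppliers[p.supplier], now) for p in payments}


if __name__ == "__main__":
    for name, (released, reasons) in run_scenario().items():
        print(f"{name:20} {'RELEASED' if released else 'HELD':8} {'; '.join(reasons)}")
```

Only the long-standing supplier is paid; the three payments to recently created or changed beneficiaries are held regardless of who approved them. The point of treating the person who changed the details as ineligible to approve is the compromised-account case: the attacker is not a stranger but a legitimate login, so the control has to assume that one identity may be doing both halves of the fraud.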
Q. What industries are doing the best and worst in terms of security?
I don’t even know if you can break it down. Different business verticals are challenged in different ways. If we look at the healthcare vertical, they often operate on limited budgets, particularly in public healthcare systems. So, they find themselves squarely as the targets of ransomware attacks right now, and data theft attacks against medical institutions are massively growing.
If you’re in manufacturing, you’re probably more at risk of those kinds of business email-type attacks if you have a large supplier base and you pay large amounts of money.
You’re the type of person that these types of criminals will go after, because that kind of extraction of large amounts of money fits right into your regular business processes, it’s not going to stand out. Whereas if you ask a hospital to transfer €10m, someone is going to say, “We don’t have €10m!”
Different verticals have different challenges – banks, financial institutions, retail. Retail has the point of sale compromises that you need to focus on. We’re seeing compromises across the board in all of those verticals.
In some of those areas we see some great information sharing, financial services being a fantastic example. They have a long history of exchanging indicators of compromise, threat intelligence and information between banks and financial institutions.
Wouldn’t it be great if representatives from different verticals were able to aggregate data within their industry and come to an industrial sharing group or body, whether formal or informal, because they all had valuable lessons to learn in their own areas, which each of them, and the security industry too, could benefit from sharing?
The more we share, the more secure we are in terms of information about compromise and tools and techniques of attack.
Q. Do you think there is a country that is more on top of this?
There is certainly more awareness with more developed economies. That’s the only thing that you can say. I think where it’s more interesting to look is where there is more awareness of the criminal potential. The more developed the economy, the more developed the risk management ecosystem. It’s interesting to look at where the expertise is in terms of crime.
The business email compromise stuff is largely driven out of west Africa. Similar criminal groups who were behind the 419 scams, the Nigerian emails. That’s why they are very good at the social engineering aspect of it because they are used to dealing with humans and emotions, and not particularly with malware tools and techniques.
A lot of the compromising targeted attack-type stuff is driven out of the Ukraine and there is a large pool of very talented people with very limited prospects in terms of earning a good living in legitimate business. The temptation to do it through crime is that much greater.
Mobile malware is largely driven out of China for a few reasons: it’s a hugely mobile-focused economy in terms of devices and Google Play store is not accessible in China, so everyone relies on third party app stores, which are breeding grounds for mobile malware.
Brazil was traditionally the spiritual home of old school banking malware, so we still see a lot of that coming out of Brazil. That’s a really interesting area to focus on. How can we help the CIS, Russia and all the former Soviet states to make better use of their computer science graduates and skilled coders to build their own digital future and take away the temptation to go into cybercrime?
My work with Europol is focused on going after the people who commit crimes to make sure we actually get arrests out of it, rather than just taking away infrastructure. But to nip that in the bud, to go right down to root level, we’ve got to look more at why people get into crime in the first place and what can we do to make that less attractive.
Taking away the finance is certainly one great way of making it less attractive – but, we need to increase opportunities to have a legitimate career outside of cybercrime. If there is a skill shortage – which I dispute – but if there is, maybe we need to broaden our horizons in terms of who we are looking at. We should spend more time making that career more accessible.
Rik Ferguson is the rock star of the cyber security world. An industry thought leader and frequent speaker at events – he gave fascinating talks at both Dublin Tech Summit and Zero Day Con in Dublin recently – he is actively engaged in research into online threats and the underground economy.
He also researches the wider implications of new developments in the information technology arena and their impact on security, both for consumers and the enterprise. I caught up with him to discuss the latest in regulatory efforts and where businesses need to be focusing their efforts to combat cyber criminals.