When data breaches and cyber attacks hit the news, the focus is usually on who is behind them, but it is often basic security mistakes made within organisations that allow them to happen.
Errors and oversights in security are a bigger threat than what the bad guys are doing, in the view of Verizon’s head of global security services, Bryan Sartin, who was up for a chat during a recent visit to the Canberra-based security operations centre the firm opened in 2017.
“See, that’s the scary thing, man,” said Sartin; the major “causal factors” haven’t changed in years but the company still sees them with “tremendous frequency” among its clients.
Breach investigations often uncover major blind spots. “It’s always like, ‘Look, if all this data was stolen from your networks, show me the handful of systems that had to get hacked into in the process,’ and they inevitably say, ‘It’s these two systems; they’re locked out; it’s encrypted,’ and they show us the flow diagrams.
“It’s never just those two. It’s 42 or 52.”
A lot of breaches go back to basic errors—the kind that have been regularly uncovered by state and federal auditors-general—where someone simply forgot to change a default password, or didn’t realise a particular box was connected to the internet when it wasn’t supposed to be.
In one investigation, Verizon found crooks in Kazakhstan selling remote desktop sessions into a client’s system and charging by the hour, due to a fairly simple mistake on the part of the victim rather than any particularly sophisticated work by the perpetrators.
He told The Mandarin large government agencies and enterprises with multiple locations often lacked “basic controls on the [wide area network] to isolate problems that happen in one location and make an island out of it”.
“I mean that that was smart security in 1999, but it’s still more often than not the problem. The other one is four out of five intrusions involve the exploitation of stolen, weak default, or easily guessable credentials.”
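The two basic failures Sartin describes, unchanged default accounts and credential guessing, both leave a recognisable trace in authentication logs. The script below is an added illustration written for this article, not code from Verizon or from the interviewee: it parses constructed SSH-style log lines and raises three kinds of alert, a successful login to an account on an assumed list of vendor default names, a success that follows a burst of failures from the same source and account, and a source that fails against many distinct accounts (password spraying). The log lines, account list and thresholds are all assumptions chosen for the demonstration.

```python
"""Flag credential-abuse patterns in SSH-style authentication logs.

Added example for this article, not code from Verizon or The Mandarin.
The log lines are constructed; the timestamp format, the default-account
list and the thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source guesses its way into 'admin', another
# sprays one password across many accounts, and a normal user logs in
# with a key after a single typo.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[1]: Failed password for admin from 203.0.113.5 port 40001 ssh2
2024-03-01T09:00:03 sshd[1]: Failed password for admin from 203.0.113.5 port 40002 ssh2
2024-03-01T09:00:05 sshd[1]: Failed password for admin from 203.0.113.5 port 40003 ssh2
2024-03-01T09:00:07 sshd[1]: Failed password for admin from 203.0.113.5 port 40004 ssh2
2024-03-01T09:00:09 sshd[1]: Failed password for admin from 203.0.113.5 port 40005 ssh2
2024-03-01T09:00:11 sshd[1]: Accepted password for admin from 203.0.113.5 port 40006 ssh2
2024-03-01T09:10:00 sshd[1]: Failed password for alice from 198.51.100.9 port 5001 ssh2
2024-03-01T09:10:01 sshd[1]: Failed password for bob from 198.51.100.9 port 5002 ssh2
2024-03-01T09:10:02 sshd[1]: Failed password for carol from 198.51.100.9 port 5003 ssh2
2024-03-01T09:10:03 sshd[1]: Failed password for dave from 198.51.100.9 port 5004 ssh2
2024-03-01T09:10:04 sshd[1]: Failed password for erin from 198.51.100.9 port 5005 ssh2
2024-03-01T09:10:05 sshd[1]: Failed password for frank from 198.51.100.9 port 5006 ssh2
2024-03-01T09:30:00 sshd[1]: Failed password for alice from 192.0.2.20 port 6001 ssh2
2024-03-01T09:30:20 sshd[1]: Accepted publickey for alice from 192.0.2.20 port 6002 ssh2
"""

# Matches the constructed line format above (OpenSSH-like message text).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Assumed list of vendor/default account names that deserve scrutiny.
DEFAULT_ACCOUNTS = {"admin", "root", "administrator", "guest", "support"}

FAIL_THRESHOLD = 4            # failures before a success count as guessing
WINDOW = timedelta(minutes=5)  # how far back those failures are counted
SPRAY_MIN_USERS = 5            # distinct accounts failed from one source


def parse(log_text):
    """Turn raw log text into a list of event dicts (unparseable lines skipped)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "ok": m["result"] == "Accepted",
                "user": m["user"], "src": m["src"], "method": m["method"],
            })
    return events


def find_alerts(events):
    """Return (alert_type, source, detail) tuples in the order they fire."""
    alerts = []
    fails = defaultdict(list)        # (src, user) -> timestamps of failures
    users_failed = defaultdict(set)  # src -> set of accounts that failed
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["src"], e["user"])
        if not e["ok"]:
            fails[key].append(e["ts"])
            users_failed[e["src"]].add(e["user"])
            continue
        # A success: check the account name, then the failure history.
        if e["user"] in DEFAULT_ACCOUNTS:
            alerts.append(("default_account_login", e["src"], e["user"]))
        recent = [t for t in fails[key] if e["ts"] - t <= WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(("success_after_guessing", e["src"], e["user"]))
        fails[key].clear()
    # Spraying is judged over the whole input, after the event loop.
    for src, users in users_failed.items():
        if len(users) >= SPRAY_MIN_USERS:
            alerts.append(("password_spray", src, f"{len(users)} accounts"))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_LOG)):
        print(*alert)
```

Run against the sample, the single legitimate key-based login by alice produces nothing, while the admin session fires both the default-account and success-after-guessing alerts and the spraying source is reported once. In a real deployment the default-account list would come from the asset inventory, and the spray check would run over a sliding window rather than the whole file.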
One good way to improve general cyber hygiene, in Sartin’s view, is by “weaponising the employee as a first line of defence” using behavioural nudges. A simple technique that seems to work well in lots of situations is to show people how they compare to their peers.
“So you take divisions of the company and break it down by senior managers, and you publish the results and say: ‘This manager’s team is far worse than all the other ones. This one is in the lead. These guys are at fifty percent and these guys are at the bottom.’
“And then suddenly, this is a management-level issue—I’m starting to see that stuff play well.”
Sartin also runs “executive brief simulations” with leadership teams, walking them through a scenario that starts out simple but gets progressively more dire.
“And then you talk about how the different towers of the operation are going to respond and how they marshal their teams to do the right thing. And you look at the cohesion factor in how they come together. And a lot of times now, when we run those exercises, especially for government agencies, they’ll actually have us coordinate one of those [simulated] spear phishing campaigns against one of the participants in the room, and that always makes it interesting.”
An experimental trial in Britain also validated the power of being caught out by a fake phishing email to make cyber security awareness training sink in.
“The best that I’ve seen is that kind of peer pressure issue—you know, making it a management thing,” said Sartin. “Unless you’re doing that, I just don’t think it sticks.”
In his experience it’s usually a minority who fall victim to this sort of thing, but those who do are likely to be tricked over and over.
“There’s a lot of interesting change around security today on identifying higher risk populations of users; how to do that and how to better scrutinise those end users, so you can work quickly to detect when something they do creates a problem—whether they did it on purpose or not.”
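Sartin’s two suggestions, the manager-by-manager league table that makes phishing results “a management thing” and the identification of the small population of users who are tricked over and over, can both be produced from the same phishing-simulation export. The script below is an added illustration written for this article, not code from Verizon or The Mandarin: it reads a constructed CSV of per-employee campaign results, computes click and report rates per manager for the peer-comparison table, and lists employees who clicked in more than one campaign as the higher-risk population to scrutinise more closely. The CSV layout, names and the repeat threshold are assumptions.

```python
"""Peer-comparison table and higher-risk user list from phishing-simulation results.

Added example for this article, not code from Verizon, NTT Security or
The Mandarin. The CSV rows, team names and the repeat-click threshold are
constructed assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed export: one row per (campaign, employee). clicked=1 means the
# employee followed the simulated phishing link; reported=1 means they
# reported the email to security.
SAMPLE_CSV = """\
campaign,employee,manager,clicked,reported
2024-Q1,alice,Manager A,0,1
2024-Q1,bob,Manager A,1,0
2024-Q1,carol,Manager B,1,0
2024-Q1,dave,Manager B,1,0
2024-Q1,erin,Manager C,0,0
2024-Q2,alice,Manager A,0,1
2024-Q2,bob,Manager A,1,0
2024-Q2,carol,Manager B,0,1
2024-Q2,dave,Manager B,1,0
2024-Q2,erin,Manager C,0,1
2024-Q3,alice,Manager A,0,1
2024-Q3,bob,Manager A,1,0
2024-Q3,carol,Manager B,0,0
2024-Q3,dave,Manager B,1,0
2024-Q3,erin,Manager C,0,1
"""

REPEAT_THRESHOLD = 2  # assumed: clicking in this many campaigns marks higher risk


def load_rows(text):
    """Parse the CSV export, converting the flag columns to integers."""
    return [
        {**r, "clicked": int(r["clicked"]), "reported": int(r["reported"])}
        for r in csv.DictReader(io.StringIO(text))
    ]


def team_league_table(rows):
    """(manager, click %, report %) per team, worst click rate first."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in rows:
        t = totals[r["manager"]]
        t["sent"] += 1
        t["clicked"] += r["clicked"]
        t["reported"] += r["reported"]
    table = [
        (m, round(100 * t["clicked"] / t["sent"]), round(100 * t["reported"] / t["sent"]))
        for m, t in totals.items()
    ]
    # Highest click rate at the top; ties broken by name for stable output.
    return sorted(table, key=lambda x: (-x[1], x[0]))


def repeat_clickers(rows, threshold=REPEAT_THRESHOLD):
    """Employees who clicked in at least `threshold` distinct campaigns."""
    campaigns = defaultdict(set)
    for r in rows:
        if r["clicked"]:
            campaigns[r["employee"]].add(r["campaign"])
    return sorted(e for e, c in campaigns.items() if len(c) >= threshold)


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("team        click%  report%")
    for manager, click, report in team_league_table(rows):
        print(f"{manager:10} {click:5}% {report:6}%")
    print("higher-risk population (repeat clickers):", repeat_clickers(rows))
```

The report rate is tracked alongside the click rate because a team that clicks rarely but never reports is still a weak spot; the one-off clicker carol drops out of the higher-risk list while bob and dave, who clicked in every campaign, stay on it.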
The internet of things creates new risks, while the operational technology that controls industrial machinery and some kinds of critical infrastructure is also increasingly open to cyber attacks, like the famous Stuxnet attack on centrifuges in Iranian nuclear facilities. Sartin expects to see new blind spots continually exposed.
“It’s just going to keep on happening,” he said, recalling an attack on a university where a group of students “hijacked intelligent lighting and Coke machines” to shut down a server farm.
“That kind of thing sounds crazy, but we’re seeing just tons of that stuff today, and this university was so locked down and protected and encrypted. They had security figured out, but that’s just a whole other vector and they just went, ‘Oh. We never thought of that.’”
The lesson there is that all new capabilities need to be considered as possible attack vectors.
There’s a growing realisation that critical infrastructure could be a big soft spot for information security attackers. The Commonwealth’s cyber chief Alastair MacGibbon recently warned “society’s greatest existential threat” was a major catastrophe of this kind.
“These breaches are happening, and, you know, they aren’t leading to the theft of data as much as they are manipulation, denial of service, disruption-type attacks and things like that, and they can ultimately hit the civilian population in big ways,” said Sartin.
“I could give you countless examples… and those aren’t now the kind of ‘unicorn’ strange cases that happened a couple of times a year. Now it’s getting up to about a third to a fourth of all the cases that we see in a given year.”
New SOC on the block
Executives from the cyber security arm of the multinational NTT Group and its subsidiary Dimension Data were keen to show off their new security operations centre in North Sydney last month, so The Mandarin went along.
It is part of an international network of 10 SOCs, including four in the Asia-Pacific that have all been completely rebuilt, expanded and upgraded in recent years. The larger space has increased capacity significantly and NTT Security executives expect growth will continue.
They’re all linked up in real-time through a global platform, allowing local NTT Security staff to draw on resources, skills and threat intelligence from around the world in providing managed security services tailored to the needs of their local clients.
Demand is growing partly because “the degree of sophistication to run these things” has increased, explained Dimension Data’s Australian cyber security director John Karabin.
“Only a few of our customers in Australia could afford to run their own SOCs,” he said. “It’s expensive, it’s technically difficult, you need a lot of skilled people and it’s hard to retain them… so they’re looking at partnering with us.”
According to NTT Security’s global chief information officer and Asia-Pacific CEO Martin Schlatter, “The role of the SOC has evolved from a stand-alone security monitoring and alerting environment to one that is much more proactive in hunting for threats and more integrated with each client’s environment—not just the technology—but also at an operational and business level.”
Karabin says the managed security service now often involves risk-management consulting and putting threat intelligence into the specific context of each client’s needs. “We don’t just leave the service at the door, and kind of wave at them occasionally… we make sure that we’re absolutely involved in the organisation.”
This means “integrating the security service into the client’s wider plans, like continuing the shift to the cloud or digital transformation” as well as being ready to respond to critical incidents.
“The language that we use is also changing to emphasise risk rather than technology,” said Karabin. “So we don’t talk about how we can control a billion firewalls or we’re the best intrusion detection company; we talk to our clients now about how to bring down the risk.
“And that’s why we need to engage; we’re investing a lot in consultancy capabilities so when we help clients deploy services across cloud platforms, for example, we want to help them make sure they do it with security in mind. We talk about ‘secure by design now’—we don’t just offer the bells and whistles, we’re trying to incorporate the whole concept of security.”
NTT Security deals with about 150 million attacks each year and produces one of the leading annual threat intelligence reports. It has access to a large quantity of raw unstructured data through reciprocal partnerships, its own network of malware honeypots called Samurai and what Karabin calls its many “eyes and ears” in the pipes of the internet.
Data is analysed to produce information, which becomes intelligence when applied to a specific context for individual clients.
Still, even with all this technology, Karabin told us one of the best weapons against cyber threats for large organisations was simply security awareness at all levels.
He said agency heads should be taking charge of information security and asking the key questions like: “What are the crown jewels? Are we monitoring them? What is the right posture? Is everyone from the front desk to the back end aware?”
“It’s got to be that holistic approach. I think the problem in our industry is you only need one of those things to go wrong; whether [a breach] is accidental or intentful, it’s still the same.
“So it is beholden of the executive level—and I think that’s been pointed out a few times by different experts and groups—the executives really need to grasp hold of this, which we’re seeing increasingly.”