Ireland’s cyber security conference Dublin Info Sec 2016 took place this week. Expert speakers took to the stage and outlined the ever-more sophisticated cyber security challenges businesses and organisations are facing. In the first of two blogs, Andy O’Kelly, Chief Architect at eir Business, gives a rundown of the main talking points from the morning session.
The day opened with An Tánaiste Frances Fitzgerald, who, in her capacity as Minister for Justice, summarised the key on-going activities that improve Ireland’s cyber security: the National Cyber Security Centre; EU legislative evolution in terms of the GDPR and Critical Infrastructure; a Bill creating new statutory offences in Ireland; and the modernisation programme within An Garda Síochána, which includes a dedicated Cybercrime Bureau. The Minister mentioned on a number of occasions the difficulties in hiring suitably skilled experts, and this gap became a common theme across many of the speakers throughout the day.
Learning from Estonia
Joseph Carson presented what happens when geo-political tensions move into the cyber domain, as they did in Estonia in 2007. Estonia is a highly digital society, pioneering in areas such as using blockchain to offer transparency and immutability around use of citizen data. This ‘e-society’ dependency, combined with the experience of being targeted with attacks that defaced digital properties and crippled services with DDoS, makes Estonia’s learning and recommendations highly pertinent. Carson outlined how NATO initiated a Cyber Defence Centre of Excellence, but also how Estonia is considering the concept of Virtual Data Embassies – having persistent copies of their state information in other jurisdictions, protected by the sovereignty afforded by physical embassies – a number of racks of data equipment potentially preserving national cyber assets should the physical state become entirely isolated or worse.
Cybercrime largely going unreported
The subsequent discussion highlighted the lack of awareness, understanding and democratic discourse in general around the topic of cyber security. Brian Honan pointed to the zero level of cybercrime being reported by the Garda Bureau as a stark representation of poor awareness and under-investment. Cyber Psychologist Dr Mary Aiken pointed out that most juveniles are unaware of the line at which cyber behaviour becomes criminal, and talents and curiosity that could be nurtured to improve our national capacity of cyber defensive skills can easily slip towards delinquency unnoticed. Dr Aiken suggested the concept of a ‘cyber reserve’, drawing on the skills of private industry based in Ireland to form what sounded like an anti-hacker FCA.
Dr Pavel Gladyshev of Digital Forensics Lab questioned why services that are crucial to society are apparently so vulnerable to attack, and looked for vendors involved in the cyber infrastructure to be more responsible and focussed on security, but questioned whether society is prepared to accept the potential consequential costs associated with more robust protections.
Following a presentation by Terry Greer-King highlighting what Cisco has done as an organisation to move their speed of detection of a security breach down to 13 hours as compared to their industry average of 100 days, the focus was once again on user awareness at the panel discussion. Detective Michael Gubbins of the Garda Cybercrime Bureau noted that such crime is under-reported, and that following on from DDoS last year and on-going CEO email fraud, 2016 has been ‘the year of ransomware’.
2016 is the year of ransomware
Conor Flynn described ransomware as ‘a plague on society of devastating effect’, and said that having an incident response plan for recovery is crucial, as is having the right technology that is kept updated, and educating users to ensure they are aware of what they are doing. Anthony O’Mara of Malwarebytes concurred, noting that if a user wants to be stupid, they can be, and no amount of technology will help.
The democratised nature of ransomware software makes every company a target for random attacks, and for every company their data is critical. Greer-King noted that there was no getting away from the need to have intelligent and motivated people who can interpret and then add contextual awareness to security monitoring information and events, and that this is best augmented by a global perspective, as provided by Talos, which looks at 19.7 billion threats per day.
What does the future hold?
For many attendees the most engaging presentation of the day came from Rik Ferguson of Trend Micro. Rik presented an eye-popping array of technologies that we are likely to enjoy by 2020, while presenting the security implications – for instance suggesting ransomware that will post video from your hacked smart home camera unless paid.
Rik pointed to the joints between cloud services – including emerging APIs – as the weak areas where bad actors will focus their attacks, and stressed the need to build security into the new IoT world at the outset, given it may be impossible or too difficult to do later. Rik also urged attention to how data traffic moves within organisations ‘east west’ instead of the over-emphasis on how data enters the organisation ‘north south’, recommending that security is built from the centre – your key data – outwards, rather than just perimeter (firewall) inwards.
For example, he noted that 90% of malware only impacts on one machine, so the deployment of multiple layers of diverse malware detectors from different vendors is a questionable investment priority, compared to improved global interpretation of events and response. His final recommendation was that cyber security as a domain needed to move outside of the current IT organisation silo where it typically resides, to become distributed and embedded in every part of the business.