With large-scale global cyber-attacks like WannaCry, Nyetya and Bad Rabbit hitting the headlines in 2017, cyber-security has been catapulted into the boardroom of organisations here in Ireland. On 1st November, Dublin Information Sec 2017 delved into the world of IT security with an impressive and varied line-up of expert speakers.
Tánaiste and Minister for Business, Enterprise and Jobs Frances Fitzgerald set the scene in her opening remarks when she said that “cybercrime and security is one of the biggest challenges of the digital age”. And certainly, that insight was reinforced as the packed programme of speakers took to the stage throughout the day. But the Tánaiste was quick to point out that while cyber-security is a challenge and will continue to be, there are also opportunities there, particularly for Ireland. “As home to the top 5 global cyber-security firms, there is an opportunity to create a self-sustaining cyber-security ecosystem here, one where indigenous small and medium enterprises and multinationals could work together.”
Entering the world of the cyber criminal
Another recurring theme running through the presentations was how persistent and sophisticated cyber criminals have become; and it’s little wonder: by 2020, cybercrime will be a $2 trillion business, according to Paul Hogan of Ward Solutions. Paul argued that new approaches are needed to tackle the exponential rise in the volume of attacks, and sees AI and machine learning as promising technologies to assist in addressing the threat. He referenced the use of IBM Watson in support of security analytics, including this story of how it successfully diagnosed a patient in 10 minutes. Paul also stressed that people remain essential to the cyber-security response: it is still humans who make the decisions, informed by the probability scores that the AI produces.
We heard from Mark G and Joseph Carson, two ethical hackers, who detailed the methods hackers use to access networks and data. Social engineering has quickly become one of the easiest ‘attack vectors’, taking far less effort than ‘classical’ hacking. Hackers typically spend 90% of their time on recon, or digital footprinting, where they scour the internet, social media and elsewhere for details of individuals’ lives that they can then use to impersonate them and access sensitive data. Here’s the unsettling Mike G YouTube video on hacking a physical safe:
Paul Rascagneres of Cisco’s Talos Threat Intelligence Unit also gave an illuminating presentation on the origins of the recent Nyetya and Bad Rabbit ransomware attacks. The geeky amongst us, myself included, were fascinated by how malicious actors use legitimate locations as vehicles to deliver their malware – a backdoor in popular tax software, or popular “watering hole” sites serving malicious Flash Player upgrade pop-ups. It gave us a great sense of the skills, creativity and ingenuity required on the front lines to detect, mitigate and respond to these nefarious activities.
Paul’s advice was to focus on patch management, and also to look not just at back-up but at restores – how long does it take to get your organisation back to an integral condition? Finally, he noted how important incident response readiness is, which was a theme across the day.
Educate users in clear, simple terms
We also heard that education can go a long way towards mitigating the risk of employees falling victim to spoof calls, texts or emails. Dr Jessica Barker spoke about the human side of cyber-security, and how security professionals need to re-assess the way in which they talk to users. “People are suffering from cyber-security fatigue. Be aware of that when teaching them.” She recommended that as people learn in different ways, it was important to incorporate doing, seeing, listening and speaking activities as part of cyber-awareness training.
Several speakers throughout the day reaffirmed Dr Barker’s message of education. We heard from expert panellists that a third of cyber-security attacks are staff-related, a statistic that reinforces the need for education, particularly in the three Ps: patching, passwords and permissions. John Cassidy of Ground Labs spoke about how a robust permissions and password policy goes a long way towards mitigating data breaches.
Taking an architectural approach to IT security
eir Business CITO Paolo Perfetti carried on the discussion about getting the basics right. Patching, AV, email protection, perimeter protection and web filtering all need to be continuously maintained and updated, and he also stressed the importance of people – “the best IPS is our excellent staff,” he noted.
Paolo was also quick to point out that it’s not just all about investing in security; it’s about working with security in mind all the time, for example when designing new services as well. That architectural approach was echoed by all speakers on the day, along with the importance of board buy-in.
This management buy-in was highlighted perfectly by the HSE CIO Richard Corbridge, who took us through the organisation’s reaction to the WannaCry ransomware attack. Through effective communication, a set chain of command, and rapid-fire reactions, the organisation was able to foil over 10,000 attempts by the malware to breach its defences. We will be featuring a breakdown of the HSE’s story in an upcoming blog post over the next few weeks.
GDPR, Brexit and IT security
No cyber-security event would be complete without a mention of the impending GDPR legislation. Brian Honan and Daragh O’Brien had the task of explaining the challenges that lie ahead for Irish firms in the face of GDPR, and also the impact Brexit could have on data security practices. If nothing else, these presentations served as a reminder to Irish firms of the importance of shoring up their data security strategy and documenting it every step of the way.
Brian Honan mentioned the uncertainty as to whether the UK would be considered an adequate third country in terms of data privacy post-Brexit, and the potential impact this would have on where Irish companies could keep their data – for example UK-based data centres. He also referred to the present IT industry climate as resembling that of 1999 in advance of Y2K – a lot of so-called ‘experts’ and a lot of panic.
Daragh dispelled myths and slayed some monsters associated with GDPR, and also shared an excellent “GDPR summary on one page” which covered all the top-level GDPR considerations in an easily digestible manner.
The importance of information sharing to combat cyber crime
The keynote speaker at the event was Jeannette Manfra, US Assistant Secretary for Cybersecurity at the Department of Homeland Security. In a comprehensive presentation, Jeannette highlighted how information sharing will be critical to the future of cyber-security. While the US has come a long way in its efforts to share information between government and industry, there is still more to do, particularly on an international scale. Jeannette attested that only through collaboration and a joined-up approach will governments and organisations take control of cyberspace and make it more secure for everyone. She stated that, unlike other spaces of conflict, industry and the private sector share the cyber-security front line with government.