When suspected Pakistani hacker, Faisal Afzal (or Faisal 1337, as he’s known online), hacked a Kerela government website last night, he left one simple message posted there: “Security is just an illusion”.
He’s right, you know.
Case in point: the Ashley Madison hack. While similar privacy breaches happen with alarming regularity – and the Ashley Madison breach is hardly the biggest – the case highlights just how vulnerable many seemingly important systems are and the disastrous consequences when those systems are compromised.
Long story short: A group of hackers, calling themselves the Impact Team, had taken offense to Ashley Madison’s service and patronage, compromised the system and demanded the company take down the site along with one other, Establishedmen.com (a site that connects rich men with young women). When the company didn’t comply, the hackers released the stolen information, including chat data, user names and addresses.
Emboldened by their success, the hackers then conducted an interview speaking about the ease with which they had destroyed a company:
“We worked hard to make fully undetectable attack, then got in and found nothing to bypass,” said the hackers. “Nobody was watching. No security. Only thing was segmented network. You could use Pass1234 from the internet to VPN to root on all servers.”
When asked who their future targets might be, the hackers responded: “Not just sites. Any companies that make 100s of millions profiting off pain of others, secrets, and lies. Maybe corrupt politicians. If we do, it will be a long time, but it will be total.”
Though the hackers where vocal about their apparent commitment to family values, the consequences were, by all accounts, tragic, with at least two suicides and numerous blackmail attempts linked to the breach.
And it’s not just the big players. Smaller businesses fall victim with alarming regularity, such as recent casualty I Love Ugly.
But if there is a silver lining in the whole mess, it’s this: it’s got the world thinking about the real-world ramifications for all this uncontrolled information. As our dependence on ones and zeroes continues to grow in step with Moore’s Law, our risks are deepening too. Far beyond the simple privacy and reputational issues, there is huge potential for disaster.
Image: Screenshot from the hacked Kerela government website
The power grid
Cyber-insurers such as Lloyds are starting to look seriously at big-picture ‘severe-event’ scenarios as digital networks and shared platforms form connections that can be exploited by hackers to create widespread impacts. While we are familiar with business-specific attacks and their consequences, catastrophe-level attacks that affect many companies, and society at large, are being seen as an increasingly reasonable cause of concern.
A 2015 Lloyds Emerging Risk Report, titled Business Blackout: The insurance implications of a cyber-attack on the US power grid, speculates on the implications of a major cyber-attack on the US, using the US power grid as an example.
According to the paper, the scenario, while improbable, is “technologically possible,” and could cost anywhere between US$243 billion and US$1 trillion, causing the failure of health and safety systems, disruption to water supply, and chaos to transport networks as infrastructure collapses.
Roger Smith, professional indemnity manager at Allianz, says that with scenarios such as these, the risk is not so much in the impact of the attack, but in our ignorance of just what that impact might be. It’s a classic case, he says, of not knowing what you don’t know.
“The paper goes into a lot of details about the losses that aren’t usually considered cyber risks,” Smith comments on the report. “Hospitals have generators but if large scale problems happen, you won’t have fuel to run them. The same goes for traffic lights, those generators will quickly run out too, causing chaos. Even people with their own generators will run out of fuel. You’re going to have premature deaths in hospitals, physical losses to property and fires where suppression systems are no longer operational.”
Business and risk
While doomsday scenarios such as the above are perhaps as unlikely as they are dramatic, the inability to accurately gauge the nature of the threats being faced poses its own problem.
“Take the Ashley Madison case,” says Smith. “That company was planning on doing an IPO. If [the hack] had have happened after a shareholder float, those shareholders would have taken action against that company, and/or its director personally because the company was negligent, and that’s not something that’s often taken into account, because who was expecting it?”
“Similarly, one of the elements of cyber-risk that most concerns the boards of companies is reputation damage. How do you put a value on that?”
Smith points to disgraced internet hosting company Distribute.IT, which was hacked in 2011. The company, which once had a 10% share of the Australian domain names market, failed to create online backups of its core content. When the company suffered a denial of service attack, all of the data, websites and emails belonging to its 4,000 customers evaporated overnight.
But it’s not the hack that killed Distribute.IT, says Smith.
“Distribute.IT died because no one had faith in the service. Reputation is the great uninsured risk.”
How do you hack someone?
So if it’s difficult to gauge the size and extent of a specific hack, can we at least understand the mechanics of it? That too, it turns out, is problematic.
“There are a multitude of ways,” says Adrian van Hest, partner at PwC. “But how you gain access to information is really quite contingent on what that information is and who wants to get it.”
“Hackers may want to bring down a website, or get a political message across, so they’ll grab whatever information they can and splash it across the web. Organised criminals however, they don’t work that way. They’ll keep it quiet and you might not even know you’ve been hacked.”
Image: Adrian van Hest, partner at PwC
In regards to the nebulousness of the risk profile, Smith concurs.
“When we talk about the nature of attacks, the most important part to understand is the motivation. You’ve got 15 year old boys with laptops, you’ve got activists, terrorists, organised crime and foreign governments. Some are looking to disrupt or gain publicity, some are looking to harm people. Increasingly there is a commercial market on the internet, where you can, for a small cost, buy a virus or DOS attack and direct it at your victim. And there’s a market there so the sophistication of attacks is increasing.”
Smith says that while there is a perception that only big companies are being targeted by hackers, that’s simply not the case.
“Hackers are most often looking for low hanging fruit,” he says. “And anyway, if you want to get to a big company, you’re often better targeting their suppliers. Smaller companies don’t have the same systems in place that the bigger companies have, that’s your way to get in.”
Not like in the movies
In this day and age, the way computer systems are attacked is usually less dramatic, and often far simpler, than the average Hollywood blockbuster suggests.
Idealog managed to get comment from one anonymous hacker, and he put things in far less glamourous terms:
“The most common way [to compromise a system] is to use the phone,” he says. “Just call an office worker, say something like ‘I am from the IT department, we think someone is trying to hack your computer…we urgently need to know your password!’ Boom, someone will tell you their password.”
“Then, if the system has remote access, you can log in as them and have access to everything they do.”
“You then use this person’s information to sound like you know what you are talking about, and call someone else at the company with more control, and improve your story. Ask for their password, login as them and repeat. Social hacking is what it’s called. All the security companies want you to improve your system, but actually education is the best way to stop hacking.”
Research commissioned by Vodafone in 2014 revealed that 56% of New Zealand businesses are attacked at least once a year, and almost half felt that their businesses did not have adequate tools or policies in place to mitigate the threats they face.
Similarly, a recent PWC survey said that only 28% of New Zealand businesses have a mobile security strategy in place (compared with 54% of businesses globally).
But companies should be taking these incidents seriously. Though mobile has revolutionised the way business is being done that revolution has also introduced of a serious new level of IT security risk. Mobile phones, USB drives and other external devices expose business networks and systems to malware, they can be used to remove or steal business information, and by communicating business data over unsecured wireless networks, mobile devices invite compromise. These days, a well-meaning but oblivious employee with a USB stick can pose just as significant a threat as any maliciously-minded outsider.
“Businesses need to weigh up the costs and benefits and ensure that there have appropriate security policies to manage this risk,” says Paul Ash, director of the National Cyber Policy Office.
“There is a tendency for businesses to think that cyber security is a technical issue for the IT folk to sort out,” he says. “Businesses need to manage the cyber security risk – just like any other risk to the commercial success of the business. It is an executive leadership responsibility.”
Image: Paul Ash, director of the National Cyber Policy Office
“Put cyber security on the agenda before it becomes the agenda.”
[The New Zealand government provides its agencies with advice on how to mitigate the risks from mobile devices. This guidance is publicly available here].
“BYOD [Bring your own device] does represent a certain vulnerability, but it’s only one of many,” says Smith. “It’s not all black ops. It might simply be fat fingers.”
All the things
If mobile and the rise of BYOD has created a whole new level of complexity for business, the increasing connectivity of everyday devices, and our growing reliance on those devices at a personal and corporate level, is creating more vulnerabilities.
The looming ‘internet-of-things’ explosion, with a predicted trillion devices connected by 2020, and 50 billion machines exchanging data daily, will, and is already, creating new opportunities for hackers.
The hacker we spoke to said that without addressing this new level of complexity, we’re likely to be vulnerable in ways we can’t yet anticipate.
“If there is a mistake in your hardware it can be complex to update and also possibly mean people can access things in your home,” he says.
“Like if baby camera software has security faults, then anyone can access a live stream of your baby. Or control your lights in your home.”
“The risk is always in human error…programmers make mistakes.”
So you’ve been hacked
With threats coming from both inside and outside the business, a connected and increasingly data-driven workforce, and an underprepared executive tier, what recourse is there when disaster inevitably does strike?
“When a hack actually happens, you have a decision point,” says van Hest. “Recovery versus evidence gathering.”
“Do you just need to get back online or do you need to look for evidence? Because that evidence is often the bit you lose when you dive into the recovery route. It’s a juncture and it’s usually the case that you have to pick just one – that’s why having a plan is so important. If you’ve thought about it beforehand, you’re well placed, but if you’re doing it on the fly, you’ll be lucky to manage it without significant impact.”
“The key is to have a plan, think about your alternative options and consider insurance.”
Smith says that ultimately there’s no substitute education.
“First of all, understand that all businesses are exposed,” he says. “You have cyber-exposure, so understand it. Every aspect of the organisation needs to be considered from the angle of ‘what are the risks here and what can we do to increase our resilience to this risk?’”
“Historically, that was the responsibility of the IT guy. Next it went to the board level. Now you’ve got to get it into every single aspect of the organisation – for example, legal, contract management and HR. It’s a case of making it part of the whole business culture.”
“How you do that will differ from company to company of course, but that’s why you need to understand your own business.”