Judging by how often it came up at Irisscon 2019, the human factor, in all its forms, remains one of the industry’s biggest cybersecurity threats. Marking its tenth anniversary, the Irish cybercrime conference has become a fixture in the events calendar for security professionals.
Since its earliest days, the Irisscon ethos has been to share information, to help security professionals and IT staff learn from each other, and to pass on advice and best practice from recognised experts in the field. This year’s lineup of speakers tackled a range of subjects, from cybersecurity threats and trends to privacy concerns, the industry skills gap and social engineering.
Cybercrime incidents in Ireland: the rise of cybersecurity threat
Brian Honan, head of the Irish Reporting and Information Security Service (IRISS) and also CEO of BH Consulting, began proceedings with a look back at some of the headline figures from this year so far. Already, Irisscert, the voluntary computer emergency response team, has recorded 43,000 incidents since the start of the year. Over 80 per cent of this number were DDoS attacks against websites hosted in Ireland. In addition, almost 6,000 Irish websites were compromised to steal personal data. Working with other computer emergency response teams around the world, IRISS identified 624 attacks against systems in other countries which originated from Irish IP space. Infosecurity Magazine have a report of Brian’s talk.
Infosecurity professionals can defend their organisations better by first identifying what systems and data they need to protect the most. “The higher the value it has, the more resources you put towards protecting it,” Brian said. The most effective investment an organisation can make is in security awareness training. This makes employees aware of the risks, and of the controls in place to safeguard important or sensitive information.
Industry professionals were the subject of the next speaker’s presentation. Carmel Somers spoke about the difficulty many organisations have in sourcing cybersecurity skills in today’s competitive market. “It is one of the key things every organisation should be facing and looking at,” she said.
Addressing the security skills gap
Carmel chairs the Cyber Security Skills Initiative (CSI) Advisory Board of Technology Ireland ICT Skillnet. Over the next three years, the scheme plans to train 5,000 people in cybersecurity skills and, through that, to help 4,000 companies tackle the cybersecurity skills issue. In 2019, more than 1,000 people and 400 companies participated in the initiative.
Organisations could identify people already working there and upskill them through CSI to meet the need. “You may have people in your organisation who are not in an IT role but have competencies that would make them a good fit for a cybersecurity role. This is a business issue, not just an IT issue,” she said. Brian Honan pointed out that this is an excellent opportunity for companies. They can boost their own security resources for a relatively small investment, as the CSI is Government-funded. The video of Carmel’s presentation is here.
Are all cybercriminals geniuses?
Speaking of skills – or possibly the lack of them – Graham Cluley’s entertaining talk posed the question: are all cybercriminals geniuses? His presentation had the style familiar to listeners of his podcast, but behind the humour there was a serious message. Organisations too often hide behind the myth of the sophisticated attacker to excuse their own poor defences against cybersecurity threats. In reality, Cluley said many common attackers’ techniques are not sophisticated or ground-breaking. “If something is working, why go to the extra effort of being sophisticated?”
Reflecting the diverse lineup of speakers that Irisscon attracts, Jelena Milosevic considered privacy and security from a medical perspective. A paediatrician and ICU nurse, Jelena is a passionate advocate for cybersecurity awareness raising in healthcare settings. One of the biggest risks is the fact that there’s often just one person in a healthcare organisation who is responsible for security and data protection. As a result, they spend much of their time fighting fires. Many medical devices are connected to the internet yet vulnerable, she said.
Cybersecurity threats to medical data
In her very well received talk, Jelena said medical data by its nature is extremely sensitive and for that reason, highly sought after. Furthermore, the risk isn’t limited to patients: it extends to employees and third parties, ranging from charities to hospital visitors. Data protection consultant Sarah Clarke, who was at Irisscon, wrote on Twitter that medical data can be used for secondary purposes such as marketing and insurance profiling, often without adequate transparency and minimisation. That, in turn, can lead to a breakdown in trust between medical staff and patients. It’s easy for security and data protection to be perceived as abstract concepts, but Jelena put the risk in stark terms. “When there is no trust between a patient and a doctor, there is no healthcare,” she warned. The full video of her presentation is here.
The ransomware economy – a serious cybersecurity threat
Unsurprisingly, ransomware made an appearance at Irisscon, as McAfee’s chief scientist Raj Samani took a deep dive into the GandCrab strain. Explaining why the problem is getting worse, he said the average ransomware payment went from $24,000 in Q4 2018 to $36,000 in Q1 2019. “The price is going up because people are paying,” he said. That makes it an ever greater cybersecurity threat to businesses.
McAfee has researched the affiliate model that has emerged around some forms of ransomware. In it, the developers effectively outsource delivery of the malware to affiliates around the world, who keep a share of the ransom. GandCrab was the most prevalent form of ransomware from 2016 to 2019, and its developers claim they made more than $2 billion. Samani said a forensic level of accounting was needed to track how many infections, and how much money, each affiliate was responsible for. “Almost anybody can contribute and be a part of this model… it really is cybercrime as a service,” he said.
Ransomware has a visceral real-world impact in areas like healthcare. Infected hospitals were forced to turn away patients and switch off internet connectivity to protect the network. “We live in a world where a nurse can open up an email, and a hospital has to turn away patients… and yet they say that this is a computer issue,” said Raj.
Calling out to industry and to security professionals, he said the time has come to combat ransomware more aggressively before cybersecurity threats like it spread to other vulnerable areas. “This is our ‘you shall not pass’ moment. In the future it will be other critical devices and IoT equipment at risk.”
Emerging expert talk
For the first time at the event, Irisscon dedicated a speaking slot to an up-and-coming security professional. The inaugural ‘emerging expert’ was Emma Heffernan, a student and part-time security analyst. Giving her very first conference talk, she looked at the human side of social engineering attacks, and at what happens to someone who has been targeted by one.
Echoing Brian Honan’s comments about the need for awareness training, Emma asked: “Can we afford to not invest in our employees? We need to train our humans… We can patch software, but we can’t patch humans.” Communication between employees and employers is key, Emma added, making the point that effective training includes clear demonstrations of the behaviour an organisation wants to see. Team building exercises also help to embed the lesson. A link to her video is here.
CSAM as a cybersecurity threat
The next presentation tackled an extremely sensitive yet vital subject. Mick Moran, formerly of Interpol and now Garda liaison officer to France, made an impassioned plea to infosecurity professionals and sysadmins. He wants them to treat Child Sexual Abuse Material (CSAM) as a cybersecurity threat on their networks, and to use their knowledge to help victims. “This is a societal problem that everyone needs to contribute to – and that includes infosecurity professionals… By your technology tools, you can make a difference in people’s lives, especially children’s lives,” he said.
It’s extremely likely that this material is already on company networks without being spotted, he said. However, rather than deleting it, he said infosec and IT professionals can follow steps to report it responsibly through proper channels. “If you follow the steps as every human should, you’re not in possession of it as per the law. Don’t delete the best possible chance of having that child saved,” he said.
In addition, victim identification initiatives like Europol’s trace an object website are also a way that security workers can make a positive contribution. “If you can find the victim, you catch the perpetrator. Most importantly, you safeguard the child,” Moran said. Despite the uncomfortable subject matter, the presentation drew widespread applause. The video is available here. However, we advise that some people may find the content disturbing.
Kirils Solovjovs, one of Latvia’s most prominent white hat hackers and bug bounty hunters, walked through the challenges of vulnerability management. His talk (video) was titled “patches will fail us”, and he discussed the risks involved in using shared code and open source software. “Where does your software come from?” he asked. Since it’s not possible to protect against everything, it becomes a question of prioritising and profiling the cybersecurity threats, he said.
Dan Raywood, deputy editor of Infosecurity Magazine, swapped reporting on the conference for speaking at it (video here). His presentation echoed some of Carmel Somers’ points about skills in the industry. His publication carried out independent research into security trends and the findings included how job ads for cybersecurity roles often require unachievable levels of experience and qualifications. One anonymous contributor to the research summed up the situation as “They want them to be cyber ninjas straight out of university and pay them entry-level wages”.
In fact, the human factor of security was the second most common security trend identified in the research. Even when organisations manage to recruit people into security roles, Dan said it was questionable whether those people are encouraged to move up the ranks into senior positions.
Jenny Radcliffe, the ‘people hacker’, gave a talk about understanding how humans lie. Her work involves performing social engineering and security investigations, and her entertaining talk (full video) looked at the many ways that some people try to trick others, and at why many humans are very bad at spotting when this happens. “Learning how to spot deception, or credibility interception, as it’s also known, is useful for defenders,” she said.
Dave Lewis closed the conference with a keynote that looked at the concept of zero trust as a way to tackle today’s cybersecurity threats. The approach developed from the fact that many attackers are on networks long before being discovered. “When you have attackers able to get into systems very easily, it’s frustrating,” he said (video here).
The zero trust/trusted access approach to cybersecurity
Now that the traditional perimeter-style network has all but disappeared, defence needs a new approach. “You need to be able to check the hygiene of a device that’s attaching to your network… if you’re using zero trust as an approach, you are asking for a certain level of security and patching for them to be allowed in. Make sure that you’re not accidentally introducing problems into your environment,” he said. Alternatively for anyone uncomfortable with wording like ‘zero trust’, Lewis suggested ‘trusted access’ or ‘risk reduction’ instead.
It may have seemed a downbeat note to end the conference, but Lewis said that many of the problems stem from issues that have been around for many years: unpatched devices (BlueKeep is unpatched on 1,227 systems in Ireland today, he said), untracked user devices, and people re-using simple credentials and passwords that are easy to guess. Dave had a call to arms for the infosecurity professionals in the room. “We need to make sure we are part of the solution, and not being relegated to ‘just a cost centre’.” Security, therefore, can’t keep saying no when the business wants to adapt and change.