Cybersecurity conferences aren’t usually places where you expect to feel better about the world, but IRISSCON 2022 struck a surprisingly hopeful tone.
Mikko Hyppönen, WithSecure chief research officer, looked back at security’s evolution over decades and reached an unexpected conclusion. “I think we are living in the golden age of cybersecurity. The technical security of our systems has never been better,” he said.
Closed systems like gaming consoles, for example, are secure because their owners don’t have permission to program them. “Creating exploits for modern operating systems today is hard. That’s why attackers go through humans; it’s the only easy route left,” Hyppönen said.
He argued that security works when it costs €100,000 for spyware to hack into a politician’s iPhone. Most people aren’t worth that effort and money. “It is not a failure, it is a success. We cannot create completely unhackable systems; we can just raise the barriers,” Hyppönen said.
Returning to the Aviva Stadium, the event had its largest ever attendance with more than 420 people registered. Help Net Security’s photo gallery captured the flavour of the day-long conference.
Éireann Leverett, CTO of Concinnity Risks, whose talk closed the conference, aimed to hit a similarly optimistic note. He analysed ten years of ransomware and found the problem, in terms of volume and frequency, peaked in 2014. “So something good is already happening… We’ve already survived peak ransomware in the historical view,” he said.
Although ransom amounts have increased, Leverett said fewer people pay the ransom than might be expected. He analysed 8,000 victims of the Deadbolt ransomware through the unique Bitcoin addresses they used and concluded that just 8 percent of them paid.
Ransomware: don’t pay later
One way to further reduce payments to ransomware gangs is to make victims stop and think. “Most people who pay, pay really quickly… if you get people to delay, they’re less likely to pay,” Leverett said. He also warned against using insurance payouts to cover losses. “Insurance is never supposed to pay for everything. Don’t use your insurance policy as your ransomware response. It’s never going to be enough,” he said.
Joseph Stephens of Ireland’s National Cyber Security Centre also had hopeful words for the audience. Newly returned from attending the International Counter Ransomware Initiative in Washington DC, he said: “While I don’t think I’ll be up here next year not talking about ransomware, I am more optimistic about a global response to this issue.” His colleague James Caffrey said the EU also plans to commit greater budgets to tackle cybersecurity threats.
With perfect timing, during the conference news broke that police had arrested the suspected operator of the LockBit ransomware in Canada.
Detective Inspector Gerard Doyle of the Garda Síochána National Cybercrime Bureau urged victims not to pay the ransom. “Our position is, you shouldn’t pay a ransom. I understand it’s an economic rather than a moral decision, I know that it’s easier said than done. Will paying a ransom lead to a small firm going out of business?”
DI Doyle gave examples of victims including an unnamed law firm and a large engineering company. He said paying ransoms only incentivises criminals, and doesn’t guarantee the victim’s data will be decrypted, or won’t be leaked anyway. Some 80 percent of victims who paid ransoms got their data back; 25 percent got less than half back. As reported in InfoSecurity Magazine, DI Doyle called on more victims to report the crime to law enforcement.
Mingling in the atrium of the Aviva Stadium
Cybersecurity focused on SMEs
Georgia Bafoutsou of ENISA, the EU’s information security agency, called on those attending to amplify messages about security awareness. In particular, those messages need to focus on small and medium enterprises (SMEs). These make up 99 percent of businesses in the EU, while 93 percent are micro SMEs that employ fewer than 10 people with revenues of less than €2 million.
ENISA will shortly launch ‘AR in a box’, an awareness-raising tool that will include information, guidelines, templates, videos, and checklists for companies to develop their own cybersecurity programmes, as well as metrics to evaluate their success.
All told, IRISSCON featured presentations from 11 speakers including some of the most respected names in the industry. Among the lineup was Avast CISO Jaya Baloo, who spoke about the challenges that quantum computing will create for the security community. Rich Mogull, SVP of cloud security at Firemon, and Colm Gallagher of Commsec Security covered incident response and forensics in their respective talks.
Sharon Conheady’s entertaining talk explored the ethical side of social engineering. Using humour to deliver a serious message, she said social engineering tests done badly can foster a “toxic” security culture. Even small details like using financial hooks as part of a phishing awareness campaign can come across as poor taste at a time of rising consumer prices, she said.
Avast’s CISO – Jaya Baloo
Making security easy: the UX challenge
Dave Lewis, Cisco’s global advisory CISO, called on the industry to “democratise security” by building better tools to protect non-experts. “We have to look at it from a human element perspective. If we’re not taking the time to properly educate people, we’re going to have a bigger problem. The way we improve that is good UX [user experience] design. If it’s easy for them to understand, you’ll get much further… A tool made by engineers for engineers is not doing security. That’s not going to solve the problem,” he said.
He said zero trust – love or hate the term – has value because it focuses on reducing risk. Passwords – and people’s tendency to reuse them – aren’t keeping people secure enough. “Passwords are effectively a house key. It does nothing to ensure who’s coming through the front door… The lock doesn’t care,” he said.
Attendees and speakers networking in the atrium
A lot done, more to do
Overall, IRISSCON wasn’t a case of ‘job done’ in cybersecurity – because it never is. Christian Heggen, Senior Threat Intelligence Advisor with CrowdStrike, warned that e-crime has increased sevenfold since 2019. Much of this is due to the diversification of the e-crime ecosystem, as criminal groups specialise in different areas, from access brokers to ransomware-as-a-service operators.
Raj Samani, chief scientist at Rapid7, said that part of the reason why security has become so difficult is because attackers often use tools that aren’t malware per se but enterprise software used maliciously. “So the challenge is to identify the signals through the noise,” he said.
Heggen expanded on this theme, pointing to research showing that attackers are increasingly using “living off the land” techniques, exploiting genuine tools to remain undetected and not trigger any alerts.
Another recurring theme from the day-long event was the importance of sharing information. It’s a message that organisers Irisscert have promoted since the very first IRISSCON back in 2009. Many of the speakers took up this call, with Raj Samani and DI Gerard Doyle among those urging the audience to report incidents and share information. This helps the entire community to understand threats better and learn from them, while law enforcement can allocate resources more effectively when they know the risks they’re dealing with.
Detective Inspector Gerard Doyle
With some encouraging signs in the fight against cybercrime, IRISSCON 2022 sent delegates away with ample motivation to keep going.
All Image Credit: Zeljka Zorz, Editor-in-Chief, Help Net Security