Yesterday, the Toronto leg of the Tech Security Conference took place. The event brought companies and industry leader together to discuss the constantly mutating landscape of threats in the digital world, and what can be done about them.
Complexity and simplification were themes that ran through the entire day. Both the complexities of the attacks that many companies face, and the simplicity that is needed to adequately defend against them.
Though it may seem counterintuitive, secure networks have simple but sturdy defences against the most complex attacks. The problem with complex security networks, is that inherent in an intricate security apparatus is different pathways in, and weak points.
“Complexity is the enemy of security, absolutely,” said Ted Maniatis, a security solution expert.
As threats evolve security has to, aswell. Many persistent threats to companies and users haven’t changed over the past decade. DoS attacks, for example, have existed for nearly as long as computers have been connected to each other, and are still prevalent for many companies. What has changed is the goal of many of these attacks. Rushes of traffic are sent in to find weak spots in security systems, so hackers can later exploit those weaknesses to steal data. For security experts, this means keeping a level head during an attack.
“Denial of service attacks create stress, and that can lead to poor decisions,” said Sean Power, a solutions engineer at DOSarrest. Responding to a DoS attack today involves looking for the same weaknesses the hackers might be looking to exploit.
“It’s a game of chess between the two teams,” added Power. It’s a game where the attackers consistently have the advantage, because while the security team looks to secure data that DoS attacks are often after, the hackers may change their goal depending on how the security team reacts. Plus, the obvious targets may not be what the hackers are going for. Medical records are estimated to sell for more than ten times more than credit card numbers on the black market.
For now, one aspect to keep data safe of DoS attacks is having an entire separate scrubbing layer that all traffic has to pass through; a node entirely removed from the network to screen users coming through. This kind of system can identify attacks, even ones that have specific targets and move much slower DoS attacks traditionally have in the past.
While the room was full of people who work in the tech security field, almost every lecture had an air of clearing up some misconceptions, and explaining that hackers are getting more technologically sophisticated that’s not necessarily how the most catastrophic breaches happen. Shane Phair, from Cleo, a company that specializes in moving data within and between companies, told an anecdote of a CEO who was mailed an iPad. The CEO thought the iPad was a gift, or part of a giveaway, and within minutes he was signed in and exploring the new device. Unbeknownst to him, the device was infected, and leaving it connected to the company’s network allowed hackers to kick the door down.
There were several other horror stories of hackers infiltrating networks using creative means to get their hands on data, but often the most calamitous breaches come from the most basic and understood techniques available to hackers.
Techniques like spear phishing, and ransomware, while comparatively new in the security world, have been around long enough to be considered common, and how they work isn’t a mystery at all, but they remain the most effective. Ransomware is so effective that even governments have thrown their hands up in the air when dealing with such attacks.
“Decryptions used to be available, but that’s no longer the case. Not even governments will help you here,” said Elaine Poelhuber, a client service manager from ZeroSpam.
The malicious files in ransomware are hidden as email attachments. They may show up in inboxes as receipts that demand to be printed, or any other kind of email that urges a user to open an attachment. Once opened, all of the data on a device will be encrypted until a ransom is paid, almost always in Bitcoin, but sometimes in another crypto currency.
Ransomware has become so prevalent that analysts looking at the hundreds attacks in aggregate have noticed the ransoms prices have been steadily dropping. Sometimes they’re as low as one bitcoin, about $55.
Another shift in the world of ransomware is the targets. Early on, hackers would go after whales, large companies that would pay massive ransoms to get their data back. Now, small businesses are increasingly likely to be targeted. Hackers usually go after small businesses because they’re easier marks, and less likely to have sufficient backs ups. This doesn’t mean big organizations aren’t still targeted. Just in February, the LA hospital payed $17,000 to get their data back.
Attacks on small business are on the rise, as are attacks in Canada, only by four per cent over the past two years, but there’s no indication that the rise will slow. Just in March, Ottawa hospital was hit with ransomware, but they had sufficient back ups and just wiped their devices clean, rather than paying the ransom.
The FBI estimates that in the US ransomware accounted for roughly $18 million in paid ransom, but ZeroSpam thinks that figure may be higher because many companies hit by the virus don’t report. Today, hackers who don’t have the skill to figure out how to build their own ransomware can go online and buy a ransomware service, an indication of common the problem has become.
“It’s based on an equation where the cost of damage is greater than the cost of recovery, or the cost of the ransom. As long as that equation remains true, the industry will remain,” said Poelhuber.
Even with these threats, often from overseas, looming for businesses, it’s still much more likely that a breach will come from inside an organization, rather than through a hacker. Seventy per cent of all breaches happen this way, as well as some of the most well known examples in history. Edward Snowden, Wikileaks, and it’s expected the Panama Papers were all inside leaks. And there were companies at the conference who specialized in monitoring company employees to stop leaks just like those.