Maersk on NotPetya Cleanup, Troy Hunt on Kid-Perpetrated Data Breaches, and More
(euroinfosec) • June 14, 2019

Data breaches, incident response and complying with the burgeoning number of regulations that have an information security impact were among the top themes at this year's Infosecurity Europe conference in London.
Keynote speakers focused on changes in the cybercrime landscape, how big businesses continue to get hacked by children - and what that implies about the state of corporate cybersecurity defenses - as well as complying with European privacy and data security regulations, among many other topics (see: 11 Hot Sessions: Infosecurity Europe 2019).
Here are 10 highlights from a selection of the keynote presentations at this year's Infosecurity Europe.
Cyberattacker Hype Continues
Troy Hunt
Data breach expert Troy Hunt, who runs the free Have I Been Pwned? breach notification service, called out a lack of precision when some officials and law enforcement agencies approach cybercrime.
As an example, he referenced the early, official response to the October 2015 TalkTalk breach. "There was a quote from a detective who said: 'We think it's Russian Islamic cyber jihadis.' It's a true quote; you can Google it," Hunt said.
"And the thing that struck me at the time: You're basically just picking scary words and combining them all together. And I hope I didn't upset anyone by saying that these words are scary, but obviously they're just trying to string together something that makes impact," he said. "Now as it turns out, the only part of this which was actually accurate was the cyber bit, and even that I'm not so sure about."
Big Businesses Keep Getting Hacked by Kids
Troy Hunt
The TalkTalk breach turned out to be the work of a 17-year-old, resulting in what the telecommunications giant said was £77 million ($97 million) in cleanup costs.
"How does a 17-year-old child do £77 million worth of damage to a massive multinational?" Hunt asked (see: U.K. Man Sentenced for 2015 TalkTalk Hack). "Kids and the damage they do via data breaches is massive, and there's a huge amount of communication between literally children about how to break into websites and do this sort of damage."
To illustrate the challenge, Hunt played a YouTube video clip in which a young-sounding narrator walks through how to use an automated tool to exploit SQL injection flaws, which he appears to pronounce not as "ess-que-el," as professionals say, but rather as "squirrel." In other words, the kid apparently has no idea about the concepts underpinning structured query language. Regardless, he appears to know how to wield an automated hacking tool to remotely dump databases.
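The point of the anecdote is that the flaw being exploited is simple enough that someone with no grasp of SQL can trigger it with a tool, which is exactly why it is also simple to prevent. The following is an added example, not code from the article or from any of the speakers: a lookup written the vulnerable way (user input spliced into the query text) beside the same lookup written with a bound parameter, run against a constructed in-memory SQLite table so the difference in behaviour can be checked directly. The table, the usernames and the input values are all assumptions made up for the demonstration.

```python
"""Vulnerable string-built SQL query beside its parameterized fix.

Added example, not from the article. Uses Python's standard sqlite3 module and a
constructed in-memory table; nothing here touches a real system.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),   # constructed sample rows
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the caller's input becomes part of the SQL text.

    The database engine cannot tell where the data ends and the query resumes,
    so a quote character in the input changes the meaning of the statement.
    This is the class of flaw automated injection tools look for.
    """
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the query shape is fixed and the value is bound.

    Whatever the caller sends is compared as a literal string; quote characters
    in the input are just characters, never syntax.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal username and with a tautology string.

    Returns row counts so the contrast is visible: the string-built query
    leaks every row, the parameterized query matches nothing.
    """
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed input, the textbook example
    return {
        "vuln_normal": len(lookup_vulnerable(conn, "alice")),
        "vuln_tautology": len(lookup_vulnerable(conn, tautology)),
        "safe_normal": len(lookup_safe(conn, "alice")),
        "safe_tautology": len(lookup_safe(conn, tautology)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The fix costs nothing at runtime and needs no knowledge of how any particular tool works: once the value travels as a parameter rather than as query text, the whole category of input that the video's narrator was feeding in stops having any effect on the statement.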
Large Darknet Markets Disappearing
Jamie Bartlett
Cybercrime markets reachable via the darknet - aka using the anonymizing Tor browser to browse .onion sites devoted to cybercrime - are dying out, politics and technology expert Jamie Bartlett said in his keynote presentation.
In his talk - "Discovering the Digital Underworld: Privacy, the Dark Web, Tech & Democracy" - Bartlett detailed how many sellers have been favoring "smaller markets that are single vendors rather than large marketplaces that are easier for the authorities to manipulate."
That's been a long-forecasted consequence of police successfully busting so many of these large marketplaces (see: Darknet Disruption: 'Wall Street Market' Closed for Business).
Beyond simply rolling up the administrators and top sellers, Bartlett said such sites have also been undercut by authorities creating accounts on these sites and using them to write fake reviews.
Markets Shift From Drugs to Data
Jamie Bartlett
Initially, darknet markets focused almost exclusively on bringing together sellers and buyers of narcotics, Bartlett said. But that's changed. "Now it's really more about stolen information."
What should organizations from which such data might have been stolen do about it? In response to an audience question about subscribing to darknet intelligence feeds, Bartlett said he thought that if the price was right, that was an excellent idea.
"It's very good for your company to get an early heads-up if your data is being sold there," he said. Even if it was just corporate email addresses or names showing up on darknet markets, monitoring for that occurrence "just gives you a little bit of a head start in case this kind of thing happens."
Maersk: Transparency Helped Save the Day
Adam Banks
Transparency was a repeat theme at this year's Infosecurity Europe, including during the keynote presentation delivered by Adam Banks. Banks is the CTO and CIO of Danish shipping giant A.P. Møller-Maersk, which got hit hard by the NotPetya malware outbreak that began on June 27, 2017 (see: NotPetya: From Russian Intelligence, With Love).
Banks said Maersk's systems were fully patched, and that the malware infected every system that it touched. "This piece of malware was designed specifically to destroy data processing capability," as well as "to destabilize the government by destabilizing the tax flow," he said. "Of the 7,000 companies that file tax returns in Ukraine, 7,000 were hit."
In Maersk's case, he said, the malware successfully infected every Windows system - all primary, secondary and backup systems - in just seven minutes, before lying dormant for 53 minutes and then irreversibly crypto-locking everything, including the DHCP and Active Directory servers.
Banks said about 9,000 people worked 20-hour days for nearly three months to get Maersk back up and running again.
Ultimately, the outbreak cost Maersk about $350 million, including lost revenue. But Maersk earned plaudits for its transparency during the crisis. Banks said this was also key to keeping the shipments flowing. Notably, Maersk secured agreements with every country that it ships to, allowing the firm to retro-file all customs forms once its systems were back up and running. As a result, Maersk still got 95 percent of the goods it was shipping to the right place, on time.
What about the other 5 percent? "I had to go and apologize to the head of Toyota, because we shipped his cars to Australia instead of Europe," Banks said.
GDPR Still Looms Large
Panel: "Navigating Complex Regulatory Oversight to Ensure Privacy, Security and Compliance"
Regulations - including the EU's General Data Protection Regulation, which went into full effect in May 2018 - remain a dominant concern for organizations.
In a keynote panel, "Navigating Complex Regulatory Oversight to Ensure Privacy, Security and Compliance," representatives from the Bank of England, Penguin Random House UK, News UK and the U.K. Information Commissioner's Office talked about the upside - and occasional downsides - of dealing with regulations.
Although moderator Brian Honan, president of BH Consulting in Dublin, focused the discussion on the broader regulatory landscape - including the updated EU ePrivacy Directive - panelists and audience questions kept returning to GDPR.
Broadly speaking, however, panelists highlighted how many regulations, including GDPR, have helped to improve their organization's security posture.
"With the EU GDPR, it really helped for executives to understand what needs to happen to protect the data of your customers," said Titta Tajwe, CISO of News UK. "So it did allow the CISOs to get the budget they needed to do the work they'd already been asking for, for a long, long time."
PCI Is Outdated
Titta Tajwe
But Tajwe said not all regulations are so useful, singling out the Payment Card Industry's Data Security Standard, for example, as being little more than an unhelpful "tick-box exercise."
"At [retailer] John Lewis, I had responsibility for PCI and GDPR, etc., and I can honestly say that the PCI schema was almost a distraction, because what we found was it was very prescriptive," said the Bank of England's Steve Wright. "It almost wasn't appropriate for our environment," he said, noting that the retailer had "to almost reverse-engineer those controls to ensure compliance."
From left: Titta Tajwe, Deborah Haworth, Brian Honan
"Does more complex regulation improve security or not? It depends on the regulation," said Deborah Haworth, head of information security for Penguin Random House UK. "Regulation that prescribes things for you and removes a company's opportunity to operate under its own board's direction is never going to improve security, because everything becomes 'is it black or white' or 'are we right or wrong?'"
Wright, who's now the Bank of England's GDPR and CISO adviser, said that PCI initially got the industry "to collectively really pull our socks up," but is much too prescriptive for current requirements.
"The challenge is that we need regulation, we need regulators, I get that," he said. "But it is a real challenge, almost a paradox, because you can't dictate too much, but you need to be in a position to self-certify or self-attest that we are doing enough."
"We always tell every organization, get the basics right," said Peter Brown, the ICO's group manager for technology policy. But he noted that for large organizations especially, much more extensive risk measures might be required.
Start Here: You've Been Breached
Steve Wright
In terms of basic challenges, "90.8 percent of breaches is still human error," which highlights a lack of data "accountability, ownership and responsibility," said the Bank of England's Wright.
"My approach to this has been to build what I call a defensible position. So almost take the assumption that you've been breached, and it doesn't matter what regulation you fall under, you're going to be asked to justify some of the decisions that were made, that led up to that, and the only way you can do that is by looking at your risk assessment, and understanding where your data is, what you're doing with the data," he said.
"Then you're going to build up a really defensible position for when the proverbial hits the fan ... and you're going to be able to defend yourself," Wright said, regardless of whatever any specific regulation requires.
Cambridge Analytica Likely Failed - This Time
Jamie Bartlett in front of a photograph of Alexander Nix, who was the director and CEO of Cambridge Analytica before it declared bankruptcy
The conference also focused on more big-picture questions of the intersection of technology and society. Bartlett, who previously led the Center for the Analysis of Social Media at U.K. think tank Demos, said one of the biggest threats to democracy is the use of micro-targeting to influence voters. That was the model practiced by Cambridge Analytica, which he said may - or may not - have helped President Donald Trump win three crucial swing states in the 2016 election, each by less than one percentage point.
The micro-targeting being practiced by Cambridge Analytica "was pretty industry standard - lots of people were doing the same thing," he said. "They were probably just slightly better at doing data analytics than the Clinton team was. But this misses the point. Our elections are changing fundamentally."
Thanks to advances in data science, he said, organizations can use "data science and subtle nudges" to micro-target smaller and smaller groups of people. "This is not really what elections are supposed to be about," he said.
Instead, elections are supposed to be about grand visions: Who best to govern the country, and what will they bring?
Election Dystopia Looms
Jamie Bartlett
Bartlett warned that unchecked election micro-targeting could lead to widespread disenchantment with the electoral system. Ahead of last month's European Parliament elections, for example, British people were being shown political advertisements saying that the EU was trying to ban Brits from drinking tea. (Spoiler alert: Such claims were false.)
"How will an election look 10 to 15 years from now, if we carry on down this same path? That's not really about this election," he said, but rather about the future of elections.
Bartlett offered a vision of what data science might do in the future, based on using smart refrigerator data to correlate an individual's normal dinnertime - say between 6 p.m. and 6:30 p.m. - with social media monitoring that reveals they tend to produce slightly angrier tweets around then, likely due to their being hungry. Meanwhile, data scientists might have concluded that people who are slightly angrier are more open to messaging by political candidates espousing law-and-order messages.
"So lo and behold, when you open your smart fridge at 6:50 pm, Jacob Rees-Mogg is going to pop up with a message for you and for you alone," he said, referring to the Tory British MP who often espouses far-right viewpoints.
What's the fix? For starters, greater transparency. "The problem is that the rules that we've created just aren't in keeping with the technology that we have, and that's what's causing so much of the tension," Bartlett said. "Our rules at the moment are essentially designed for an age of television and billboard advertisements, not direct, micro-targeted adverts."
What might new rules look like? Bartlett said he'd like to see records kept of every advertisement directed at every individual, backed by automated software to ensure that everyone plays by the same rules, including being transparent about the source of every advertisement, all governed by a regulator that is completely independent from the government.
Photographs by Mathew Schwartz