RiskUKAugust2017

More documents

Recommendations

Info

How Can We Combat ‘Virtual Hackers’? The WannaCry ransomware attack in May, which affected elements of the National Health Service (NHS), has farreaching implications for the nature of the threat presently facing our connected economy. Nicola Whiting outlines the growing threat of automated cyber weapons in criminal hands and observes how leading organisations from NATO to the FBI are borrowing from the hackers’ ‘playbook’ in order to fight back The revelation that the WannaCry attack was probably the work of a ‘script kiddie’ indicates that the automation of hacking techniques is now enabling amateur hackers to launch attacks with nation state-level expertise, a development that dramatically increases the severity of cyber threats facing today’s major organisations. What was once the preserve of military forces and spy agencies is now within the reach of basement-dwelling hacktivists and generalist cyber criminals. The WannaCry network infection vector was among a slew of sophisticated tools apparently stolen from America’s National Security Agency, demonstrating that advanced cyber warfare technologies developed by Governments are increasingly falling into the hands of ordinary citizens. This could be construed as the equivalent of intercontinental ballistic missiles being stolen and sold to street criminals. Not only does this development dramatically increase the number of potentially devastating cyber attacks the world might face in times ahead, but also renders it that much harder for the authorities to trace the perpetrators. In the same way that automated cyber weapons may replicate the work of skilled Black Hat hackers, new software can autonomously replicate the work of leading White Hat hackers, analysing entire networks for vulnerabilities with the knowledge and skills of a penetration tester. The WannaCry attack on the NHS is a good example. Just as the attack was launched using an automated network ‘worm’ coded to find vulnerabilities, parts of the NHS were able to use their own automated tools to identify vulnerabilities and successfully protect themselves against the attack. Some NHS Trusts used the automated Nipper Studio tool to replicate the skills of expert human penetration testers and harden their firewalls and network devices at a speed and scale that’s beyond human capabilities, duly finding and closing vulnerabilities before they could be attacked. Nipper Studio creates a virtual model of how the setting and rules interact with each other and understands the interactions just like a human would, but in a fraction of the time and with repeatable accuracy. NHS Trusts with well-tested procedures in place and which had used automation to harden their networks against attack went unbreached when WannaCry struck, subsequently ensuring that the highly sensitive information in their systems remained secure. Rise of cyber warfare Behind the escalation of cyber attacks lies the increasing investment by Governments, terrorists and other groups in ‘cyber-offensive’ capabilities: the development of hacking tools that offer the ability to penetrate enemy networks and systems and project ‘cyber power’ around the world. The capability of automated cyber warfare systems was first illustrated by Stuxnet, a selfreplicating cyber worm which destroyed over 1,000 nuclear centrifuges across an Iranian nuclear facility, setting that nation’s nuclear ambitions back by at least two years. Security expert Claudio Guarnieri has noted that the so-called Regin malware, recently used to attack EU diplomatic delegations, also bore the signature of a nation state spy apparatus. Another such attack recently knocked out the Ukraine’s national grid. These military-grade cyber weapons are percolating down into the online underworld, largely because cyber weapons are far easier to steal than conventional armaments. It’s both easier and cheaper to copy a code than a cruise missile. Today, an entire cyber arsenal can be spirited away on a USB stick. In the subterranean networks of The Dark Web, there’s now a highly-developed cyber 60 www.risk-uk.com
Cyber Security: Risk Management for Automated Cyber Weapons arms ‘bazaar’ wherein criminals can purchase the cyber equivalent of smart bombs, complete with user guides, money-back guarantees and TripAdvisor-style user ratings. Powerful custom-made tools designed to exploit unpatched vulnerabilities and autonomously reproduce themselves across the world are widely available to buy, rent or franchise. They can also be repurposed and customised for any particular task, from hacking a bank through to attacking a hospital. These sophisticated weapons often contain an autonomous ‘transport’ mechanism that enables the malware to scan for vulnerabilities and spread itself along with a ‘payload’ that then delivers the attack. The Internet is also replete with intelligencegathering tools that lie dormant inside an enemy system like a cyber ‘sleeper cell’, covertly mapping out the network architecture, domains, servers and IP addresses of potential targets. A recent investigation showed that the UK’s national rail network had been unwittingly infiltrated by four nation state cyber attacks which appeared to be ‘exploratory’ exercises. Two-way relationship One cyber expert has warned the US Government that: “The Internet allows malicious cyber actors to deliver weaponised tools at a scope and scale we’ve never seen.” Even worse, nation states are deliberately ‘leaking’ cyber weapons to illegal hacker collectives, hiding their activities behind proxy groups. The relationship works both ways, with cyber crime groups also sharing tools with Governments in return for payment or protection from prosecution. These tools then work their way lower down the food chain until they end up in the hands of low-level hackers, with the end result being that highly classified cyber offensive expertise is being transplanted into the laptops of teenagers. According to cyber security body (ISC) 2 , this comes at a time when the Human Resources needed to prevent these increasingly advanced and widespread attacks are in scarce supply. The world is set to face a shortfall of 1.8 million cyber security professionals in five years. Rising demand for a dwindling pool of talent is pushing up the cost of hiring, rendering it increasingly difficult for companies to recruit and retain the necessary and best talent. Given this major manpower shortage combined with a rise in automated hacking tools entering wider circulation, business and industry is now under greater threat than ever before. The central problem is that machines are far faster and more efficient at hacking than “The central problem is that machines are far faster and more efficient at hacking than humans. Automated tools can launch many simultaneous worldwide attacks at a speed and scale beyond the capacity of human attackers” humans. Automated tools can launch many simultaneous worldwide attacks at a speed and scale beyond the capacity of human attackers. For example, computer ‘worms’ are capable of autonomously replicating themselves millions of times in order to simultaneously infect a wide array of targets. To illustrate that statement, studies have shown how an automated worm could ‘infect’ a single lightbulb and then cross-contaminate all neighbouring lightbulbs, spreading like wildfire to plunge entire cities into darkness at lightning speed. In this way, widely-available automated weapons dramatically increase the speed, power and reach of cyber attacks on faraway targets. Autonomous tools also enable human hackers to cover their tracks, like a thief evading detection by sending a drone to burgle a house. While companies lack the time and Human Resources needed to find and fix all of their vulnerabilities, automated tools afford cyber criminals limitless time and resources to find and exploit vulnerabilities. It’s no surprise that, in a race between human defenders and autonomous attackers, the humans are losing. To turn this around, we simply must use autonomous tools as a defence mechanism. Automating our defences Whereas traditional ‘dumb’ scanners indiscriminately bombard a network from the outside in the hope of exposing a vulnerability, modern ‘smart’ tools can autonomously scour the individual blueprint of any network or system to find deep structural vulnerabilities and explain how to fix them. It’s the digital equivalent of going through every line of an architect’s drawings and identifying weaknesses in the structure within seconds. ‘Smart’ tools dramatically reduce the demands placed on heavily-overstretched Human Resources, using automated systems to plug the cyber security skills gap that shows little sign of diminishing any time soon. With advances in automation enabling today’s criminals to launch devastating attacks in minimal time and with few Human Resources of their own, we really must begin to deploy the same ‘smart’ technologies to cut the time and cost of shoring up our defences. Frankly, we neglect to do so at our peril. Nicola Whiting: Chief Operating Officer at Titania 61 www.risk-uk.com
Page 1 and 2:
August 2017 www.risk-uk.com Securit
Page 3 and 4:
August 2017 Contents 44 Meet The Se
Page 5 and 6:
Editorial Comment Many applications
Page 7 and 8:
News Update “Clarification on reg
Page 9 and 10: News Analysis: Counter-Terrorism Pr
Page 11 and 12: News Special: BSIA Security Personn
Page 14 and 15: ISO 22316: Preparing for Brexit The
Page 16 and 17: All Things Being Equal recommends t
Page 18 and 19: Institute of Risk Management Are yo
Page 20 and 21: BSIA Briefing References 1 https://
Page 22 and 23: Physical and IT Security Convergenc
Page 24 and 25: State of Mind: Developing ‘Risk C
Page 26 and 27: On The Mark: Safeguarding Your Comp
Page 28 and 29: Touched By A Physical Presence Phys
Page 30 and 31: Net2 Entry Touch Smart, Simple Door
Page 32 and 33: FIRE SAFETY New Qualifications for
Page 34 and 35: FIRE SAFETY False Fire Alarm Manage
Page 36 and 37: FIRE SAFETY Fire Alarms and Detecti
Page 38 and 39: FIRE SAFETY Audible and Visual Prot
Page 40 and 41: FIRE SAFETY Following the Grenfell
Page 42 and 43: FIRE SAFETY Emergency Lighting Stan
Page 44 and 45: Meet The Security Company This is t
Page 46 and 47: Advertisement Feature Reaping the B
Page 48 and 49: The Security Institute’s View rel
Page 50 and 51: Resilience Revisited: Turning Our A
Page 53 and 54: FIA Technical Briefing Fire Prevent
Page 55 and 56: FRONTIER PITTS Protecting Your Worl
Page 57 and 58: Security Services: Best Practice Ca
Page 59: A New Model for Guarding Cardinal's
Page 63 and 64: Training and Career Development equ
Page 65 and 66: Risk in Action St George in the Eas
Page 67 and 68: Technology in Focus Vista unveils V
Page 69 and 70: Appointments Helen Ball Helen Ball
Page 71 and 72: BENCHMARK Smart Solutions BENCHMARK
Page 73 and 74: CCTV CCTV Rapid Deployment Digital
Page 75: SECURITY ANTI-CLIMB SOLUTIONS & SEC
show all

RiskUKAugust2017

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?