Not a day passes without news of cybersecurity – a ransomware attack, data theft, DDos attack, a research identified vulnerability, or serious hardware flaw. At this year's Codemotion Amsterdam, Eward Driehuis, (former research chief at SecureLink and SVP Strategy at Cybersprint) , took us on a hugely entertaining journey through the cyber threat landscape of the last few years including the responsibility of devs, and why social engineering matters.
He explained his role:
"I research threats in a company that actually watches over a lot of European companies right so we are like the watch guards we look over their shoulders everything that happens, and whenever we see something happening that's out of the ordinary, we're gonna either kick the bad guys out or we're gonna do something else to make sure that this company isn't compromised."
A short history of cyber crime: Banking is an early target but also a saviour
From 2006 2010 fraud was a fairly old school: "manipulating the post fields in HTTP requests: if you post a transaction to the server you can just adjust the beneficiary accounts. This is not about bugs, but "the laziness of the banking customers who will click that link or you're just plain phishing them, you're calling them up and saying 'yeah, we're at the bank and we need to double check a code'.
Eward asserts that "the only reason why the banks started cybersecurity as an industry is that they were closing down brick-and-mortar offices by the numbers and replacing them all for online channels so they wanted to maintain the confidence in these online channels. The banks weren’t being hacked, it was the customers."
Enter the nation-states
Eward discussed the notorious NotPetya and Wannacry attacks of 2015 noting
"What many people missed about these two attacks is that not one single victim of both attacks that ever paid the ransom to the criminals got their files back, so maybe they weren't criminals…"
He noted that it was only recently that the security sector attributed WannaCry to North Korean and Russia as the origins of NotPetya. Given the lack of payments, he suggested they leveraged the attacks for destructive purposes rather than financial remuneration and as an opportunity for flexing muscle as to their abilities to cause havoc.
Social engineering requires zero bugs
Bugs are not the cause of cybercrime, humans are: " You just need to convince someone to do something stupid." Eward detail the power of lateral movement where state-sponsored espionage groups create specific malware not recognized by endpoint security meaning :
"You have now a foothold in a company network and then you're gonna look for intellectual property such as marketing plans and big database that can be stolen and leveraged for economic gain."
- Small companies (under 1000 employees) are hit 6 times harder than large organisations, and that cybercriminals preference cryptojacking over ransomware by a factor of 2
- Veteran criminals such can wreak havoc breaking into a company's invoice template
- A legion of Gentleman spies are growing who "Don't target their target, they target someone else: their suppliers, an IT provider, or a service provider who they target through their VPNs…"
- Stupidity is to blame for PWNing.
Ultimately Eward believes that:
"In maybe 10, 20 years we will be more secure than ever, but in the meantime, the system is weak and full of errors and of all of the attacks that we're looking at, I would say 99% attacked the system rather than the software and that's the problem." It looks like social engineering will remain a persist challenge to the efforts of cybersecurity professionals as well as those building platforms and programs.
You can take a closer look at the slides from this presentation over at Codemotion's Slideshare.