Interview with cyber security expert Stuart Hyde
Stuart Hyde QPM is a retired UK chief constable who has completed a full career with exemplary service and holds an honorary doctorate for his national commitment to cybercrime prevention and detection. He has helped to shape and lead the UK police response to issues on the Internet and has presented his thoughts widely across the globe.
Since retirement, he has delivered a range of training as far afield as Abu Dhabi and is vice president of both the Society for the Policing of Cyberspace (POLCYB) and the High Tech Crime Consortium (HTCC). He is now an independent cyber security and cybercrime consultant and is the regional business lead for the UK Government's Cyber Security Information Sharing Partnership (CiSP).
What do you think the three most significant cyber security incidents were during 2017?
The Equifax data breach, WannaCry ransomware attack and Bad Rabbit ransomware attack.
In September 2017, cybercriminals accessed Equifax’s systems and obtained data such as credit card numbers, Social Security numbers, addresses and birth dates. This breach typifies the sort of dangers that have increased recently, in regards to people getting access to a large amount of data – they’re much more likely to go for large quantities of data, regardless of how good it is. People will then buy the data and use it to identify vulnerable victims or sell it on through the dark web.
In May 2017, a cyberattack was carried out using the ransomware WannaCry stolen from the National Security Agency (NSA). This incident was a straightforward attack for money: $200 - $300 and you could get your data back. Infections were reported in 99 countries, however, in the UK it manifested itself quickly within the health industry. This was because of how connected the NHS systems are and the fact they were using old software or software which hadn’t been updated. That’s why it was referred to as the NHS attack.
In October 2017, a new strain of ransomware bearing similarities to WannaCry was reported in Russia, Ukraine and elsewhere around the world. Nicknamed ‘Bad Rabbit’, it was delivered in the same sort of way as WannaCry but was more sophisticated. It was also about trying to get money by blocking access to operations and only allowing access on purchase of a decryption code. However, I chose this example as precautions were put in place by the security industry very quickly to stop it. Because of the quick response it was an easy one to fix, but it could have been much worse.
How did these incidents happen?
You’ll never be able to replicate exactly how and why a breach took place. It could be insider threat in the broadest sense of the term – so it could be a criminal or someone with malicious intent working on the inside. It could just be someone making a silly mistake – leaving open their database, their access to information, their profile or even leaving important information lying around, like a password. But when you start looking at these sorts of accidental incidents, the vast majority could have been prevented with better cyber education and simple cyber security precautions – and that’s where the clothes peg or a refrigerator or a car; this is an ever-growing list – essentially the population of the world times about five or six. And any device that you can connect to the internet can be used or abused. This is likely to increase because if you’ve got insecure IoT devices, such as CCTV, photocopiers, fridges, etc. they’re easy to dump botnets in once you’ve gained access. And gaining access to IoT devices is really easy, especially if they’re not protected or default passwords aren’t updated. So, again, it comes back to human understanding.
A botnet is basically a robot network. So it’s where a number of robots connect together and each robot is essentially a little bit of space within your computer which has been hijacked by somebody else. These botnets, connected all around the world, then give that individual a massive amount of computing power which they can then use to send lots of emails simultaneously to a specific email account. Email accounts – even commercial ones – are set up to manage only probably around 10 thousand emails over a certain amount of time, so when it suddenly receives upwards of a million at once it crashes.
This is known as a denial-of-service (DoS) attack. Most organisations have some capability to stop it, however, people can now go onto the darknet and purchase a botnet service to carry out a distributed denial-of-service (DDoS) attack, which originates from many different sources. This means it’s not possible to stop the attack by blocking a single source. And, because companies rely heavily on email, any company that only has one mail system is at a huge risk of blocked operations if they haven’t got alternatives they can use.
Why is cyber security not just a concern for the IT department?
Most attacks are not against an IT department, they’re against an individual and that’s an important part of this. In order to have effective cyber security, everyone needs to be aware. If there was a bin on fire in your organisation, you wouldn’t just walk past – you’d be at risk just as much as the organisation and that’s the mindset people need to have in order to minimise the risk of cybercrime and encourage a culture of cyber security.
I also think there’s an increasing risk from an attack taking place or being helped by somebody on the inside. That’s why people need to be aware of activity and understand what that activity could mean. A lot of money is now being invested in behaviour analysis to monitor potential concerning changes, so companies are able to act in advance of an incident taking place.
What are some of the simple steps you can take to secure you and your company?
The basics, like investing in good antivirus software, ensuring data is continuously backed up and increasing general security via passwords, two-/three-step authentication, badging, alarms, locks, etc. are all good places to start. However, a really simple step that’s often overlooked or undervalued is investing in good cyber security education.
As mentioned before, when you look into cyber security incidents and data breaches, the vast majority could have been prevented with better cyber education and simple cyber security precautions. The point we want to get across is that cyber security is serious stuff. It’s not lighthearted, it’s not just for the IT department, it’s for you as an individual; you cannot rely on your IT department or organisation to do everything.
And I think this is the tone we’ve managed to create in our Cyber Security Awareness e-learning training. Because, when it comes to cyber security, it should be treated as seriously (if not more so) than fire safety.
What threats should we be aware of for 2018?
The main major threat in 2018 will be state-sponsored attacks increasing in scale and scope. If you look at Kaspersky, Symantec, Trend, etc. all their annual reports point towards more state-sponsored attacks going on, although covertly. The targets generally tend to be national organisations or those involved in military designs; it’s basically commercial espionage. The way they’ll try to access their target, however, is through the ecosystem of smaller organisations who work with the targets. Anyone could be the link, the route for them to access the data they need and this could be via insecure cloud storage haemorrhaging data, unprotected IoT devices, ransomware attacks, fake invoice fraud, etc.
Fake invoice and CEO fraud is definitely something that everyone should be made aware of for 2018. Like with people targeting smaller organisations to find a way into the larger organisations, individuals in companies will be targeted as a way to gain access to those who work with sensitive data, such as accounts or HR. And they could probably find out who to target from a company intranet or email account. So, basically, someone could be on holiday and the cybercriminal would know this from their social media account. They could then fake a bill and use all the information they’ve found on that individual in order to convince their colleague in accounts of its authenticity and the bill gets paid.
This next one isn’t really a threat, but it’s definitely something people should be aware of and that’s cyber insurance. Although you might have cyber insurance, it won’t cover you if you’re warned that software has to be updated to prevent cyber security incidents and you don’t update it. That’s why simple patching and updating is so important. And this applies to everyone – not just those in IT. You have a responsibility to make sure that your own devices are updated in order to protect both yourself and the company you work at.
Compliance is definitely something else to keep in mind. A few of the research items I’ve looked at have said that compliance isn’t enough to prevent cyber security incidents. So, even if you are compliant with the requirements of certain pieces of legislation, for example the GDPR coming into effect in May 2018, that’s still not enough – you need to be ahead of it. You need working knowledge and a deep understanding to really protect yourself against cybercrime, because compliance cannot possibly keep up with the changes in technology that are happening every day.
How will the GDPR affect cyber security?
I think that accrediting will become more formalised, particularly after the GDPR comes into effect in May. So, regardless of how much experience someone has with computers and IT, they’ll also need to prove they have received formal training to backup their practical knowledge, such as a Certified Information Systems Security Professional (CISSP) course.
One of the bigger issues created by the GDPR will be the responsibility to inform people of breaches. So, if you have a breach, you’ll need to tell the Information Commissioner’s Office (ICO) and the people whose data has been accessed or may have been accessed. But how do you manage this and what should (or shouldn’t) you do – particularly in relation to your clients and their data? If you get it wrong, the ICO will come down on you – for example, if you have a breach and keep quiet about it nobody’s going to defend you from that.
I always quote two examples for this: in 2015 Dido Harding, CEO of TalkTalk, went on television and tried to bluff her way through it. She was badly advised, badly informed and badly prepared. It was a disaster and, because of that, people remembered the TalkTalk issue. Wetherspoons, on the other hand, had a similar breach not long afterwards. The founder, Tim Martin, went on television and was completely honest – he explained that the system was old, it should have been shut down and they were sorry, but the issue had been fixed and they had put measures in place to ensure it didn’t happen again. He came absolutely clean and people forgot about it.
Another of the bigger issue created by the GDPR is the new fining system: up to €20 million or 4% of the company’s global annual turnover. So, using the TalkTalk example, when they were eventually fined by the ICO for their data breach, it was somewhere in the region of £400,000. If that breach had occurred after May this year, that would take the fine from £400,000 to about £53 million. So, in reality, a fine this large would put most companies out of business.
Working in partnership with Stuart Hyde, Virtual College has created a course on how you, as an individual, can help to reduce cybercrime and promote cyber security in your everyday role. Find out more about the course here or contact us for more information.