
CSO Perspectives: There's more to security than hiding your laptop under your mattress

Jeff Lanza, former FBI Agent, takes the stage. #CSORS17


That's the key theme for this year's CSO Perspectives Roadshow, which hits six cities across Australia and New Zealand.

The opening keynote at the first event, held in Adelaide, was given by 20-year FBI veteran Jeff Lanza, who spent most of his career investigating white-collar crime and representing the FBI in the media. Lanza says we have the ability to detect fraud but wonders why it is still such a major issue.

"We have the technology to prevent fraud, so why are we victimised?"

Lanza says the technology we rely on can fail, or the people involved make mistakes. All of this is made more complex by the increasing number of attack vectors created by the growth of the Internet of Things (IoT). This is exemplified by the emergence of driverless vehicles, such as Otto, a trucking service operated by Uber. And Lanza reminded the audience that a former US Vice President had his pacemaker disabled by doctors who feared it could be accessed by hackers.

To protect your network in the IoT world, Lanza says you need to know what devices are connected to your network and who has access to them, and to ensure the device firmware is kept up to date.

The other key threats Lanza noted were phishing, ransomware, and DDoS attacks. He cited examples such as the Bureau of Meteorology, ABS and Dyn attacks last year. And with a month of attack capability now costing hackers about the same as a coffee and a muffin, it is trivially easy for attackers to launch attacks against targets.

Ransomware has had some significant impact. While some cases, such as US hospitals paying ransoms, are well known, Lanza also discussed the case of a sheriff's office. In that instance, eight years of evidence files were locked up. The law enforcement agency paid the ransom.

While crime epidemics aren't new, says Lanza, the new criminals are much harder to catch because they operate across international borders in jurisdictions where cooperation with international authorities is not given.

Today's criminals don't use guns and threats to steal. Lanza noted that US$17.2M was stolen from a CEO through a Business Email Compromise (BEC), in which the CEO was duped into authorising a series of wire transfers. Toy-maker Mattel lost US$3M in a similar way, and investment firm Ubiquiti also lost US$50M the same way.

None of those losses were covered by cyber insurance. And most banks indemnify themselves against customer losses where authorised credentials are used to initiate bank transfers.

So, how can these threats be prevented?

Lanza says the threat landscape involves many different parties. He says the process starts with complete and continual education of employees. In a study Verizon conducted on its own staff, 150,000 phishing emails were sent to staff. Almost a quarter of the emails were opened, and more than one in ten users clicked on attachments that could have been infected in some way.

One of the tools used by threat actors is to appeal to emotions. For example, they send messages purporting to come from the tax office or a bank which play on emotions to coax people into clicking.

"Common sense is so important. Never let emotion get in the way," says Lanza.

With CEO fraud, or BEC, one of the most common tools used by threat actors is email domains that closely resemble the real domain. Wire transfers should be verified by phone, and two-factor authentication can also be used to reduce the risk of BEC.
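One way a payments desk can screen the sender of an emailed wire-transfer request for the look-alike domains described above, as an added example (not code from the keynote or from CIO): the trusted domain, the table of character swaps and the sample addresses are all constructed assumptions. A look-alike verdict maps to the phone call-back Lanza recommends; a genuine domain still requires second-factor approval.

```python
import re
from difflib import SequenceMatcher

# Constructed placeholders (assumptions): the organisation's domain and a short list of imitation swaps.
TRUSTED_DOMAINS = {"example-corp.com"}
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(text: str) -> str:
    """Lower-case a domain or label and undo common look-alike character swaps."""
    s = text.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def registrable(domain: str) -> str:
    """Keep the last two labels (assumes no multi-part public suffix such as .com.au)."""
    return ".".join(domain.lower().split(".")[-2:])


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.8) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for a From: address."""
    m = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+)", address.strip())
    if not m:
        return "invalid"
    domain = registrable(m.group(1))
    if domain in trusted:
        return "trusted"
    for t in trusted:
        sld, tsld = normalise(domain.split(".")[0]), normalise(t.split(".")[0])
        # Same brand label under another TLD, a homoglyph swap, or the brand inside a longer label.
        if sld == tsld or tsld in sld:
            return "lookalike"
        # Small edits such as a dropped or doubled letter are caught by the similarity ratio.
        if SequenceMatcher(None, normalise(domain), normalise(t)).ratio() >= threshold:
            return "lookalike"
    return "external"


def transfer_action(address: str) -> str:
    """Handling a payments desk applies before acting on an emailed wire-transfer request."""
    return {"trusted": "process only after second-factor approval",
            "lookalike": "hold: call the requester back on a known number"}.get(
        classify_sender(address), "hold: unknown or malformed sender")


# Constructed sample senders, not taken from any real incident.
SAMPLES = ["ceo@example-corp.com", "ceo@mail.example-corp.com", "ceo@exarnple-corp.com",
           "cfo@example-corp.co", "finance@examp1e-corp.com", "ceo@exampl-corp.com",
           "ap@example-corp-payments.com", "vendor@partner-supplies.net", "not-an-email"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:30} {classify_sender(s):10} {transfer_action(s)}")
```

The registrable-domain split is deliberately crude; in production use a public-suffix list so that domains under suffixes like .com.au are compared correctly.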

Ransomware is probably the most common malware threat today. Delivery of ransomware can occur through phishing, infected flash drives, and malvertising - advertisements that are infected with a malicious payload, says Lanza.

Some ransomware attackers are offering to decrypt files if the infected party will give up two other companies that are likely to pay if infected - a practice known as "snitching", says Lanza.

Even where companies choose to pay the ransom, recovery is not that easy. In the case of the US hospital that paid US$17,000, it received 900 separate decryption keys, making recovery very complex.

Lanza says a good defence has malware detection and user education. A better defence layers a solid backup and recovery process on top of that. The best defence is to have a backup that is protected from encryption.

New types of ransomware now look for backups as well as working data. Effective backup systems are air-gapped from core data. They are also verified - not just the backups themselves but also the restoration process.

However, all those defences are moot against the "enemy within" - insiders who work against the interests of their employers. Their motivations could be ideological or financial, says Lanza.

Finally, Lanza gave some advice for the packed room: lock smartphone screens and use strong passwords. He also said penetration testing was critical and recommended that companies follow the ASD's Essential Eight.