Darktrace, a cyber security firm founded by senior members of the UK government’s cyber community (GCHQ and other intelligence agencies), recently gave a series of talks for Digital Jersey. They discussed the sophisticated attack methodologies and current state-of-the-art technology in the cyber crime world, together with how governments and businesses might protect themselves.
The key learning points are discussed below:
Cyber crime and the role of the board
Cyber crime should be treated by boards as an economic issue and not a technological one. The impact of a breach can fundamentally damage a business’s ability to operate, its reputation and its balance sheet. As such, boards should treat the subject with a broad lens rather than an IT-specific one, evaluating all aspects and stakeholders. Attacks can come from an almost unlimited range of sources, including staff with legitimate access to data (that they subsequently misuse) and supplier networks. Often trusted partners are attacked as part of a strategy to gain entry to a business upstream.
At one time hackers were thought of as basement-dwelling teenagers, compromising systems to take them for a virtual joyride. However, hacking has developed considerably over the last ten years from a hobby into a controversial mainstream activity. The emergence of hacking groups (socially or politically motivated) and collectives like Anonymous is the result of a maturing industry, which gives some clues as to what we might expect in the future. Sophisticated attacks will be launched on whomever they deem appropriate, with the results widely publicised for maximum damage. Other groups are increasingly seeking to commercialise their skills, which can be purchased and applied with relative ease, giving anybody with a motive the ability to launch a sophisticated attack. In response, businesses have implemented a range of security processes. Prudent companies, however, work from the premise that their network is already compromised and include an element of forensic management in the overall security matrix.
Security from a national perspective
Given that the digital entry points to Jersey are both known and manageable, it could be possible to create a virtual steel ring round the island to protect the jurisdiction. This would add a layer of management and security, making the jurisdiction safer for business by identifying threats sooner and communicating them to ensure businesses are suitably fortified.
Cyber criminals take advantage of businesses’ lack of desire to discuss and share the nature of breaches. This means that attacks are successfully re-launched against other businesses, in the knowledge that details of the attack vectors will not have been shared. Despite the obvious business benefits, a forum for sharing these details does not exist yet. The development of a cyber learning community could be highly effective in the propagation of timely, relevant intelligence to help the community combat similar attacks.
Business continuity at a national level
Globally we are ever more reliant on technology, much of which is delivered over the Internet, resulting in both ubiquity and efficiencies. However, as more systems are delivered via this medium it becomes easier to lose perspective, both of the overall reliance on the Internet and the implications of life without it. A denial of service could come through criminal intent, but just as easily by other means such as natural disasters.
In a recent simulation by the French government, in which the disaster scenario was a fire in a major IP peering point, the country ground to a halt within six hours and the simulation had to be stopped. A number of key learning points stemmed from this exercise, the most significant of which was the reliance of key systems on the Internet without viable alternate solutions. Clearly then, business continuity planning and desktop scenario testing are just as applicable to governments as they are to business; in fact, they are arguably far more important.
Progressive governments such as Estonia’s are enabling eGovernment solutions; however, they have been successfully attacked and taken offline. What can be done to protect against such a situation? When it comes to a country’s security, one possible solution could be to have a parallel cloud-based disaster recovery solution (possibly with reduced functionality), so that in the event a country is compromised, key functions could be run and administered remotely.
In future, as society becomes more reliant on data services, after a regional or national crisis, the pressures to restore Internet connectivity will dwarf what we see today. There are early manifestations of this beginning to develop as aid organisations treat deploying mobile phone towers as part of aid packages to accelerate rebuilding disaster zones.
Organisations today have a huge amount of information. Some of this information is highly structured (for example, CRM systems) and other data exists in an unstructured form across a wide range of systems such as email and file servers. At the same time, some data needs to be easily shared (press releases, for example) and other data, such as private medical or tax records, is highly confidential and subject to data protection requirements.
Given the cost and complexity involved, anyone seeking to protect all this information equally is going to struggle to do so. To address this, organisations need to look to classify their data and identify the information assets that are most valuable to them. This may be because of the competitive advantage obtained by holding the data, or the cost to the business of losing it. Once this has been done, controls and monitoring can be designed to provide the greatest protection to these 'crown jewels'.
That does not mean ignoring the rest of the business – just applying appropriate levels of control and starting with the basics first, building maturity over time.
Education has a key role to play in cyber crime prevention: students should be exposed to the potentially dark side of the art and guided towards ethical behaviour, with the curriculum addressing this at multiple stages.
An extension of Jersey’s existing values
Jersey has a reputation for being a safe and stable jurisdiction and we have an opportunity to extend this in the virtual world to create a technologically advanced society that is expert at protecting data and preventing cyber crime.