Bruce Schneier and Rik Ferguson on a mature and dangerous industry.
The Exhibition Centre London (ExCeL), home to the recent Cyber Security Expo, is not a place to inspire romantics. Nestled in the Docklands along the eponymous Light Railway (DLR), visitors from the City of London must pass through the unforgiving landscape of Canary Wharf, where big business skyscrapers are surrounded by a seemingly never-ending construction yard.
It is, however, a fitting locale for discussing the state of cybersecurity. Rapid innovation from the tech sector has seen giants like Google, Microsoft and Facebook spring up as quickly as the skyscrapers that adorn the Isle of Dogs. And like the citadels on the wharf, those firms are surrounded by a brutal, untamed landscape.
But in cyberspace that landscape is unlikely to leave you alone. As Bruce Schneier, CTO at the security company Co3 Systems, said during a well-attended keynote at the Cyber Security Expo: "A sufficiently motivated, skilled and funded attacker will always get in."
His frankness is now common in the cybersecurity community. Public and corporate awareness of the insecurity of modern computing has burgeoned in the last few years, with each breach of a household name (Target, eBay, JP Morgan et al) impressing that fact on us. Like Victor Frankenstein, we have built a machine we cannot control.
How cybercrime came of age
"The way to think of it is that cybercrime has matured as an industry," Schneier said. "There’s a whole supply chain now." Supply chains should be familiar to businessmen, who make use of them all the time, but recently the one specific to cybersecurity has become a fixation among experts, according to Rik Ferguson, vice president of security research at Trend Micro.
The so-called Cyber Kill Chain was developed by defence firm Lockheed Martin, and goes as follows. Hackers first have to do some reconnaissance around the target, often profiling a victim using LinkedIn, a professional social media network. Secondly, they find a point of entry, which according to Ferguson is ten times more likely to be third-party software than first-party.
Spear phishing, in which victims are sent personalised emails, is commonly used to gain an entry point, but compromising websites that a company’s employees frequently browse, known as water-holing, is another popular tactic. From there malware is dropped and installed, and the hackers then connect the victim’s computer to a command and control (C&C) server.
This server allows a hacker to send instructions to a victim’s computer. "Lateral movement" then takes place, in which hackers move around inside the network perimeter and see what other damage they can do. This is frequently combated by segmenting data according to its sensitivity.
Once the hacker is inside and has explored a bit they will try to make off with whatever they can. The final stage of the supply chain is thus dubbed "exfiltration", or as Ferguson has it "stealing your stuff". This complex network shows how sophisticated hacking has become, and points in the direction of how the cybercrooks can be beaten.
Fixing the mess we are in
All the above is taken as read by the cybersecurity community, and anybody who wishes to see it in action can find many reports to that effect on CBR. The next question is equally obvious: what can we do to fix this mess?
As Schneier has it, there is an element of cynicism in how cybersecurity standards are judged these days. "A lot of our security is relative," he said. "If our security is better than someone else’s you’ll do better." It is much like the old idiom: To survive an encounter with a grizzly bear you need only outrun your friend.
Oddly for someone whose job is to hawk security products, Schneier has no intention of flattering his customers. "If you cannot tell the difference between a good product and a bad product you’re likely to pick the cheapest one," he said. "In the 90s we had a lot of firewalls. The ones that won weren’t the good ones."
Many in cybersecurity would like not to see this trend repeat itself. Ferguson wishes companies would take their approach to security from Minas Tirith in JRR Tolkien’s The Lord of the Rings, a towering fortress that sprawls across seven levels. With gates pointing in different directions on each floor, the city was not only difficult to enter, but also difficult to exit.
It would be nice to believe that the cybersecurity of the multinationals quartered on the Isle of Dogs was as labyrinthine as Tolkien’s fictional city. But institutions in cyberspace are less Fort Knox and more public library, with hackers helping themselves to row upon row of records and walking out the building unchallenged. Like Canary Wharf, cybersecurity is about to get the diggers out.