The message was simple: companies should expect to be attacked, according to Telstra chief information security officer Mike Burgess, who delivered his company’s view of the cyber security landscape at the 2015 Check Point Cyber Security Symposium. The threat, according to Burgess, comes from both inside and outside an organisation.
On the external side the threat consists of individuals motivated by fame and fortune; issue-motivated groups looking to protest and make a point online by engaging in hacktivism to steal data or embarrass organisations or governments; organised crime gangs looking to make serious money; and nation states looking to gain a tactical or strategic advantage.
The insider threat, said Burgess, is not simply the morally corrupt individual seeking personal gain by stealing data. It goes far beyond that, and is both simpler and more pernicious than many realise.
Burgess said it was imperative to consider the well-intentioned individuals inside an organisation or its supply chain who do their jobs well and with care, but make mistakes or take inadvertent action that puts data at risk.
The Telstra CISO stressed nothing was really new in this. He made the point that the issue is significant because in an age of connectivity and continuous uptake of technology, crime, protest, espionage and even mistakes come at a scale, pace and reach that is unprecedented.
“It’s what makes cyber security a matter of global importance and makes it a significant issue we have to deal with,” he said.
“I hear many people talk about cybercrime, cyber espionage and hacktivism. Cybercrime is just a crime, cyber espionage is just espionage and hacktivism is just a form of protest.
“But again, because of technology and connectivity, these things can happen at a pace, scale and reach that is unprecedented. The impact can also happen at a pace, scale and reach that is unprecedented.”
Burgess cited the breach of US health provider Anthem, and the loss of 80 million customer records, as an example of this new cyber security paradigm.
“Today, it is a reasonably foreseeable event that someone will attempt to hack an organisation or a network to steal information,” he said.
“Today, it is also a reasonably foreseeable event that someone will hack an organisation to disrupt that organisation. This is a reality we must deal with.”
Burgess outlined two things he felt distracted organisations from dealing with the risk of cybercrime and managing this challenge effectively.
“One of the distraction points I want to talk about is attribution distraction,” he said.
“Don’t get me wrong. I am not saying attribution is not important. I’m not saying you shouldn’t source great technical intelligence and other forms of intelligence to understand the threat and intentions of those looking to steal information or disrupt an organisation. That is incredibly important.
“However, what I observe, what I fear, what I see too much of, are many commentators in the industry and media focus on attribution with very little focus on the root cause.
“No one should lose valuable information where, at the root cause, there is a known remedy. For me that is unforgivable in this day and age. Too much of this distraction around attribution takes away from what we should be focussing on.”
Burgess went on to criticise companies like Sony, Anthem and the US retailers Target and Home Depot for blaming the data breaches they suffered on the sophistication of the attacks the firms fell victim to.
“When I see language like that, the use of the word ‘sophisticated’, I do worry,” he said.
“In most of these cases, there was, at the root cause, a known remedy for that vulnerability or weakness. We know what they are. We know socially engineered emails with a malicious attachment, a link to some injection code or the exploitation of vulnerable web facing code is still the primary method by which these actors do what they do.”