Sacrificial lambs and broken windows: Why NZ is so bad at cybersecurity

A nefarious group of hackers clad in their hoodies with cool names like Acid Burn or The Plague could in theory orchestrate a sophisticated Ocean’s Eleven style digital heist to enter the mainframe of a corporate entity.

The far more likely – and admittedly boring – reality is that most successful hacks are conducted by opportunists who essentially break a window at the back of a building and sneak through.

Hackers are, in most instances, the digital equivalent of a person who goes from car to car in a parking lot to find the one that’s unlocked.

The fascinating 2014 hacking of a Uruguayan medical facility by a security specialist offers a clear example of this. The only thing standing in his way was the login details – and they couldn’t have been simpler.

The username? Admin.
The password? Admin.

It’s still unclear exactly how a group of hackers were able to get into the Waikato DHB system in what has been called New Zealand’s biggest ever cybersecurity attack, but a number of recent global events illustrate that hackers aren’t finding it difficult to sneak into large systems that are meant to be secure.

The hacks of the healthcare system in Canada, Toll Group in Australia and the Colonial Pipeline in the United States, and now a DHB in New Zealand, all point to some worrying trends in cybersecurity, according to a local expert.

Safestack founder and CEO Laura Bell, whose storied career includes a stint in counter-terrorism for the UK Government, says the average IT security team in New Zealand is severely under-resourced.

“Our average security team’s size is 1.2 people when it should be 10 times that number,” Bell says.

Bell describes the people who hold these in-house roles as “sacrificial lambs” as they are the first to lose their jobs when things inevitably go wrong.

“As a defender, you have to stop every possible attack,” she says.

“Going back to the house metaphor, you have to protect every window, every lock, every bit of ceiling panel, all at once.

“An attacker only has to slip past one of those things because they’re not trying to find every vulnerability. They just need to find one way to get in.”

Bell speaks from a place of experience. In addition to her highly stressful work with the UK Government, she also spent around five years as a “penetration tester” – the moniker used for someone who is paid by a company to try to break into systems so that they can be improved.

During this period of her career, she quickly learned that the size of the company provided little indication of how secure their networks were.

“I’ve done testing for large multinationals with massive brands and I’ve done testing with tiny high-growth companies that employ just 20 people and are essentially one step away from working in a basement,” she says.

“I’ve seen better quality in some of the younger companies than I have in larger organisations.”

As technology evolves over years, larger organisations will tend to tag things on to their systems that could leave all the data in a precarious position.

“In one area you might have a crown jewels type application that nobody could ever break into, but then literally on the same server there’ll be a marketing site that uses an old version of WordPress.

“Naturally, because of the way things evolve, we might be tempted to just put something wherever we have a bit of space – and by doing that, we create vulnerabilities in otherwise secure systems.”

In other words, we are inadvertently creating the entry points that hackers are continuously scouring the internet for.

Hackers invariably target bigger organisations in the hope of securing a larger ransom from their efforts.

Bell says the issue of whether to pay a ransom is ethically fraught and really depends on the circumstances of the business.

“It’s a really tricky subject,” she says.

“We’re in a muddle because the frequency and the size of ransoms are going up. Companies face a trade-off between how long the breach will impact their business and whether that will cost more than the amount paid in the ransom.

“The problem is that even if you pay, you have no guarantee that they’re not coming back. There is a risk that by paying we actually incentivise hackers to do more of it.

“But, if we look at the big ones that have happened in the last few months, you see the days and weeks it took these organisations to come back to life and you start realising that a few million dollars might be easier to swallow than all the disruption.”

What’s more concerning is that our idea of the hacker, burning the midnight oil and individually looking for insecurities, is as dated as the hoodies we think they wear.

Bell explains that most hacking these days incorporates the use of automated technology that scours countless sites, identifying known vulnerabilities and possible entry points.

“There’s not a lot of human effort involved in finding a target and rolling these things out. They’re basically going far and wide, looking for the right technologies and the right contact details. It just becomes a numbers game,” she says.

“If you can scale that up big enough and you can get enough exposure and make your emails look legitimate, then you’re going to maximise your chances of somebody clicking through. All the technology that we use to build high-quality, fast-paced software in major companies is the same technology you use to spread ransomware around the world.”

A common mistake businesses make to protect themselves is investing in a security system, but then do little to ensure that’s staffed appropriately to keep it functioning at a decent level.

“It’s kind of like the treadmill effect,” says Bell.

“You buy a treadmill and you feel really great because it’s going to make you fit and healthy. But buying a treadmill doesn’t do that. Actually learning healthy habits and taking steps every day to improve your health makes you healthy. You might use that treadmill as part of that, but it’s not the answer alone.

“New Zealand spends quite a large amount on these devices, but not enough on the teams that are meant to support them.”

The reluctance on the part of businesses or even governments to invest heavily in cybersecurity on a continuous basis can also come down to the psychology of grudge payments.

It’s akin to paying insurance in that it requires you to keep paying a set fee in the event that something may go wrong at some point in the future.

No one wants to make these payments, but you similarly don’t want to be caught in the next tech car crash.

And with algorithms scouring the internet and opportunists knocking on all the windows they find, another breach seems inevitable.

As Bell says: “Humans have always been jerks. We have always found ways to exploit or curse or lie to each other to get what we want. The electronic realm we live in now is just an extension of what we’ve always done. We’re just applying new tools to it.”

Source: Read Full Article