Keith: That goes back to the initial step of how we have to know the attacker: we have to know who they are, what their capability is and what their motivation is, how they're going to attack you and what they're after. That's all the threat scenario, and once we do that for each, and I've come up with eleven sorts of attack threat actors in mind, with nation state, radical active, like Anonymous, and even disgruntled employee and other sorts. You have to know each one of those, because they may be highly motivated but have low capability, like a college student, right? But if a nation state wants to go after you, like the NSA, you're not going to stop them. If Anonymous wants you, you're probably not going to be able to stop them, and again it's a different way of looking at the environment that we're in, and we now know, because we've taken Stuxnet and other ones that were probably written by government agencies and taken them apart, and other malware we've reverse engineered. That's proper software development that has gone through a rigorous quality process. Who can do that? Nation states that can have armies developing this software to attack particular people.
Sean: I will also go with the bazaar versus the cathedral for that. There are a lot of toolkits out now to create systems, and exploit kits which were saleable for licences by culprits. But then that was leaked. They had this pirated, and it's $15,000 for a licence, and then they released B2 and it has got better capabilities. So the software development thing is also quite broad and there are often outsourced components of it.
Patches on websites are just farmed out to huge armies of people in Bangladesh and so forth.
The market is there to outsource all of this. So what people find is that there is an actor that is hiring, and the talent could know that they're writing malware, or they could be farmed out into operational components, and may not actually be a cyber-criminal as such.
Neil: We're talking a lot about various different technology and all that, but I'm finding when I walk into organisations, because they have purchased X Y Z technology, at a cost of X, they feel that they're in a nice secure place. Fundamentally what I ask organisations is 'Are you aware of your assets?' Not just your systems – it's the information that sits on them. It's the people that access them, and having a controlled environment within that space, and then from there, understanding the risks of that environment. From there you can feed in the technology that is going to mitigate that risk at that stage. Then I find that a lot of organisations tend to go 'oh I must have X' and run off and spend their entire budget on something that is fantastic in its entirety, but not necessarily in that environment.
Sean: And this, Neil, has been happening for decades outside of security as well. If you've got a sales problem, implement some system, and then you realise we don't actually have a sales methodology. So this is not only a security issue.
Neil: One of the usual assets that we always use is brand. We always talk to clients about brand, and I think, Keith, while I agree that a lot of those threat actors you were talking about, most SMBs would say 'you don't have to worry about those'. 'I don't need to worry about Anonymous or hacktivists, because I'm a printing house that prints paper documents, or scans paper documents'.
Sean: We've seen a very large security company be breached as a pivot point in order to get schematics and design from Lockheed Martin, so why wouldn't an SMB or mid-market client also be a pivot point, and therefore they might lose one of their big flagship clients. It's important, but it's very difficult to quantify brand damage or brand as an asset.
Keith: Reading reports like the Horizon Data Breach report, we see that exactly. That's great because it includes the Australian Federal Police, the US Secret Service, the UK, NZ and Dutch, I believe, actual investigations, and they show a lot of what they had and how they were compromised. They've all got bank accounts, and if the security is lame and you can hack their system to go in and move money out, even if it's thirty grand or sixty grand, not bad for a day's work, and we've seen that happen with municipal councils, and things like that where they can go in.