Small-time cyber attacks might target an individual but the bigger prey are merchants holding large numbers of credit card details that you can skim for small amounts month after month, says Earthwave’s Carlo Minassian.
It might be happening right now to your business, and you don’t even know it. In the past year, cyber criminals have breached computer networks at the Pentagon, the Australian Defence Force Academy and the Australian Taxation Office.
And in the past month alone, hacking attacks at Twitter, The Washington Post, The New York Times, Bloomberg and The Wall Street Journal have hit the headlines.
Yet this is just the tip of the iceberg, according to IT security experts. In fact, most victims probably don’t even know they’ve been hit.
The seven-year hack
“Hackers used to do it for the fame but now they do it for the money or to steal data – and they don’t want to be caught,” says Earthwave founder and chief executive Carlo Minassian. “In the New York Times example, the hackers were in there for three months before they were caught.”
That’s a long time for intruders to be inside a corporate network but by some standards it counts as early detection.
McAfee Asia Pacific vice-president Mike Sentonas says three years is not unusual. In one extreme example, hackers were inside a network for seven years before anyone realised something was wrong.
“The motivations have changed and because of that the attacks have changed,” Sentonas says. “You used to see a lot of attacks designed to cause a service outage but now it’s more about monetary gain or stealing information.”
Australian-based Earthwave resells security tools from vendors such as McAfee, Juniper, EMC and Cisco, but its core business is providing detection and response services.
The company owns analytics software that finds unusual patterns in network traffic and also has a secure operations room where it employs security professionals, many of them ex-hackers, who can intervene in real time.
Minassian says that when Earthwave starts monitoring information security for a government or corporate client, it finds a security breach 95 per cent of the time.
In some cases the organisation is unwittingly sending data offshore, while other times trusted staff members are downloading confidential information every night and then covering their tracks.
“IT managers always tell their C-level executives that everything’s good when in reality it’s not,” Minassian says.
“Once we start monitoring you’ll see data leaving your network and you don’t even know it because you’re relying on old technologies to block it.
“The threat landscape has become so much more sophisticated yet organisations and governments are still relying on antique security controls and tools like firewalls and anti-virus.”
He says the reason basic protection software is failing is that the methods hackers use have changed. It is now common practice for malware to be encrypted to avoid detection by anti-virus software and for hackers to launch attacks by renting so-called botnets – thousands of computers that have been previously compromised and can be controlled remotely.
More importantly, the emphasis has shifted to targeted attacks rather than randomly scanning the internet looking for vulnerabilities and this is harder for organisations to avoid – a point echoed by the technical manager for Kaspersky Lab Australia, Sam Bryce-Johnson.
“We used to have the machine gun approach where hackers would go after anything and everything and now it’s more the sniper rifle approach,” Bryce-Johnson says.
Minassian points out that The New York Times had anti-virus software in place but it didn’t catch 43 of the 44 pieces of malware.
“The old thinking is that you can buy a widget to protect you but the whole ideology that protection is the answer is wrong,” Minassian says. “There’s no such thing as data protection – you can assume that you either have been breached or will be in the near future and once you accept that, all that is left is detection and response.”
Sentonas says the services offered by the likes of Earthwave and big four consultancies such as KPMG and Deloitte are good but beyond the budget of small and medium enterprises. He agrees that tools such as anti-virus software are just the starting point and also recommends application-level controls to stop any unauthorised programs.
“A lot of the technology is very reactive and requires updates every single day and that’s hard when it’s a targeted attack and they’re looking for any possible way in,” Sentonas says.
The biggest reason for the huge rise in cyber crime is financial gain. Minassian says the mafia in countries such as China, Brazil and Russia has shifted its attention from drug trafficking to cyber crime.
“It’s all going into cyber attacks because it’s much easier to do and it’s much harder to get caught,” Minassian says. “For me to have to build a lab to make cocaine or grow a plantation of marijuana and take that across borders is much harder to do than to go and steal someone’s money electronically.”
Small-time cyber attacks might target an individual but the bigger prey are merchants holding large numbers of credit card details that you can skim for small amounts month after month, or intellectual property that can be sold to competitors.
A recent study by Konica Minolta suggests that the average cost of a data breach in Australia is $US2.27 million per organisation.
Aside from organised crime, the other source of the rise in cyber attacks is government-directed espionage and warfare. For example, it is now confirmed that the United States, along with Israel, was responsible for the 2010 attack that crippled part of Iran’s nuclear program.
If this is a feature of 21st century international relations, Minassian says Australia is woefully unprepared. While China has 60,000 hackers working directly for the state and the US Pentagon has just increased its hacker numbers from 900 to 4900, Australia’s federal government has just announced the Cyber Security Centre in Canberra with 300 employees in total.
The evidence suggests that the hackers who attacked The New York Times and other news organisations came from China and were targeting individual journalists to find information about confidential sources.
Minassian says attacks come from all over the world but the volume from China “dwarfs” any other country.
The problem of securing intellectual property is not new for any company doing business in China, particularly those manufacturing there.
It’s commonly suggested that business people visiting China have their emails and telephone calls monitored by the state, and Minassian goes so far as to suggest people use old-fashioned tools like pen and paper instead.
The J. W. Nevile fellow in economics at the University of NSW and the author of The Airport Economist, Tim Harcourt, suggests another approach.
Harcourt has not had direct experience with corporate espionage in China but says business people should be more willing to make use of government resources such as Austrade, not just in China but in a whole range of countries and regions including India, Brazil, the Middle East and Malaysia.
“A lot of people have this hairy-chested view that they should make it on their own but you can forget the free market nonsense – the rest of the world is government to government,” Harcourt says.
“It’s some level of insurance and it’s more people on your side. They’re less willing to try something if you’ve got the government sitting next to you.”