Friday 26 Apr 2024

This article first appeared in The Edge Financial Daily on August 21, 2017

KUALA LUMPUR: Last week, the world’s largest container shipping company Maersk revealed that it had suffered up to some US$300 million (RM1.29 billion) in losses after getting hit by the malware NotPetya, which crippled its operations at 76 port terminals around the world for a couple of weeks in July.

Its chief executive officer Soren Skou said the ordeal was “frankly quite a shocking experience” in an interview with the Financial Times. “[For] most business problems, you will have an intuitive idea on what to do. But with this and my skills, I had no intuitive idea on how to move forward,” he told the publication. Maersk expects the losses to negatively impact its third-quarter results.

The spate of ransomware attacks since early 2016 has been relentless, starting from CryptoWall and Petya to WannaCry in May this year and NotPetya in June — so named as it resembles Petya, but built more to trash infected machines’ file systems than to profit from ransom.

Suddenly, organisations realised that everyone is a target, and are scrambling to try to protect themselves. But like Skou said he learnt, sometimes there is nothing that can be done to stop an attack. A more critical lesson here is learning how to respond to and move forward from a crisis.

EY’s Global Information Security Survey 2016-2017 found most organisations spending an average of 70% to 80% on protecting the company, and 20% on understanding the new threats that are coming in. But what it also found was that there was almost no investment in the “react” space, which is what organisations need to do when they are attacked.

“Based on what was seen from WannaCry and Petya, two attacks that happened about half a year to eight months after the survey, organisations are realising they need to know how to manage a [security] crisis, how to respond should an incident occur, the kind of communication they need to send out, how to work with regulators, and how to get back to business as usual. All these questions are now coming up. So, I think spending on the ‘react’ space has been going up,” the global managing partner for cybersecurity services at EY, Paul van Kessel, told The Edge Financial Daily in a recent interview.

While organisations liked to talk to EY about new innovations in the cybersecurity space previously, the discussions are now more about the foundations of their cybersecurity, said van Kessel, “and not so much about the fancy stuff”. Cliched as it sounds, van Kessel said the focus is now back to basics, to get the basic things right.

The Internet of (insecure) things

Besides ransomware attacks, last year also witnessed the attack of the Mirai Virus via Internet of Things (IoT) devices, where reportedly tens of millions of web cameras were used to send simultaneous signals to flood and bring down the server of America’s largest domain name system provider, Dyn. As a result, many popular websites like Twitter, PayPal, CNN and The New York Times were unavailable for hours.

“We are now connecting all kinds of devices to the Internet, and all those devices are basically an entry point because there is no security there. Even if there is already security built in, it’s not possible to maintain it from a central platform like in the IT environment with servers. With servers, if there’s an issue, like WannaCry — which was caused by a flaw in the Microsoft software — we can run a patch and it’s done. You cannot do that with the current IoT devices,” said van Kessel.

There is also no real regulation in the IoT space, said lead partner in EY’s Asia-Pacific cyber practice, Richard Watson. “It’s not like an electrical plug which needs to pass certain certifications to ensure it will work correctly. Anyone can create something to connect to the Internet.”

One C-suite executive of an international bank Watson spoke to recently had shared his worry about all the devices out there that could be used to turn on his infrastructure and launch something like a DDoS (distributed denial of service) attack. “There’s a real sense that the massive [number of] unregulated devices that are coming online have the potential to target traditional businesses that we depend upon,” Watson said.

So with IoT, the risks are going up exponentially, said van Kessel. The picture gets more worrying when coupled with the current lackadaisical attitude of some IoT developers when it comes to security.

“I think we need to recognise that history is going to repeat itself. In IT, which started in the 50s, there was a long period of no security. Everyone was focusing on making it work before people started talking about security, when the IT guys found a ‘blocker’, something done but not important to them. Then, people started to see the added value of security as an assurance or guardian. Now, it’s seen as an integral part of everything we do in IT, without which you cannot do digital transformation or online banking. So, cybersecurity is now a means to make money.

“With IoT, it’s going through the same curve. Now, it’s at the point where security is not [seen as] important, but as something to slow [developers] down,” said van Kessel.

“Maybe in five years or so, there will be security standards that can be applied to IoT devices — like you must have passwords that can be changed. That’s probably the direction of travel, but not today. We are still at the beginning of this whole IoT theme,” said Watson.

Meanwhile, the issue of cybersecurity is increasingly viewed as part of a country’s national security globally, said van Kessel, which results in places like Singapore, the UK and the US starting to build frameworks to capture the importance of that in their national security.

“Another thing we see coming up is governments forcing organisations to come forward with information on breaches because most breaches are not reported now [for fear of] reputations being harmed. But the bad guys are working together — it’s organised crime. The only way to fight back is making sure we at the other side of the fence are also working together. If we don’t, we are not going to win,” he added.

In the meantime, EY has developed a cyber analytics software to detect things like IoT misbehaviour. “You don’t have to rely on just running antivirus on computers, but can look at things like when cameras start behaving strangely, or other Internet devices doing things they have never done before. We have worked on it in the US. Now, we are bringing it to Asia-Pacific, and we have got clients here who are already using it,” Watson plugged.

Unlike an antivirus software, van Kessel explained, it does not rely on recognising a virus’ signature to sniff out the “bad guy”. Instead, it uses artificial intelligence and machine learning to figure out what is normal behaviour and what is not. “Nobody is telling the computer what is normal — that’s based on your data. When your data changes, you get another set of normal behaviour. It doesn’t know who the bad guy is, but will signal deviations to be investigated.

“It works in real time and can see attacks unfolding as they are happening, so it will flag if a computer is behaving abnormally and you can quarantine it off the network. It gives you early warnings of cyberattacks happening, so you can stop them before they incur more damage,” added Watson.
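
As an added illustration of the behaviour-baseline approach described above (this is not EY's software, whose internals the article does not describe), the sketch below learns each device's normal from its own traffic history and flags deviations for investigation. The device names, flow records, robust z-score and threshold are all assumptions constructed for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed history: (device, destination port, KB sent in one hour).
HISTORY = [
    ("cam-lobby", 443, 1000), ("cam-lobby", 443, 1100), ("cam-lobby", 443, 950),
    ("cam-lobby", 443, 1050), ("cam-lobby", 443, 1020),
    ("hvac-2", 8883, 20), ("hvac-2", 8883, 22), ("hvac-2", 8883, 19),
    ("hvac-2", 8883, 21), ("hvac-2", 8883, 20),
]
# Constructed new observations to score against the learned baseline.
LATEST = [
    ("cam-lobby", 443, 1040),   # ordinary hour
    ("cam-lobby", 53, 9000),    # camera suddenly sending bulk traffic to a new port
    ("hvac-2", 8883, 21),       # ordinary hour
]

def learn(flows):
    """Derive each device's 'normal' from its own data: typical volume and ports used."""
    volumes, ports = defaultdict(list), defaultdict(set)
    for device, port, kb in flows:
        volumes[device].append(kb)
        ports[device].add(port)
    profile = {}
    for device, vals in volumes.items():
        mid = median(vals)
        # Median absolute deviation: a spread estimate that outliers cannot inflate.
        mad = median(abs(v - mid) for v in vals) or 1.0
        profile[device] = (mid, mad, ports[device])
    return profile

def deviations(profile, flows, threshold=6.0):
    """Return (device, kind, detail) for behaviour outside the learned baseline."""
    alerts = []
    for device, port, kb in flows:
        if device not in profile:
            alerts.append((device, "unknown_device", port))
            continue
        mid, mad, known_ports = profile[device]
        if port not in known_ports:
            alerts.append((device, "new_port", port))
        score = 0.6745 * (kb - mid) / mad   # robust z-score
        if abs(score) > threshold:
            alerts.append((device, "volume", round(score, 1)))
    return alerts

if __name__ == "__main__":
    for alert in deviations(learn(HISTORY), LATEST):
        print(alert)   # deviations to investigate, not verdicts
```

A baseline relearned on history that already contains the misbehaviour treats it as normal, so the choice of learning window matters as much as the threshold.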


 
