Online attacks against such prominent targets as Sony, Target and Home Depot have brought cybersecurity and digital privacy to the forefront of the national consciousness.
But as the technologies we use grow more sophisticated, so will criminals’ attempts to defeat them, according to Chris Doggett, North American managing director of Kaspersky Lab, a Moscow-based international information security firm. In an interview this month in Washington, Doggett said financial fraud and identity theft pose far more danger to Americans than shadowy hacking groups such as Lizard Squad, which has taken partial credit for breaching Sony’s systems.
He added that no network is ever completely secure – and told a chilling tale of vulnerability on Wall Street. The following transcript has been edited for length and clarity.
Question: What are some of the big issues in cybersecurity now, and what do you see as the top priorities in 2015?
Answer: What we’ve seen is a major acceleration in cybercriminal operations, number one, and then secondarily in cyberespionage operations. Targeted attacks have been on the rise, and they’re now a major part of the threat landscape. That’s something that’s been of a lot of interest to us in the security community and something we do a lot of research on.
The common theme we see is that the actors in a lot of these operations, whether they’re criminals or nation-states, have continued to become more and more sophisticated and more and more elusive. So it’s become harder and harder to uncover these operations, unless they’re folks that want to get recognized.
Q: Which do you see as the more pernicious threat: the Lizard Squad-type hacking groups or state-based actors?
A: I think it was Bruce Schneier who referred to the Lizard Squad guys as being kids playing politics. I think that’s troublesome and certainly in the case of Sony some of the information disclosures are damaging, for sure. But I think the more concerning areas are more primarily based around financial fraud and theft. It’s very clear that organized crime has started to really become a major player in the cyber-threat landscape, so most of these attacks that we see that are major thefts are very sophisticated and involve almost an ecosystem of different players.
In this past year we saw just how deeply these guys can get into the systems. For example there was a major operation that we saw in Eastern Europe, “Tyupkin,” which involved ATM attacks. These guys were basically able to upload malware to ATMs and then send mules into this ATM network and have them walk up to a machine at a prescribed time and enter a code that would bring up a management console that would show them how much money was in each cassette in the ATM. And they could select to dump the cash out of that cassette right into their hands, and then they had to go make a drop. That is clearly a sophisticated attack.
Q: It certainly seems like there have been more data breaches and hacks in the past year. But are there really more, or are people paying more attention?
A: I think it’s both. We’re now seeing 325,000 pieces of new malware daily coming through Kaspersky Labs. We saw a tenfold increase in mobile malware over the last year.
Many of these operations we’ve discovered recently have been going on for a year or several years. But certainly there’s a much higher concentration of them. People are waking up to the fact that systems are fundamentally insecure. The presumption that things were secure, whether it’s their company’s data or their money in the bank, people are waking up to the fact that that’s no longer true. And it hasn’t been for some time.
Q: In a lot of retail breaches, consumers have been hit with fraudulent charges that they didn’t have to pay. Who bears the cost for that?
A: As companies have woken up to the fact that “pretty good” security is no longer enough, they’ve had to really up their defenses and that includes upping their costs, significantly increasing the amount they’re spending on securing their systems and infrastructure. Ultimately, that flows down to consumers. Cybercrime and cyberespionage has a very significant cost: You’ve seen estimates from hundreds of millions of dollars a year to tens of billions of dollars.
Q: Can you tell me about how business needs differ from consumer needs?
A: The challenge for corporations is that they no longer have a perimeter. We used to think about this perimeter where everything was either outside the firewall or inside the firewall, and it was easy to control on a network infrastructure. With mobile devices there’s no longer a perimeter. The perimeter is the device. Because your phone is sitting there on the table.
Q: I’m taking it out of the building, I can download all kinds of apps.
A: Sure, and it’s got direct access into your (company’s) e-mail server, for example. And that’s just one of probably many things you can do with your mobile device. And, yes, you’re taking it into a lot of dangerous environments.
DarkHotel is a specific operation where attackers are targeting C-level executives at major companies, and they’re compromising hotel WiFi networks such that when you go to log into the hotel network, you get into the network and you think you’re on the hotel’s network, but they’ve actually gotten into the middle, so to speak, and your device then tells you, “Oh, you need to download a security patch for Adobe. Click here to update.” And you’re actually executing some malware on your device.
Why are the C-level execs the target? Well, a couple of reasons. First, C-level execs are famous for wanting the rules bent for them. “I know you’ve got your security policies, but just make my iPad works, please!” That kind of thing. And number two, it’s much easier to pick up and anticipate when those people are going to be in that hotel.
Q: I imagine they’re also more attractive targets, too – access to more information.
A: Yeah, unfettered access to pretty much all information in their company. If you’re compromising their devices and using that as a way in, that’s a pretty good bet you can get anywhere you want to go.
To tell you a little story, I used to run a boutique security consulting organization that specialized in doing vulnerability assessments. The thing for me that was most shocking (when) I was talking to the CEO of a company or the VP of security was that I could guarantee them that I could break in. I’d say, “Look, I guarantee if you let us use every tool in our toolbox, including social engineering, that we will find at least one way and usually multiple ways into your organization.” And they’d say, “How can you guarantee that?” Very simple answer. If we don’t succeed we will write you a report telling you we couldn’t find a way in, and you don’t have to pay us a dime.” You know how many of those I gave away for free? None. Not a single time did we fail.
Q: All this inevitably leads to the Sony hack, and I wonder if you’ve had any opportunity to look into that.
A: Well, I'll start by saying my comments reflect an outside view as opposed to an inside view. So nothing that I’m commenting on reflects any relationship that we do or don’t have, or any interaction that our company may or may not have had with Sony. But, yes, I’m certainly familiar with what’s going on and I think it’s another example of where we can say that “pretty good enough” security was totally insufficient.
If Sony, for example, had been monitoring their network flows, they could’ve easily detected that there was a lot of data being exfiltrated from the organization. Fairly easily. That’s one example that as an outsider I can say is common guidance for companies, and some basic, top-10 guidance likely would’ve protected them from that happening.
(The Sony attack) certainly appears from an external view to be not terribly sophisticated. More along the lines of your garden-variety hacking operation than a highly sophisticated state-sponsored cyberespionage group, for example.
Q: So you’re skeptical that North Korea was behind the driving force behind this.
A: I think the way I would put it is, attribution is very, very difficult to do conclusively. And certainly there’s nothing that I’m aware of – in terms of diagnostic information in Sony’s case that provides either conclusive or high-confidence-level attribution to North Korea. Is it possible the Sony attack was a highly sophisticated attack that’s been made to look not so sophisticated and that there have been false flags planted? That’s possible.