Coronavirus and the dark web: if you haven’t experienced a cyberattack yet, you will
Spray and pray, script kiddies, phishing, bring your own network, wardriving. Sounds like newfangled Gen Z lingo, but it’s actually part of the cybercrime lexicon that you need to be aware of to protect yourself and your business.
There is a whole economy on the dark web built upon your stolen data – with an economic cost of approximately US$5t worldwide and US$1b in Australia alone. With the sudden and swift shift to remote working, cyber criminals now have around 40% more “open doors”, wifi weaknesses and gaps in security to exploit. If you haven’t already experienced a cyberattack, you will. There’s a lot of money in this and when it only takes a few seconds to download ransomware script, it’s little wonder we are seeing more hackers and cybercriminals testing our systems.
Hear from Matt Green and Chris Watson, Partners and cyber security experts, as they shine a light on the dark web and what businesses (and more importantly, their people) can do now to ensure they have the right security measures and culture in place to protect yourself and your business from becoming a cybercrime statistic.
Available on Apple Podcasts, SoundCloud, Spotify or within your browser
Welcome to Boardroom.Media. My name is Velvet-Belle Templeman and I'm here talking to Matt Green and Chris Watson, Cyber Resilience Partners at Grant Thornton. Matt’s cybersecurity experience spans across governance, operations, technical testing, controls, assurance and incident response. And Chris has extensive experience in cybersecurity and forensic investigations including 12 years in the City of London police as a detective in the crime scene investigation unit. Today we'll be talking about the dark web economy built on stolen data and how working from home has created a bonanza for cybercriminals. Thanks so much for joining us, Matt and Chris.
Thanks very much.
Now Matt, in this sudden remote working environment with so many people working from home, the dark web really is having a field day. What has set this in motion?
Well, what we have is an exponential increase in people no longer working from the office and there's a number of factors in this, but let's just put a figure around it. Since the whole coronavirus remote working shift occurred, we've seen a 40% thereabouts increase in remote desktop and that's the technology used by a lot of organisations to connect remote employees back to corporate systems. So what we now have is if I'm a hacker, I've got 40% increase in targets. What we have also is remote desktop that's been turned on in a rush. So lots of organisations not prepared for work from home necessarily. So in really short time they've gone from having a network at work to getting people to access their kit from home. And that requires exposing your technology, which is, you know, really complex to the internet once it's exposed to the internet, the dark web, the hacker community, all the nefarious villains that we talk about start trying to get in.
It's just the way they do it. They have tools out there that are scanning permanently for new desktop instances of remote desktop. They have tools to go and look for what they call open ports, which is essentially new front doors. And so they're out there, they're looking for these things. They see a whole bunch of new ones, potentially ones that have been rushed out really quickly so they don't have the right kind of security enabled. They may have already had some vulnerability in their system already and that system that's now turned on and facing the internet allows those vulnerabilities to be exploited from the internet. If we then combine that with the fact that really rubbish passwords such as password one, two, three, welcome one or one two three, four, five, six, are still really common passwords, that's a recipe for high risk, poorly implemented technology and really weak security credentials.
And you sort of wrap that up in COVID-19 themed ransomware where they send out dodgy emails to try and get you to click on the link or download the piece of software to lock your system up. That's a great opportunity for the hacker community in the dark web to roll out their old tricks, which are very effective. We know everything these days can be bought as a service. You know, you buy your music as a service, you buy your cloud storage space as a service. You can buy ransomware as a service. If you want to get a ransomware up and running, COVID-19 themed, you can have that done in 30 seconds if you know where to go on the dark web. So we've got all this melting pot of new things from the hacker's perspective and they've just decided they're going to redouble their efforts because there's lots of targets and lots of targets they'll be successful against.
So on the hacker scale, what should we be preparing ourselves and our businesses for?
That’s a great question, Velvet-Belle. The first thing to think about for any business is actually you are vulnerable. If you haven't already been attacked, you will be attacked. So don't for one moment think that you are not going to be an attractive target or that you're not a big player, so no one's going to be interested in you. The global economy or the economic cost of cybercrime is thought to be around US$5 trillion. For Australia specifically that's thought to be about $1 billion. There's a lot of money in this and that means that everybody is a target, but really, as you inferred there, there is a bit of a scale and depending on the type of business that you are, depending on where you're located, the type of services that you offer, you'll be more or less attractive, to a different kind of hacker and the scale ranges from at one end you have, what are known as script kiddies.
They’re people who literally just download pre-packaged attacks and they fire and forget and they do that for a variety of reasons. It might just be mischievous. It may be that they have a bit of an axe to grind with a particular company, but more often than not they're just starting to look see because they can. Then you get to, I guess, organised crime where in days gone by, you’d have bank robbers going in with shotguns into the bank. Very dangerous, quite a high likelihood of being caught or shot and put away. Now they don't need to go out. They can just perform exactly the same extortion, ransom and fraud, but do it with the comfort of being behind a screen. And then you get onto the James Bond end of things, the state sponsored terrorists where it is very often with state sponsored cybercrimes they’re very often sort of in the news, things where X, Y, Z country has hijacked the internet of another country or they’re behind the bringing down of certain government websites in another country.
So there's a broad range of hackers out there and their skills generally speaking, increase as you go up that scale. So you'd find that the organised crime will have a very professional, well organised, well drilled and very skilled workforce. And then the state sponsored cybercrime, up another level again. So you have to really think about what kind of target you're posing out there. If you're a defence contractor, you're probably going to be more concerned about state sponsored or organised crime because you've got some pretty valuable data in there. If you're the high street sausage seller, you're probably more concerned about sort of more mischievous or malicious attacks and you would put your defence in accordingly.
So the key thing there is in order to understand where you might fit in on that scale, is to rethink about undertaking a risk assessment of what your business does, where you're located and the kind of information that you hold so that you can best prepare yourself for these kinds of attacks. Remember $1 billion is a big pot of money that people are definitely motivated to go for.
And Chris, can I ask you, how does this actually work? I mean, how do cyber criminals identify these vulnerabilities?
Yeah. And Matt already sort of referred to a couple of aspects there, but the number one method for, I guess, starting this whole process off is to get information and the key thing about information is about obtaining the information and I'll touch a bit more on sort of the value of that in the moment. But it’s something like, it's estimated to be 6.4 billion emails are sent a day that are phishing attacks and the whole purpose of those phishing attacks is to lure or to force somebody into giving up some information to have them click a link that takes them to a dodgy site or that downloads malicious software onto the network that they're operating from. The key there is around getting access to information and that information is highly commoditised, it's incredibly valuable.
I think we've all heard of, you know, the dark web, it’s that sort of mysterious thing that's out there. And if you think of the classic iceberg, you've got the internet, which is a little bit poking out that the stuff that the Googles and the news sites that we go to, poking out the top. Then there's a large part which is called the deep web, which is a lot of databases and private information repositories that sit there. But then sitting right below that, right at the bottom of that is the dark web. Now that is in and of itself, its own economy. There’s organised crime, there's the script kiddies and the state sponsored actors that we mentioned before, but they are their own businesses buying and selling information. And again, it’s estimated, it's very difficult to put an actual figure on this because you know, by its very nature, it's dark and unseen, but it’s thought to be doing at least US$500,000 a day in transactions.
Now to try and break that down a little bit further, there's things that these people are after. As I mentioned, it’s information and very often it's personal information that can be used to de-fraud bank accounts or to get money from somebody else. Now, credit cards, one of the key traded items and credit card details and one of the most key traded items out there on the dark web can go from anywhere between 9 and 12 US dollars a card depending on the particular flavour of card and the country of origin. So you see to get up to this billion dollars that we're talking about in Australia alone, that's a lot of credit card information. It's a lot of personal information that needs to be gathered. So these phishing exercises, that's why we see that there’s billions of these being sent out a day.
So this all really must be keeping IT teams up at night, I would imagine.
Without a doubt, Velvet-Belle, and it's important to understand that, you know, IT has a really defined function if you like, in terms of they're usually looking after the things they expect to look after, whether that's a help desk ticket, whether that's, you know, backing up data, whether that's providing a new laptop to a company employee, things of that nature. This shift to remote work has exponentially expanded the environment they have to look after. So in the past where we had a relatively neat and defined network where we could reasonably understand where the network edge was and basically had control over which devices were allowed to connect or indeed, where we weren't doing remote desktop or we weren't exposing our business to the internet in a big sense, the fact that we had a weak password was perhaps less of a risk, for example.
Now it's a really high risk. This quick switch to remote working we’ve probably turned on new technical services. So this might be something that the IT guys have not necessarily been used to managing in the past. We’ve more than likely turned on a bring your own device environment. So if I was in my office and I used a desktop machine and we didn't have a ready supply of laptops, I might be using my computer at home now to access work systems. And we are almost certainly reliant on home wi-fi, and we've moved to this bring your own device and bring your own network construct. So in the past where I looked after maybe one office or multiple offices, I might now be looking after tens or hundreds of networks as opposed to just the two, the four of the six I was looking after when we knew about our little defined environment.
If we combine that with, you know, as I said, weak passwords, combine that with a $5 trillion economy, there's lots of people who want to get in and now IT have to defend against a whole bunch more of security threats and security risks. They might not have the tools to do that as well. Good security does require software to let you know what's going on and if the new remote environment has been rolled out, but we don't have the software to have visibility over it as an IT manager, I'm probably really quite concerned that I don't have security tightly wrapped up like I need it to be. If I then throw in home routers, maybe it's got a default configuration on it where the, you know, the original username and password hasn't changed. That's a weakness. If we talk about, you know, all these connected Amazon Alexas and Google Assistants and things like that. Maybe I've got some wi-fi enabled light bulbs. Maybe I've got a home video camera system for security purposes.
Not all of these devices are designed really well. Not all of them are designed with security in mind. So they too can create weak points. If we then sort of wrap this into a bundle with the phishing emails that Chris referred to earlier, combine that with a weak password as an IT manager, the risk and complexity that I have to manage, not to mention just the geographical spread of my network, that's a real recipe for trouble.
So there's a lot of responsibility for our IT teams then. Now Matt, are all businesses targets or are there some that are more attractive than others?
All companies, all industries, all targets, big or small sophisticated or not, it doesn't matter. You're going to be targeted, as Chris mentioned earlier, and if you haven't been hacked you're almost certain to have attempts at being hacked. And we only have to look to the media to see recent examples, Austal Shipbuilders, Toll Holdings, things like that, they were really prominent cyberattacks on really big organisations. They had, you know, processes and tools and techniques and people in place. So they were, you know, relatively prepared perhaps. But what we've got out there is a community of lots of soft targets as well and that's organisations that haven't really paid any attention to security in the past other than sort of the default settings that come out of the box or some minor tailoring perhaps. And Chris mentioned earlier, if you've got a particular set of IP or something you might be quite attractive.
What we see from our experience is, if I want to say break into the Defence Department, that's probably going to be too hard. But if I want to get the Defence Department's information, I'm going to target one of the third parties that supplies to Defence and has access to that information because their systems may have a weak point that hasn't been covered off or their systems may not be as strong enough or their training of their teams and their staff members may not be strong enough. So I might be successful with a tailored phishing campaign. At the other end of the scale, those script kiddies, the person that goes and buys the ransomware in 30 seconds, they're just going to become part of that. That network of emails going out, doing what we call spray and pray, which is where you just send out volume.
You hope that someone clicks on the link or downloads that bit of software and that your ransomware kicks into gear, encrypts their system, you hope they don't have a backup. And we've seen a number of examples in the press about organisations that have had a ransomware hit them and they don't have a data backup. And then they're liable to have to just pay the ransom or rebuild their systems and they're too often very big exercises. And when you’re paying ransomware it gets you into a whole sort of legal debate as to well, you don't know who you're paying, so can you pay that? Can you pay that ransomware legally? So there's a real challenge around dealing with some of these issues as well. But everyone's a target. Most always organisations will have some sort of vulnerability in there, if it’s not a technical vulnerability. It will be a vulnerability of a staff member who's not fully trained or fully aware and therefore the security risk increases again and again.
Okay. So if we go out and we buy Symantec or Norton 360 or McAfee, would that be enough to stem the tide?
Look, it’s a start and I certainly wouldn't discourage anybody from installing them and running any of those great products, but they are not the complete solution. Matt has already mentioned a number of other different aspects to it. One of the key ones is making sure that you have robust passwords and having been involved in forensic investigations and cybercrime for the last 20/30 years. The fact that we are still routinely using password 123 as one of the most common passwords is both depressing and frightening to be quite honest. So antivirus is a great start but we need to be better educated with it. There needs to be a greater understanding and particularly in the environment of, as Matt has described, it's not so much a bring your own device but a bring your own network. We, you know, companies, are all relying on the end point security or individuals in their homes.
Now these are, you know, somebody has just popped along to JB Hi-Fi bought a router and installed it. It's going to probably be a basic configuration. If somebody has done something with it, they have changed out new passwords or they've created new accounts, they’ve probably given it a simple password. So an education around what security means for the home network is really, really important as well. Switching on multifactor authentication is another key thing that needs to be done. I also wonder whether we might see a bit of a resurgence in some old school hacking techniques such as back in the, I think, Matt, was it early 2000s or mid-2000s, 2005 something like that, there was a thing called war driving and it was quite sort of comical. They were all these articles on how to build a wireless sniffing device out of a tube of Pringles, and you’d see all these script kiddie types wandering around the streets at that time in London with a can of Pringles trying to detect wireless signals that that had very little security on them and then hack into them.
And they would then actually mark a nearby location that indicated what kind of wireless network it was, how secure it wasn't, whether it had been hacked on it so that others could come around and do the same thing themselves to try and get more information. We might see a resurgence in that kind of activity. You know, if you think about an apartment block in a well built up area, it would be child's play to try and find any number of vulnerable wireless networks there that could then be used to get into the organisation. So antivirus, yes, but education is absolutely key. Robust passwords are absolutely essential, wherever you can switch on multifactor authentication.
One organisation that I did an investigation on as a result of some social engineering and phishing, a CFO of an organisation, received an email from somebody who purported to be the CEO of the parent company. As a result of that email, the CFO sent $12 million of the company's money offshore. That company no longer exists now and that's simply down to a lack of understanding around the threats that are out there, understanding how phishing attacks are constructed and asking some basic questions of the information that they're receiving. So if there's one thing that I want people to take away is educate yourself as to the threats that exist out there and how to suitably protect yourself.
I don't think many of us really appreciated the scale of the economy built on these cyber vulnerabilities, which is really being highlighted with so many working remotely. Looking to the future, Matt, how will this experience change the way businesses operate?
So Velvet-Belle, we're seeing a lot of commentary on the permanent increase in work from home. It appears to be working really well. A number of people are liking the social adjustment, the lack of a commute, the ability to be home more frequently, more easily and a sense of feeling that they can, with the right technology, continue to be as productive as they were in an office space. So that's going to drive, I think a permanent shift in what IT teams need to manage. This fragmented nature of the workforce will be bigger than it already is and therefore IT will need to manage things differently. They'll need to put a strategy together around managing a remote workforce. So bring your own device policy. They might even need to extend that to actually how they might educate their users about what a good home network security setup looks like.
So something really basic like that. They might need to increase their own level of corporate security. So they might need some new tools, they might need some new software, they might need a new staff member. These are all future focused things that they need to sort of start thinking about now as we return to the new work environment in however many weeks or months’ time. Most definitely, organisations are going to need to clean up what they've already put out. So if we rushed to put remote desktop out there, we're probably going to have to go back and have a really good look at what our configuration is and whether it's appropriate. What we did see straightaway when coronavirus kicked off was lots of organisations offered up their software tools, at either heavy discounts or even for free for a three or six month period.
A lot of those tools will have been adopted, but IT sort of needs to take a step back now and say, Is this the right product, particularly when this free period is coming to an end, is it the right product and have we actually deployed it properly? Is it deployed in a secure as possible manner? And have we implemented it across our existing IT properly? Just because that's the one I sort of tactically chose at the time, doesn't mean it's the strategic choice that I should retain. And there probably needs to be a little bit of an extension of thinking outside of the IT environment. Lots of organisations will have moved, their workforce is remote but still need to do work with things like paper signing documents for example. So what am I doing as an organisation about the fact that people are now printing these documents at home potentially and disposing of this document, say in the recycling bin.
So we've got to extend our thinking around data security and data privacy as opposed to just information security. I think it's really important that organisations do a bit of a health check around what their security is and what their vulnerabilities are so that they can find them, patch them. As Chris said, do a risk assessment, understand what your risks are. This is all really important to do's on the list for when we return to normal. And then most importantly, training your staff on how to spot security issues, how to deal with security issues and how to behave in a secure manner. Because not only does that help you from an employee awareness perspective and in securing the organisation, but it also helps the end user from a personal security perspective and a security of their home internet and their home technology. And because we all do so much on that now, that's a win-win for the organisation and the staff member.
Some really critical information there. Matt and Chris, thank you for your time.
Thank you very much, Velvet-Belle.