Cyber threats are a living, breathing phenomenon and defending against them requires both technological ingenuity and educating the humans using that technology.
As befitting a tech-focused summit, the recently held CoinGeek Conference in Zurich didn’t shy away from the threats posed by digital bad actors. Bryan Daugherty, Technical Outreach Manager (North America) at Bitcoin Association, assembled a panel comprised of Seth Halloran, Senior Network Engineer, Prime Technology Services; Aaron Jervis, General Manager, ReefIT; Dean Little, Co-Founder & Lead Developer, Bitping; and Danny Pehar, CEO, Web Safe Inc. to help illustrate the dark side of the digital revolution.
Pehar began by noting the evolution of malware from essentially digital vandalism—hackers showing off their coding skills by randomly targeting systems with viruses simply for the pleasure of seeing things break—to a business model with targets selected for the sensitivity of their data and/or the company’s capacity to pay great sums to regain control.
This evolution from vandalism to commerce, together with the publicity surrounding the steep ransoms that companies have proven willing to pay, means the threat isn’t going away. Moreover, the ‘vulnerability environments’ spawned by the growing number of devices on which network data is stored are providing bad actors with an ever-widening range of potential entry points.
Pehar cited the infamous incident reported by Darktrace a few years ago of an unspecified casino that had its network compromised after attackers breached an internet-connected thermometer in an aquarium in the casino’s lobby. Once inside, the hackers were able to access more valuable targets, including the casino’s database of high-rolling gamblers.
ReefIT’s Jervis noted that as recently as five years ago, it was rare for a small-to-medium-sized business (SMB) to be attacked this way. Nowadays it’s constant, in part because SMBs are likely to have less protection than large enterprises. SMBs with more valuable data, such as medical clinics that might have thousands of detailed patient records, are particularly vulnerable.
Pehar added that the costs associated with ransomware attacks aren’t just counted in terms of the ransom paid. There are also legal fees and the loss of trust in a brand; in many cases, the ransom may turn out to be the smaller cost.
Bitping’s Little agreed, noting that the average cost of a Distributed Denial of Service (DDoS) attack on an SMB in 2018 was $78,000, rising to $2.3 million for enterprises. Little noted that there was a major asymmetry between monitoring and preventing such attacks and the cost of reacting to them once they’re underway.
White hats v black hats
Little said his customers include cryptocurrency exchanges, streaming platforms, gaming platforms and other entities for which being forced offline for an extended period represents very high stakes. Bitping allows its customers to stress test their services ahead of time to fully understand their vulnerability.
Bitping does this through what Little calls “a commercial, honest, law-abiding version” of the botnets that hackers use to attack their prey. Bitping works through a distributed network of real user nodes in 70-odd countries who’ve downloaded Bitping’s software and run it on their computers. These users allow Bitping to run tests of its customers’ sites in exchange for micropayments in BSV on a per-use basis.
Major players such as Amazon and Google offer their own testing services but Little says Bitping is optimized for false positives rather than false negatives. If Google tries to hit your website and it says you’re offline, you’re probably offline. But if they say you’re online, that may not reflect reality, because Google lies at the center of the network, while most attacks occur on the fringes.
Little believes Bitping’s network of nodes can offer customers a far more granular and distributed version of data that’s more representative of a company’s end user experience. Little says this can include asking whether “a user in this country with this internet service provider in this location on this device on this OS on this browser can perform this task.”
Little says Bitping wants to ramp up its ability to simulate DDoS attacks to allow for greater testing ahead of time. Bitping is also working on ways to allow customer networks to redirect traffic to other servers to minimize downtime while under attack. Currently, Little says, in most cases the server under attack is the very thing making the redirect decision, effectively melting down while trying to mitigate the meltdown. Not good.
Logging on to BSV
RouterSV was announced as a project prototype last November and Daugherty asked Prime Technology’s Halloran about its capacity to help families detect breaches of their home networks by storing router logs on the BSV blockchain.
Halloran said attackers generally prefer to clear logs to cover their tracks, allowing them to remain in the network as long as possible while masking what they’ve done and how they did it. Putting these logs on an immutable blockchain ensures the preservation of these records, allowing easier and earlier detection of an unauthorized intrusion.
BSV can also ensure that an enterprise’s IT department isn’t contributing to their vulnerabilities through either sloppy workmanship or more deliberate hijinks. Having an extra level of check-and-balance allows you to determine what changes were made to a network, when they were made and who made them.
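The detection idea Halloran describes, worked through as an added example (not RouterSV’s or any panelist’s code): router log entries are hash-chained, the chain head is periodically committed to an append-only anchor store (a plain in-memory list standing in for the blockchain), and a later check of the log on the device against those anchors reveals whether entries were cleared or altered. The log lines are constructed for the example.

```python
import hashlib

GENESIS = b"\x00" * 32  # chain head before any entry


def chain_heads(lines):
    """Running chain head after each entry: head_i = SHA256(head_{i-1} || line_i)."""
    heads, head = [], GENESIS
    for line in lines:
        head = hashlib.sha256(head + line.encode()).digest()
        heads.append(head)
    return heads


class AnchorStore:
    """Append-only stand-in for the blockchain: holds (entry_count, chain_head) commits."""
    def __init__(self):
        self._commits = []

    def commit(self, count, head):
        self._commits.append((count, head))

    def commits(self):
        return list(self._commits)


def anchor_log(lines, store):
    """Commit the current entry count and chain head (e.g. on a timer or every N lines)."""
    heads = chain_heads(lines)
    store.commit(len(lines), heads[-1] if heads else GENESIS)


def verify_log(lines, store):
    """Check the log now on the router against every anchor; [] means it matches them all."""
    heads = chain_heads(lines)
    findings = []
    for count, head in store.commits():
        if count > len(lines):  # entries that were anchored are gone: log cleared/truncated
            findings.append(f"truncated: anchor covers {count} entries, only {len(lines)} present")
        elif count > 0 and heads[count - 1] != head:  # same length, different content
            findings.append(f"altered: entries 1..{count} no longer match anchor")
    return findings


# Constructed sample router log (not from any real device).
SAMPLE = [
    "2021-06-10T08:00:01 dhcp lease 192.0.2.10 -> aa:bb:cc:dd:ee:01",
    "2021-06-10T08:05:43 admin login from 192.0.2.10",
    "2021-06-10T08:06:12 port-forward added tcp/3389 -> 192.0.2.20",
    "2021-06-10T08:07:00 admin logout",
]
```

Anchoring after the second and fourth entries, then verifying the intact log, a log with the last entry cleared, and a log with the port-forward entry rewritten gives no finding, a truncation finding, and an alteration finding respectively.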
Humans suck
Daugherty asked the panel how to strengthen the weakest part of any network’s defenses, namely, people clicking email links without knowing where that link might take them. Pehar agreed that education is often overlooked in favor of technological fixes, and while society mostly gets the impact of cybercrime, people neglect to recognize the probability of being a victim of cybercrime, aka the ‘not going to happen to me’ syndrome.
Pehar cited four key educational planks: 1) What’s the valuable thing you have that bad guys want? If you don’t know that you need to protect your driver’s license number, you probably won’t. 2) What types of attacks are out there and how are the bad guys winning? 3) Where are you most vulnerable to these types of attacks? 4) What to do after an attack.
But when humans fail, Bitping’s Little said early detection was key. Nearly half of DDoS attacks aren’t detected by companies (large or small) within the first hour. Little believes that Bitping’s model of incentivizing its nodes through low-fee BSV micropayments could accelerate discovery of attacks and thus minimize downtime.
Referencing the Fastly internet outage that made headlines last week, Little said that if Bitping’s systems had been in place, the outage would have been detected early enough to prevent half the internet going down. Little said the outage should encourage discussion of how BSV’s data-handling capacity might allow information to become more accessible and the internet’s structure more secure.
ReefIT’s Jervis said he gets depressed when he comes into a situation in which a company has been compromised and he sees that the basics of defenses weren’t in place. Properly securing a network isn’t rocket science anymore, yet inattention to these defenses could mean a business is closed for good within a week.
Jervis added that insurance companies are increasingly asking what digital defenses a company had in place when considering how to settle damage claims. Evidence of a half-hearted approach to defending one’s network can lead to claims being rejected, so even if the attack wasn’t fatal to a company’s fortunes, the damage to its bottom line will linger.