The message I always give to organisations is that against a sufficiently motivated individual, your network really doesn’t stand a chance,” according to Stuart Clarke, CTO of Nuix.
If that sounds defeatist then Clarke, who has provided expert evidence on digital forensics in civil and criminal courts in numerous jurisdictions, says businesses can take steps to protect themselves, including to contain and reduce the impact of a hack should one prove successful.
Speaking to IFSEC Global, Clarke also reflects on the importance of coordination between physical security such as CCTV and access control and security software on desktop PCs.
Sydney-based Nuix, which has offices in 45 countries, offers services in cyber security incident response, insider threats, litigation, regulation, privacy and risk management.
In the following Q&A the erstwhile head of forensics and technical operations at Millnet also discusses the much-underestimated insider threat and the challenges posed by the internet of things.
IFSEC Global: Please tell us a bit about your background, Stuart?
Stuart Clarke: After studying a digital forensics degree I joined a private organisation as a sandwich on the degree to do computer forensic investigations.
In the early days that was a lot of work on behalf of the police, investigating various different crimes. But increasingly what was happening in the industry was large organisations with a web presence were being hacked.
And PCI information, some payment card industry information such as credit cards etc were being compromised, so we were engaged to do those investigations.
I started using Nuix, in around 2007, not really for investigation work but more generic data analysis tasks. I always thought Nuix could be very useful in the cyber security space but never really felt it was the right time. Instead I was writing my own scripts, my own utilities, to investigate these PCI breaches.
Over two years ago now I approached Nuix with the idea that I think the industry and the products are ready to move into cyber security. I joined Nuix as director of cyber security and investigations.
Since then I’ve spearheaded their cyber security product development offering and services.
Subsequently we released a product called Nuix incident response, which I was the product manager of, and we’re in the midst of developing more products.
We’ve been growing at an incredibly fast rate. We really put a lot of emphasis on developing tools that industry practitioners need and want. That was a big pull to the company for me.
I’ve always had a passion for solving problems and Nuix likes to solve the problems that analysts are facing.
IG: Cyber crime is increasingly on the radar of the IFSEC Global audience – phsyical security professionals who deal with CCTV, intruder alarms, access control…
SC: Certainly in my earlier career, although I was investigating cyber crime, we did try and get people to think about physical security as well. Because with the best will in the world, you put all the encryption in place, our passwords are only on machines, but physical security has a part to play as well to address the cyber threat.
One of the things that is a real drive in the industry now is combining human and machine data. So if for example you use your swipe card to access a building, and you work on your machine during the day, that may be very relevant.
But this comes down again to the intelligence side of things. So if I see activity on your machine on a given day, if I correlate that activity with the CCTV system or swipe card system, and find you haven’t actually entered the building, then suddenly it becomes a cyber issue.
So there are certainly specific reasons why that level of physical security becomes a crossover. And that’s becoming really powerful now as IoT [Internet of Things] comes to the fore. The increasing number of people with dashboard cameras, for example, wearable technology and things like that, really are creating more issues.
IG: The convergence of IT and physical security also has implications for the roles of IT and traditional security professionals and how they’re evolving and overlapping…
SC: They are unique skillsets and I think it really needs to be a joint effort. We certainly found when we were doing investigations that it’s very hard to teach someone to become an investigator, for example. It’s less difficult to teach someone IT skills.
So for that reason it does need to be a collaborative effort. One of the important things to recognise is that regardless of your specialist expertise, you generally are facing a common enemy, that someone is trying to get access to something you’re trying to respect.
Physical security experts have to work closely with intelligence people and cyber people. And that really does give you the best defensive posture, if you like, bringing in all those different skill sets to address that common enemy.
IG: So many massive organisations are suffering major hacks or data leaks. Are big companies still complacent, or is the threat just so amorphous and difficult to guard against?
SC: The message I always give to organisations is that against a sufficiently motivated individual, your network really doesn’t stand a chance. As long as it’s an external facing network, a sufficiently motivated individual with the right resources will find a way in.
It doesn’t always come from outside; it can come from within. The media focuses on hacking; the insider threat doesn’t draw the same attention. There’s several reasons for that, but it’s still a huge risk to organisations. Not only do they have to worry about protecting their perimeter, they have to think about how they protect themselves from within, which is really challenging.
IG: And how can they protect themselves more effectively?
SC: There’s a lot of moving parts, which make it very hard to get on top of this. One of the big things the industry suffers from is a skills shortage.
There’s a big effort now from the government [in the cyber space]. In the past 12 months they’ve put in place initiatives with academia to try and address the skills shortage. It’s something that really needs to be done.
The threat landscape is also changing so rapidly. Roll back to my first forensic investigation, I was investigating a single computer with an eight gigabyte hard drive. Now you probably have a laptop, maybe a PC as well, a tablet, a smartphone, cloud storage etc… it really adds complexity into the mix.
So it’s not to scaremonger to say that security can’t be fixed. It’s a question of if we accept we could get breached, how do we reduce the impact and contain the incident in a timely manner?
And the way we do that is to understand our own threat landscape. So in the industry we refer to protecting your crown jewels, and effectively that could be intellectual property.
That could be customer data. If you can focus on where that is stored, put the necessary protection mechanisms in place and make sure you know who has access to that information, audit that periodicity, then if a breach does happen, not only do you know what your risk factor is, but you can also respond in a much more factual and accurate way.
That really is the approach, and really where businesses need to step towards. Security is not something you buy off the shelf and click a button and it goes away. It’s a very holistic thing to address, really.
IG: What about how individuals can protect themselves? It feels like it’s impossible to avoid having huge volumes of your personal data out there on the web, vulnerable to theft.
SC: We’re obviously a very social world now and we’re almost encouraged to tell people what restaurant we’re in at a given point in time, who we work for, where we live and who our family members are. Aggregate all this information together and you really start to compromise your own identity.
It’s not just the technology issue; it’s an educational and awareness issue too. We really need to leverage educational resources to a greater level.
And they do exist. There are very good, high level resources out there online to help people understand how to protect themselves online.
How much information do you put on the internet? Would you really go into your local restaurant and tell people some of the information you quite happily put online.
I think the message is to update your privacy settings on social media, regularly change passwords, try not to use the same password on multiple accounts. I know that’s challenging but it reduces the threat landscape, if one account gets attacked and only that account has one password and your other accounts have a different password, suddenly the incident is changed a bit.
IG: Passwords are a nightmare to manage and remember. Do you think ultimately biometrics will ultimately replace passwords and solve the problem to a degree?
SC: A username and password is something we refer to in the industry as single factor authentication – so you just need one thing to authenticate. That has it’s vulnerabilities whether it be a passcode or pin code, whatever it may be.
What we need to move towards, and actually it is starting to happen with various different web-mail providers, is allowing users to do two-factor identification.
There could be three levels of authentication: something you know, something you have and something you are. So it could be two-factor authentication through passwords plus biometrics.
Alternatively you log in with a password and are sent a secure code to your mobile phone.
Increasingly we’re going to start to see that and I think it’s a step in the right direction. But it’s a bit slow to the party in my eyes. You’ve been able to do two factor authentication for a while, but it’s not been the most accessible unless you really have a good knowledge of IT. Now it’s being made a lot simpler and more accessible to the average user.
IG: Traditional crime has been falling across the Western World for about three decades. Are organised criminals surmising that cyber crime is both more rewarding and easier to get away with?
SC: It’s a tricky one. There’s not a lot of facts to hand on that.
They are obviously two distinctly different avenues of committing crime, the physical element versus the virtual element. I think because the virtual element is so infant, reporting and detecting on those crimes is still not to a level where it is in the physical world.
Back in medieval times we learned that if we had a moat around the castle it’s suddenly more secure. Gradually we’ve learnt that the more layers of security you put around something in the physical world, it does become more secure.
We’re now going through that evolution phase in the virtual world, where actually the same principles apply. The strength in depth, segregating your security, all those different principles do apply, they just haven’t evolved to the same level just yet.
IG: They’ve recently just added cyber crime to the overall UK crime statistics for the first time, haven’t they?
SC: They have. And cyber issues are increasingly going to impact on critical infrastructure and things like that.
But it becomes quite a vast thing. Do you generically refer to cyber crime as ‘cyber crime’ or do you build little pockets? Cyber fraud online, identity theft etc… so it becomes its own field of crime, of expertise if you like.
IG: Last question now: Is there anything else that’s worth spotlighting in your field?
SC: The growth in the Internet of Things is a great interest of mine because it presents an opportunity for us to learn from the security mistakes of the past. But it also presents challenges in that IoT devices such as wearables are fairly cheap commodities.
A lot of them fall within the £100-£200 range, sometimes less. Really where is the return on investment from a security perspective there?
These things are designed to last maybe 12 months. It presents an interesting dynamic in my eyes. Is the onus on the customer to make sure their security is in place around their wearable devices or on the manufacturers?
And because it’s quite an emerging discipline still it does present challenges, and I hope we learn from the mistakes we made with mobile technology.
IG: What mistakes were they?
SC: Effectively, security was an afterthought. Security has to be built in from the outset. I mean Blackberry technology built security in from the outset and it was fantastic. That really is a model for us to follow. And I’d like to see the same happen with IoT, and I think it’s going to be interesting in 2016 to see where that goes.
The other thing which I think needs to be addressed in the media and in business is the insider threat, as I mentioned earlier.
It’s just a reminder really that security doesn’t just happen on the outside. It touches on various different disciplines and skillsets, and needs to be a combination of technology and people and education and awareness – both at an individual level, all the way up to board level.