Crime is among sectors showing the impact of digital disruption, a visiting Vancouver-based security research scientist told Computerworld Malaysia earlier this week in Kuala Lumpur.
Another sign of transforming times is suggested by Unisys's latest new research, which noted worries about cyber threats have now overtaken physical security concerns for the first time in Malaysia.
Chester "Chet" Wisniewski (pic below), who is Sophos' Canada-based principal research scientist, talked of how simple it has become to set up an enterprise as an online criminal in the current era of digital transformation or DX as IDC calls it.
In this wide-ranging interview, which is part of a series suggested by this year's gathering of IT leaders at Computerworld Malaysia Security Summit (held earlier on 30 April 2017), certain portions have been left out for security reasons.
So what does it take to get into the botnet business in 2017? He first outlined the current scenario "where the development and distribution of malware has become increasingly commoditised."
Privacy, safety and the Dark Web
With more than 15 years' experience, Wisniewski's role is to analyse and share current security concerns globally. His research into computer security and online privacy is powered by the goal of "making security information more accessible to the public, media and IT professionals. As well speaking, he frequently writes articles for the Naked Security blog, and produces the weekly podcast 'Sophos Security Chet Chat.'
A synopsis of his latest writings draws a picture of multi-levels of attack patterns, now reflecting the physical world: in terms of attack sophistication, state-sponsored attacks are at the top, phasing into a strata of organised groups using leaks from state-sponsored tools, merging gradually to a mass of opportunistic lone criminals.
Digital disruption is muddying the levels of attack and criminals are turning to the cyber world, effectively digitising their attempts to steal, he explained.
"It is now possible in the digitised world for someone with little IT experience to launch an attack within an hour - an IT savvy person can do it in within 5-10 minutes," said Wisniewski. "Crimeware-as-Service has made its presence felt especially from the beginning of this year."
Before he performed a live demonstration on his laptop - in a KL hotel lobby - how simple it is to launch a malware attack now, we spoke a little of the dark web.
Wisniewski admitted that there were many dark web users who did not engage in criminal activities but they used Tor (the browser) for privacy and - in the case of journalists operating in conflict zones - for safety. "I have often taught journalists how to protect themselves on line in such cases and am planning to put together a guide soon."
However, he personally felt that as much as "70 percent of Tor users" may be linked to crime - including drugs, ransomware, and pornography. One random example of goods offered comprised 'premium' priced Ecstasy pills - 30 percent above the average price- orange-coloured pills stamped with a caricature of President Trump.
Wisniewski demonstrated opening an account and going through the motions of putting together a ransomware campaign using Satan - a cloud-delivered crimeware service - that offered menu-driven options including how much ransom to charge, distribution of attack and so on.
He first found Satan on about 16th January of this year. "It's crimeware as a service, and cloud driven. Would-be criminals need not concern themselves with servers, applications, firewalls and even a growing range of enterprise level options are available such as two-factor authentication."
"In most regions, it is not a crime to offer such services as Satan. These type of cloud services have end user agreements that include phrases such as this service is 'offered for educational purposes only,' etc.," said Wisniewski.
"As in some legitimate enterprise solutions, you are even offered discounts. For example, if you infect large numbers of users or help to translate the service for other countries - basically, crowdsourcing translations," he added.
Wisniewski said Satan was one of the longer lasting cloud services "There's a fast turnover of crimeware-as-a-service offerings. Some may not have been as good at malware distribution and some - many make encryption errors. Encryption is really hard to get right. There's only one way to write it - the best way. "
Now that we are seeing a digitally transformed crime 'sector' - opening up field for almost anyone with criminal tendencies - how far behind are enforcement efforts?
"The difficulty in what will be an ongoing battle between the good guys and the bad guys is the lack of robust cooperation and regulatory complexities at the government level," explained Wisniewski.
He confirmed that at mid-levels - at enforcement agency and industry level - there was increasing sharing of information. This has helped in recent critical infrastructure attacks in the energy sector.
Data analytics and machine learning form part of the technology arsenal but how does that sit with the human-machine 'battle'?
Wisniewski talked of IBM's Deep Blue, which eventually beat chess grandmaster Kasparov. "No human will ever best a machine. However, machine against machine is a different matter. Long story short: it was found that when humans worked with automation, the combination was unbeatable. A human-machine partnership will beat a machine. Machines provide speed, volume and automation. Humans bring the ability to see patterns. This human-machine partnership is where we will end up."
We then moved to common attacks against businesses with the question: To pay or not to pay ransom? "Officially, the advice is never to pay ransom," said Wisniewski. This sentiment is echoed by most security professionals such as the recent ransom DDOS threat in Malaysia recently. [See - Ransom DDOS attacks hit Malaysian financial firms: Experts advise action plan for IT]
He said in real life, it was a more complex matter. Recently, an Australian law firm found that the cost of legitimate recovery from a ransomware attack would take a week and about 40,000 dollars of staff time. The firm would not be able to work for that week, of course. The ransomware demand to unlock the files was 1000 dollars. What did they do?...They paid the ransom."
"Do backup and do not pay," Wisniewski said. "Use cloud based document services like Google and other Cloud services."
"Encourage communication from staff. IT should view staff not as problems about to click a phishing email but as alarm bells. Reward staff for flagging suspicious messages. If a certain number get the same type of URL link, you can stop the attack and send out an alert," he said, adding that the use of EDR (enterprise data recorder) tools can supply useful logs that lead to appropriate training.
"Reduce detection and speed up recovery!" said Wisniewski. "IT security is risk management. It's urgent to bring down time to patch and keep on top of cybersecurity hygiene. Thirty (30) days to patch is unacceptable these days. Companies must get this window down to 7 days or less. Go faster: practice how you recover your servers. This is my urgent message - ask yourself: How fast can we recover when the next attack comes?"
For some other local security news, see:
Ransom DDOS attacks hit Malaysian financial firms: Experts advise action plan for IT
WannaCry attacks: Former Malaysian hacker predicted healthcare target
Global ransomware attacks prompt national 'WannaCry' alert from CyberSecurity Malaysia
Crash Override, Industroyer malware: CyberSecurity Malaysia calls for critical infrastructure checks
In Malaysia, worries about cyber threats overtake physical concerns for the first time: Unisys Index
National cybersecurity agency honours Computerworld Malaysia for second year running, wins two awards
The latest edition of this article lives at Computerworld Malaysia.
Sign up for CIO Asia eNewsletters.