company insight
“11-year-old children can launch a DDoS attack against your company for three dollars an hour”
IET.tv and Olexander Hryb, Event Producer at the Institution of Engineering and Technology, met up with McAfee’s Chief Scientist, Raj Samani, to talk about security solutions, preventing the next WannaCry and why it’s childishly simple for an 11-year-old to buy stolen data on the dark net
I was asked once by a journalist: can you come in and show us how ransomware works? We’d like you to come to the studio and show us how you run a ransomware campaign. I said OK, but I’m quite busy; can I send my 11-year-old daughter?
Raj Samani,
McAfee Chief Scientist
He thought I was being facetious, and I do tease people a lot, but I wasn’t being facetious – I was being truthful. My 11-year-old daughter can go on the dark web, and she can run a ransomware campaign. She can buy stolen medical records; stolen credit cards. She can have cocaine delivered to our house. She can even hire a hitman.
We talk about adversaries, and we worry about things like nation states, but honestly, 11-year-old children can go out and run a campaign that can disrupt you. She can launch a DDoS attack against your company for three dollars an hour.
Take the WannaCry incident: 8,000 operations were cancelled. 8,000 people weren’t given medical care because of a malicious piece of software that went out and caused disruption – and we knew how to fix that. It wasn’t new; we knew in March that this is how you could stop this particular vulnerability being exploited.
How do you combine your role as a scientist and industry specialist at the same time?
My job is to help define the technical strategy for McAfee, and that’s very important, but actually we have a role and responsibility in shaping our digital future. For example, there was an email that was opened and an entire country’s power was taken down. So as an industry and as a society, we as security practitioners have a key role in helping safeguard our future.
Whose job is it to protect national assets from hostile attacks, whether from nation-states or hackers?
Quite frankly, if you want to live in a world in which your insulin pumps, your cardiac equipment, your cars are being held to ransom, then let’s just keep doing what we’re doing.
But if you want to properly protect assets, every single person has a role to play. Companies like McAfee of course have a key role to play: we provide the technologies that go into these solutions, but I think the employees have a responsibility to play. I think the companies themselves need to invest appropriately. Equally, government and regulators have a role to play, as does law enforcement.
Institutions like the IET also have a fundamental role: getting people to understand what the fundamental responsibilities of all of us are; giving people the right training; being open and collaborative; sharing best practice.
We need to stop looking at cybercrime as a separate area of crime. It is the evolution of traditional crime. If you look at what EC3, the European Cybercrime Centre, has done, they’ve got established relationships with agencies all across the world. So it needs to be seen as a global issue.
It’s ridiculous that we live in a world in which we had the DDoS extortion attacks, and they went after Bank 1, Bank 2, Bank 3, Bank 4. Why didn’t Bank 1 contact Bank 4 to say that this is happening and please put these protective measures in place? Why do you have to find out later? So every single one of us has a role and responsibility to play.
Who needs to be pro-active – the industry or the regulators?
I think that the regulatory system definitely has a role to play. The market, as well, has a role to play – you read about Sonos for example, stealing your personal data and changing all of their terms of service.
Fundamentally, I think, it starts with us as an industry. I ask this question all the time whenever I speak to an audience, and I’ll say: 'When was the last time you spoke to your CEO?' Generally, there’s one hand that goes up. How many security practitioners do you know that are on the board? How many of them are CEOs, CIOs, CTOs now?
We as an industry have become practitioners that don’t go beyond our discipline. And yet finance and marketing and all these other disciplines are now making the decisions in all aspects of business. So I really want to get to the bottom of why we as an industry are still seen as an IT or technology function.
What more should we be doing to help drive the innovation; to help drive the types of appliances that are going to be keeping us alive, or keep the lights on, or keep the water clean?
Raj Samani will be giving the keynote address at the IET’s Cyber Security for Industrial Control Systems on 7-8 February 2018. Read the full interview at www.theiet.org/cyber-ics
PR nightmares: Ten of the worst corporate data breaches
LinkedIn, 2012
Hackers sold name and password info for more than 117 million accounts
Target, 2013
The personal and financial information of 110 million customers was exposed
JP Morgan, 2014
One of JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m
Home Depot, 2014
Hackers stole email and credit card data from more than 50 million customers
Sony, 2014
Emails and sensitive documents were leaked, thought to be by North Korea in retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un
Hilton Hotels, 2015
Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data
TalkTalk, 2015
The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen
Tesco, 2016
Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts
Swift, 2016
Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve
Chipotle, 2017
Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang