A hacker breaks into a company’s network, gives himself administrator access, then proceeds to steal a bunch of seemingly innocuous documents, bypassing financial records and bank accounts.
To the untrained eye, this makes no sense.
To cyber security expert Charles Widdis, this happens every day and is not surprising in the least.
“If you're a company doing business with other countries, you can expect that you're being hacked – because they want to know your negotiating position,” says Widdis.
The unfortunate thing, Widdis adds, is that many executives who run these companies in Australia don’t accept this really happens.
“I don’t think they accept that there are people whose job it is – they get paid – to take your information. It’s not some guy eating pizza with a bottle of coke in a dark room. It’s an employee in a company that’s attacking you.
“It’s nothing personal, he doesn’t dislike you – it’s just a job. At the end of the day, he goes home, he’s got a family to feed.
“In a previous job, we were dealing with an incident and noticed the attacks would die down almost on the dot at 5pm Beijing time, because the attacker’s gone home for the night. Now, why is there nothing happening today, on Monday? It's a public holiday in China today. The reason you're not being attacked is because he's at home, enjoying his public holiday.
“It’s a real thing and it goes on.”
Are you watching?
Corporate espionage is often depicted as the stuff of movies, but in reality, organisations around the world are having information pilfered from their networks.
Last year, research centre Ponemon Institute revealed it takes companies an average of six months to detect a network intrusion, and a further two months to contain it.
That’s six months of a hacker making their way through your system without anyone noticing, without anyone taking any action.
“Just having antivirus and a firewall, and the fact your machine isn’t going up in a flaming mist, does not mean you’re not being hacked,” says Widdis.
“I’ve seen so many companies in Australia who say, ‘We’re not compromised, we’re OK, we have a firewall’ and I say, ‘So you’re monitoring, you’re actually looking for indicators of a compromise?’ and they say, ‘No, but we have antivirus and I’m sure if we get compromised, we’ll start getting alerts from that’. That’s not how it works.”
Widdis says that at one place he worked at years ago, hackers got in through an old unpatched machine.
“It had just been sitting there for years, unmaintained. The compromise was a publicly disclosed vulnerability that needed to be patched.
“Because that company didn't have good patch management, the computer didn’t get patched; because they didn't have good asset management, no one really knew it was there or what it was doing. It was just sitting there as it always had.”
The machine was compromised in what Widdis describes as “very traditional, very textbook methods”.
The hackers were able to escalate privileges, take control of the administrator account, create additional accounts, and compromise the entire back end, he says.
“They were now administrators on the company’s own network. The company didn't know, and they didn't know for another two years.”
What hackers want
Contrary to popular theory, these hackers do not want your money.
No, there is something far more valuable at a company deliberately targeted by hackers.
“One of the very interesting things, which I think some companies may underestimate, some of the information that was being taken out was very bland and very boring. It’s the kind of information you would say, ‘Who cares about that?’,” says Widdis.
“They targeted the company’s quality management system and a lot of their business process information was being taken out, as well as their research papers.
“The briefing that was given to the company by external consultants was, ‘Well, you need to understand that these third world countries, they can copy the product, but what they don't have is your history. They don't have the reputation. They wouldn't know how you run a business that's a multinational and extremely successful.’
“Sometimes it's not your IT, but maybe it's things you don't put value to. You have a very good business management system, you have a very good quality management system and they want it – why bother building their own when you could just take someone else's?
“The boards and management, they get it that they need to protect their systems, they need to keep the lights on, but I think they continually underestimate espionage and the industrial attack side of it.
“I think that will increase, it’s not going to stop because we're not doing enough to stop it, we're not doing enough to protect ourselves around those areas. It’s not taken seriously.”
A career in cyber security
Widdis has been working in cyber security before cyber security was even a thing, working his way through the ranks in a “very traditional IT career”. He began working on a help desk, moved into network administration, network management, Windows management, and server management. He then progressed to running IT for businesses, and doing design and build work for companies.
It wasn’t until the mid-2000s, Widdis says, that security started to become a topic of concern.
“We'd always been doing patching, of course, and you had antivirus here and there, but it was around about 2005, 2006 that I think things started to turn in the industry and we realised that this security thing needs more than just your system admin guy or someone running around. We actually need someone to do this full time.”
When he had an opportunity to become involved in some fraud work a previous employer was investigating, he took a role as a full-time security professional.
“I don't think I would have even thought of that as a career at the time, that this was a full-time thing. It was more of, there's a role here for someone to do security, and that seemed pretty interesting to me.”
Widdis’ expertise lies in ISM security management frameworks, implementing security frameworks for companies, and policy and governance around security.
“Add on to that, I work very closely with the industrial security, looking after or around industrial control systems, SCADA, manufacturing OT security, those kinds of areas,” he said.
What keeps him up at night
Today, Widdis is the Security Strategy and Planning Manager in the utilities sector, at a major power distribution company in Victoria.
“We don't deal a lot with intellectual property or competitive advantage or things like that. We deal with: you turn the switch and your lights come on – and that relies on us being able to control the power grid, to control the network.
“What frightens me at the moment is losing control of our SCADA systems, of our safety systems; losing control of the ability to operate our infrastructure.
“It's being controlled by a random kid who's hacked in for fun, or it's being controlled by a malicious person who's now saying, ‘We'll give you control back when you transfer 1,000 Bitcoin to us.’
“That's what concerns me.”
Widdis says that in addition to escalated levels of corporate espionage, we can expect to see more ransomware attacks on individuals and a “few more large scale industrial incidents targeting industry, such as power and utilities” throughout the year.
Charles Widdis is an ACS Certified Professional (Cyber Security).
In our CYBER EXPERTS SERIES, Information Age talks to cyber security leaders across Australia and beyond about the biggest threats facing the industry, how they got into cyber security, and what keeps them up at night.