Last year, the WannaCry cyberattack showed the world the rapid and destructive power of cybercrime. Targeting vulnerabilities in older versions of Microsoft Windows operating systems (OS), the virus rapidly spread between computers and networks all over the world. As a result, hospitals, banks, businesses and various other organisations in over 150 countries were crippled by the anonymous infection, which locked hundreds of thousands of users out of their computers and demanded ransom payments of $300 in the untraceable cryptocurrency Bitcoin.
At least 12 Australian businesses reported being affected in the initial cyberattack, with more suspected of suffering without informing the authorities.
Frustratingly, Microsoft had recognised the vulnerability, and issued software ‘patches’ to fix the hole. Yet many companies and individuals either didn’t install the fixes, or were using unsupported, older versions of Windows, leaving their systems exposed.
This global incident was one of several cyberattacks in 2017 costing about $2.5 billion in ransomware payments, according to antivirus software firm Bitdefender. It highlights a common problem in businesses both in Australia and abroad: a weariness or reluctance to deal with cybersecurity. Studies in the USA have shown that many computer users suffer from what is known as ‘security fatigue’: they feel overwhelmed, even bombarded, by being on constant alert, adopting safe behaviour and trying to understand the nuances of online cybersecurity issues at work. Yet, with cyberattacks on the rise and becoming ever more sophisticated, there has never been a greater need to adopt secure practices.
“A successful cyberattack can cause major financial, reputational and legal damage to companies,” explains Sanjay Mazumdar, CEO of Data to Decisions Cooperative Research Centre (D2D CRC). “Cybersecurity is not just an IT issue — it is the board and executive’s responsibility to focus on the cyber resilience of their business.”
But what should businesses do to protect themselves? Mazumdar suggests they follow the ‘Top 4’ and ‘Essential 8’ strategies published by the Australian Signals Directorate (ASD). “These are simple strategies,” he says. “The mantra all organisations should remember is ‘Catch, Patch and Match’.”
The phrase is an easy-to-remember summary of core cybersecurity actions. If businesses ‘catch’ malicious software by only running a whitelist of approved applications, ‘patch’ their applications and OS with updates, and ‘match’ the right people with the right access, ASD estimates that at least 85% of intrusions can be prevented. As for the remaining 15%, those cyberattacks could still infiltrate security-savvy businesses because current computer systems, no matter how advanced, leave doors ajar for attackers. At the same time cybercriminals are becoming increasingly sophisticated in sniffing out these chinks in the armour and exploiting them.
Because nobody knows where the next breach could come from, it’s critical to have early warning systems so businesses can be told of imminent threats with enough time to protect themselves quickly, thus stemming the spread of cyberattacks.
Organisations such as CERT Australia, the national computer emergency response team, already help Australian businesses understand the cyberthreat landscape and better prepare for, defend against and mitigate cyberthreats and incidents.
“Big data analytics is a critical component of addressing cyberthreats,” says Mazumdar. “It can help with detecting anomalies in a network that indicate malware or Trojan Horse attacks [a computer program that misleads users of its true intent], or in staff behaviour — e.g. downloading unusual amounts of documents — which could be an indicator of an insider threat, like the Edward Snowden leak in the USA.”
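As an added illustration of the staff-behaviour anomaly Mazumdar describes (this is example code, not D2D CRC's system), the following flags a user whose daily document downloads jump well above their own recent baseline. The audit-log format, user names and counts are constructed for the example.

```python
# Added example, not from the article or D2D CRC: per-user baseline anomaly
# detection over a constructed download audit log.
import statistics
from collections import defaultdict

# Constructed sample audit log lines, one per user per day: "date user action count"
SAMPLE_LOG = """\
2018-03-01 alice download 12
2018-03-02 alice download 9
2018-03-03 alice download 14
2018-03-04 alice download 11
2018-03-05 alice download 13
2018-03-06 alice download 480
2018-03-01 bob download 30
2018-03-02 bob download 28
2018-03-03 bob download 35
2018-03-04 bob download 31
2018-03-05 bob download 29
2018-03-06 bob download 33
"""

def parse_log(text):
    """Return {user: [(date, count), ...]} in date order for download events."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        date, user, action, count = line.split()
        if action == "download":
            per_user[user].append((date, int(count)))
    for events in per_user.values():
        events.sort()  # ISO dates sort correctly as strings
    return per_user

def robust_zscore(value, history):
    """Median/MAD based score: a single extreme day in the history cannot
    inflate the baseline the way a mean/stddev score would let it."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history) or 1.0
    return (value - med) / (1.4826 * mad)  # 1.4826 scales MAD to a std-dev

def find_anomalies(per_user, window=5, threshold=6.0):
    """Flag days whose count deviates from that user's previous `window` days."""
    alerts = []
    for user, events in per_user.items():
        for i in range(window, len(events)):
            history = [c for _, c in events[i - window:i]]
            date, count = events[i]
            z = robust_zscore(count, history)
            if z > threshold:
                alerts.append((user, date, count, round(z, 1)))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(parse_log(SAMPLE_LOG)):
        print("ALERT user=%s date=%s downloads=%d score=%.1f" % alert)
```

Each user is compared only against their own recent history, so a bulk-download role like bob's is not flagged while alice's sudden 480-document day is.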
D2D CRC has a number of research streams that may ultimately culminate in revolutionary cybersecurity outcomes. For instance, the D2D CRC Integrated Law Enforcement program aims to build a technology that pools and presents data from government, police, armed forces and intelligence agencies. This has led to the spin-off NQRY™. “NQRY specialises in next-generation investigative tools and effective investigation management solutions for law enforcement and public safety organisations — essentially digitising a law enforcement agency’s lines of enquiry,” Mazumdar says.
Another D2D CRC project — Beat the News — has developed an automatic forecasting capacity for law enforcement and national security agencies. This has since been commercialised through D2D CRC’s first spin-off company Fivecast™.
A world-leading forecasting technology, Fivecast is able to automatically and accurately predict the occurrence of future population-level events such as social disruption, political crises and election outcomes. The Minority Report-like technology looks into the future to predict what might happen, when it will happen and why.
Meanwhile, D2D CRC’s Predicting Cyber Exploits project is developing a system to predict when and how a publicly disclosed vulnerability will progress. With funding from the Defence Innovation Hub, the technology resulting from the project will allow decision makers and system maintainers to proactively mitigate high-risk threats before they are actively exploited by cybercriminals, and respond quickly if and when hackers do attempt to exploit the threat.
Ultimately, this results in national security threats like cyberattacks being detected earlier, and a reduction in the probability of them occurring.
Another way to try to predict a cybercrime is for computer security experts to think like cybercriminals. By understanding the weaknesses and vulnerabilities of computer systems and how they can be exploited, they can get a step ahead of the hackers.
This is exactly what Yuval Yarom from CSIRO’s Data61 and colleagues did to find the Meltdown and Spectre computer vulnerabilities, which were disclosed in January 2018. “By causing the processor to speculatively execute instructions that were crafted for this purpose, we could get secret information from the OS or from other programs,” says Yarom.
Stemming from a design flaw in what is called ‘branch prediction’, where a central processing unit makes an educated guess as to what it will compute or process next, Spectre and Meltdown exploit a vulnerability in devices that are simply doing what they are designed to do. This flaw allows malicious applications to bypass memory isolation in order to access the contents of memory. “Spectre and Meltdown use covert channels to get the secret information,” explains Yarom. The combination of covert channels and branch prediction is what enables the vulnerability and, worryingly, it bypasses traditional security measures, exposing billions of devices.
Although cybercriminals have yet to build functional code to exploit the vulnerability, cybersecurity experts are racing to build patches to protect organisations and individuals worldwide.
Of course, cybersecurity experts would have a much easier job if the computer systems they were attempting to protect were secure by design. Yarom’s Data61 colleague Gernot Heiser has been working on secure operating systems for 25 years. The seL4 microkernel, made up of his 7500 lines of C code (a microkernel being the bare minimum of any OS), was a major breakthrough, as it was the first to be proved mathematically correct, thereby making it practically unhackable by today’s standards. Unfortunately, seL4 is too expensive for widespread adoption.
Heiser’s work now focuses on reducing the cost of seL4 to make it more affordable and to ensure the microkernel is secure against highly sophisticated future cyberattacks. He thinks that by observing the exact timings of actions, extremely talented hackers may be able to steal encryption keys and thereby eavesdrop on communications, or even masquerade malicious code as legitimate services. Heiser is now enhancing the microkernel against these ‘timing side channels’. “Fundamentally we’re developing OS technology for keeping systems secure,” he says.
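An added example of the kind of timing side channel Heiser refers to, not code from seL4 or Data61: a hypothetical token check that returns early leaks, through the number of steps it performs, how many leading bytes of a guess are correct, while a constant-time version does the same amount of work regardless. The token value is constructed.

```python
# Added example, not from the article, seL4 or Data61: a check whose running
# time depends on the secret leaks that secret one byte at a time.
import hmac

SECRET = b"k3y-0f-s3cr3ts!"  # constructed token, not a real key

def leaky_equal(secret, guess, counter):
    """Early-exit comparison: stops at the first mismatching byte, so the
    number of iterations (and the elapsed time) reveals the matching prefix."""
    if len(secret) != len(guess):
        return False
    for a, b in zip(secret, guess):
        counter[0] += 1  # one observable 'tick' per byte examined
        if a != b:
            return False
    return True

def constant_time_equal(secret, guess, counter):
    """Always walks the full length and folds every difference into one
    accumulator; the work done is independent of where the guess is wrong."""
    if len(secret) != len(guess):
        return False
    diff = 0
    for a, b in zip(secret, guess):
        counter[0] += 1
        diff |= a ^ b
    return diff == 0

def work_for(compare, secret, guess):
    """Number of byte steps `compare` performed for this guess."""
    counter = [0]
    compare(secret, guess, counter)
    return counter[0]

def leak_profile(compare, secret):
    """Steps observed for guesses that share 0, 1, 2, ... leading bytes with
    the secret and differ in every byte after that."""
    profile = []
    for k in range(len(secret) + 1):
        tail = bytes(secret[i] ^ 0xFF for i in range(k, len(secret)))
        profile.append(work_for(compare, secret, secret[:k] + tail))
    return profile

if __name__ == "__main__":
    print("early-exit   :", leak_profile(leaky_equal, SECRET))
    print("constant-time:", leak_profile(constant_time_equal, SECRET))
    # In real code use the library primitive rather than hand-rolling it:
    print("hmac.compare_digest:", hmac.compare_digest(SECRET, SECRET))
```

The early-exit profile climbs by one step per correctly guessed byte, which is exactly the signal a timing attacker measures; the constant-time profile is flat, and in production code `hmac.compare_digest` should be used instead of a hand-written loop.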
-Ben Skuse