Sophos’ Chief Research Scientist talks to Paschal Keogh about fighting the tide of web-based attacks, blockchain hype, and the power of data.
“Most of my friends were born on January the first,” Chester Wisniewski tells me, raising his voice slightly to be audible over the din of his London hotel lobby. Chester is not, to my knowledge at least, part of some obscure cult populated by New Year’s Day babies. Only listing personal details that are absolutely necessary for the task in hand is just one simple way that tech security specialists, who make up the bulk of Chet’s friends, keep themselves protected online. As the Principal Research Scientist at Sophos, Chet may be one of the world’s leading tech security experts, but at the heart of his advice to consumers and businesses is good, old-fashioned common sense.
Chet has worked in information security for thirty years. He consults with businesses, governments, and law enforcement agencies both in his native Canada and abroad. He is well known as a witty and engaging public speaker, and he is the go-to talking head on television news channels when large companies suffer a data breach.
I learn, afterwards, that I am one of twelve interviewers Chet spoke to that day in London. This doesn’t stop him from spending an hour chatting amicably with me on myriad aspects of tech and data security, from blockchain hype to the best place to live if you are intent on breaking through the firewalls of the west’s information systems.
Of blockchain, Chet is an avowed cynic. “Distributed ledger technology has useful applications, but blockchain is a bit of a buzzword right now. For those of us in security, I can’t see that it helps particularly. But it does make tracing criminal activity a lot easier than some criminals believe. Movements of Bitcoin are, by the nature of the technology, recorded for all to see. I would also be concerned that Bitcoin and other cryptocurrencies that are mined in a similar way are vulnerable to 51% attacks.”
Blockchain is often called a disruptive technology but, for many, the only disruption they have experienced is when their IT systems and power grids have come under strain from crypto-malware attacks. “For criminals, these attacks really don’t deliver much financial reward. In many cases, the crypto mined is worth a negligible amount of money. However, companies and individuals on the receiving end of such attacks can experience massive disruption. The criminal requires little or no technical knowledge to infect an IT system with a trojan horse or malware for mining Monero. The information on how to do it is easy to find and Monero mining doesn’t require specialist equipment in the way that Bitcoin does. But even assuming the malware is undiscovered for weeks it is still only going to deliver a small profit that is completely at odds with the huge amount of power consumed.”
Web-based attacks are far more lucrative, notes Chet. “But they are also easier to detect, with large site owners better equipped to deal with this sort of problem. It is the small or medium sized business that bears the brunt of this sort of activity. Crypto-miners are more likely to pursue small businesses because they most likely won’t discover the cause of their IT problems for longer and have less sophisticated IT security in place.”
Chet is ideally placed to offer a perspective on the challenges faced by small businesses. His seminars are widely attended by this cohort and he never ceases to be amazed by how complacent some people are about tech security. “We are used to taking commonsense precautions with our cash and cell phones when we are out in public, but we still don’t believe that we are exposed to risks online. Similarly, we don’t hesitate to report conventional thefts to the authorities, but cybercrime is underreported, which means that countries are under less pressure to put financial resources toward tackling the issue.”
Compounding the problem is the increase in state-sponsored cybercriminal activity in the past few years. “And what we’ve observed is that these high-level, state-sponsored attacks, which often use techniques that are new to us, are copied twelve months later by sophisticated criminals, and then a year after that by the dumb criminals.”
It’s not only the “dumb criminals” that leave a digital footprint. Finding these footprints and following them to their source is thrilling for Chet because getting into systems to steal data or funds is one thing; doing it without leaving a trace is another. “That’s why I always start my seminars with a graphic of a map of the world, highlighting the countries that don’t currently have an extradition treaty with the United States or the UK. If you are going to break in and steal from large corporations or governments, there’s every chance that you’ll be traced. Better, then, to be someplace where you can’t be touched by western law enforcement agencies.”
Very well travelled, Chet has been particularly impressed by the talent he has encountered in Eastern Europe. Indeed, many talented scientists from the former communist Eastern Bloc nations moved westward after the collapse of the Soviet Union. Those that were left behind in the more impoverished and eastward-looking countries have been vulnerable to drifting toward criminal activities. His own grandparents relocated to the United States from Poland and he has a natural affinity with that country. “There are extraordinarily talented technical scientists in Poland. And Russians led the way in data science for many years. I only wish some of these guys would move west and work for us!”
Chet prefers not to use the term ‘hacker’ for those intent on breaking into our IT systems. “Hacking is about testing the limits of something, its boundaries, finding flaws. Hacking is a valuable tool for security specialists. I prefer to use the word ‘criminals’ because it describes more accurately what these people are.”
Are the criminals always one step ahead, as the media often leads us to believe? “Well, there are two ways of looking at that. On the one hand, security only has to be breached once. So tech security may work 99% of the time, but nobody will congratulate you about that fact after the 1% likely attack has just taken place. Obviously, a fully-functioning, secure system isn’t generating news. In fact, it’s not dissimilar to street crime in that public perception is generally more dire than the reality. On the other hand, the criminal often has the odds stacked against him, and if one attempted attack succeeds it doesn’t matter that the other 99 failed.”
As Chet reminds me, data breaches are nothing new. But with the General Data Protection Regulation (GDPR) in the EU and regulatory moves in the United States, corporations now have stricter reporting laws, meaning that we should learn about such breaches in a more timely fashion than we did in the past. “GDPR is a major step forward and places far more emphasis on reporting than was present previously. There are also far greater penalties in place now for companies that operate in the EU. People are far more aware of the risks they face online than they were in the past, and we are beginning to see a greater understanding of the importance of data privacy.”
But with criminals and states adopting ever more sophisticated methods to steal and misuse our data, it must sometimes feel that the tech security industry is fighting against the tide. “Am I allowed to say yes?” sighs Chet. But there are simple steps we can all take to protect our data. “Keep important information offline. My father kept his important documentation under lock and key. If you must have cryptocurrencies, don’t store them online. Write down your private keys and keep the information somewhere safe. Don’t share information that isn’t necessary. A website may need to know that you are over 18, that does not mean you have to have your date of birth noted on your social media homepage. Simple information, such as an address, a date of birth or telephone number, together with a password that’s easy to crack, makes you easy prey to criminals.”
Although he projects a healthy dose of cynicism and humor in our conversation, Chet has an infectious enthusiasm for his work. He looks forward to attending security seminars where he can catch up with his colleagues from around the world, and trade stories about the cleverest (and dumbest) of criminals he has crossed paths with in his working life. With all his tech security knowledge, I can’t help but ask him whether he has ever been tempted to go to the dark side. “Actually, I have my moments!” he laughs. “But really I love what I do, and could never spend my life looking over my shoulder.”
At least he wouldn’t have Chester Wisniewski on his trail, and that surely would give him quite a head start.