With the world on a seemingly deterministic course towards automation and Internet of Things (IoT), the adaptation and integration of new protocols, bots and devices into our work and home environments means individuals and organisations will be increasingly vulnerable to cyber-attacks. We chatted with one of Australia’s youngest rising tech stars, founder of CIO Cyber Security Andrew Constantine on why there need be no rules in cyber space…

By Joanne Leila Smith

In a 2017 report released by Dimension Data, the cyber security sector has been pegged for some serious industry disruption in 2018, with increasingly sophisticated cyber attacks forcing organisations to adopt a ‘zero-trust security model’. This means more robust user authentication measures through various layers of user credentials over a cloud-based platform will be necessary.

Deep learning will aid this process as artificial intelligence and behavioural analytics will help gauge whether attempts to access data is made by an authorised user or an imposter. To punctuate the inroads deep learning is making, Dimension Data pointed to a recent example whereby Google turned off its machine learning toolset, only to discover that the machines were educating themselves to such an extend that they began to create a new language which system developers did not understand. Deep learning provides organisations an added layer of defense over standard authentication models.

We can also expect to see blockchain technology as another tool of the zero-trust model, which will help an organisation to detect suspicious behaviour and isolate the connection until the user has been authenticated.

According to Dimension Data, blockchain is already being used in public key infrastructure (cryptography used to secure emails, websites etc) as a distributed ledger of domains provide better security than a central database.

The report also predicts deception technologies will be further developed to mitigate the vulnerabilities of IoT sensors being maliciously hacked. Deception technologies (sometimes referred to as ‘honeypots’) introduce thousands of fake credentials onto a network, making it mathematically impossible for hackers to gain access to a legitimate set of user identities. Once a hacker taps a fake credential, the tech team will receive an alert that an unauthorized user is loitering inside the network.

To find out more about the world of what’s to come in all things cyber security, we chatted with Sydney-based founder of CIO Cyber Security, Andrew Constantine.

Constantine burst onto the cyber scene in 2014 at the tender age of 24, and is on track to achieve a remarkable AUD 100 M trajectory by 2021 with his boutique team of cyber security experts in Sydney’s brightest upmarket precinct, Barangaroo.

According to Constantine, now 26, CIO Cyber Security specialises in cracking security loopholes that may be overlooked by organisations. In 2017, he launched a hand-picked community called ‘Inside the Mind of a Hacker’ whereby his team runs workshops and cyber warfare games for organisations that prefer to adopt an offensive, rather than defensive, cyber security strategy.

“IoT is a major security issue because people will always choose convenience over security, so the challenge is to make something secure but easily accessible. We are third party service provider coming in with an outside view. I mean, it’s great for clients to have large documents on policy, but it won’t prevent an attacker from hacking your system. Nothing ever goes to plan no matter how many times you test, measure, test, identify and test again. When a breach happens, it will catch you off guard. Because of this, we don’t play by rules. We solve problems,” says Constantine.

Constantine argues that for organisations, most threats come down to misconfiguration or lack of knowledge when devices are configured, managed and monitored. He says that if there are a hundred devices in your environment, only five may be configured correctly.

“Another major problem we see is companies with legacy applications running on old hardware, which breaks eventually. If I’m a hacker I’ll find it and exploit that weakness. Unfortunately, no one cares until there’s a problem. A CEO won’t sign off on a security budget unless they can quantify the ROI. Threats are always going to be there and you can’t manage it all. Threats are threats because they are unknown. This is why I don’t like rules. In the real world there are no rules around this, so why have them when they don’t apply? Documentation doesn’t mean squat in cyber security as we are only as good as our tools,” says Constantine.

According to a June 2017 benchmark research report, ‘Cost of Data Breach Study Global Overview’ sponsored by IBM Security and independently conducted by Ponemon Institute, quantifying value for spend when it comes to cyber security investment presents a persuasive argument.

The report claims that more organizations worldwide lost customers as a result of data breaches, however, the faster the data breach can be identified and contained, the lower the cost to the organisation:

“Organizations were able to reduce the days to identify the data breach from an average of approximately 201 in 2016 to 191 days and the average days to contain the data breach from 70 to 66 days. We attribute these improvements to investments in such enabling security technologies as security analytics, SIEM, enterprise wide encryption and threat intelligence sharing platforms. In contrast, security complexity and the deployment of disruptive technologies can affect the time to detect and contain a data breach. Although some complexity in an IT security architecture is expected to deal with the many threats facing organizations, too much complexity can impact the ability to respond to data breaches,” (Ponemon Institute, 2017).

The report also argued that disruptive technologies, access to cloud-based applications and data as well as the use of mobile devices (including BYOD and mobile apps) increase the complexity of dealing with IT security risks and data breaches. As shown in the research, cloud migration at the time of the data breach and mobile platforms were shown to increase the cost.

According to Constantine, documentation compliance does not help in a real-life attack. The biggest advantage to combating cyber threats is a passion for knowledge.

“We did a test for a company and it took them six weeks to find out they had a breach. Some companies won’t detect a data breach for 180 days. In my opinion the breach has to be known as its happening or within 24 hours. Anything outside this is a fail. Testing is the most important part to assess real world attack scenarios. To do this, we create cyber warfare games within companies. We drop in a ‘paratrooper’ and no one knows they’re coming except the CIO. We create a crisis and get the IT team to resolve it. It might be a virus or ransomware and we assess how they respond,” says Constantine.

For those who don’t know, a data breach is defined as an event in which an individual’s personal details or debit card is potentially put at risk—either in electronic or paper format. According to the Ponemon Institute study, three main causes of a data breach were identified: malicious or criminal attack, system glitch or human error. A compromised record is defined as information that identifies an individual whose information has been lost or stolen in a data breach. One example is a retail company’s database with an individual’s name associated with credit card information and other personally identifiable information. The report claims that Almost half of organizations represented in its research (47 percent) identified the root cause of data breaches as a malicious or criminal attack.

The report claimed that organizations in Australia, the United Kingdom and Germany were able to limit the number of customer records lost or stolen and, as a result, had lower costs. Whereas, countries in the Middle East and the United States experienced a higher percentage of customer churn due to breaches and had higher associated costs. Organizations in Brazil, India, the Middle East and South Africa had data breaches involving more lost or stolen records, which increased their costs. In short, the more records lost, the higher the cost of the data breach. Cost analysis revealed a relationship between the average total cost of data breach and the size of the incident.

In this 2017 study, the average total cost ranged from USD1.9 million for incidents with less than 10,000 compromised records to USD6.3 million for incidents with more than 50,000 compromised records. In 2016, the cost ranged from USD2.1 million for a loss of less than 10,000 records to USD6.7 million for more than 50,000 records. This indicates that faster the data breach can be identified and contained, the lower the cost.

“On average it takes 167 days before anyone detects a data breach. Part of being ‘combat ready’ is to know your hacker. 95 percent of an attacker’s time is spent in reconnaissance. The hacker will research all publicly available information about your business. If they can identify devices used by your business, the next step will be to identify vulnerabilities. The weakest link in the business are colleagues who deal with external people every day, because these are the ones that can be compromised by being tricked into giving away seemingly innocuous details to a hacker posing as someone else,” says Constantine.

According to Constantine, hackers are strategic planners with more than one trick up their sleeve.

“Hackers research. They are motivated and passionate people. They love challenges and usually don’t want financial gain – they are proving a point. Hackers become hackers because of hands-on experience. They trial, error, test, break, repeat. We need to do that too,” says Constantine.

Interestingly the Ponemon report found that malicious or criminal attacks mostly target Middle East and U.S. organizations. Fifty-nine percent of breaches in the Middle East and 52 percent of breaches in the United States were due to hackers and criminal insiders. Only 40 percent of data breaches in Italy and South Africa were due to malicious attacks.

Italian and ASEAN organizations have the highest percentage of human error at 36 percent and 35 percent, respectively.

German and Indian organizations were most likely to experience a data breach caused by a system glitch or business process failure (34 percent and 33 percent, respectively).

Constantine argues that preparedness for clients is about being comfortable with being uncomfortable when it comes to cyber security.

“You can’t keep doing the same thing. It’s important to keep trying new test scenarios to keep your team at the peak of their game. We test everything every ninety days for our clients. Having a high-performance IT team will be your best offense and defense. For me, it comes down to talent because talent speaks for itself. Better to have one Michael Jordan than a team of ten ordinary players. In cyber security, a company should aim for a lean, dream team,” says Constantine.

We asked Constantine why a potential client should pick his team over a tier one player like Deloitte or PWC?

“Because we’re fucking awesome.”

Enough said.

For those interested, check out Constantine’s next workshop, Inside the Mind of a Hacker on Thursday 22nd March 2018 at the Four Seasons Hotel, Sydney Australia.

Download the PDF version of Andrew Constantine – The Cyber Fire Starter