A Conversation with Intel Security

Douglas Cooke

Douglas Cooke, Director of Sales Engineering, Intel Security Canada

July 4, 2016

Northern Micro sat down with Douglas Cooke, Director of Sales Engineering with Intel Security to discuss what Intel Security is doing to address the new realities of cyber-security. What follows is the first half of their conversation.

Who should be concerned about cybersecurity in Canada?

Anybody that’s using a computer, even the most basic ones people have in their personal lives, has to be concerned because they have important personal information on their PC, financial information and information about their families – all of which is under attack by hackers.

If you think more about the business community, everybody has to be thinking about cyber security because every business has data and information that may be valuable to somebody else.

The bottom line is that everybody needs to be concerned about cyber-security these days.

Where are these attacks coming from and originating from?

There are some areas with more activity than others – for example, we know some activity comes from Eastern Bloc countries while some activity comes from Asia. So it’s hard to necessarily define exactly where it’s coming from.

It all comes down to money, and in most situations it’s to have financial gain. There’s organized crime doing it, there are individual hackers that are knowledgeable doing their own thing, and there are some nation-state activity that’s happening which is more limited against who it’s being done against. But it’s hackers all around the world generally attacking anyone that’s out there.

There’s many different motivations for it, but the primary motivation is financial.

If you were to put an unprotected server on the internet, within a matter of minutes, there would be people probing that system trying to understand if there’s value on that system and compromise the box in order to get information and make financial gain on it.

There’s always activity that’s out there doing things. Some of that’s reconnaissance, and if anything does show up on the internet, there are people that are looking at it and just trying to see what they can find; and on the other side of it, there’s a lot of targeted activity where a hacker group will use specific campaigns against someone in various ways to get credit card data from a retailer for example.

These attacks might be about social engineering to go after someone, but it’s just everywhere. There are really many different motivations for it, but the primary motivation is financial.

What are the most common types of attacks that that businesses should be concerned about? 

There are a few categories for these different attacks. There’s a lot of malware that’s used out there that’s used by less sophisticated hackers, and this is malware that will do different things – keyboard streams for example – so they can get onto a system.

There’s a wide variety of viruses and malware mainly trying to get a presence in an organization from where a hacker can get a foothold and do other things like extradite data. That’s all out there, and all the malware that’s been used in the last 5-6 years gets used over and over again in different ways.

There’s lots of variance of those types of viruses. So there’s a lot of activity in that way; but just in general, companies have to be concerned about it, and a majority of that will have issues on production because it could make the systems and environment unstable. It could be gathering data off their systems for example.

One of the things that’s very interesting these days is ransomware where a hacker will use some type of mechanism to get control over a workstation; or if they’re lucky enough to get a server where they get control, they can  put a stream up that says, “I’ve encrypted your data. If you don’t forward me money then I won’t give you access to your data back.”

Newspaper Headlines - Intel Blog Picture

News articles detailing ransomware attacks across Canada.

Ransomware is a new thing that’s getting lots of publicity, and it’s very troubling for companies because it can severely impact their ability to continue their business.

Isn’t using a firewall or antivirus enough to protect businesses from these kinds of attacks?

This is something that has changed in the past few years – the technology that’s been used previously is just not effective enough.

The firewall marketplace in particular has gone through many changes which first started many years ago, and firewalls we’re initially a very crude mechanism to say, “I want my organization to be able to reach out and talk in this way to the internet,” and you could sort of filter what happened inside and outside of your organization.

Typically what you want to do is filter the majority of access that was coming into your organization to be extremely limited; and before the internet, computer systems were tout between companies; but you would only allow point-to-point connection. You would only allow these computers to talk to these versions and specific computers and really tie it down.

And that’s what the security industry is: it’s an arms race.

Because of the internet, overtime you had to open things up and a firewall could only work on a protocol level. It was missing things because people would hide things in this older HTTP protocol. What you would traditionally do was look at the protocol against this system or that port and shut it down; but if there was something inside the protocol, you couldn’t have visibility of it.

So firewalls changed over time, and now they’ve become much more knowledgeable about what’s happening within the protocol: they have visibility and they can filter it even better than they used to. But again, the hackers just get better and they find more ways to get around these newer, better security technologies.

Similarly with antivirus 20 years ago when I started the business, there were only a couple of hundred viruses per month. Each vendor including McAfee knew about every virus, and we could detect and prevent and clean up every virus that impacted users. So unless you were the first user to get it, we could protect everyone else.

The problem now is that there are half a million viruses per day, and vendors like ourselves can’t keep up and evaluate each and every one of them and get information back to our customers about what the latest ones are today. It’s just too big of a problem.

We’ve had to adapt to things; and as a result, the hackers have adapted. That’s what the security industry is – it’s an arms race. We provide capabilities for known tactics by hackers and build technologies to stop what they’re doing. Then they adapt to these new measures, and in turn the security industry has to adapt once more.

Right now, we have to adapt from firewalls which have gone to the next-generation to obtain even more capabilities that are still not good enough; and the antivirus capabilities we’ve had in the past have to be changed and enhanced so that they do a better job. We’re in a constant race.

What are your predictions for the greatest threats in the Canadian IT security space in the next year?

I think what’s most relevant for the majority of governments and businesses in Canada is a general vigilance against the more sophisticated attacks. A big class of those is ransomware right now, but that’s just one class of many.

You’ve just got to have a comprehensive approach, and not the fallacy that one tool is going to do everything.

Some would talk about the growing threat of mobile, and there are new things that are happening with mobile. But I think in general that the main thing organizations have to build up to is the general threat of the sophisticated hacker. That’s the key issue organizations have to spend their time thinking about.

What are the biggest misconceptions that you commonly find in the Information Security space?

I think that the biggest misconception is that a single tool, some silver bullet, is going to solve all of your issues. That some fancy new thing on the network or some fancy new thing at the desktop is going to solve your problem, but that’s just not the case. Maybe there are some new capabilities that are out there that will slow the hackers down for a small period of time, but they will simply learn to move around it and find some other way to get you.

You have to take a complete approach, a strategy approach to security and think of it in a more holistic fashion with a set of properly integrated security capabilities across the network, endpoints, and cloud activity. You must have a comprehensive approach and eliminate the fallacy that one tool is going to do everything.