Four years ago, criminals hacked an internet-enabled thermometer in a casino’s fish tank to access a database of high rollers.
The unnamed North American casino had the device installed to help monitor saline levels and water temperature, unaware that it could be used as a back door into its computer system.
For Hugh McGauran, country manager for Ireland at Israeli-founded cyber security firm Check Point, it’s illustrative of how difficult it is to secure your business in an era of connected devices.
“You would be terrified if you knew some of the things that go on,” he told the Irish Independent.
“We’re constantly chasing what the attackers are trying to do. Threat actors never sleep: They can be in any part of the world; they can automate all their scripts; they can run them; they can let them go.”
Criminal gangs have access to data on software vulnerabilities via the dark web, allowing them to trawl random IP addresses to try to get a virtual foothold in an individual’s device or on an organisation’s network.
“These guys don’t know where you are, in the vast majority of cases. They don’t care where you are. With these guys, there are no rules to the game. There is no honour code. It’s a pay day.”
Knowing how many devices are in your corporate environment – and how to protect them – is the biggest challenge facing chief security officers (CSOs) in 2022, he says, with personal computers and laptops making up only a fraction of the potential “attack vectors” used by criminals to access valuable data.
“I’ve seen somebody crack into one of those robot hoovers and they were able to access the camera on it,” Mr McGauran said.
“I’ve seen people compromise a mobile phone by just installing an app [that is] able to listen in to your phone calls, look at your calendar, take your contacts, remotely control your phone.
“You know every door on your house. You know where every window is. How many CSOs can say, hand on heart, that they know every single device that is connected to their corporate environment?
“How many of them can say that they know what vulnerabilities exist within their environment, in every single device?”
Add to that the fact that organisations need to train their staff on how to spot threats, use new security software and hire a team of people – including a CSO – to analyse threats that are detected.
Just ask the Health Service Executive (HSE) – the State’s largest employer – how difficult it is to prevent a cyber attack.
It started with a click, the day after St Patrick’s Day 2021, according to a report by consultants PwC, when a HSE staffer opened a malicious Microsoft Excel file attached to an email.
The attack was not identified until two months later, on May 14 – although some suspicious activity had been detected in the interim – when the criminals detonated their Conti ransomware, malicious software designed to publish or block access to valuable data in exchange for money.
The full cost of the attack is likely to be many multiples of the reported €20m ransom demanded, with the HSE’s IT operating budget of €82m set to almost double in 2022.
The HSE would be “typical” of a lot of organisations that don’t have the resources or experience to deal with cyber attacks, Mr McGauran said.
“It’s not just an Irish thing but we are behind the curve, definitely,” he said.
“The UK got their wake-up call in 2017 with [the Microsoft Windows ransomware attack] Wannacry, and that scared the bejesus out of them and they reacted to that.
“The problem is, it’s not cheap and it’s not easy to do if you are massively under-resourced, as [the HSE] are.”
According to UK-based cyber security firm Darktrace, the average ransom demand rose to $5.3m (€4.7m) in 2021, a 518pc increase on the previous year.
The latest research from Check Point shows that healthcare is the third most-targeted sector in Ireland, with an overall 189pc rise in ransomware attacks in the country in 2021, compared to 2020.
A ransomware attack just before Christmas on the Coombe Hospital’s systems shows “this trend is not going away”, Mr McGauran said.
“In this day and age, several million medical records will fetch a higher price on the dark web than a few thousand customers’ credit card details.
“The ransomware attack on the Coombe should be a stark reminder to all companies to review your defences against this threat. No one is safe.”
Check Point has 81 core products that aim to prevent cyber attacks and gather intelligence on potential threats.
The firm’s founder and chief executive, Israeli programmer and entrepreneur Gil Shwed, is considered the inventor of the modern computer firewall, but Check Point’s products also shield a company’s data if that external defence is breached.
For instance, Check Point experts spent much of the pre-Christmas period patching up what Mr McGauran called “the cyber security industry’s coronavirus”.
In early December, a vulnerability called Log4Shell was discovered in Apache’s open source programming software, Log4j – a popular error logging library used on around 30pc of the world’s web servers – which could be exploited by hackers to control computers remotely.
Within nine days of its discovery, hackers had developed 60 different variants of the software’s weakness, forcing companies like Apache and Check Point to write and rewrite “patches” to protect connected devices.
“It’s like Covid-19 on steroids with a shot of adrenaline in the back end. It’s moving so, so, so fast,” Mr McGauran said.
“All that stuff fascinates me. It’s bloody scary, but it’s fascinated me all along.”
The Roscommon native has been with Check Point for six years.
After secondary school in Leitrim, he got a degree in computer systems in Limerick, an unusual move at the time.
“When I did my Leaving Cert, I think there were maybe seven or eight of us, out of 120, that went into IT,” he said.
“It was and, I’ll be honest, it still is an emerging field.
“I would absolutely love to get statistics from universities on cyber courses today. I would say a lot of people changed their thoughts on the CAO form last May when they saw what happened with the HSE. They went, ‘That’s going to be an industry that’s going to boom in the next couple of years.’”
Mr McGauran has worked in IT for two decades, starting off as a contractor in the public sector in 2001, when the government’s main website was hosted on what he describes as “an old Dell PC with the case half off”.
The EU’s general data protection regulation, in force since 2018, now requires firms to report cyber attacks.
In the last year alone, several Irish-based organisations have been hit, including packaging giant Ardagh, the Technological University of Dublin, financial services firm Fexco and Jones Engineering.
Last year’s breach of the UK’s Guntrader website still haunts Mr McGauran, as it led to the publication of the names and addresses of thousands of firearms owners, including in Northern Ireland.
“We have to assume that, now, somebody has access to a list of 803 people in the north of Ireland that own weapons. That terrifies me.”