PwC Cybersecurity: CatchMe if you Kan
Felix Kan is a Partner in PwC’s Risk Assurance Cybersecurity Privacy practice with 10 years of extensive experience. Kan began his career as an ethical hacker and has committed his career to helping Hong Kong companies enhance their protections against increasingly sophisticated cyberattacks.
In the second part of our interview with Kan at the Asian Financial Forum, we discuss the future of cybersecurity and we take a deep dive into his innovative attack simulation tool—CatchMe.
CatchMe if you Kan
Cybersecurity teams face the daunting task of fending off increasingly sophisticated cyber attacks and threats, but for a lot of teams the most difficult challenge is trying to articulate the value of their operations to leadership. Along with his team at PwC Hong Kong, Kan developed a real-life attack simulation tool called CatchMe to justify a return on investment and demonstrate the need for enterprises to allocate resources to cybersecurity.
Prior to creating CatchMe, Kan noted that the most popular services offered by the cybersecurity community were cyber health check scans run with standard virus scanning software. He said, “These scanning tools can basically be run by anyone; you didn’t really need technical knowledge, and the results and findings would be the same if you or I did the health check. We felt that we could do more to help our clients understand their specific problems, and the truth about those scans is that they are too noisy—as in hackers can easily detect and avoid them.”
Kan deduced that taking the stance of the hackers and actively trying to penetrate an enterprise’s cyber defences was the most accurate way to ascertain what the organization was doing right and which points of entry needed to be monitored. On Kan’s direction, PwC became the first of the Big Four to run attack simulations on their clients, using their own malware and phishing techniques, to detect and secure any point of failure.
Think Like a Hacker
While Kan could not share any of his clients’ names, he was happy to share a walk-through of a CatchMe use case with one of the major financial institutions in Hong Kong. Kan began, “This client approached us and said they wanted us to run a cyber test simulation and they stated that they wanted a clean report. I was surprised and said that we didn’t really do it that way. But the client was adamant that we would not find anything and told us that they had used a different consultant each year for the last five years and every one of them had given their network and security infrastructure a clean bill of health.”
Upon probing further, Kan deduced that the previous consultants had merely executed the typical network scan and policy review and decided that the IT infrastructure was secure and hackers would be unable to penetrate. According to Kan, this understanding of cybersecurity is prevalent in the community but, he said, “That’s not really how hackers work—they rarely attack the main enterprise infrastructure but instead look for small and less detectable ports of entry, and very often they will attack the employees to gain access.”
To begin the simulation, Kan and his team went to the dark web in search of compromised credentials. He said, “On the dark web you can find over nine billion leaked credentials, which are usually the usernames and passwords of former employees. For that particular company, we found around 100 leaked credentials and 30% of them still worked. In three hours we had identified over 30 viable pathways into that organization’s network.”
Change your Password!!
Kan explained that compromised credentials are often the result of a third-party hack on a website where an employee has registered with their work email instead of their personal one. A common example of this is LinkedIn, a professional social media site where people tend to promote themselves along with their employer. In 2012, LinkedIn admitted its servers had been hacked and over 6.5 million passwords had been stolen.
Another issue Kan noted is that, on average, people have about 10 different online accounts and tend to use the same password for all of them. “People rarely change their passwords, and if a hacker can steal a password from one of their accounts there is a high probability that the same password has been applied to their other accounts.” He continued, “People like to make it easy for themselves to remember, so if they do update a password it is often just changing one element like the year, for instance ‘password2019’ to ‘password2020’. These are very guessable patterns for hackers.”
As advice Kan said, “Think of your favorite song or poem, get the first line of that song and use the first letter from each word. It’s a useful trick and you can easily remember a 20-character password by using that mental cue.”
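The year-increment pattern Kan describes is easy to check for on the defender's side at password-change time. The following is an added example written for this article, not a PwC or CatchMe tool: a password-change validator that rejects a new password when it is the previous one with only a trailing number changed, when it equals the previous one, or when it appears in a small breach corpus. The breach list, the helper names and the separator set are constructed assumptions for the demonstration.

```python
import re

# Matches a trailing 2-4 digit number, optionally preceded by a separator,
# e.g. "password2019" -> stem "password", num "2019"; "Summer-19" -> "Summer", "19".
# The lazy stem means the shortest stem that still lets the suffix match is chosen.
_SUFFIX = re.compile(r"^(?P<stem>.*?)(?P<sep>[-_.]?)(?P<num>\d{2,4})$")

# Constructed sample breach corpus (lower-cased); a real deployment would use a
# much larger list such as a public breached-password feed (assumption).
BREACHED = {"password", "123456", "password2019", "welcome1"}


def split_numeric_suffix(password):
    """Split a password into (stem, trailing_number).

    Returns (password, "") when there is no 2-4 digit suffix or when the
    password is nothing but digits (no stem to compare against).
    """
    m = _SUFFIX.match(password)
    if not m or not m.group("stem"):
        return password, ""
    return m.group("stem"), m.group("num")


def is_increment_of(old, new):
    """True when `new` is `old` with only its trailing number changed.

    Example: is_increment_of("password2019", "password2020") -> True.
    Stems are compared case-insensitively so "Password2020" is still caught.
    """
    old_stem, old_num = split_numeric_suffix(old)
    new_stem, new_num = split_numeric_suffix(new)
    if not old_num or not new_num:
        return False
    return old_stem.lower() == new_stem.lower() and old_num != new_num


def check_new_password(old, new, breached=BREACHED):
    """Return a list of rejection reasons for a proposed password change.

    An empty list means the change is acceptable under these three rules.
    The checks are deliberately independent so every applicable reason is reported.
    """
    reasons = []
    if new.lower() in breached:
        reasons.append("appears in breach corpus")
    if new.lower() == old.lower():
        reasons.append("same as previous password")
    if is_increment_of(old, new):
        reasons.append("previous password with only the trailing number changed")
    return reasons


if __name__ == "__main__":
    # Constructed sample changes: the first two mirror the pattern described in the interview.
    for old, new in [("password2019", "password2020"),
                     ("Summer-19", "Summer-20"),
                     ("Winter19", "Tr0ub4dor&3")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'accepted'}")
```

The suffix check is narrow on purpose: it targets the exact habit described above rather than attempting a general similarity score, so it produces no false rejections for a genuinely new password that merely happens to end in digits.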
Future Trends: Blockchain Emerging
According to Kan, the current focus of his cybersecurity team is the trend of organizations adopting new emerging technologies, and how to protect those organizations properly as they undergo digital transformation. He said, “We are talking about keeping organizations that are digitizing and interested in integrating technologies such as 5G, blockchain and other smart technologies. While these technologies enhance business processes, the organizations increase their cyberattack exposure during the transformation.”
Before we concluded our interview, Kan spoke briefly on blockchain. He said, “We do have a lot of clients who are trying to explore blockchain technology on a small scale. The beauty of blockchain is the decentralized mechanism—for P2P, for more distributed trust there is no agent or single point of failure, but it is hard to actually achieve this decentralized setup for a variety of reasons.” He concluded, “Blockchain’s architecture is fundamentally secure and it can save you a lot of time and reconciliation labor. A blockchain, however, will not stop hackers from gaining access using a leaked password, and their mission may not be to alter the consensus of the chain but simply to steal data. We cannot assume the applications built on blockchain are secure because of the security features of blockchain. To conclude, blockchain is a new challenge for us but we are excited by the technology.”