CSOs talk ransomware: Peril and profit | #expertANGLE
There may be no stopping cybercrime, but the best way to defend against it is with knowledge. Know what the threats are, what they can do, how they’re changing, and how to protect your business, and you’ll be all the more prepared for when the inevitable attack comes. As such, SiliconANGLE reached out to several security experts, asking for their insights on the state of cybercrime and hacktivism they face today.
What are the common tactics and threats?
First and foremost, one must understand the cyber threats that are out there, particularly the most common ones. Ransomware attacks are certainly major threats, and among the more damaging to a good variety of organizations. Andrew Hay, Chief Information Security Officer at DataGravity, explains:
“I think it’s safe to say that malicious encrypting ransomware is probably the most prevalent and impactful threat from the past year. We’ve seen numerous stories of hospitals and other businesses being extorted in the popular media. The conversation is becoming commonplace outside of IT and security circles as more individuals are affected at work and at home.”
Michael Machado, CSO of RingCentral, concurs with the danger of ransomware. “Any attack that denies you access to your information has a huge impact,” he says. “Ransomware has been in the news lately, but this could just as easily be a sustained DDoS. The point is, being denied access to their information in any manner would have a huge impact on every person and every company.”
Like any malware, ransomware must first infect a device before it can take action, whether through an infected download, malicious link, or direct access. Once infected, the malware can download, encrypt, and destroy vast amounts of data.
“Most targeted attacks take minutes or seconds for the initial compromise,” explains Ed Cabrera, VP of Cyber Security Strategy at Trend Micro. “But it takes months or years to detect them.”
Human Error
However, humans can often be easier to exploit than machines. We can be fooled by a well-crafted email or official-looking form, and social hacking takes advantage of that. Jatin Maniar, MicroStrategy, Inc.’s Sr. Director of Marketing, notes: “Identity theft from exploitation of human vulnerabilities is the most common type of cyber threat these days. It results high profile data breaches and fraud which causes significant financial, IP and reputational damage to organizations.”
Industries at risk (all of them)
It’s also important to note that just because your business is not related to technology doesn’t mean it’s safe from cybercrime. As Hay noted, hospitals are often targets of ransomware attacks, but generally any business that holds data or IP assets, particularly those of monetary value, can be targeted.
Personal information, particularly Social Security numbers, as well as insurance information, W-2 forms, and patents are all tempting targets, and are all information that can be stolen from practically any business.
Jeff Schilling, CSO at Armor, explains:
“Defense contractors and medical innovation companies are still seeing very sophisticated attacks by nation state actors looking to steal intellectual property. Healthcare providers are still being targeted for their large quantity of healthcare records by organized criminal actors, since medical records are worth more in the dark web exchanges. We are also seeing regional banks being targeted by organized crime groups because they, in most cases, have not elevated their security posture and still provide a lucrative target where million of dollars can be stolen.”
“Cyber criminals will tend to go after specific targets where they feel they can make the most profit,” adds Mike Kun, SIRT manager, Akamai Technologies. “Whether that’s a spearphishing attack to deliver ransomware, or attempts at extortion.”
Growing with the times
Of course, as technology grows, so do cyber criminals, their methods, and their tools. A more mobile work environment and more connected technology are great for businesses, but also provide more targets.
Andrew Hay elaborates:
“A typical organization’s attackable surface area has increased dramatically with the growth of Internet of Things (IoT)/bring-your-own-device (BYOD) technology. As a negative byproduct, organizations find themselves encountering a lack of data-awareness – that is, they are unable to account for and secure sensitive data. As an example, most PCs, laptops, and mobile devices can be configured to limit access to data using installed applications or network-based access controls (such as a firewall). However, how does one install similar applications on a webcam?”
And yet at the same time, the more things change, the more they stay the same. While there are new targets and methods available, cyber criminals also know that there are classics that still work.
“Phishing emails and website drive-by exploits still work very well,” Jeff Schilling explains. “What has changed is the threat actors have upped their game in operational efficiency. They are able to reach a broader audience with their threat activity by orchestrating the activities around the Cyber Kill chain with multiple teams.”
Defend yourself
Looking at just the threats, it may seem like a bleak situation. Cyber criminals can deploy a number of tactics and attacks to strike whoever their target may be, and from there they can steal data, hold it for ransom, sell it, commit identity theft or tax fraud, or carry out any number of further crimes. There’s no safe industry, no surefire way of avoiding being targeted, and you can even be infected without knowing it.
Scary, right? And yet, there is still no reason to be afraid. There are ways of preparing for cyber attacks, protecting data, keeping backups safe, and otherwise having an in-depth defense strategy.
“First, companies must settle on a security framework and strategy,” Schilling explains. “The Cyber Security Framework, initiated by the US Government, and produced by NIST, is a great reference document to use to define your strategy and assess your maturity level.”
Hay adds: “Companies should seek data-aware solutions that deliver analytics, insights, and security for unstructured data. If IT professionals can quickly and easily visualize the who, what, when, and where regarding their data and reduce risks, they can increase productivity and drive organizational success.”
However, Maniar stresses that people need to be as secure as a program.
“It is well understood to have a defense in depth strategy. What is becoming more obvious is protecting the weakest link – People. Having a strong, single, trusted identity with adaptive authentication is critical as number of systems expand. It can mitigate the risk of identity theft and privileged user abuse, which is usually root cause of high profile data breaches. For example – having a single digital identity on your mobile device with strong authentication and one-time passwords to access your IT systems and physical facilities would be valuable to cut down most major attacks which exploit password-only system’s vulnerabilities.”
Knowing how to react after an attack is essential as well. Machado states:
“When it comes to recovering from attacks, preparation is your ally. The first step is to have open discussions in your organization and make sure all the stakeholders understand that attacks are a constant and periodic breach is inevitable. Yes, periodic. Don’t assume it won’t have. Don’t assume it will only happen once. Plan for it. Plan both your technical and business recovery in advance. Have contracts with breach response vendors, outside legal counsel, cyber risk insurance, and so on. Walk through scenarios (whether or not you call them table talk exercises) and determine where your critical response teams have strengths and weaknesses that will both help and hinder investigation and recovery efforts. Have your data backed up, known good system images and binaries that you can rebuild from, know your breach disclosure timelines. Think through what you’ll want to get accomplished quickly in a crisis, and what you and other teams will need to get it done.”
He adds: “Have members of your team join industry groups, get training, attend conferences, and build relationships with peers, with vendors, and so on. This is especially important if there’s no one initially in a position to plan and communicate security strategy.”
Machado also offers up five tips for good security:
-
For the love of all that is good, use strong authentication. If you would care that it is hacked/stolen/compromised/modified, then use strong authentication. To illustrate the point, here’s one report from a few years ago where 100% of the data breaches that Mandiant investigated involved use of legitimate credentials. Check out page 2 http://www.utdallas.edu/~muratk/courses/dbsec12f_files/trend-report.pdf
-
Defense in depth isn’t just a saying. Layered defense is important because there’s always something that can bypass something else. Build a mesh (not a mess!) of security measures.
-
Encrypt all data and signals that you care about in transit and at-rest. When you can, encrypt end-to-end.
-
Act as if. Build your security measures, and operate your info sec program, with an assumption of breach, not an assumption of safety. Any apathy on our part is ground that we surrender without making the adversary work for it.
-
Keep everything patched. Inside your network. Internet facing. Personal computing equipment that you use at home. It doesn’t matter. Patch all of it.
Should the worst happen, having good, up-to-date backups is key for recovery. Cabrera recommends what he calls a “3, 2, 1 rule” – save three copies, in at least two different formats, and keep at least one offsite.
In conclusion: stay smart and stay safe
So while the threats posed by cyber criminals are very real and very dangerous, they are not insurmountable. A good defense is the best offense, which means constant vigilance, good authentication, and strong security features. Strong password security is a must too – that doesn’t necessarily mean changing them every month, just keep them strong and hard to break; always remember the famous words of Dark Helmet: “12345? That’s the kind of password an idiot has on his luggage!”
No matter what your industry, cyber security is essential. The threats won’t stop, but neither will efforts to combat them, to defend against them, and to make sure nothing of value is lost.
photo credit: man@work 343/365 via photopin (license)
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU