In connection with the cyber threat that is growing ever larger and stronger for companies worldwide, technology writer Alan Zeichick has written an article that sheds light on how we best protect ourselves from phenomena such as ransomware and theft of personal data.
Related to the article, there is a ten-minute documentary film on YouTube.
The article is in English and can be read below:
Combating the Current Threat Landscape
Advice from the experts on how to interpret — and defend against — today’s biggest threats from ransomware, ransomworms, credentials theft, and advanced spearphishing
By Alan Zeichick
Alan Zeichick is principal analyst at Camden Associates, which focuses on enterprise cybersecurity, networking and software development, and Editorial Director at NetEvents.
Major corporations are brought to their knees by ransomware – and it’s affecting not only their business operations, but also their quarterly earnings and share prices. Credentials theft literally gives hackers the keys to the kingdom, letting them access network servers and databases without tripping alarms. Ransomworm propagates across networks, stealing resources and becoming difficult to eradicate. Advanced spearphishing entraps everyone from government officials to corporate financial officers, resulting in embarrassing PR mishaps and unrecoverable wire transfers based on clever trickery. What’s an enterprise to do? What’s the CISO to think?
Duncan Brown, Associate VP of IDC’s European Security Practice, blames much of the collateral damage from these sorts of attacks on a false belief about the likelihood of such an attack making an impact. “The biggest surprise about the WannaCry attack was that it was a surprise to many people. Most of us in the industry were acutely aware of the threat — but what we got wrong was the risk assessment.”
Brown continued, “There was clearly a failure in the risk assessment in terms of organizations misunderstanding the likelihood of these attacks,” which was demonstrated in the poor incident response to those attacks.
Citing the 2016 movie, “Equity,” Brown recalled that one of the characters said, “Half the world is paranoid and the other half’s password is ‘password.’” The challenge is to find the right balance between paranoia and complacency, so that organizations are safe, but can still operate in a nimble, agile way.
Security Is Truly a High Profile Issue Right Now
“What we’ve just shown is that the most commonly used password is ‘password,’” laughed Eduard Meelhuysen, Vice President of Bitglass. “So how do we educate those employees to make sure that they understand the risks which are at hand?”
There’s a real opportunity here, Meelhuysen explained. “The WannaCry outbreak was fantastic, in that everybody in the entire world knew about this outbreak, bringing security awareness to a high level. What do we do with that?”
When it comes to taking action, he said, “There’s not much internally in terms of what we can invest in technology, but more in how do we educate those customers. We must educate those employees to know that their password is not secure. We need to show them new ways of authentication, or new ways of logging on to a new system. That’s true of cloud computing too: We need to make sure we have more control.”
Meelhuysen isn’t optimistic, however. “Education is key, but we will be always behind the curve and always those hackers or phishers or builders of ransomware will be in front of us.”
Breaches Often Start with Bad Web and Email Policies
Not every attack starts with a phishing email or a hacked website, or a careless mistake by an employee. However, in today’s most attention-getting breaches, such as ransomware, ransomworm, and credential theft, Jason Steer said that email and web policies and protective technologies are betraying enterprises.
Steer, Solutions Architect with Menlo Security, said that relying on employees to always do the ‘right thing’ will always fail. “Do I click on this link? Do I click on the email? Should I go to this web page? Should I install that Flash player update? We can’t be reliant on employees to differentiate between good and bad. Who is to blame? Not the employee. It’s everyone who built these solutions used by the employee.”
Pointing out that email and web are the two primary mechanisms delivering ransomware, every day into every business, Steer noted that, “If I look at my web browser, every web browser you’re using, you’re using a web browser architecture that’s 23 years old. There’s not another protocol in your organization where you take unsigned, unauthenticated active code and execute it on your PC without any controls. But we do it on every website and every time we go to a web page. Yet we think that’s acceptable.”
“That’s why we have to really re-think how employees use the Internet and access the Internet,” argued Steer, “because the controls and technologies we use for defense are not effective today. If we focus on detection and look at spearphishing, there is no malware to detect. Even when we do the education and awareness, compelling well-written emails will convince employees to make bad mistakes.”
What Went Wrong? Let’s Point Fingers at Both Sides
Carl Gottlieb, Consulting Director at Cognition Secure, said there’s plenty of blame to go around for the slow incident response to today’s biggest attacks, no matter the cause. “There will always be crime, and there will always be victims of crime. For the victims, the two areas of blame are vendors and IT.”
He explained: “The security industry has got a massive amount of blame. We build security products in a lab, we test they work, and we roll them out. Then we don’t ever acknowledge how they will perform in the real world” – such as in environments where anti-malware or anti-virus products aren’t kept current. “As vendors we know this goes on, we know people can’t update their software for good reasons, yet we skirt around the issue. We need to be building products that actually survive the real world environment.”
On the enterprise side, Gottlieb said, “IT departments, and InfoSec departments as well, failed by not including security risk assessments into business risk assessments.” So, IT should have made the case that updating old operating systems, and staying on top of patches, would reduce business risk. Also, under Europe’s new General Data Protection Regulation (GDPR), “We can say privacy is now a way we can gain competitive advantage. If we focus on getting business-critical risk assessments into IT, we can avoid incidents like WannaCry.”
Two Essential Motivations: Sex and Pain
“Psychology and science tell us that people are motivated by only two things, sex and pain,” observed Greg Fitzgerald, COO of Javelin Networks. “In my opinion, pain has not been felt here because I mean security is a risk — and when you take the pain from ransomware, ransomworm or credentials theft, I don’t think people have felt the pain.”
The pain has to increase before more enterprises become serious about preemptively fighting these sorts of attacks, argues Fitzgerald, because up until now, cybersecurity has only been an insurance risk. “If we can shift the costs, the pain, into that realm, what is it going to cost me versus what is it going cost the attacker?”
Up to now, Fitzgerald said, all the costs are borne by the victim. “We spend as an industry $100 billion defending ourselves with all these cybersecurity technologies, yet none of it is working. We have more cyber security technologies in the world today than ever in the history of the world, yet we have more successful cyberattacks than ever.”
So while there’s pain, not enough people feel it, he said, and it’s not yet painful enough to sufficiently change enterprise behaviors. “We talk about blame or the pain, pain hasn’t really been felt even though we talk about it today, it’s still not there to create that action.”
Fitzgerald pointed to the recent data breaches at the Target department store chain. “The Target attack cost billions of dollars. The CEOs and executives were fined, and some were thrown in jail. Yet, the company settled out of court for only $19 million. The company stock has rebounded and the company is doing great, the brand integrity is still there. Pain is a brief opportunity for companies to invest properly, because people’s memories are very short.”
You’d Better Be Prepared
Pain? No pain? The real question should be, “Backups?” Laurance Dine, Managing Principal for the Verizon Investigative Response Team, pointed to a lack of preparedness — and a lack of proven ability to restore information that might be destroyed by ransomware or other attacks.
In theory, Dine said, large organizations have systems in place to deal with data corruption or destruction, but “the vast majority of people that were hit with that ransomware had no idea what they were going to do, how they were going to restore the data, what they had in place.”
Dine agreed with Fitzgerald’s comments about the cost of the attack: “It’s all about taking away the profitability of the attackers. If you have backups that you can restore in the same amount of time that it takes to pay the ransom and get your data back, you’re better off going with the backups, aren’t you? So the attacker gets nothing.”
“The number one key thing to have in place is to have your data available to restore in case of an attack,” he reiterated. “Ransomware is not new, ransomware has been around for a very, very long time. It went dormant for quite a few years but it’s back because it works and criminals are making money off of it. If we take that away then they’ll go and find something else to do.”
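Dine’s point is that a backup only counts if you have proven you can restore it, and restore it fast enough to beat the ransom timeline. The script below is an added example, not code from the article or from Verizon: a restore drill that backs up a constructed set of files with a SHA-256 manifest, simulates loss of the originals, restores from the backup, verifies every file against the manifest, and reports whether the restore finished inside a time budget (the hypothetical `budget_seconds` stands in for “the time it takes to pay the ransom”). It uses a plain file-copy backup for illustration; a real backup product differs in mechanics, but the drill structure of manifest, restore, verify and time budget is the same.

```python
"""Backup restore drill (constructed example, not the article's code).

Proves three things a ransomware victim needs to know in advance:
  1. the backup can be restored,
  2. the restored data matches what was backed up (hash manifest),
  3. the restore completes within an agreed time budget.
"""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Streaming SHA-256 of a file, so large files are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source: Path, backup: Path) -> dict:
    """Copy every file under `source` into `backup`.

    Returns a manifest {relative path: sha256} recorded from the backup
    copy itself, so the manifest describes what the backup actually holds.
    """
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            dest = backup / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)
            manifest[rel] = sha256_of(dest)
    return manifest


def restore(backup: Path, target: Path) -> None:
    """Restore the whole backup tree to `target`, replacing anything there."""
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(backup, target)


def verify(manifest: dict, target: Path) -> list:
    """Return relative paths that are missing or whose hash differs from the manifest."""
    bad = []
    for rel, digest in manifest.items():
        p = target / rel
        if not p.is_file() or sha256_of(p) != digest:
            bad.append(rel)
    return sorted(bad)


def restore_drill(backup: Path, target: Path, manifest: dict, budget_seconds: float) -> dict:
    """Time a full restore plus verification and compare it with the budget."""
    start = time.monotonic()
    restore(backup, target)
    mismatches = verify(manifest, target)
    elapsed = time.monotonic() - start
    return {
        "files": len(manifest),
        "mismatches": mismatches,
        "seconds": elapsed,
        "within_budget": elapsed <= budget_seconds,
        "passed": not mismatches and elapsed <= budget_seconds,
    }


def run_demo(budget_seconds: float = 5.0) -> dict:
    """End-to-end drill on constructed data in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup, target = root / "data", root / "backup", root / "restored"
        source.mkdir()
        # Constructed sample files standing in for business data.
        (source / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (source / "docs").mkdir()
        (source / "docs" / "contract.txt").write_text("constructed sample contract text\n")

        manifest = take_backup(source, backup)
        shutil.rmtree(source)  # simulated data loss: only the backup survives

        result = restore_drill(backup, target, manifest, budget_seconds)

        # Negative path: alter one restored file and confirm verify() flags it,
        # i.e. a restore that "finished" but produced bad data is not a pass.
        (target / "ledger.csv").write_text("id,amount\n1,0\n")
        result["mismatches_after_tamper"] = verify(manifest, target)
        return result


if __name__ == "__main__":
    outcome = run_demo()
    print("restore drill passed:", outcome["passed"])
    print("files:", outcome["files"], "restore+verify seconds: %.3f" % outcome["seconds"])
    print("mismatches after tamper:", outcome["mismatches_after_tamper"])
```

The drill is meant to be scheduled, not run once: a manifest written at backup time and checked at restore time is what turns “we have backups” into “we have restorable backups”, and recording the elapsed time against a budget gives the business the number it needs when weighing a restore against paying.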
The New EU Regulation Could Spur Better Practices
The GDPR, set to go into full effect in 2018, emphasizes privacy and data protection – and if companies fail to follow good practices and suffer a breach, they could be hit with significant fines.
It’s widely believed that GDPR provides opportunities for companies to gain a competitive advantage by quickly complying with the regulation, said Cognition’s Gottlieb. “Related to cybersecurity, GDPR is great. Yes, we’ll have massive fines, but the fines are going to be a lot bigger than class action lawsuits and/or PR damage. GDPR forces investment to reduce business risk. Before, we couldn’t ever think of a really good business justification to buy a firewall; now we can. The boards that get the benefits, the wake and win with GDPR, they’re the ones that are going to do very well out of it.”
What about the cloud, asked Bitglass’s Meelhuysen. “When it comes to GDPR, if you don’t have the proper tools in place, the cloud will really hinder you. You need to take control of data moving into the cloud to ensure GDPR compliance. Most companies are moving to the cloud because of cost efficiency. We must also ensure they are safe and GDPR rules are met. GDPR is helping us get more attention from the board room, in terms of the budget being spent on security.”
Get Ready for Technology Investment
The latest generations of malware – including ransomware, ransomworm, credential theft, or spearphishing – are real, and are costing enterprises significant money in terms of lost productivity, service outages, fines and lawsuits, and shareholder value. The high profile of these breaches and the new GDPR rules should make addressing the threat landscape a priority issue for the corporate boardroom. Be prepared for significant new investments in combating this threat landscape, and those investments can’t come too soon.