PC Pro

The A-Z of security threats 2018

No matter how big or small your business, you need a comprehensive approach to security. Davey Winder talks to industry experts about the whole gamut of cyberhazards.

We spoke to 26 experts to see what’s coming.

Artificial intelligence David Rogers, security product specialist at King of Servers

“We’re increasingly seeing AI-powered cyber-attacks, with the aim of going after high-value data. Like a human attacker, AI will learn about its target, tailor its attack and launch it at the most appropriate time. However, unlike a human hacker, AI doesn’t tire and can undertake multiple attacks at once. The key to defence is AI itself: over 90% of security leaders are concerned with AI attacks, and hackers switching to AI, so many organisations are implementing AI defences to boost their existing protection.”

Business email compromise Ramon Vicens, CTO at Blueliv

“A business email compromise can be used to steal money directly – or it can be tied to credential theft, account takeovers and phishing attempts. SMBs should be ready for attacks targeting their executives: enforcing strict BYOD policies for the senior team is sensible. Keep on top of the latest phishing campaigns, and share information with employees to ensure they, and your whole organisation, don’t become victims.”

Crypto-jacking Anurag Kahol, CTO at Bitglass

“Crypto-jacking is when an attacker hijacks your computers to mine cryptocurrencies. It doesn’t directly result in data loss, but it can nevertheless affect your bottom line. It’s also increasingly combined with cloud-jacking (stealing processing power and storage from someone’s cloud account) to further boost mining capabilities. The security principles used to prevent other web-based vulnerabilities can help here: training employees, deploying ad-blocking, using strong passwords, and effective cloud and endpoint protection.”

DDoS Ivo Dijkhuis, information security officer at RIPE NCC

“Distributed denial-of-service attacks are expensive, and most companies can’t afford to maintain their own anti-DDoS solution. However, there are interesting initiatives out there, such as the Dutch not-for-profit National Scrubbing Center, which members – mainly ISPs and hosting providers – can use at cost price. It’s proven to be a very successful, and affordable, concept.”

Encrypted attacks Lawrence Pingreen, vice president of product management at SonicWall

“The SonicWall mid-year threat report found encrypted attacks – which use SSL/TLS connections to evade traditional network security controls – are growing. Many organisations are unaware of the threat, and very few are using suitable mitigation techniques, such as deep-packet inspection of the encrypted traffic. Addressing today’s malware threats means reaching outside the firewall and operating on the network as well as on the endpoint, in a unified threat-intelligence system.”

Fingerprints David Emm, principal security researcher at Kaspersky Lab

“There’s a growing move towards using biometrics as a replacement for passwords – but biometric data stored by a service provider is just as vulnerable as a database containing usernames and passwords. In my view, biometrics should be combined with passwords, or ideally more than one other mechanism as additional confirmation. If I choose a poor password and it’s compromised, I can change it; if my fingerprint data is compromised, there’s nothing I can do about it.”

GDPR Dr Guy Bunker, senior vice president of products at Clearswift

“The potential for attackers to weaponise GDPR – by exfiltrating data and then holding it to ransom – should not be ignored. Releasing it into the public domain could result in the victim facing a fine of up to 4% of global turnover, or €20 million – whichever is greater. Hacktivists can also exploit GDPR by making an overwhelming number of ‘right to be forgotten’ requests. This can grind an organisation to a halt, as they must all be processed in a timely manner, or again the company could be subject to a substantial fine.”

Historical breach data Perry Carpenter, chief evangelist and strategy officer at KnowBe4

“The proliferation of personal information ‘in the wild’ is staggering. It comes not only from social media, but also from past data breaches – and the ability to mine and aggregate this historical data puts every organisation at risk of targeted attacks. To mitigate this, people need to be extremely careful with what data they share online, and organisations need to know which users have been associated with past breaches. The organisation can then audit the current password hygiene of the user and take appropriate steps.”

Incident response time David Blundell, managing director at CyberHive

“Reaction time to a cyberbreach is an important consideration. Many of the recent examples of data breaches to hit the news have involved information slowly leaking out for many months before the company spotted what was going on. Reducing the time taken to identify and respond to a breach can greatly reduce the severity of the incident.”

Jumbled security strategies Chris Hodson, chief information security officer (EMEA) at Zscaler

“The chief information security officers (CISOs) we talk to don’t know whether they need antivirus software, enterprise-protection platforms, or enterprise-detection response. And vendors aren’t helping; they’re busy trying to one-up each other and making too many promises.

“No single solution is going to keep you safe if you don’t understand why you have that solution. You need a layered set of services, and an ability to tie technology investments to risk-reduction measures.”

Korea, North Adam Vincent, CEO at ThreatConnect

“We’re living in a chaotic political environment – so make sure you’re aware of possible tactics that may be used in international attacks. For instance, mounting financial pressures against the North Korean government are likely to spur the growth of revenue-generating cyber-attacks against developed economies, including the UK.”

Lateral-movement attacks Barry Scott, CTO (EMEA) at Centrify

“Once a hacker has broken through your defences, they’ll try to move laterally across the network to find what they’re looking for – be it bank account details, credit card numbers or passwords. The first defensive step is to consolidate users’ different credentials down to one, and implement a single sign-on regime in which that one identity gives access to all applications or systems. Multi-factor authentication is also a must, so as well as entering their password, the user might be asked to click on a link from a text or enter a code sent to their phone when they try to log in.”

Mobile malware Matt Boddy, senior security specialist at Sophos

“As personal and business use of mobiles has merged, we’re storing more and more sensitive data on these devices. When malware gets onto your phone, it can get access to all the information stored on the device – or within earshot/view. Simply installing mobile security software and keeping your device updated with the latest patches can dramatically decrease your chance of falling victim to an attack.”

No-macro Office exploits Corey Nachreiner, CTO at WatchGuard

“We’ve seen Russian attackers use a Microsoft protocol called Dynamic Data Exchange (DDE) to run malicious code from within Word documents, without triggering the macro-blocking features that are built into Office. Many sandboxing solutions can detect DDE-based malware, but users need to be aware of the risks – and they need to recognise the phishing attacks and social engineering tricks that are used to distribute these malicious documents in the first place.”

Opportunistic attacks Tim Brown, vice president of security architecture at SolarWinds MSP

“A lot of hacker attacks are opportunistic. Criminals do a broad scan looking for vulnerable systems, then move sideways to attack. Every type of data has a value on the dark net, so businesses need to ensure they’re not making themselves targets through weak passwords, weakly configured environments and unpatched systems. Hackers don’t need to make use of new or advanced attack methods when vulnerabilities like this are left exposed.”

Patch-management lethargy Tyler Croak, solutions architect at Thycotic

“Patch management is more relevant today than ever. We’re constantly seeing ransomware take over systems that haven’t been fully patched, and it’s costing businesses millions – not just in payments, but also because of the downtime suffered during an attack. Consider creating a dedicated team to focus on patch and vulnerability management: this would typically be an ‘endpoint’ team, but it should include a representative from any team with a system using the network.”

Quick-thinking adversaries Emily Wilson, director of analysis at Terbium

“Cybercriminals reap the rewards of technological innovation. While businesses are trying to reduce friction for end users, criminals can exploit the same technologies for their own purposes. For example, tools that allow financial institutions to process faster payments can also allow cybercriminals to build scalable fraud empires. Organisations need to be constantly looking at new ways to identify and disrupt fraud, instead of relying on reactive solutions.”

Ransomware Darron Gibbard, managing director (EMEA North) at Qualys

“Ransomware reports have dipped since last year, but smaller businesses are still very much at risk. These are the ones most likely to lack a proper disaster-recovery plan, so proactive security is a must. That means getting the basics right: keep your software up to date, deploy patches quickly, and maintain an accurate inventory of your IT assets. You might not think you have much in the way of IT, but you’d be surprised at how much accrues over the years.”

Social media Neil Martin, marketing manager at Panda Security UK

“Social media content can be used by criminals to steal data or to manipulate people’s perceptions. And by putting together seemingly disconnected data, attackers can obtain a huge amount of information. Consumer-affairs publication Which conducted a study in which volunteers gave only their name and hometown to security researchers. The amount of information it was then possible to dig up was scary.”

Things, Internet of… Charles Eagan, CTO at BlackBerry

“The expanding number of intelligent endpoints in businesses is making organisations increasingly vulnerable. The scale may be less for SMBs, but the lack of process and employee education makes the problem even more acute. To secure a network of hyperconnected things, businesses need to focus on simplicity and integration. Rather than pulling together a patchwork of security components and products, they must rely on a comprehensive security solution from a trusted supplier.”

Unsecured data repositories Anurag Kahol, CTO at Bitglass

“The popularity of public cloud applications has made businesses more flexible and efficient – but many of the most popular services provide little visibility or control over how sensitive data is handled once it’s uploaded to the cloud, and users are expected to blindly trust that their data is secure. As public cloud adoption rises, organisations must ensure all systems are properly configured and secured, because customer privacy and trust depend on it.”

Vendor insecurity Patrick Martin, cybersecurity analyst at RepKnight

“Nearly two-thirds of security breaches today are linked to third-party vendors in some way. A third party can hold a wealth of information about your business, and its security is out of your hands. We’re not just talking about long-term service providers, but also suppliers you work with on a short-term basis. Even third parties who aren’t part of your supply chain are a risk: for example, employees may sign up to newsletters or third-party services with their work credentials. These suppliers aren’t part of your supply chain, but they’re still holding information about your company.”

Web application development Dan Pitman, senior solutions architect at Alert Logic

“Modern web applications are normally made from a collection of modules combined to deliver different functions, rather than built from the ground up in-house. These modules may well contain vulnerabilities, which attackers can easily discover and exploit. In an increasingly modular and agile application landscape, businesses hosting applications should be monitoring all traffic between user and application, and keeping an eye on the wider threat landscape.”

X-axis isolation Richard Agnew, VP (EMEA North) at Code42

“CISOs need to recognise that prevention-only strategies no longer guarantee their organisations’ safety. 75% of CISOs and 74% of CEOs accept the need to shift to prevention-and-recovery strategies. Combined with employee training, this multi-pronged approach helps organisations minimise the damage from ransomware attacks, data breaches and even cryptomining.”

Your network environment Sean Herbert, country manager at Baramundi UK

“Shadow IT is a threat you can’t ignore. Knowing what hardware and software is deployed in your environment is an essential step towards identifying potential vulnerabilities. Security teams can’t keep track of everything users are doing, so it’s increasingly necessary to rely on automated inventory and network access control tools, to ensure there’s no danger lurking in the shadows.”

Zero password management Sandor Palfy, CTO of identity and access management at LogMeIn

“Weak, stolen or re-used passwords remain the main cause of breaches – yet 75% of IT executives lack control over password security in their organisations. Part of the problem is the blurring of the lines between work and personal accounts, especially in SMEs, which can have a knock-on effect on security. Getting passwords under control can be as simple as implementing an enterprise password manager and educating employees on best practices.”
