More companies pay cyber ransom than you would imagine

If malware is implanted in your company servers and you receive a ransom demand,
you are very unlikely to tell people that you decided to pay up, right?
In a recent survey from Threat Track Security, 30 percent of the 250 organizations polled
said they would negotiate with a cyber-criminal to get their data back. Though that
means 70 percent would not support negotiating, the survey also found that 86 percent
of security professionals believe their peers at other organizations have done so.
The percentage of those willing to negotiate was even higher among organizations
that had already been hit by a cyber-extortion scheme. Nearly 40 percent of security
professionals said they are employed at an organization that has been targeted in
that kind of attack, and 55 percent of them are willing to negotiate.
Given the proliferation of ransomware attacks, this issue poses a real question for
enterprises. Symantec released a report demonstrating how one hacking operation
may have raked in 3 Crore in ransom payments in a single month.
Assuming the best case scenario, where an organization pays, gets the key to decrypt
their data and is able to remove any malware, then adopting this strategy leaves
you with one major exposure – all of your data has, at a minimum, been touched by
a malicious actor. At worst, it has been modified without your knowledge.
Typically, most security professionals recommend organizations never negotiate
with criminals. Paying a ransom does not guarantee an attack will stop in the case
of a “denial of service” attack, and it does not guarantee in the case of ransomware
attacks that the organization’s data will actually be recovered. It also sends the
message to other criminals that the technique will be successful.
Negotiation is sometimes used as a last ditch effort to halt an attack or decrypt
data held ransom, but there are steps that can be taken to avoid getting into such
a rough spot. Organizations suffering a denial of service attack should work with
their Internet Service Provider to mitigate any outage caused. Your ISP can often
block the “broadcast storm” technique used by the bad guys. Ransomware and data
destruction can often be thwarted by good housekeeping – running full backups
overnight, and keeping the backup copies off-line (and certainly not accessible on
your company network, for obvious reasons!). Then the most you will lose is the
data since last night’s backup. Some backup systems work in real time, meaning
that you will lose no data and only suffer a short business interruption while your
IT people re-initialize your computers with the clean versions prior to the attack.

All Talk and No Action

For the first time ever, CEOs have ranked cyber security as their top business concern.
And yet there is little evidence that they are taking action to mitigate this risk. 43%
of companies surveyed report that their spend on cyber security is flat year-onyear.
Why is there such a contrast between concern and action? Well, here are some
possible explanations:
1. Their in-house technology advisors are reassuring them that they have this
under control. After all, that is why they have their job, and they don’t want to
undermine their role by admitting that security is woefully inadequate.
2. CEOs are prepared to take a risk that their company will not be compromised,
because they believe that they are much less important targets than Banks,
Financial Services companies, Defence companies, Government agencies etc.
3. They don’t want to spend more money on “insurance” than is absolutely
necessary. After all, money spent on defending against an attack will not help
their business grow and prosper.
4. The budget cycle lags their awareness, and it will take a year or so for budgets
to be adjusted appropriately.
Let me address each of these obstacles in turn, and explain why they must be
1. Your IT employees are often part of the problem. They need this issue to be
important enough so that they have a job, but not so important that you
expect measurable results. They focus 80% of their efforts on preventing a
compromise, knowing that they cannot foil a smart hacker. They are poor at
detecting these inevitable intrusions, but they rely on the probability that you
will never know. So they continue to implement product-based solutions that
address aspects of the problem, knowing that the adversary will find the gaps
in the defenses.
2. It is a fallacy that the bad guys only go after the big prizes. Many small-cap
companies have been compromised and held to ransom, but they don’t say
anything because they don’t want to lose the trust of their business customers.
3. Money spent on protecting your intellectual property is an inescapable part of
the cost of being in business. You can’t buy worthwhile insurance policies, so
you must take sensible steps to mitigate the risks.
4. The bad guys exploit the inertia and bureaucracy in businesses like yours.
A glimpse of best practice comes from a survey of the best managed US
companies2, where their digital security spend is increasing by 46% year-onyear,
rather than staying flat at average companies.
It is time to take action. Conduct an impartial audit of your capabilities and
vulnerabilities – you will be shocked by the results, and will probably discover some
quite significant losses that nobody in your organization knew about.

Travel to High Risk Countries

If you or your staff need to make a business trip to a “high risk country” where your
emails or your digital files may be compromised, there are common-sense measures
you should take to avoid giving away your company’s trade secrets.
Firstly, you should understand that some cultures do not have the same attitude
towards intellectual property, and copying is not against the law. In some countries,
state-sponsored espionage is commonplace. So it will help you to realize that such
behavior is not criminal in that nation; sometimes it is encouraged by the state; and
there is no way of prosecuting a perpetrator.
So please, leave your laptop computer at home. Don’t travel with any device that
you cannot carry in your pocket. When you go out to dinner, the worst thing you
can do is to put your laptop into the hotel safe. Visiting business executives are
routinely targeted, and authorities (and other bad guys) will access these safes with
an override code and download the contents of laptop computers. Of course you will
never know, because nothing goes missing. If you absolutely must take a laptop (e.g.
to make a slide presentation), then use a “clean machine” that your company issues
specifically for such trips, and they will quarantine it on your return. Such a clean
machine might be a Chromebook, which cannot store your files locally on the device.
When using a smartphone or a tablet, never connect to WiFi services at the hotel,
airport lounge, conference center, or the guest network of the company you are
visiting. These WiFi networks are almost always compromised. Instead use the 3G
cellular network, where your signals are much more difficult to intercept. Using
your smartphone as a personal hotspot, or with a WiFi hotspot adaptor, can make
it more convenient for you to use multiple devices on your 3G cellular connection,
but please watch the number of connections to your personal hotspot, just in case
an intruder is within range.
In any case, when you connect to the Internet, you should use a VPN (virtual private
network) utility on your mobile device in order to access your company network.
VPNs connect you to your home country server via a secure “tunnel” through the
public internet, and encrypt your data. But educate your staff not to simultaneously
log into any of the Chinese Internet portals — including those run by Baidu, Alibaba
and RenRen — because that gives a hacker a back door into your company VPN.
In summary, awareness is key. Make sure any of your staff planning to visit such
countries gets a briefing in advance, and when they return, they never connect
their devices to your company network without first getting them screened by the
IT staff, otherwise they will infect your servers with malware.

Seven Steps to Securing Your Company’s Digital Assets

Your company has lots of plans – strategy, products, sales, information systems
etc. It probably doesn’t matter if there are a few gaps in these plans, because your
adversaries (competitors) will never know about the gaps. However cyber security
is a unique exception to that rule – your adversaries will actively seek out gaps in
your capabilities, and they will exploit these gaps. That’s why it is so important that
you have a holistic cyber security plan, and equally important that you test it.
A holistic cyber security plan includes the following seven steps:
1. AWARENESS. The tone is set from the top down. The board and C-suite need to
acknowledge the importance of protecting your key digital assets (“the family
jewels”). They should sponsor an awareness campaign. They should create a
risk committee, led by a board member, including representation from IT, Audit,
Legal, HR etc. Quarterly reports to the board should become business as usual.
2. RISK ASSESSMENT. Create a risk profile of your company’s operations, processes
and assets.
3. CATEGORISE, MONETISE & PRIORITISE. Categorise operational activities against
the risk profile. Assign a financial value for each category of risk (“Value-at-
Risk”). Determine the materiality of the risks, and prioritise them in terms of
importance & urgency.
4. EVALUATE YOUR CAPABILITY. Quantify your company’s level of capability to
defend each risk category. Use a standard framework that helps you diagnose
your capability maturity (e.g. C2M2) and gives a basic benchmark of your
capabilities relative to other companies in your sector.
5. FUND. Establish your company’s appetite to self-insure, or to buy insurance, or
to take corrective action in order to minimize a loss. Using the formula Risk
= Probability of Occurrence x Consequence of Occurrence, decide how much
you are prepared to spend in order to mitigate this risk (the number is usually
in the range of 10-20% annually of the total value at risk).
6. CREATE ACTION PLAN. Construct a roadmap of improvements consistent with
the priorities and available funding.
7. EXECUTE. Resource the work, either internally or using third parties. Implement the
initiatives. Monitor & test the effectiveness. Support ongoing operational excellence.
The wrong time to think about this sort of planning is when you discover an
incident. Instead you should anticipate the incident and prepare well before you
are engulfed by the crisis of responding. The key is to test your preparedness with a
“conference room pilot” on paper, or better still with a practical test that simulates
a real incident, and could include third parties acting as ethical hackers. In our
experience, over 90% of all cyber security compromises could have been averted or
minimized through the use of common-sense awareness, processes and controls.

Threat Intelligence – the new front line?

For many years our front line of defense has been the humble Firewall.
A firewall is a software program or piece of hardware that helps screen
out hackers, viruses, and worms that try to reach your computer over the
Internet. It works as an On/Off switch, driven by a static set of rules for the
source (IP address or port), destination (session), and application. Even
modern architectures (called “Next Generation”) can be defeated because of
limitations on processing power, which determines the number/complexity
of rules and the depth of inspection of the packets that pass through. Think
of a firewall as a switch with limited brainpower. That’s why you also need
second-line and third-line defenses, such as anti-virus software to detect
malware that slips through the Firewall.
Now all that is about to change. There is a new breed of network appliance which
separates the switching from the brain, thereby allowing each to do a much better
job – the switch can now control all inbound and outbound Internet traffic and also
inspect all internal traffic on your Intranet; and the brain allows far more complex
rules to be used. Such complexity would be unmanageable if the rules had to be
manually updated, and the breakthrough comes because the brain is fed by realtime
threat intelligence sources. There are now a number of such sources available,
including CrowdStrike, Cyveillance, ThreatConnect, ThreatTrack, iSight, and a
comprehensive feed for the BFS sector (the Financial Services Information Sharing
& Analysis Center, ISAC). Just as stock market traders use feeds from Bloomberg,
Moody’s, Thomson Reuters etc. and process them with low-latency algorithms,
so does this new cyber security appliance. In the latter case, the result is far more
actionable, because the real-time threat intelligence can be used to immediately
block IP packets, thereby extinguishing the compromise attempt at source without
human intervention.
The difference between real-time and non-real-time is highly significant,
because it breaks the traditional paradigm of Prevent/Detect/React.
Conventional wisdom says that you do your best to prevent malware getting
into your network; then you work hard to detect patterns of known code; and
then you mobilize your team to clean the malware out of your systems. Antivirus
signature downloads from companies like McAfee, Symantec and Trend
help to respond within a day or so of a new threat emerging. But typically it
takes a company an average of 212 days between intrusion and detection,
and by then the damage is done and the clean-up effort is huge. Just think of
the savings you could make if the entire process was automated in real-time,
and that is now possible with this new breed of devices capable of over 700
trillion effective security decisions per second.