"In fact, it has been brewing for a while, as research by ISACA in 2017 found that only 50% of CIOs and IT leaders took any meaningful action towards improving security following the WannaCry ransomware attack," Tony Jarvis, the CTO for Asia Pacific at Check Point Software Technologies, told iTWire during an interview.
"Many are using their security budgets to meet compliance requirements and avoid fines, while we should be striving to turn the situation around."
Jarvis' role includes educating audiences about the risks associated with cyber threats, and he also provides thought leadership on the challenges that cyber attacks pose to businesses.
With a background in leadership and experience in network security, he claims to have a comprehensive understanding of how organisations can successfully adopt cyber security solutions that align with their business objectives.
With more than 15 years' experience in the IT industry, Jarvis says he can translate complex issues into clear messaging that enables organisations to confidently understand their security posture. He was interviewed by email about some issues highlighted in the company's latest security report, and also a few general topics.
iTWire: Can you comment on the accelerating cyber threats, such as banking trojans?
Tony Jarvis: Looking over the statistics prepared by our research team for 2018, one thing is clear. The prevalence of threats in Asia Pacific, when analysing the number of infections based on malware families, is either on par with the global average or even higher.
There are good reasons for this. The Asia Pacific region is a business hub, with multinationals setting up global headquarters in the area. Attackers want access to proprietary information, intellectual property, customer databases, and more. Additionally, we have witnessed an increase in the disposable incomes in many of these countries. That means for specific attacks such as ransomware, chances are higher that victims would pay the ransoms demanded.
While the number of attacks may change between geographic regions, the categories of attacks themselves do not. Asia Pacific, the Americas and Europe/Middle East/Africa all reported cryptomining as the number one threat for 2018. Far more than a nuisance from attackers consuming their victims' CPU cycles, it can result in unexpected and significant costs for services hosted in the cloud.
When CPUs reach 100% in the cloud, additional virtual servers get spun up, which the user is then charged for. Knowing that an attacker has a backdoor into compromised machines should also alarm businesses, as the type of malware being deployed could change at the attackers’ discretion.
Mobile devices were another significant attack vector throughout the previous year. All too often, businesses fail to deploy protections for mobile devices. We are increasingly seeing cyber criminals target mobile devices to get their initial foothold into an organisation, and from there, they are able to spread to other workstations, servers, data centres and cloud services.
Banking trojans are a mainstay in the threat landscape today, with attackers devising new ways of gaining access to individuals’ accounts. Ransomware is another similar attack that is intended to deliver financial profits over a short window of time.
What about the increased vulnerability of cloud computing?
Whenever there's a major breach, you hear the same advice every time. "Reset your passwords", they always say. Part of the reason behind this is to protect you from others logging into that breached service with those stolen credentials. But you need to go further than simply resetting the password on the affected site. You also need to go out and change your passwords for every service using those same credentials.
This is because credential stuffing is a very real, and very successful form of attack. Attackers get hold of the usernames and passwords from a breached database and try to use them to log into other sites and services.
As organisations are shifting apps to the cloud, phishing and credential theft are becoming a bigger problem. These attacks pave the way for account hijacking. According to studies, 54% of data breaches on SaaS platforms are due to account takeovers. With the challenge of detecting bot activity behind credential stuffing, it becomes harder and harder to identify true insider threats.
According to a report titled "Cyber Security Generations Survey among IT Professionals", from March 2018, 76% of organisations have experienced attacks against more than one vector, such as PCs, on-premise data centres, cloud, mobile and IoT devices. However, only 3% of those surveyed had a full suite of protections, leaving them vulnerable to such attacks.
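A defender-side illustration of the credential-stuffing pattern described above, added here as an example that is not part of the interview or of Check Point's tooling: it scans constructed login records for one source address cycling through many distinct usernames within a short window (the signature that separates stuffing from a single user mistyping a password) and reports any success from such a source as an account-takeover candidate. The log format, the thresholds and the addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records (not from the article): timestamp, source IP, username, result.
# The first address tries six different accounts in five seconds and lands one; the second
# is one user retrying their own password and should not be flagged.
SAMPLE_LOG = """\
2019-01-07T09:00:01Z 203.0.113.7 alice FAIL
2019-01-07T09:00:02Z 203.0.113.7 bob FAIL
2019-01-07T09:00:03Z 203.0.113.7 carol FAIL
2019-01-07T09:00:04Z 203.0.113.7 dave FAIL
2019-01-07T09:00:05Z 203.0.113.7 erin OK
2019-01-07T09:00:06Z 203.0.113.7 frank FAIL
2019-01-07T09:00:30Z 198.51.100.9 alice FAIL
2019-01-07T09:00:45Z 198.51.100.9 alice FAIL
2019-01-07T09:01:10Z 198.51.100.9 alice OK
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: {"users", "failures", "successes"}} for every source IP that
    attempted at least `min_users` distinct usernames inside one sliding `window`.
    "successes" lists accounts that should be treated as takeover candidates."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    findings = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end, (ts, _, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:  # drop attempts older than the window
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            # keep the densest window seen for this IP
            if len(users) >= min_users and len(users) > findings.get(ip, {}).get("users", 0):
                findings[ip] = {
                    "users": len(users),
                    "failures": sum(r == "FAIL" for _, _, r in span),
                    "successes": sorted(u for _, u, r in span if r == "OK"),
                }
    return findings
```

Because the heuristic keys on distinct usernames rather than raw failure counts, a lockout policy alone would not catch it; the flagged successes are the accounts whose sessions and passwords need invalidating.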
How does the rise of malware-as-a-service empower individuals without the skills to create or deploy their own malware?
Many have asked why cyber attacks have ramped up so quickly. We’ve moved past the traditional method whereby talented individuals slave away creating malicious code and figuring out ways of getting it to their victims. That whole model has changed.
Instead of having a very skilled person creating and then using their own exploits, that person may now simply create the infection method and then rent it out to others who use it as a service. This is actually called “malware as a service”. It means the average person on the street can pay a relatively small fee, download a tool and then use that to carry out their campaign. All the work in the back end is managed by an organised criminal group who get a cut of the profits.
Indeed, the line between nation state adversaries and regular cyber criminals is blurring. With the release of NSA exploits and other leaks, tools that exploit zero-day vulnerabilities capable of doing significant damage are now widely available to those willing to leverage them.
So while the most elite of hacks used to belong to nation states who would carefully and selectively use them against hand-picked targets, we now have a situation where regular cyber criminals with quite low skill sets are able to use these powerful weapons however they see fit. We also see a change in the attack model being used.
Nation states would typically find a way into an organisation, usually through a zero day, and then take their time as they stealthily find the information they are after, and gradually exfiltrate it. Hackers with lower skillsets would typically prefer to speed up the process, in what we call a “smash and grab”, meaning they usually make themselves known as they don’t fly under the radar. Their objective is to get in and out quickly, or perhaps encrypt files, or even delete them.
What are the biggest security issues in 2019 and how can companies be better prepared and protect themselves and their assets?
If I were pushed to put one prediction for 2019 at the top of my list, it would be this: we are about to enter an era of mass complacency. Headlines around data breaches were previously met with shock and concern, though today they are increasingly becoming the norm. No longer are data breaches isolated events. We are now seeing cases of individuals having their personal data compromised for the second or third time.
Companies themselves are being hit successfully with subsequent attacks. All of this will contribute to an apathetic mindset that “the worst has already happened”, which is extremely dangerous. In fact, it has been brewing for a while, as research by ISACA in 2017 found that only 50% of CIOs and IT leaders took any meaningful action towards improving security following the WannaCry ransomware attack. Many are using their security budgets to meet compliance requirements and avoid fines, while we should be striving to turn the situation around.
At the same time, 2019 will herald a raft of laws aimed at alleviating the situation. [The year] 2018 has been a significant year from a regulatory perspective. The GDPR came into effect and certain countries have begun bolstering security requirements around critical infrastructure. California has witnessed the introduction of a Privacy Act similar in nature to the GDPR, and has upped the ante by being the first state in the US with an Internet of Things cyber security law.
The proliferation of such laws is needed not only because new technologies necessitate guidance around their lawful use, but also to compel organisations to meet certain minimum requirements. Perhaps the largest surprise from a regulatory perspective throughout 2018 relates to mandatory disclosure laws. These laws, which require organisations to disclose details around data breaches, have been blatantly ignored by those who’d prefer to keep such attacks out of the public eye. Knowingly violating the law is a practice that we can only hope will decline as social pressure to notify of such breaches ramps up.
Finally, the year ahead will see many organisations fumble in terms of deciding what security initiatives to invest in. Those paying attention would have noticed that industry trade shows and conferences have seen an explosion of niche vendors offering their products and services. For some, this will make sense, but for the majority, it’s fair to say that security teams are grappling with an army of products that are hindering their efforts rather than helping.
Industry analysts often recommend consolidating existing security solutions for a variety of reasons, one of them being simplicity. Complexity is making the job of keeping organisations protected more difficult than ever. As decision-makers evaluate the options available, confusion may lead them to ultimately adopt the same projects as their peers, or perhaps even fail to invest at all. For those finding themselves in such a situation, it may help to ask what business problem each option is intended to address, and whether it is the highest priority at the current time.
Every year, many security companies issue detailed reports of increasing threats and gloom and doom. Would you agree that this has become the best marketing tool for this industry?
I would personally treat such resources as sources of information, though it is true they are at times used as marketing material. The job of decision-makers in charge of security operations is to analyse the information available, relate it to their own risks and needs, and determine which actions to take. Threat trends are one of those tools that they can leverage in performing this function.
In terms of marketing efficacy, I believe the cyber security industry has the wisdom of experience. We’ve seen the fear tactics used before, and it doesn’t serve organisations well as the industry has collectively been desensitised to such practices. We believe that it is far more beneficial to be honest with clients, understand their situation, provide them with factual data that they can validate themselves, and build a long-term relationship built on trust.
When will the security industry act to root out the snake-oil salesmen from within? Here is a classic case.
Such cases do happen, and when they do, it becomes general knowledge fairly quickly. Bloggers, journalists, and well-respected industry experts on LinkedIn all weigh in with their opinions on the matter. It effectively becomes water-cooler gossip the following day, and is never good for a company’s reputation. For that reason, companies who take the ethical high ground do tend to be well respected.
Security companies have increasingly become political players. CrowdStrike and FireEye are two companies that come to mind. Given that attribution is the most difficult part of any investigation, why did so many companies (and that includes Trend Micro and SecureWorks apart from the two named) provide attribution for the DNC hack?
I can’t comment on behalf of the vendors listed, but I can share Check Point’s stance on the matter of attribution. Many are quick to want to attribute an attack to the responsible party. While this has its advantages, some recommend avoiding the "attribution trap". Forensic efforts should be aimed at profiling the attacker only to the extent necessary to understand their intent and techniques. Defences can then be adjusted as necessary in order to bolster security.
The problem with attribution is that it is incredibly difficult, and the advantages it offers may not justify the time and expense involved. Just because the comments in malware code are made in a specific language, it doesn’t mean the authors of that code were native speakers of that language. Often, they may intentionally attempt to make it appear to originate from a different part of the world to avoid attribution themselves and point the finger elsewhere. The same is true of IP addresses and domain names – these can be falsified, so we need stronger evidence.
There is a difference between attribution and speculation. Unless you can be extremely sure of the origin of the attack, it may more likely be a case of speculation. And for the victims of such attacks, their time and effort may be better spent trying to clean up the mess left behind by the attack instead of asking where it originated from. This is especially true if it happens to come from a country that does not co-operate with international law enforcement agencies.
Lastly, Check Point does, and has in the past, attributed attacks to cyber criminal groups or nation states. However, we only do so if we are very sure of the evidence.
Why did no security companies speak up when Kaspersky Lab was being hounded for doing its job and unveiling details of malware released by the one entity that should be guarding people – the US Government?
Unfortunately, this question falls out of my remit and I don’t want to talk out of turn. I’m able to address questions specifically around cyber security, but am not knowledgeable enough nor have the facts required to make political commentaries.