The Biggest Challenge to IT in the Future is Security
“The biggest challenge to IT in the future is security. Security could negatively impact connectivity to public networks. If these problems cannot be successfully addressed, I envision a time of closed, private networks and less information sharing. The risks now are so great and getting worse every day that we even see foreign governments toppling superpowers the way Russia toppled the US and put its puppet in charge because of weak controls and poor security.” – Jay Bazzinotti
Did you watch Mr. Robot? I remember the first episode and being immediately sucked in. A computer hacker turned vigilante shuts down a man doing, we’ll say “nefarious activities”, and gets him arrested by tipping off the Feds. Hackers who do good are like super heroes. They are the digital equivalent of The Punisher, meting out justice with an uppercut delivered to the chin of wrong doing. So before I get too off track, the reason I mention Mr. Robot is that even as good of a hacker as Elliot Alderson is he still needs to get pieces of information from a number of sources. You see him using Facebook, online yearbooks, and even calling and impersonating credit card companies in an effort to get just enough information to piece together a password or the security questions so he can reset the password. So no matter how good your security is with technology, you still have to make sure that your people understand security as they are often your weakest link in the security chain.
According to the aforementioned article by Jay Bazzinoti: “The biggest problem isn’t the machines, it’s the people involved at every level, inside and out. I worked in computer security for many years and I can see it’s almost hopeless. In my last role I surveyed hospital security in the US. In many cases IT didn’t even rescind authentication privileges of employees fired for as long as six months. The biggest threats are not from the outside – they are insider threats, both innocent and malicious. Even well meaning people in Government, for example, leave lap tops with classified information on buses by accident. People in the office find security too inconvenient and find ways to get around it. Malicious people shoulder-surf or use social engineering. In a previous job we had a “White Hat” hacker who socially-engineered himself into a secure control room of a nuclear power plant.”
How do we Create Better IT Security?
In order to create better security we have to create a culture of security. Businesses must educate their employees on the importance of keeping the company’s information secure. When I worked at Texas Instruments we had annual “IT Security Awareness Training”. In that training they told us how often people lose important things like phones, laptops and usb drives and those items compromise IT Security. They also told us how some individuals would actually steal and sell data by sending it digitally coded in a photograph or carrying it out via usb drive. Obviously this is illegal and stealing a companies’ trade secrets is prosecutable by law. I think most people know this is wrong, but the people we are concerned with are those who unwittingly share content about their company with friends or family members or even on Facebook.
According to an article on HelpNetSecurity.com, the age of employees is actually the greatest factor in keeping data secure. Basically their research has shown that older employees are a more secure employee. And would you think that gender plays a part in security? Well, the study also showed that men are more secure employees. Interesting data for sure. But the good news is that people who are educated on the policies of their workforce are more secure: “… there is a strong correlation between norms and behaviors: the more people understand and internalise their organization’s norms (policies, regulatory issues as well as informal rules), the better their security behaviours are.”
So the onus is on the business when it comes to educating their employees on IT Security. IT Awareness should be part of the orientation process when a new employee is hired, but it is not something that is just “one and done.” Recurring training should be scheduled at least once a year, but reminders can be sent out on a quarterly basis. Software should be kept updated. Computer virus software should be updated often and user passwords should be changed and they should be required to make them complex and not easy to hack.
I thought the article from HelpNetSecurity was good, but I had to disagree with one of their bullet points when it came to IT Security…
- Know your culture – use a tool to map it out (disclaimer: CLTRe provides such a tool as a service).
- Ensure a gender-bias-free organisation – “Our study shows that males and females have large differences between how they understand and work with risk and security. A good balance of the genders, throughout the organization – from top management all the way down – can be crucial to handle security risk appropriately,” he points out.
- Ditch awareness programmes, and focus on facilitating good behaviors using what we know from social psychology: norms, peer pressure, social relations.
The last bullet point says to ditch awareness programs. When I worked at Texas Instruments I thought these programs were not only a good reminder, but they were educational. Creating good behaviors is good, but over time, security issues change. New types of hacking, ransomware and other security threats arise and how are individuals supposed to be educated on these threats? It is one thing to force information on a user, but if you have a training session then individuals can ask questions and better understand the importance of their behaviors. It is also a good way to make sure the individual gets the information. Sending out emails is great, but we all know that we are overloaded with content so it is too easy to just delete an email and the critical content is never read by the end user.
Top 10 Ransomware Attacks in 2017
Speaking of new threats, it is still hard to believe the impact that ransomware is having on businesses. According to an article on techrepublic, Merck, the pharmaceutical company lost 300 million in the 3rd quarter of 2017 due to a ransomware attack. These attacks can be devastating. Even as someone who works in information technology it is easy to forget how many of these attacks happen each year. Here is a list of the top 10 attacks in 2017 alone. This list is from Techrepublic.
NotPetya started as a fake Ukranian tax software update, and went on to infect hundreds of thousands of computers in more than 100 countries over the course of just a few days. This ransomware is a variant of Petya, but uses the same exploit behind WannaCry. It hit a number of firms in the US and caused major financial damage: For example, the attack cost pharmaceutical giant Merck more than $300 million in Q3 alone, and is on track to hit that amount again in Q4.
SEE: Cybersecurity spotlight: The ransomware battle (Tech Pro Research)
WannaCry (also known as WannaCrypt) has been one of the most devastating ransomware attacks in history, affecting several hundred thousand machines and crippling banks, law enforcement agencies, and other infrastructure. It was the first strain of ransomware to use EternalBlue, which exploits a vulnerability in Microsoft’s Server Message Block (SMB) protocol.
Locky is currently the top payload in terms of ransomware and across all malware families, according to a report from security firm Proofpoint. While Locky was 2016’s most popular ransomware strain, new variants called Diablo and Lukitus also surfaced this year, using the same phishing email attack vector to initiate their exploits.
CrySis—typically spread by hacking into Remote Desktop Services and manually installing the ransomware—started last year in Australia and New Zealand. RDP is one of the most common ways to deploy ransomware, Webroot noted, because cybercriminals can compromise administrators and machines that control entire organizations. In May, some 200 master keys were released allowing victims to decrypt and unlock their systems, ZDNet reported.
The Nemucod ransomware family has been active since at least 2015, and arrives in the form of a phishing email that appears to be a shipping invoice. Then, it downloads malware and encryption components stored on compromised websites.
SEE: End user data backup policy (Tech Pro Research)
Jaff arose in May 2017, and heavily mimics tactics used by Locky. It uses the Necurs botnet to send millions of spam emails to targets globally over just a few hours, and demands victims pay 1.79 Bitcoins—currently more than $6,000.
Cerber uses ransomware-as-a-service to allow non-technical cybercriminals to extort payments from victims, with the developers of the malware taking a cut of the money gained.
Cryptomix is one of the few types of ransomware that does not have a type of payment portal available on the dark web, the report noted. Instead, victims must wait for the cybercriminals who locked their machine to email them instructions for payment in Bitcoin.
Jigsaw, first seen in 2016, embeds an image of the clown from the Saw movies into a spam email. When the user clicks it, the ransomware encrypts their files, but also deletes files if the user takes too long to make the ransom payment of $150, according to Webroot.
How much did ransomware cost businesses in 2017?
The cost is estimated to be around 5 billion, however, the reports vary. Some websites report that ransomware has cost the US 75 billion.
Attacks are actively bypassing security.
Of the companies that have experienced ransomware attacks, 7 out of 10 have fallen victim to at least one that got past their security and successfully encrypted their files. Traditional security solutions are simply struggling to keep up with the incredible pace at which new ransomware variants are being produced.
As a result, some organizations are looking to new solutions that utilize machine learning and behavioral analytics to block ransomware during runtime, while others are simply assuming they’ll be infected and are prioritizing response and recovery, instead (some even going as far as to stockpile Bitcoin in anticipation of paying off attackers).
So what we have learned in all of our research is the importance of educating your employees, but also the critical necessity of having a disaster recovery plan in place and possibly outsourcing your information technology to a business that specializes in IT Security. Tekconcierge supports a number of businesses helping them to secure their networks, create a disaster recovery plan and maintain business continuity in case of an attack. Furthermore, Tekconcierge partners with other security firms to stay on top of the latest threats and solutions to the ever-increasing number of potential security issues.