30th September 2018

Ransomware, GDPR, IoT and the Cloud
Topics that are seldom out of the news, with security concerns as the common denominator.

Let’s start with ransomware. Industry experts predict that this will continue to be the malware of choice for cybercriminals and that variants will continually evolve. Indeed, just recently, a new strain of ransomware was reported that was able to escape detection by the majority of anti-virus engines and well-known cloud applications including Google Drive and Microsoft Office 365. The rise of ransomware-as-a-service gives would-be hackers more opportunities to try their luck: they deploy this file-encrypting malware and pay a percentage of the funds they collect to its author. No wonder then that ransomware continues to be big business in the criminal world – even vying with drug dealing in terms of its revenue, according to some analysts. There are, of course, conflicting reports on how much revenue is generated. Some say that the percentage of ransomware bitcoin payments has declined but, in any event, payment is only a small part of the real cost of entrapment, particularly for business. The total cost of damage includes not only the potential loss of data (bearing in mind that there is no guarantee that files will be returned even if payment is made), but also disruption to business, investigation and restoration, additional employee training and, most importantly, reputational damage that can impact the brand.

Jon Rayment, managing director at security solutions provider NetThreat, a customer of Exertis, maintained that 70 – 80% of security conversations with their clients included the topic of ransomware. “Initially, it was SPAM, then ID theft followed by phishing and now ransomware is the biggest single concern. Fortunately, our portfolio of vendors allows us to provide appropriate security solutions enabling our customers to address the risk. Prevention: which includes training and filtering; Detection: through deployment of recent client software tools and Restoration by deployment of suitable backup technology, are all key parts of the solution.”

The WannaCry attack last year, which affected high profile organisations like the NHS, has increased awareness of the problem and the media has played an important role in highlighting the issue. However, even now the NHS has struggled to meet the required cyber security levels, with their digital deputy CEO admitting in February that all 200 NHS trusts that had been assessed had failed to reach the Cyber Essentials Plus standards. Worryingly, most of the failures were down to a lack of patching of systems – one of the main reasons the NHS was so badly affected by the WannaCry attack. Whilst the “WannaCry lessons learned” report, just recently published, pointed out that more funding was required for the NHS, it also called for them to have sufficient quality and capable IT technical resources to manage and support their local infrastructure, systems and services.

The report also highlighted the need for employees within organisations to receive sufficient training on cyber security. Phishing attacks, which leverage social engineering techniques, have been the most common form of attack, using emails, social media, instant messaging and SMS to trick victims. Designed to create curiosity and urgency and appearing to come from a trusted source, they aim to obtain sensitive information or entice the recipient to open an infected attachment or visit a compromised website so that the attacker can infiltrate their systems.

NetThreat’s Rayment also concurred with the need for training: “As part of our security offering, we can determine the vulnerability of staff in an organisation and then deliver training courses for companies as part of an ongoing solution. Employees are tested on their ability to spot phishing and other forms of communication that contain malware. This includes identifying whaling attacks that focus on higher profile contacts within an organisation that are much more profitable for the criminal.”

Whilst the media has been influential in highlighting ransomware, there has also been a lot of noise surrounding encryption. It seems that encryption has become the holy grail. Whilst it has enormous benefits, it has also highlighted a further security concern. Much of the internet has become encrypted and as businesses increasingly look to cloud solutions, they rely more on encryption as a means to protect their data. Gartner has predicted that by 2019, 80% of web traffic will be encrypted. NetThreat’s Rayment highlighted the issue this has caused for some organisations: “With increasing encrypted traffic, malware can go undetected. Whilst encryption enables online privacy, it has provided the opportunity for cybercriminals to hide malicious content that can go undetected without the right security solutions in place. There has been a rise in hackers leveraging SSL/TLS encryption to hide attacks. Inspecting encrypted traffic is key to preventing any number of threats and the percentage of organisations that have deployed the necessary solutions to inspect encrypted threats remains low. It’s likely that more sophisticated malware inside encrypted traffic will be deployed by cybercriminals and organisations will have to increase their protection and their security expenditure to match it.”

Of course, data loss will become an even greater concern for companies in the coming months with the GDPR on the horizon. GDPR isn’t prescriptive in terms of what technology to deploy, although it advocates the deployment of security practices. It only suggests: “The pseudonymisation and encryption of data; ability to ensure confidentiality, integrity, availability and resilience of processing; the ability to restore data after an incident; and a process for testing, assessing and evaluating effectiveness of security”. Preventing threats is important, but often it’s human error, whether wilful or unwitting, that poses the biggest issue. Vendors like SonicWall provide firewalls that are able to inspect encrypted traffic and detect, block and provide incident reporting to prevent such a breach.

Whilst conversations about GDPR per se haven’t been that widespread with NetThreat customers, Rayment believes that it has helped companies understand the need to deploy the right security solutions in the first place, preventing a breach with multi-layered protection that includes firewalls, endpoint security, e-mail security, remote access management and disaster recovery. “GDPR has provided a framework for discussion on security and we have been running some educational webinars on the subject. Historically companies have been collecting huge amounts of data that in the future they won’t be able to hold.”

Some of this data has inevitably moved to the cloud. Rayment believes that some companies have moved to the cloud first and considered security second. “We are beginning to see questions being asked about cloud security. Security vendors have been rather slow in their approach to securing the cloud.” With GDPR, both the data owner and the cloud service provider will be held equally responsible for compliance. Companies will need to ensure that their provider is indeed compliant, and inevitably some are better than others. No doubt reputable CSPs will be able to demonstrate their GDPR capabilities, but companies should look to seek clarity, supported by a detailed services contract.

You can take your pick on the number of connected devices that analysts believe will be in place by 2020: 30, 50 or 75bn. The number is so big it’s hard to comprehend. Clearly IoT is going to play an increasing role in our home and workplace. Inevitably that poses a security risk for both consumers and industry, one which cybercriminals will be keen to exploit. In their 2018 predictions, SonicWall believes that more devices connected to the internet will result in more compromises, with DDoS attacks via compromised IoT devices continuing to be a main IoT threat. In addition, as more data is collected by these devices, they will become a more lucrative target. It will be up to manufacturers to ensure that security is a key part of the product specification to maintain the trust of the users and that the right security is in place wherever they are deployed.