This is a contributed piece by Alan Zeichick, Principal Analyst at Camden Associates
When the US Federal Bureau of Investigation reverses its advice about a cybercrime epidemic, you know that the problem is bad – and getting worse. Ransomware, on the rise exponentially since 2015, has become one of the biggest headaches for consumers, businesses, hospitals, government agencies (including the FBI), telecoms carriers, insurance companies and cybersecurity researchers. And the Asia-Pacific region has been particularly hard-hit with ransomware. Originally, the FBI advised paying the ransom. Now the agency suggests that businesses and consumers find another way, and not give in to the criminal’s demands.
A blue-ribbon panel discussion held in Sydney, Australia, bringing together analysts, carriers and cybersecurity companies, tackled major questions about ransomware – and the role of many industry players in studying and eradicating this global scourge.
The discussion was moderated by Tim Dillon, founder and director of Tech Research Asia, based in Sydney, with participation from experts from Menlo Security, Cylance, Matrium Technologies, and Verizon.
Kicking off the discussion, Mr. Dillon pointed out that ransomware is technically not new, and that a reason for its current success is education — or lack of it — about cybersecurity. “The first ransomware appeared around 1989, something like that, so it's not exactly that this is a new threat. You have to question the effectiveness of education not just for ransomware, but ransomware is an important conversation to have.”
Stephanie Boo, Asia-Pacific Managing Director for Menlo Security, agreed that there is an education challenge — and that it’s getting harder all the time. “Education is a lot more challenging because hackers are using sophisticated social engineering techniques right now. It can fool anyone. So we see a lot of cases of ransomware happening on legitimate websites!”
Sadly, Australia has turned into a huge target for ransomware; as Mr. Dillon pointed out, in terms of reported incidents, “Australia is currently ranked third and last time it was fifth, so it’s in a worsening position.” Lack of education is a cause, but it’s not the only one: “From an enterprise perspective, there is a skills shortage in Australia,” he said, adding, “I know a professional services organization that has just spent 18 months trying to fill a security application position.”
And that leads to successful attacks, explained Ms. Boo, referencing one small business owner she talked to. “What happened is that he got exploited by ransomware. He did whatever people always asked him to do, always made sure he had a backup of his data. So what happened was he thought what he had was safe, so when he got attacked, he refused to pay the ransom. But what he didn't realize was his backup data was actually also infiltrated. So it was a double whammy for him because both sets of his data were compromised.”
Looking for monetisation potential: Ransomware and worse
What’s the motivation for malware attackers? For ransomware, it’s the ransom. But what about other criminal activity? Attackers are looking for anything of value, explained Verizon Asia-Pacific senior consultant Aaron Sharp. “When an attacker gets in they try to find whatever they can to monetise. They could hit the jackpot and they could hit some personally identifiable information that would be sold for identity theft. It could be payment data. It could be intellectual property. They are looking for anything of value. If there is no meaningful data that they can get hold of, they'll keep that back door and they'll sell that machine either as a back door into that organisation because someone else might have an interest in it, or they’ll turn it into a slave computer. Once malware is installed and active in the environment, it gets reused.”
Businesses should worry about those vulnerabilities, added Trent Owens, Director of Business and Technology at Matrium Technologies. “Cybersecurity opens the customer’s eyes to see what's going in and out of their business servers and virtual servers. Most attackers have tools on the actual servers themselves.” He added, “The data doesn't hide. That's what we find.”
The cost of those breaches? Potentially huge, said Menlo Security’s Ms. Boo, especially when there’s a compliance issue where legally protected information was compromised. “We've had to do a full log internal review for customers — and the damage set the organisation(s) back by a few hundred thousand dollars to over a million.”
Ransomware is not the biggest threat, agreed Andy Solterbeck, Regional Director for Cylance. “Ransomware is a pain. You know it is a pain, but you've got recovery measures. As security people, I actually don't think it is a real problem. It's just not. I know it's a terrible thing now, but giving somebody a couple of thousand dollars to get your machine back is a pain, but it's not necessarily a disaster.”
The real problem, he explained, is targeted malware tuned for a specific enterprise. “Sixty percent of our customers have malware that is single site — and does not exist anywhere else in the ecosystem. It is targeted, especially wrapped for you as the customer. As a security professional, that's what worries me because in the end, that's creating the back doors, and taking intellectual property.”
Verizon’s Mr. Sharp said that sometimes cybercriminals are playing psychological games – maybe they want you to know that you are vulnerable, such as when threatening a distributed denial-of-service attack until you buy them off. “Most of the time attackers want to keep the breach undetected so that they can exploit it further. But in the case of ransomware, whether it's malware or the threat of a DDoS-type extortion, the attackers absolutely want you to know, and demonstrate, that they're there and they've got you.”
Mr. Dillon, the panel moderator, asked, “Where do you see the typical attack of malware inside an organisation? From an organisation perspective, where are the common groups inside an organisation that get penetrated?”
Instant answer from Ms. Boo from Menlo Security: “Human resources, sales, marketing. The way sales are approached, the marketing people are more at risk because of the nature of the way they work.” She added that some types of organisations are particularly vulnerable and likely to pay ransom quickly: “Even if they've got good backups and everything, if their time to restore that data is too long, they're more likely to pay as well. So banking, healthcare. We've all read about the hospitals in the United States that have been locked up by ransomware and have had to divert ambulances because their computers were down.”
Can you calculate the cost of such attacks? It simply can’t be done, not when you’re now dealing with human lives. That’s probably why organisations like Hollywood Presbyterian Medical Center have paid the ransom — they can’t afford not to. Sadly, paying off the cybercriminals isn’t always the answer, as Kansas Heart Hospital learned, when the hospital paid to get the data back, but only got partial access… and a demand for more money.
Isolation may be the answer
A number of security experts believe that isolation may be the best technique for reducing cybercrime, including ransomware. In this context, isolation means separating the internet from a direct connection to the organisation – including its servers, network and end users. As Menlo Security’s Ms. Boo explained, “Isolation could actually mean isolating the user by security tools, or it means isolating the organisation from the employees, by getting rid of people. It's really about isolation of the access content, and looking at what makes the internet a dangerous place. The World Wide Web is becoming so dangerous because employees are going to legitimate websites and getting compromised.”
Cylance’s Mr. Solterbeck thinks of isolation as requiring taking humans out of the security loop – and applying advanced computer science, including artificial intelligence, to the problem of threat identification and mitigation. “Humans are no longer able to scale to resolving the issues that we've got from a security perspective right now and we need to start applying the techniques and capabilities that we've done in so many other industries like large data and algorithmic mathematics.”
He continued, “Those techniques exist and we had better start applying those to our world both on the network side and on the endpoint side because that is the only way we're going to be able to navigate past having humans making real-time security decisions on our behalf. When you have a million network cybercriminals being creative and attacking every day, there is no human that can scale for that. We're done.”
AI means products, and panel moderator Tim Dillon asked directly: “How does a company make sense of a broad range of vendor cybersecurity solutions and know which are going to work?”
One size doesn’t fit all, said Trent Owens from Matrium, because customers have different network models and security requirements, which create pockets of challenge for the vendors. “You run into problems where you've got this solution for this pocket, and another solution for another pocket. From an admin’s perspective, you don't really have a consistent security profile, so that causes a problem unless you get a security solution that sits across them all.”
Solterbeck agreed, and said that the proof of the pudding must be in the eating – that is, how does a security solution work on your network? “People must proof-of-concept. They have to test the solution, drive it and see whether it actually does what it says it does or not.”
He then pointed to Asia-Pacific as a region where proof-of-concept tests will be critical — and will be driven largely by managed security service providers (MSSPs). “In Australia and elsewhere, the role of the MSSP is going for the managed outcome. It’s huge. The SME businesses can’t do those tests themselves, so they're going to rely on managed outcomes from MSSPs to do the testing and validate solutions — and then keep the solution current after deployment. It's the only way to actually work at scale.”
And if you work for an SME business, Solterbeck suggests, “Find a managed outcome provider that actually knows what they're doing and go to them because you aren't doing evaluations yourself. You cannot do it.”
What about cyberinsurance?
Cyberinsurance can help mitigate the financial downside of a successful cyberattack, and is considered to be essential in companies that might be at risk for disclosure or theft of protected information, such as customer data or financials. It’s important to read the fine print, though, said Verizon’s Aaron Sharp, to see what is covered — and what is not. “You’ve got to look at your policy language to see if you’re covered for ransomware. Some policies say that you are covered for destruction of data or loss of data. However, with ransomware, the data is not actually destroyed, and has not been stolen.” So, Mr. Sharp said, you may not be insured.
Matrium’s Mr. Owens added, “We were speaking to some insurance companies and their policy does not change, no matter what the customer does or has. When it comes to cyberinsurance the insurance company doesn’t get into what you’ve got in your network. It’s just a generic policy.” So, again, review the policy carefully to see if ransomware and other threats are covered.
Ransomware: pay or not pay?
As noted earlier, the recommended best practices for paying ransom are changing. Reasonable experts can have different opinions – and change those opinions at any time.
Menlo Security’s Ms. Boo conceded, “In many cases, smaller organisations will pay the ransom unfortunately. That’s why businesses are really struggling. People are paying the attackers and when people stop paying, I hope that’s when we will see ransomware start to decline.”
Tech Research Asia’s Tim Dillon, the panel organiser, asked about the efficacy of technology to block ransomware and other such attacks now and in the future: “So from an endpoint perspective, is there an opportunity for an endpoint security provider to guarantee 100%?”
Alas, no, said Cylance’s Mr. Solterbeck. “No matter how sophisticated you are or how good you are at what you do, there is no such thing as 100% protection. Anyone who tells you that is just crazy or a liar. What we can say, though, if you’ve got an appropriate preventative layer you should be able to significantly reduce your risk. Cylance blocks about 99%, which is significantly better than the 30% to 40% protection range we see with previous generation technologies.”
Ransomware. It’s a real problem, in Asia-Pacific and elsewhere around the world. The only way to protect against ransomware and other cyber threats is to be vigilant – and deploy the best technology available. You literally cannot afford to ignore the business risk to you — and your customers.