Basics needed to swerve security apocalypse

James Lyne, Global Head of Security Research at Sophos, talks security basics and predictions for the next security apocalypse.

When we last spoke towards the end of 2015, Sophos’ Global Head of Security Research James Lyne predicted a bumpy 2016 and beyond: chiefly that ransomware would continue to grow in popularity, and that the Internet of Things producers would be in for a ‘big wake-up call’ if they didn’t address the security basics they were failing to implement in their devices.

Since then, we’ve seen Dyn buckle under the weight of a DDoS attack powered by thousands of IoT-enabled CCTV cameras, and thousands of companies brought to a standstill by the WannaCry ransomware.

“It's happened. Which I'm really angry about,” he tells IDG Connect in 2017.

“I predicted that cyber criminals would not take long to figure out that IoT – even if it’s in its infancy compared to where it's probably going – could be valuable. Mirai and follow-on campaigns demonstrated that. Even though it was embryonic in terms of capability, it could have been enhanced trivially to infect so many more devices.

“Ransomware was already very popular, so it wasn't a prediction that it would become popular but that it would increase in impact and scale, that we'd see a really big campaign. [With WannaCry] We were in the right region generally speaking there.”


Back to basics

In his talk at InfoSecurity Europe this year, and expanded on further in another piece on Ransomware and WannaCry, Lyne explained that the WannaCry ransomware attack – and many like it – often succeed ‘in spite of themselves’. Much of today’s ransomware is built using simple tools readily available through criminal channels. However, much of it is poorly built.

“Ransomware has been the great love of cyber criminals, we've seen that it can hit headlines, but that ransomware is actually very average. There's a lot of ransomware with terrible crypto, embedded passwords, really bad payment channels, half arsed social engineering.”

He warns that there are far more technically proficient campaigns, such as Locky and Cerber, that can do far more damage and are harder to overcome. And the trend is one of greater numbers, of continuous improvement, and, with the rise of ransomware as a service, of homogenisation of technical capability.

“The ransomware as a service model means we're at the beginning of a wave of more capable ransomware: you download it, change the password, change the look and feel, put in custom dollar values, change the payment channel, hit build. You've got your own piece of ransomware.

“I think there's more mileage in ransomware unfortunately yet.”

One concerning aspect of how companies are dealing with ransomware is the expectation that there will be a way around it. Some – such as WannaCry – are often built quickly and leave clues behind which can lead to decryption tools. However, Lyne warns that being able to develop such tools is never a guarantee.

“I have a hard time saying the good thing about WannaCry in general, because of the real impact it had on people and organizations all over the world,” he says.

“There is undeniably a silver lining that it's helping people raise the profile with boards once more of patching, the importance of things like making sure all your security controls are turned on, up to date, and doing what they should be doing. Basics.”

“Let's just make sure as security professionals, as an industry, we don't run to implement practices against WannaCry, we use this as an opportunity to implement security best practices that represent the body of what’s most important to protect your day to day.”

So what can organisations do? Lyne suggests that it is more important than ever to ‘keep your finger on the pulse’ of what’s going on.

“Don't go and look up the latest security advice yearly, don't wait to be told in headlines in the news; because of something like WannaCry, go do X.”

Instead, he says, have a look for the latest best practice every couple of months at least, and ensure you’re ‘part of the solution, not the problem’ by ensuring everything is up to date and as secure as possible.

“It's so easy to get distracted by the latest sexy topic. It's important to always remind ourselves, those outside the echo chamber, those basics give us all a huge opportunity to make life harder for cyber criminals.”

“Cyber criminals are moving faster and faster and have more opportunities. You need to start thinking; ‘My kettle is a computer; it's not a black box device, it's a computer. I have to update it, I have to worry about security best practice’.”


More doomsday predictions

When asked for his predictions on what kind of security threats we could see in the future, Lyne simply replies: “I don’t know.”

“My prediction is, things are about to speed up a whole lot and change more than they ever have. We are at such an unbelievable point of different things occurring in our industry, we're at the melting pot moment of different trends. The scale of it and the complexity is just phenomenal. In every direction I look, we have epic themes.

“The whole IoT thing is still far from fully hitting the apex of blowing up. We've had years of mobile devices getting some focus from cyber criminals, but we haven't had the big 'oh my god' moment, the exploit that hits every mono-ecosystem iPhone.

“As a researcher that's exciting and interesting. As a business worrying about security, I wish we could go back to the days of good old simple Trojans and people trying to steal banking information.”

