In the sixteen years I’ve been working in infrastructure design, security has become more and more important. But much of what’s reported in the media seems to relate to large, multinational, household name organisations. So when I met with security expert David Emm I was keen to discuss security from the perspective of the typical UK organisation: what does the threat landscape look like for them, how is this likely to change over the next year or two, how can they assess the threat they face, what should an effective security policy look like, and how can they identify an appropriate security solution?
An expanding threat landscape
Over the past 20 years we’ve seen pretty much exponential growth in malware, to the point that we’re now seeing more than a million new samples a day, with 310,000 unique threat samples every day. While the bulk of that represents random speculative attacks – the sort of traditional cybercrime we’ve come to expect – the remaining 10% are targeted attacks. Here the attackers are going after a specific company or sector of the market, and these are impacting every size of business.
At the same time we’re operating in a much more complex business environment – with increasing connectivity, always-on technologies, data on premise, in cloud and on a multitude of devices – providing a much bigger attack surface. So it’s not surprising that we also have a very diversified threat landscape, which includes banking attacks, targeted attacks on the organisation, mobile threats and, as the Internet of Things becomes more pervasive, a situation in which routers, meters and other everyday items are becoming subject to attack.
David Emm speaks of four key vehicles in the spread of malware: exploit kits, which are code developed to exploit vulnerabilities in unpatched software; social networks, where messages containing links are prevalent; email, where we see both links and attachments used; and removable devices, such as USB drives, which skip straight through your perimeter defences.
Inevitably the threat landscape we see now will change over the next few years so I was interested to hear how David Emm saw this changing.
Banking attacks will continue to be a major area of activity. Most are aimed at consumers, rather than the bank’s backend systems, and as businesses are major consumers of banking services they usually have multiple staff empowered to interact with the bank.
Ransomware, effectively a form of extortion, is growing to the extent that David expects to see it eventually outstrip banking attacks. Criminals use ‘blockers’ to block use of a computer or other device, or ‘cryptors’ to encrypt files, and demand payment, in some anonymised form, for you to get the data back. And this doesn’t just affect Windows – Linux, mobile devices and Mac OS X are increasingly becoming targets. The number of targeted attacks has grown significantly and David sees no immediate end to this.
While targeted attacks on big organisations such as TalkTalk, Experian or Ashley Madison tend to make the headlines, there are also many more targeted attacks on small and medium sized organisations. Some of these are stepping stone attacks, where information is stolen in order to launch an attack on a larger organisation, such as a key customer or business partner.
I asked David for practical suggestions about how people can start to assess the threats they face. The starting point, for any size of organisation, should be an audit of the assets that could be of value to an attacker, which could include customer or partner data, intellectual property, future product development or the organisation’s position as part of a larger company’s supply chain. Then you should look at how an attacker might try to get to these assets, and how to block them.
Pragmatically, we can no longer rely on perimeter defences alone. We need to recognise that someone may get in, and plan for how to handle that. This comes down to what David Emm calls the three Ps: people, processes and protection (in other words, technology). Protection means defending endpoints, including mobile devices, using a range of options such as encryption and whitelisting, as well as traditional anti-malware.
From a process perspective it means not giving everyone in the organisation admin rights – because if you do, any malware that runs as that person effectively inherits the same rights. For the same reason, you should segment the network to prevent lateral movement, so that if malware gets into one part of the organisation it can’t freely reach other parts of the network, because they are cordoned off. And it also means having a disciplined backup regime as a precaution against ransomware attacks.
Ultimately most attacks start with people: attackers look at how to trick someone into giving them access to the organisation. So we need to patch people as well as assets, which in the human context means ongoing education and awareness.
Many of the organisations I encounter still seem to have a very passive approach to security, so I was keen to discuss what an effective security policy should look like. Without it becoming too burdensome, David advocates including the audit and risk assessment, along with the protection, processes and people we’ve already outlined.
As well as having the right protection, businesses need to ensure software gets patched. Many of the exploits we see can easily be blocked, just by applying the updates from Microsoft, Adobe, Java and other vendors as they come out. And on a personal note, one of the things I particularly like about Kaspersky security is the way that it helps you manage and keep on top of all software updates, not just Microsoft.
Important though it is to have a policy, there’s a danger of thoroughly working it out but then not reviewing it. Technology shifts, and the way we use it changes, and the tools we can use to combat attacks evolve over time, so policies need to be regularly reviewed. There’s also a risk of reading up and creating a detailed checklist of ‘wants’ that include encryption or heuristics or whatever else is being talked about. While a checklist is useful, it needs to be meaningful to your organisation and relate to functionality that you will actually use.
Finding the right solution
That got me thinking – we can tell an organisation they should pick the right solution for them, but how do they actually go about doing that?
David answered my question by pointing out that an organisation will know its business better than anyone else, but needs first to identify the potential risks: initially by understanding the threat landscape, then by knowing what information it holds that might be important to an attacker. Companies may wonder why anyone would want to attack them, but often it’s because of the value of their information and customer data.
Once the risks are understood, the task is to map them to the available security technologies. For example, email will need protecting, but you also need to think about the mobile devices in use and the data they carry – including securing any devices brought in by staff. With sensitive data and mobile staff, maybe it’s also time to think about encryption.
Independent tests play a significant role in informing your selection. Don’t just look at what the testers are saying in their most recent tests, but look at what a product’s track record is like over time.
Also ask yourself ‘what’s going to work in my environment?’, not just from a technical perspective but also in terms of its usability.
Historically, a lot of detection has been signature-based, so you may be surprised to learn that 80% of Kaspersky’s detections are now proactive. This includes heuristic capabilities: being able to look for suspicious aspects of code, such as ransomware encrypting files.
Proactive detection also includes behavioural analysis: looking at the system and what impact something has on it, shadowing it as it completes tasks on your computer, and stopping it if it misbehaves. Proactive detection that reviews the metadata of a program you run or download and checks its overall reputation – providing an instant analysis in real time without having to wait for a signature update – should increasingly be part of your thinking.
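To make the behavioural idea concrete, here is an added example (mine, not Kaspersky’s code or the interview’s) of the simplest kind of heuristic a monitor could apply to the ransomware pattern described above: a process rewriting many files with high-entropy, encrypted-looking content in a short time window. The event format, process IDs and file contents are constructed for illustration.

```python
"""Toy behavioural heuristic: flag processes that rewrite many files with
encrypted-looking content in a short window (added example, constructed data)."""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FileWrite:
    ts: float    # seconds since monitoring started
    pid: int     # writing process
    path: str    # file written
    data: bytes  # content written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data approaches 8.0, text sits far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flag_suspicious(events, window=10.0, min_files=5, entropy_threshold=7.0):
    """Return pids that wrote >= min_files distinct high-entropy files within `window` s.

    The rate matters: an archiver also writes high-entropy output, but slowly."""
    by_pid = defaultdict(list)
    for ev in events:
        if shannon_entropy(ev.data) >= entropy_threshold:
            by_pid[ev.pid].append(ev)
    flagged = set()
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):          # sliding window over this pid's writes
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if len({e.path for e in evs[start:end + 1]}) >= min_files:
                flagged.add(pid)
                break
    return flagged


ENCRYPTED_LIKE = bytes(range(256))                              # entropy exactly 8.0
PLAIN_TEXT = b"Minutes of the board meeting, draft 3\n" * 8      # well under 7.0
SAMPLE_EVENTS = (  # constructed: benign editor, benign slow archiver, fast encryptor
    [FileWrite(50.0 + i, 1001, f"docs/report{i}.txt", PLAIN_TEXT) for i in range(2)]
    + [FileWrite(15.0 * i, 2002, f"archive/part{i}.zip", ENCRYPTED_LIKE) for i in range(6)]
    + [FileWrite(100.0 + 0.5 * i, 4242, f"home/user/file{i}.docx", ENCRYPTED_LIKE) for i in range(6)]
)

if __name__ == "__main__":
    print("suspicious pids:", flag_suspicious(SAMPLE_EVENTS))  # {4242}
```

Only the process that rewrote six files in under three seconds is flagged; the archiver producing equally high-entropy output at one file every fifteen seconds is not, which is why thresholds like these must be tuned to your own environment rather than copied from a checklist.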
On reflection, a fascinating discussion with David Emm has produced a lengthy, but I hope interesting, post. If it’s whetted your appetite to learn more, please join me on 14 April for a short webinar in which I’ll be quizzing Kaspersky’s Adrian Louth to provide ‘A practical guide to why analysts rate Kaspersky as cybersecurity leaders’.