In this interview, Mark Sangster, VP & Industry Security Strategist at eSentire, talks about the most pressing issues CISOs are dealing with in today’s fast-paced threat environment.
How has the cybersecurity threat landscape evolved in the past 5 years? What are some of the most notable threats eSentire is seeing that were not an issue in the past?
The past five years have seen significant progress in both the recognition of cybercrime and the increased threat posed by organized cyber cartels and nation states. Past attacks were often rudimentary in strategy, uncoordinated, and opportunistic. Consider ransomware attacks for example. Attacks used generic phishing lures posing as streaming services, banking institutions, or travel agencies. These broad and unrefined nets were cast by smash-and-grab criminals, groups or nations. Like bobbing plastic waste on the ocean, it snared all levels of the ecosystem from individuals to banks, law firms and hospitals. Regardless of the duped party, the ransom payment was a fixed-rate transactional fee and did not reflect the wherewithal of the victim.
But from this chaos came order. Organized criminal groups realized that cybercrime was more lucrative and less dangerous than traditional physical crime. And this led to both a systematic approach to extortion and the targeting of more lucrative targets like law firms fearful of reputational damage or hospitals petrified of operational disruption and the impact on patient care. Ransom values moved into the five- and six-figure range, and lures played upon the social and economic factors that drove the target industry.
At the same time, organized crime and nation states found that their wares offered a revenue channel. So, tools once the domain of advanced nation states appeared in the civil black markets. And now, malware and delivery mechanisms such as Emotet are commodities. It’s a reflection of the fact that criminal business runs using the MBA best practices of their Fortune 500 prey. Why build and develop a payload delivery mechanism when a perfectly good one is available on the market? It’s the same buy vs. build decision businesses make every day. It’s the commoditization of cyber tools. Commoditization means growth. Low cost opens market opportunities.
Nation states are recalibrating their radar to expose a wider range of targets. Companies are finding themselves the new form of collateral damage in trade wars. Governments levy tariffs, trade wars heat up, and nations use cyber vengeance to try and equal the economic impact. It’s not felt in factories or ports of entry. It’s now affecting the heartland. Increase tariffs on steel, and opposing nation states steal funds and IP from industry and manufacturers.
What attack methods are cybercriminal organizations using the most? What type of organization is most at risk?
No one is immune to cyber attacks. But specific industries continue to grace the top steps of cyber crime podiums. While banks were once the simple one-step connect-the-dots to profit (banks are where people keep their money), now criminals see other industries as big game.
While the sophistication of attacks increases, it’s more about understanding their target. They understand what drives a business, what keeps them up at night, and what buttons to press to elicit the desired response. They use phishing lures and often use the firm’s own tools against them by compromising a trusted vendor, or leveraging embedded tools like remote administrative protocols that provide decentralized access to critical network operations.
Most notable are hospitals and healthcare facilities. They are open to the public, susceptible to attack, and hard to defend. As IoT permeates healthcare in the form of connected medical imaging, IV and patient monitoring systems, hospitals make easy targets. They are soft. And they are fearful of operational disruption. Downtime impacts patient care. It can mean life or death. And they are willing to pay to avoid protracted shutdowns caused by pervasive ransomware attacks. And patient records are valuable and can be used to defraud insurance carriers. What’s more, criminals know hospitals also pay hefty fines when data breaches occur. It’s salt in the wound. So, hospitals will pay to avoid downtime, lost patient billing, and regulatory privacy fines.
Law firms and other business services (accounting, marketing, consulting, etc.) have unparalleled access to critical information and are now a prime target of criminals. Law firms control financial information, intellectual property and other forms of valuable information. They are protective of their reputation and fear the repercussions of public attack. So they pay ransoms.
Manufacturing firms fall victim to fraudulent billing to the tune of billions. Operational disruption is costly. In one case a firm faced the dilemma of shutting down an infected assembly line at a cost of millions. The board elected to wait for a scheduled maintenance window, and suffer the consequences of the resulting cyber attacks in the meantime.
Education, media and entertainment and others have all seen their share of attacks. Once the water hole is discovered, all the predators circle knowing their prey will gather there.
What advice would you give to a CISO that wants to develop a risk management strategy for the long haul?
Security is no longer about ones and zeros. It’s not an IT problem to solve. It’s a business risk problem to manage. CISOs need a seat at the table, and should be considered step zero in the business objective-setting process. Does this geographical market incur risk? Does this client bring undue political attention? Does housing medical information increase our obligations? These are business issues to solve, not IT problems to bandage with another firewall or more user awareness training.
CISOs need to be part of the legal group, and muster their equal share in the risk equation. Security needs to align to business objectives, and develop a clear line of sight to the Board of Directors. And CISOs need to speak in dollars and cents, and not ones and zeros. They must frame the risk in terms that business people can understand. That’s the way to garner budget and resources. They know the risks; it’s selling the risk to the Board and executives, who must understand their obligations as they relate to cybersecurity. There are enough dead roles and companies out there whose corpses litter the headlines of cyber breaches.
What’s your prediction when it comes to the number and type of data breaches in 2020?
Attacks will continue to move toward high return, hands-on-keyboard attacks. This means simple security controls designed to stop malware and credential harvesting tools won’t keep pace with these tactics. Firms will need to invest in security experts who can go head to head with their criminal adversaries, and defend the fort.
Grey crime will also continue to develop and grow. Tactics used to sway public thinking and sway elections will be used to move the enterprise value of companies. Positively or negatively impacting a stock value means criminals can plant stories, and watch the social network carry their paper boat away on the current, and then buy or sell stock to ‘front run’ the trade with insider information. It will be much harder to detect than the theft of proprietary information, and much harder to stop.
The complexity of targeted crime, constantly changing technology, and the way humans interact creates a petri dish that will accelerate the growth of cybercrime. This concoction can be abused in infinite ways.