Category: CYBERSECURITY

Cybersecurity Trends in 2017

Cybersecurity is in the news almost daily, and investment in cybersecurity, whether by established corporations or venture capital, is rising. The stature and business significance of cybersecurity operations within organisations continues to rise, making it a strategic management issue in every organisation. A persistent skills shortage continues to impede putting a successful cyber defence strategy in place, which is driving most organisations to look increasingly for outside help by entering into consulting and managed security services contracts.

Rapid Increase in the Investment in Cybersecurity

  • According to Gartner, worldwide spending on cybersecurity increased by 7% as compared to last year and will reach $86.4 billion in 2017.
  • Spending on both cybersecurity services and products is expected to keep growing into 2018, reaching $93 billion by the end of the year.
  • An Enterprise Strategy Group (ESG) survey found that for 39% of organizations, improving cybersecurity is the most important business initiative driving IT spending in 2017 and that 69% of organizations are increasing their cybersecurity budgets in this year alone. 
  • 81% of cybersecurity professionals agree that improving security analytics and operations is a high priority at their organizations.
  • Cybersecurity startup funding hit an all-time quarterly high in terms of number of deals in the first quarter of 2017, up 26% from the previous quarterly high. The trend held through the second quarter, which saw just one fewer deal (145 total) compared to the previous quarter. 
  • The amount of disclosed equity funding to cybersecurity companies has also recently broken records, reaching an all-time quarterly high of $1.6 billion in the second quarter of 2017, according to CB Insights.

From cybersecurity operations into strategic Digital Risk Management

Organizations today generally think of cyber-risk as internal network penetration and defense. But there is now a shift towards developing a more comprehensive risk management strategy that includes all digital assets, such as websites, social networks, partner exposure, branding and reputation management, and compliance.
Says ESG: “Comprehensive Risk Management Strategy is a more holistic digital risk strategy designed to analyze threat intelligence, monitor deep web activities, track the posting of sensitive data, and oversee third parties and partners.”
With the transformation of cybersecurity into comprehensive risk management, Gartner predicts that by 2020, 100% of large enterprises will be asked to report to their board of directors on cybersecurity and technology risk at least annually, which is an increase from today’s 40%. 
The key in presenting to the board, says Gartner, is to connect the cybersecurity program goals to business risks. An example would be a discussion of implementing a process for managing third-party risk to support a business’s cloud strategy.

Cybersecurity skills shortage, a problem needing attention

There are currently more than 348,000 open security positions, according to CyberSeek. By 2022, there will be 1.8 million unfilled positions, according to the Center for Cyber Safety and Education. The industry needs, and will continue to need, new kinds of skills as cybersecurity evolves in areas such as data classes and data governance, says Gartner.
According to the ESG survey, things are not improving at all. Some survey results:
In 2016, 46% of organizations reported a problematic shortage of cybersecurity skills. In 2017, the research is statistically the same as last year: 45% of organizations say they have a problematic shortage of cybersecurity skills.
According to 2016 research conducted by ESG and the Information Systems Security Association (ISSA), 33% of respondents said that their biggest shortage of cybersecurity skills was in security analysis and investigations. Security analysis and investigations represented the highest shortage of all security skill sets.
Recent ESG research reveals that 54% of survey respondents believe that their cybersecurity analytics and operations skill levels are inappropriate, while 57% of survey respondents believe that their cybersecurity analytics and operations staff size is inappropriate.
The ramifications of skills and staff deficiencies are also apparent in the research. Cybersecurity operations staffs are particularly weak at things like threat hunting, assessing and prioritizing security alerts, computer forensics, and tracking the lifecycle of security incidents.
CISOs propose an easy fix: companies must work towards hiring more cybersecurity staff to bridge the knowledge and staffing gaps. In fact, 81% of the cybersecurity professionals surveyed say that their organization plans to add cybersecurity headcount this year.
However, it is not that simple to do. According to the ESG research, 18% of organizations find it extremely difficult to recruit and hire additional staff for cybersecurity analytics and operations jobs, while another 63% find it somewhat difficult.
Gartner recommends focusing the cybersecurity team on the most important tasks and automating the manual ones, such as log reviews. It tells CISOs to review their job listings to see if they are hiring for positions that can be outsourced.

Managed Security Services, SaaS and ITO route to managing security

All organizations need cybersecurity help, says ESG. When companies buy security tools, the product contracts include a professional services component that allows the companies to manage and ensure optimal usage of their security portfolio. CISOs can leverage MSSPs and SaaS providers to outsource the relevant areas of their security portfolio.
According to Gartner, 40% of all managed security service (MSS) contracts in 2020 will be bundled with other security services and broader IT outsourcing (ITO) projects, up from 20% today. 
To deal with the complexity of designing, building and operating a mature security program in a short space of time, says Gartner, many large organizations are looking to security consulting and ITO providers that offer customizable delivery components that are sold with the MSS. 
As ITO providers and security consulting firms improve the maturity of the MSS they offer, customers will have a much broader range of bundling and service packaging options through which to consume MSS offerings. The large contract sizes associated with ITO and security outsourcing deals will drive significant growth for the MSS market through 2020.
IDC estimates that services will be the largest area of security-related spending over the next five years, led by three of the five largest technology categories: managed security services, integration services, and consulting services. 
Together, companies will spend nearly $31.2 billion, more than 38% of the worldwide total, on these three categories in 2017.

Increased confidence in cloud cybersecurity

Just about 5 years ago, concerns about adequate security were cited as one of the top reasons for not moving IT operations and assets to the cloud. This thinking has recently changed, accompanied by rapid cloud adoption by many large corporations. A recent survey by analyst firm ESG has found “improved security” reported as a benefit that has been realized by 42% of organizations that already leverage cloud-based data protection services.
Gartner explains the potential key benefit of cybersecurity in the cloud: Today’s data centers support workloads that typically run in several different places—physical machines, virtual machines, containers, and private and public cloud. Cloud workload protection platforms provide a single management console and a single way to express security policy, regardless of where the workload runs.
While there are known benefits of moving security services to the cloud, Gartner warns that as the cloud environment reaches maturity, it is becoming an increasing security target. As with most services, there is a possibility of cloud-based security services being targeted, rendering the service unstable and insecure. Organisations should therefore develop security guidelines for how they use private and public cloud and prepare a cloud risk model.

AI and machine learning (ML) driven Cloud Security

ML algorithms have the ability and potential to help with employee productivity and security analytics, but the technology is in its infancy and not well understood, says ESG. A survey of 412 cybersecurity professionals asked them to assess and characterize their knowledge of machine learning/artificial intelligence as it relates to cybersecurity analytics and operations technologies. Of the total survey population, only 30% of respondents claim to be very knowledgeable in this area. In other words, 70% of cybersecurity professionals do not really understand where machine learning and AI fit in their security portfolio.
Additionally, cybersecurity pros were asked whether their organisations have deployed, or are planning to deploy, machine learning/AI technologies for cybersecurity analytics and operations.
Only 12% say that their organization has done so extensively, and 6% of respondents have no plans to deploy machine learning/AI technologies for cybersecurity analytics and operations. In the long run, most of the cybersecurity professionals did see the potential of AI and machine learning to help automate manual tasks and manage the skills shortage in the area.


It is important that organisations take the effort to gain knowledge about AI and ML and how they will impact cybersecurity services and products. This way they will be better able to proactively understand the adversarial capabilities of hackers. Many companies employ ethical hackers to find the loopholes in their security portfolios and protocols.

Author
Team HCITExperts

Your partner in Digital Health Transformation using innovative and insightful ideas

Ransomware Prevention 101 – Expert Tips by Nicola Whiting @CyberGoGiver

Whether you manage your own systems and devices, or rely on third-party hosted systems (i.e. ‘in the cloud’), your Ransomware risk is real, constant and growing.

Below are some key actions that you can put in place now to significantly reduce your Ransomware and Cyber Crime risk. They cover prevention, immediate response during an attack, and recovery.

What to do first?

Set up regular data backup procedures – then ensure they happen
Backups are ESSENTIAL in protecting data. If you are successfully attacked with Ransomware, your backup is the best, possibly only, option for saving your data and your ability to do business. Backups also help you recover from many other forms of damaging malware attacks and even hardware failures. Some Ransomware variants, such as Cryptolocker, will also encrypt files on drives that are mapped. This includes connected cloud file stores, attached network drives and USB thumb drives. Action: Back up often, to an external drive or backup service (one that is not assigned a drive letter), and physically disconnect it from the computer between backups. Make sure the backups are tested and are usable!
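One way to put the “tested and usable” requirement into practice, as an added example that is not code from the original post or from any product it names: a small Python routine that archives a directory together with a SHA-256 manifest and then proves the archive restores correctly before anyone has to rely on it. The sample files, directory names and the `dest_dir` location are constructed for the demonstration; in real use `dest_dir` would point at the external drive or backup service the post recommends.

```python
"""Backup with a digest manifest, followed by a restore test.

Added example, not code from the original post or from any product it names.
The routine archives a directory, records a SHA-256 digest for every file, then
restores the archive into a scratch directory and compares each restored file
against the manifest. Sample files and paths are constructed for the demo.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source: Path) -> dict[str, str]:
    """Map each file's path relative to `source` (POSIX form) to its digest."""
    return {
        p.relative_to(source).as_posix(): sha256_of(p)
        for p in sorted(source.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, dest_dir: Path) -> tuple[Path, Path]:
    """Write backup.tar.gz and backup.manifest.json into dest_dir; return both paths."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / "backup.tar.gz"
    manifest = dest_dir / "backup.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(source).as_posix())
    manifest.write_text(json.dumps(build_manifest(source), indent=2))
    return archive, manifest


def verify_backup(archive: Path, manifest: Path) -> list[str]:
    """Restore into a scratch directory and return the list of problems found.

    An empty list means every file in the manifest came back with the expected
    digest and the archive held nothing the manifest did not list.
    """
    expected = json.loads(manifest.read_text())
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        restore_root = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):  # Python 3.12+ and security backports
                tar.extractall(restore_root, filter="data")
            else:
                tar.extractall(restore_root)
        restored = build_manifest(restore_root)
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"digest mismatch after restore: {rel}")
    for rel in sorted(restored.keys() - expected.keys()):
        problems.append(f"unexpected file in archive: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Back up a constructed directory, verify it, then show a failing verification."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "finance"  # constructed sample data, not real records
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2017-03.csv").write_text("id,amount\n1,120.00\n")
        (src / "notes.txt").write_text("constructed sample data\n")

        archive, manifest = create_backup(src, Path(work) / "backup")
        clean = verify_backup(archive, manifest)

        # Failure mode: a file changed after the archive was written and the
        # manifest was regenerated, so manifest and archive no longer agree.
        (src / "notes.txt").write_text("changed after backup\n")
        manifest.write_text(json.dumps(build_manifest(src), indent=2))
        stale = verify_backup(archive, manifest)
    return clean, stale


if __name__ == "__main__":
    ok, broken = demo()
    print("clean backup problems:", ok)
    print("stale manifest problems:", broken)
```

The restore test runs against a throwaway directory rather than the live data, so it can be scheduled after every backup without risk; a non-empty problem list is the signal that the backup you are counting on would not actually bring the business back.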

Setup your defences

Cyber Essentials Controls 
CESG spent many years determining which security best practices would remove the most risk (a Cyber Essentials version of the 80/20 rule!). Following Cyber Essentials guidance can reduce your risk by 80%. In addition to being a great security guide, some Cyber Essentials checks can help to prevent Ransomware. The following is a list of those checks:

  1. Installing the latest software patches and updates can help against known security issues being leveraged by malicious software.
  2. Installing and keeping up to date the latest anti-malware/virus software can ensure that known bad executables, and potentially software behaviours, are stopped.
  3. Disabling auto-run can prevent malicious software being transferred between systems using storage technology such as USB pens.
  4. Do not use Administration-level accounts for day-to-day tasks. As well as being good security practice, this will help restrict the impact of any malware infection.
  5. Access privileges should be used to limit access to resources and systems.
  6. As above, this should also help to restrict the impact of any malware infection.
  7. Firewalls should limit network traffic to only approved source / destinations and service types.
  8. Malware protection, possibly in the form of APT / IPS, can prevent potentially malicious software from calling home or propagating on your systems.

You can check some of these controls using the FREE Risk Assessment Auditing Tool (www.titania.com/risk-assessment-tool). It provides key risk analysis in 21 areas, includes step-by-step mitigation suggestions and automates some of the manual configuration reviews needed for Cyber Essentials.

Automate Defence (when possible)

Patch or Update your software
Keeping your software up to date is a security essential; it significantly reduces your risk. Ransomware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to silently get onto your system. If you make a practice of updating your software often, it can block their access. (As a triple bonus, it also helps defend against other Malware and makes it harder to hack into your systems!) Action: Enable automatic updates, especially for major vendors such as Windows and Adobe. If you can’t auto-update, go directly to the software vendor’s website (good practice, as Ransomware / Malware creators can disguise Phishing attacks as software update notifications).

Filter EXEs in email 
If your gateway mail scanner can filter files by extension, you may reduce risk by denying mails sent with “.EXE” files and “*.*.EXE” files. Users who legitimately need to send or receive executable files could then use password-protected ZIP files or secure cloud services. Naturally this is not foolproof and you may want to consider other options (a 7-Zip vulnerability was recently discovered and patched).

Re-enable showing full file-extensions 
Windows’ default behaviour hides known file-extensions. Re-enabling the display of full file-extensions will help your team spot and avoid clicking on suspicious files, e.g. those with unexpected “.EXE” (executable) extensions often used by Ransomware.

Use a reputable security suite and keep it updated 
Ensure you include anti-malware software and a software firewall; they will both help identify threats or suspicious behaviour. Ransomware developers frequently send out new variants (to try to avoid detection), so multiple layers of protection will reduce their chances of success. If you run across a Ransomware variant so new that it gets past anti-malware software, it may still be prevented from executing, or be blocked from connecting with its Command and Control server (to receive its encryption instructions), by Software Restriction Policies (SRP) or your firewall.

Firewalls/Proxies and APT/IPS 
Once something malicious is running inside your network, you do not want it to communicate with the outside. Firewalls should be configured to restrict network traffic going in both directions, not just inbound traffic. Web browsing should also be limited to prevent access to known malicious websites. Internet proxies can be used to help prevent access to malicious content, or user access to websites by content type. Advanced Threat Protection (APT) / Intrusion Prevention Systems (IPS) can also detect and prevent software from accessing or performing potentially malicious activity. 

Windows Policy Updates 
There are a number of Windows group policies that can be deployed to help prevent running malicious code, e.g. the user application data folder is often used by Malware developers as a location to launch malicious software.

Software Restriction Policies (SRP) can be used to prevent the execution of software from that folder. They are configured under the following policy tree:

Computer Configuration/Policies/Windows Settings/Security Settings/Software Restriction Policies

To prevent execution of programs within certain types of files, they can be configured under the following policy tree:

User Configuration/Windows Settings/Security Settings/Software Restriction Policies 

On the latest versions of Windows you can take this further by configuring AppLocker policies to restrict the execution of software. 

This is a complex subject in its own right, and Microsoft has provided lots of detail in the following TechNet article: https://technet.microsoft.com/en-us/library/ee619725(v=ws.10).aspx An example would be to configure policies to only permit the execution of signed software.

Train your People

Train your people to detect what “suspicious” looks like and what to do in the event of an attack. Help them by giving sensible policies, “attack reaction” training and showing hidden file-extensions.  

Email Attachments: 
Before opening email attachments, you should first check the email’s validity. Potentially malicious software is often attached to emails in the hope that someone will open it. The malicious emails can range from very simple and obvious through to sophisticated and less obvious.

(The original post shows three screenshots of example phishing emails here, captioned “These are fairly obvious…”, “Another…” and “Yet another example…”.)

Emails with “Invoice Attached” or something similar may be harder for someone in an accounts team to ignore. However, there are simple checks that you can perform to confirm details about the email. If you are unable to confirm any of the details, then try getting in touch with the sender to confirm its validity (do not use any of the contact details supplied in the email – they could be fake). Also check the attachment type: would you normally have an invoice attached as a ZIP or executable file?

It is important that everyone is trained on what to look out for in emails. And remember, banks do not send emails asking you to login to your account using a link contained in an email (or they should not). Also, Inland Revenue send information in the post, not via email. Be aware of what you are opening, clicking on and viewing.
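The gateway rule from the “Filter EXEs in email” section above (deny “.EXE” and “*.*.EXE” attachments) and the attachment-type check this section asks people to make by hand can both be expressed as a mail-gateway policy. The following is an added example, not code from the original post or from any product it names: it parses a raw message with Python’s standard `email` module, flags executable and double-extension attachment names, and additionally peeks inside unencrypted ZIP attachments for executables (the extra extensions beyond “.EXE” and the ZIP check are this example’s own additions; password-protected ZIPs cannot be inspected and are passed through, consistent with the post’s workaround for legitimate executables). The message it checks is constructed for the demonstration.

```python
"""Attachment policy check for an inbound mail gateway.

Added example, not code from the original post or from any product it names.
Rules: deny ".EXE" attachments and double-extension "*.*.EXE" names such as
Invoice.PDF.exe (from the post); also look inside unencrypted ZIP attachments
for executables (this example's own addition). The sample message is constructed.
"""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from typing import Optional

# Extensions treated as directly executable. The post names ".EXE"; the others
# are this example's own additions.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1"}


def classify_name(name: str) -> Optional[str]:
    """Return a reason to block `name`, or None if the name alone is acceptable."""
    parts = name.lower().rsplit(".", 2)   # "Invoice.PDF.exe" -> ["invoice", "pdf", "exe"]
    if len(parts) < 2:
        return None                        # no extension at all
    if "." + parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) == 3:
        return f"double extension hides executable ({name})"
    return f"executable attachment ({name})"


def zip_members(data: bytes) -> list[str]:
    """Member names of a ZIP payload; [] if it is encrypted or not a ZIP at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            if any(info.flag_bits & 0x1 for info in archive.infolist()):
                return []                  # bit 0 of the general-purpose flags = encrypted
            return archive.namelist()
    except zipfile.BadZipFile:
        return []


def check_message(raw: bytes) -> list[str]:
    """Return block reasons for a raw RFC 5322 message; an empty list means allow."""
    msg = message_from_bytes(raw, policy=default)
    reasons: list[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_name(name)
        if reason:
            reasons.append(reason)
            continue
        if name.lower().endswith(".zip"):
            for member in zip_members(part.get_payload(decode=True) or b""):
                inner = classify_name(member)
                if inner:
                    reasons.append(f"{name} contains {inner}")
    return reasons


def build_sample_message() -> bytes:
    """Constructed message: one benign attachment and two that should be blocked."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "payments@example.com"
    msg["Subject"] = "Invoice Attached"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ constructed sample, not a program", maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("setup.exe", b"MZ constructed sample, not a program")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="archive.zip")
    return bytes(msg)


if __name__ == "__main__":
    for line in check_message(build_sample_message()):
        print("BLOCK:", line)
```

The check is deliberately based on attachment names and ZIP directory entries only, which is what a gateway can do cheaply on every message; it complements, rather than replaces, the anti-malware scanning and the user checks described above.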

What if the worst happens?

You’re in the middle of an attack or your files are being encrypted – what can you do? 

Disconnect from WiFi or unplug from the network immediately
This technique may not always help, but training your people to “immediately disconnect the system and notify IT” if they think they’ve clicked on a malicious attachment, can (if done quickly enough) limit your risk, damage and costs. Depending on the breed of Ransomware this action may cut off communication with the attackers’ server and localize the data encryption to just one machine (which may be far easier to recover from).   

It normally takes some time to encrypt all your files, so even if you’re not quick enough to outpace the malware spread, disconnecting from the network and notifying IT will give your team valuable response time. It may help to isolate an infection.

Restore or Recover
If you have System Restore enabled in Windows, you might be able to defeat a Ransomware or Malware attacker. However, some versions of Ransomware (e.g. Cryptolocker) may delete the System Restore files before you can return the system to a known clean state. If that is the case, then your best option would probably be a full restore from a clean backup. (You’ve got a clean backup and tested the procedure already…right?)

Pay or Don’t Pay?
If you have any other option open to you, my advice would be don’t pay for two main reasons:

  1. You have no guarantee you will get your data back. In many cases the decryption key is never received, it fails to work or only partly decrypts the data.
  2. You’re then a proven “paying customer” which increases your likelihood of future re-targeting!

If you are leaning towards paying…
You can normally do a very quick Google search to determine if you have a viable option for recovery and, often, whether the criminals in question have a track record of delivering your data back. Some Ransomware variants, such as Cryptolocker and Jigsaw, now have payment timers (after which the price for your decryption key, or the damage, goes up significantly). At the time of writing, you could “beat the clock” with Cryptolocker by setting the BIOS clock back to a time before their 72 hour window was up, resulting in a lower Ransom payment demand. In every case, if you’ve decided to pay, it’s worth quickly investigating your potential actions first…

One Final Suggestion…. 
For the policies and practices you put in place to remain effective in protecting you and your business, they must be enforceable, measurable and consistent. User training on cyber / information security procedures can be made part of your HR on-boarding process and refreshed regularly. For system settings, firewall rules and policy enforcement, I would recommend using detailed system / configuration auditing tools such as the award-winning Nipper Studio and Paws Studio.

Useful Links & Free Tools

Cyber Essentials 
https://www.cyberstreetwise.com/cyberessentials/
Government-backed walk-through on protecting yourself against cyber threats
  
FREE Risk Assessment Auditing Tool 
https://www.titania.com/risk-assessment-tool
The Risk Assessment Auditing Tool, created by Titania Ltd, automates the auditing of 21 key security risks (such as unpatched software, missing anti-virus updates and poor password enforcement) that would leave your business vulnerable to attack. It will significantly reduce the time of hardening your system against Ransomware attacks. 

Cryptolocker Prevention Kit
http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit/
Cryptolocker Prevention Kit created by Third Tier to help automate making a Group Policy to disable files running from the App Data and Local App Data folders, as well as disabling executable files from running from the Temp directory of various unzipping utilities.

Author

Nicola Whiting

Communication Strategist, Technology Speaker, Chief Operations Officer, Diving & Kayaking Enthusiast