Trend Micro, a significant global security provider, hosted its Cybercrime 2016 Threat Defence Summit in Sydney which was attended by over 200 C-level and IT managers - all keen to hear why cybersecurity has become a boardroom imperative.
The speaker line-up was impressive:
- Charles Lim, Senior Industry Analyst, Cyber Security from Frost & Sullivan on “The State of Threat Landscape”
- Anil Suleyman, Head, Cyber Defence, Emerging Security Challenges Division (ESCD), NATO HQ, Brussels
- Raimund Genes, Global CTO, Trend Micro on “Strategy for Enterprises Addressing Cyber Threats”
- Zak Khan, Director of Advanced Cyber Defence, Trend Micro Australia and New Zealand, who hosted the event.
Following are some of the speakers' paraphrased highlights, starting with Lim.
Business needs digital transformation aligned to its end strategy [to survive and thrive]; disruptive change is driving business. But cyber criminals threaten to disrupt that digital disruption. Uber's database was hacked and trust in that company declined. The value of a business today rests on trust. It takes 20 years to build a reputation and five minutes to destroy it.
Australia is highly targeted: more than 50% of ransomware is aimed at Australia because Australians pay! There were 11,073 reported security 'incidents' in 2014, with the loss conservatively valued at A$17 billion (about 1% of Gross Domestic Product).
The top Australian industries under attack are Energy (29%), Banking, Financial services and insurance (20%), Communications (12%), Defence (10%), Transport (10%) and Water (6%).
In most cases cyber criminals go after the money but increasingly it is about disrupting the economy [State sponsored cyberwarfare or cyberterrorism].
Heavily engineered spear-phishing email is still the most used malware delivery vector, but blockchain [a distributed database that maintains a continuously growing list of data records hardened against tampering and revision] is also being used to distribute ransomware and more [nasty stuff].
Cybercriminals are now using strong encryption (AES-256, paired with 1024-bit asymmetric keys [so the victim cannot recover the file key from the infected machine]), the best marketing [social engineering], hard-to-trace Bitcoin for payment [pseudonymous rather than truly anonymous], Tech Support to set up a Bitcoin account, and even help decrypting data once the ransom is paid; they want satisfied clients that validate their business model.
The message from all speakers was loud and clear – Do not pay ransomware attackers – it encourages them to do more. Instead, use the money to fix your security.
The problem is that many do pay, as this means a minimum loss of utility for perhaps 24 hours. Taking longer to recover backups and clean systems may cost more in lost sales or reputation. This is a clear case where prevention is better than the cure.
Business needs to be prepared for the new better organised, better funded, highly savvy cyber criminals. It needs a comprehensive, achievable cyber security policy in place, an incident response plan, and a communications plan [PR] at the very least.
Resilience will only be achieved via intensive education and by using internal or external resources to send your own spear-phishing emails to catch less-than-vigilant staff. [This was an ongoing theme: education is fine, but being caught has more impact.]
Lim finished by saying that you need the three 'C's of cyber security:
- Cyber protection – the latest layered security in place
- Cyber Intelligence – know what is happening and chart deviations from good
- Cyber resilience – have everything in place and keep it up to date
To achieve this, business, government and everyone else need to collaborate, share data, and start the relevant conversations.
Suleyman was introduced as the Tom Cruise, Top Gun, of cyber-crime prevention, but I suspect it would have been more appropriate to use 'Men in White' (referring to the Men in Black movie and white versus black hat hackers).
He spent much time talking about how NATO protects its own 'network' ('We have no dependencies on the usual networks') and the special issues that arise where it touches the internet. His life is not boring: NATO is a high-priority hacking target!
His words were chilling: "In the future cyber threats will be considered a 'conventional' threat, just like terrorism, nuclear war and more." He said that cyber defence had been seen as the underdog [compared to the importance of protecting the world against war, terrorism, nuclear attack, etc.] and now it impacts every part of every defence.
His message, however, was about playing catch-up with cyber criminals who, on the whole, appear better organised and funded than ever before; it's a profitable business.
First, you need layers of protection; there is no such thing as one defence. Next, you need real-time analytics to know what is going on in the network. Then you need trained staff to administer it, and NATO helps build this capacity via training at its School in Oberammergau, Germany, and Defence College in Rome, Italy.
He said that there is no such thing as an isolated incident; they are all related. Organised cybercrime uses similar threat vectors, actors, campaigns and methods, and this demands that industry (enterprise, government and threat protection) all collaborate in sharing information. You need to invest in situational awareness, resilience and partnerships [as cyber criminals do] because you can't do it all yourself.
Genes was perhaps the unsung hero of the day; as Chief Technology Officer of Trend Micro he has seen it all. He said, "Attacks should never happen in enterprise. All you need is basic housekeeping. Keep security up to date, apply patches and be aware. Cyber criminals take advantage of the lack of patching and old vulnerabilities."
“Are we losing the battle against cyber criminals [business, government and security companies] – YES!”
He lamented that too many still see security as it was ten years ago: all about perimeter defence, a fortress. Well, there are too many ways to breach defences. The old way was like a Mentos: hard shell and soft on the inside. When cyber criminals get in ("Let's accept this: they will") they can do lots of harm. In any case, security is now about the internet, cloud, mobility, BYOD and remote workers; there is really no such thing as security if you only protect endpoints.
He said that every organisation needed a realistic security strategy in place, published guidelines, layered protection, and to collaborate.
He spoke of the layered defence model. "There is no such thing as a silver bullet; throw out anyone who promises you one." The layers of protection can be physical or abstract. In physical terms, defences can be deployed at the gateway, at the server (file server, email, and SharePoint), and on the endpoint itself. The abstract layers are network, endpoint, user, application, and data.
He was definite on ransomware. Do not negotiate with cyber criminals. Do not validate their business model by paying. Backup data and make sure you are resilient. Spend that money on fixing your security.
He gave special mention to access control, “Why do you let everyone access everything? Tie it down to what is needed.”
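As an added illustration of what "tie it down to what is needed" looks like in practice (my example, not code from the summit or from Trend Micro), the script below compares the entitlements each account actually holds against a per-role baseline and reports every grant the roles do not justify, putting anything with an admin or wildcard component at the top of the list. The role names, permission strings and accounts are all constructed for the example.

```python
"""Least-privilege entitlement review (added example, not from the summit).

Compare what accounts actually hold against what their roles legitimately
need and report the excess, so it can be revoked or formally justified.
All names and data below are constructed for illustration.
"""

# Constructed role baseline: the minimum each role needs (hypothetical names).
ROLE_BASELINE = {
    "accounts_payable": {"erp:invoices:read", "erp:invoices:approve"},
    "helpdesk": {"ad:password:reset", "tickets:read", "tickets:write"},
    "developer": {"git:repo:write", "ci:jobs:run"},
}

# Constructed snapshot of actual grants, as you might export from an IAM system.
# The over-grants are deliberate so the review has something to find.
ACCOUNTS = [
    {"user": "alice", "roles": ["accounts_payable"],
     "grants": {"erp:invoices:read", "erp:invoices:approve", "erp:vendors:admin"}},
    {"user": "bob", "roles": ["helpdesk"],
     "grants": {"ad:password:reset", "tickets:read", "tickets:write", "ad:domain:admin"}},
    {"user": "carol", "roles": ["developer", "helpdesk"],
     "grants": {"git:repo:write", "ci:jobs:run", "tickets:read"}},
    # A service account with no assigned role: nothing justifies any of its grants.
    {"user": "svc-backup", "roles": [],
     "grants": {"fileserver:backups:read"}},
]

# Permission components that make an unjustified grant especially dangerous.
HIGH_RISK_MARKERS = ("admin", "all", "*")


def baseline_for(roles, role_baseline=ROLE_BASELINE):
    """Union of everything the account's roles legitimately need.

    Unknown roles contribute nothing, so their holders' grants show up as excess
    rather than being silently waved through.
    """
    allowed = set()
    for role in roles:
        allowed |= role_baseline.get(role, set())
    return allowed


def review(accounts, role_baseline=ROLE_BASELINE):
    """Return {user: sorted list of grants exceeding the role baseline}.

    Accounts whose grants are fully covered by their roles are omitted.
    """
    findings = {}
    for acct in accounts:
        excess = acct["grants"] - baseline_for(acct["roles"], role_baseline)
        if excess:
            findings[acct["user"]] = sorted(excess)
    return findings


def prioritise(findings, markers=HIGH_RISK_MARKERS):
    """Split findings into 'high' and 'low' buckets.

    A grant is high risk when any ':'-separated component of the permission
    string is one of the markers (e.g. 'ad:domain:admin').
    """
    buckets = {"high": {}, "low": {}}
    for user, grants in findings.items():
        for grant in grants:
            bucket = "high" if any(m in grant.split(":") for m in markers) else "low"
            buckets[bucket].setdefault(user, []).append(grant)
    return buckets


def report(accounts=ACCOUNTS):
    """Print a human-readable review; returns the prioritised findings."""
    prioritised = prioritise(review(accounts))
    for level in ("high", "low"):
        for user, grants in prioritised[level].items():
            for grant in grants:
                print(f"[{level.upper()}] {user}: {grant} not justified by assigned roles")
    return prioritised


if __name__ == "__main__":
    report()
```

Running it against the constructed snapshot flags alice's vendor-admin right and bob's domain-admin right as high-risk excess, the role-less backup account as low-risk excess, and nothing for carol, whose two roles together cover every grant she holds. The same structure works against a real IAM export once the baseline reflects what each role genuinely needs.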
Above all, if a breach occurs, be open with your customers, investigate and fix quickly, and report to the board within one month on what happened and how you have closed the gap.
Q. Do you envisage mandatory reporting of breaches of PII data?
A. It is happening in the US and Europe but many companies/countries are perhaps too scared to make it mandatory. Any PII breaches should be subject to mandatory reporting and fines if necessary.
Q. What trigger point should be used to make reporting mandatory – perhaps breaches affecting 5% of revenue or more?
A. A big stick may be necessary for Australia. In some countries it is mandatory to employ a data protection officer if you handle PII.
Q. Would it be easier to establish a dialogue and negotiate with the cyber criminals re: ransomware?
A. It is just confirmation that their business model is working. Better to work with law enforcement to identify and get them jailed. But working with the law in some countries is very hard.
Q. Should organisations and countries take an offensive stance? [Referring to Prime Minister Turnbull's statement: "The Australian Government has the tools to launch a cyber attack and they're not afraid to use them."]
A. Turnbull answered that himself: "The use of such a capability is subject to stringent legal oversight and is consistent with our support for the international rules-based order and our obligations under international law." The panel agreed that reverse hacking [hacking back] was not wise, as it could knock out legitimate users.
Sorry if the report does not do the speakers justice; there was too much good content. I urge business to look to their security providers and see if they offer such summits, and to enter into more dialogue with them. Trend Micro offers a free consultation and analysis and, frankly, if your existing security company does not do this then head over to Trend.
Since I have been covering security issues, the landscape has certainly changed. The key messages were:
- Layered security measures; there is no silver bullet
- Educate and train staff, but also test them
- Good security hygiene: patch systems and keep everything up to date
- Invest in multiple security tools: analytics, authentication and much more. Endpoint AV on its own is so yesterday.