Some 33% of all malware arrives via email. Hence, companies should pay much more attention to developing pro-active defence measures. Read about pro-active defences and find out about other measures that will help your company defend against one of the most common kinds of cyberattack. The interview with Per Söderqvist, Team Leader, Sales Engineer, Nordics & Baltics, was conducted after an event of the Finnish-Lithuanian Chamber of Commerce at the Embassy of Finland.
What are the main take-aways from this report?
Per Söderqvist: First of all, if we look at it, I think there are two exciting things to see here. How we have moved into more adversary types of attacks, which is more of a targeted type of approach. So this, if you compare it to last year’s report, has increased by a lot. The other thing that I think is important, for companies as well, the takeaway that I would use, is to look at how organizations and companies get infected with malware – we see that email is still the most significant problem across the board.
Something like 33%...
33% of all malware comes in via email. The problem is that companies are investing a lot of money in protecting their email, but, as I usually say, you can only get so far with a reactive approach. You can maybe reach a 95% security level with a reactive type of approach. Companies are investing more and more money in putting more and more reactive kinds of methods and protection layers into their company, but it won’t fill that 5% gap that you still have.
Companies need to start investing more money in a pro-active type of defence. What I mean by a pro-active defence is, for example: train your users, educate them. There are a lot of interesting tools; for example, we have a tool that we call “fish trap”. Basically, you can send out an email to your users and measure how many users opened that email; if there’s an attachment in that email, how many people downloaded that attachment, how many enabled a macro for that document, how many users would click on a link in an email that opens a web page that looks like Office 365, and how many users would enter their credentials.
And then, when you have that knowledge – okay, well, actually the scary part is that we see, on average, something like 7 out of 10, if it’s a well-designed campaign, would open that website and authenticate.
So you can use training and guides and say, okay, these are the kinds of things you should look out for. The first question you should ask yourself is: are you expecting an email from FedEx or whatever, do you have a package on the way to you? So yes, there might be a case where you are actually expecting it, and the next question is: okay, why are they sending this to me, and so on? So investing more in pro-active defences would be crucial moving forward, because we won’t be able to stop all the threats with a reactive approach.
How are these cybercrimes evolving? How are they changing?
So we’re seeing that, just like we’re doing with deep learning, for example – the reason why we’re using deep learning is really to automate as much as possible, the data is becoming too much – we see the same thing on the criminal side: they’re automating their attacks, they try to get in as quickly as possible, they tend to go for the low-hanging fruit.
The easiest way in used to be that all the Windows computers were the target. In contrast, now we’re seeing everything from Android devices being targeted, Internet of Things (IoT) devices being targeted for an attack, and servers being targeted, because usually, when a company is designing its security, they tend to put many resources into securing their endpoints, but they forget about the Android devices, they forget about the servers. They think those don’t need that much protection, and they have everything on a flat network.
So you put your clients, servers, IoT devices, Android devices – everything is all on the same network, meaning that if one of them gets hit, it’s easier for the criminals to move laterally from that starting point across the network, live off the land and see what they can find. And that’s why we’re seeing these more advanced attacks. The persistent threat attacks usually take their time; they could stay on the network for 72 hours looking at what security products you have in place and how they can get around that, whether you have any internal firewalls and how they can get around that, and so on.
What should businesses and public services do to avoid those things? You mentioned cloud services and that everything is moving to the cloud.
So the dream scenario currently is to go towards this zero-trust approach, this zero-trust networking, having the ability to really segment your devices from one another. So I think that’s something that companies need to start investigating moving forward.
We’ve gone from a kind of flat network to, now, most of the time, companies having these segmented networks, so they have one zone for their servers, another area for their clients, a third one for their IoT devices. A third approach is where you have each device segmented by itself, so I think that will be important. That, and the pro-active approaches.
What are the most unexpected cyber-attacks that you have come across in your working experience?
Working with this, of course, there are different scenarios. Everything from the criminals starting to use the phone: how they could send an email to a user and then pick up the phone and call that user, saying “I just sent you an email, I’m from IT, you need to click on this link and patch your whatever,” and then they get infected.
I think that’s a very next-level type of social engineering; usually, it’s just an email, and they hope for the best, that the user will click on it. We’re starting to see more and more examples where they’re going the extra distance to do the phone call as well. We’ve even seen it work at another company, where a person came up to the front desk, handed over a USB stick and basically asked, “Can you print my CV?”, and the receptionist, being helpful, of course helped out and got infected that way.
There are many instances where companies have been infected and have had a back door into their company for several years; it’s hard to grasp that. But imagine if you have a company where you put all your information on the servers, cloud storage and so on. Basically, the criminals have a back door open all the time.
You spoke a lot about the backdoor. What is the easiest way to detect that you have a backdoor?
First of all, having some next-generation type of security or defence on your endpoint that can detect if a Metasploit backdoor has been established. That’s one thing that is important to have. Not just having a traditional antivirus solution, but having something next generation.
The third step is really to start thinking about using MDR (Managed Detection and Response). It is a security operations centre connected to your environment, and they have the security expertise to check this continuously, and that’s the best approach; there’s nothing that can beat that.
There’s a lot of hype surrounding 5G right now and much talk about backdoor possibilities. Do you think this hype is valid, or should we be worried about 5G crawling into our systems and them being taken over through 5G?
If there is something that we can learn from history, it is that in the beginning, all new technologies that are introduced have a period of time when they will have more vulnerabilities that can be exploited for criminal or whatever other gains. So yes, that’s a concern, but from what I am seeing, the biggest concern is that we’re now connecting more and more devices.
I think Gartner predicted that in 2020 we will have approximately 20 billion IoT devices connected, and IoT devices tend to be… To put it like this – the security of the product is not the main focus. They want to get their IoT device onto the market as quickly as possible, as cheaply as possible, and be as competitive as possible, and the problem with security is that it can be quite expensive to invest in, so they somewhat forget about it.
There are so many examples of IoT devices using unencrypted passwords and UPnP to connect to an outside resource, which punches a hole through your firewall. In this aspect, 5G will allow more of these devices to be connected, which is a security risk.
Back to more practical issues: let’s assume I’m a frequent traveller, a frequent flier, and I go to an airport outside the EU and need to connect to Wi-Fi because I need to send an important file or data. If I connect to the airport’s Wi-Fi on my computer, what does that mean?
So Wi-Fi has been used for attacks; there have been many different scenarios. For instance, there is Pineapple. The interesting thing with Wi-Fi is that if you have connected to your home network before, your mobile phone will continuously ask, every time: “Hello, home network, are you there?” Usually, it can’t find it, but Pineapple works in a way that responds, “Yes, I’m here, I’m your home network.” Then, through the use of an SSID, you can start attacks.
If there’s one thing that we’ve been good at, it’s this: when Edward Snowden released the NSA papers, only about 10% of web traffic was encrypted. Just as of last week, we’re at 90% of all web traffic being encrypted. That’s a massive accomplishment in approximately five years.
We have encrypted almost the entire internet and should be really proud of that. This makes such Wi-Fi attacks more difficult, and Google and Firefox have done much work in enhancing their security. For example, the introduction of HSTS, which basically allows the browser to ensure that the connection to the remote site is intact and is not being tampered with along the way.
There has been much progress made in this area, but of course, wireless to this day remains a significant security risk. I was talking to one pen tester, and what they do, and what almost always works for them, is that they go around with a sort of Pineapple approach, throwing out SSIDs and telling devices that their home network is available.
Then the device would connect to the wireless network while a cable was also connected to the computer. Then, through different types of attack, they could bridge the wireless network to your local network and start an attack that way. It is also an entry point into organisations, going around a company with these types of devices.