The old concerns have not gone away – organisations still need to combat phishing and DDoS (distributed denial of service) attacks – but, overall, the cyber security landscape is changing. And changing fast.
That’s the view of Rob Holmes, vice president of products at Proofpoint. The nature, scale and motivation behind cyber attacks on organisations are all shifting, Holmes argues, and the only common factor is the target – people. “We’ve seen a huge pivot,” Holmes told CBR TV. “There was a time when people were attacking the network, the infrastructure and the end point. The vast majority of attacks we see now – and are hitting the news headlines – exploit human vulnerability.”
All this is happening against a backdrop of budget constraints, adding an extra burden on the shoulders of the chief information officer and the chief information security officer alike.
There are two classes of attack, in particular, that look to exploit the human factor. The first is ransomware, where the criminal sends out high volumes of email in anticipation that a small minority of recipients will unwittingly click on a link within the body copy or an attachment, installing malware on the host computer that encrypts all files. “Very conveniently, the cybercriminal provides a key to unlock your files in exchange for a small or, in some cases, a very large sum of money,” Holmes explained.
Holmes was speaking in March on the day Proofpoint co-hosted a CBR Dining Club event on security threats. Since then, of course, we have witnessed the world’s most disruptive ransomware attack. Using the WannaCry virus as its payload, the attack played on vulnerabilities within a number of versions of the Microsoft Windows operating system to infect more than 300,000 computers across 150 countries including many parts of the NHS. “Ransomware is a very big problem for businesses. It’s widely touted as being a billion-dollar industry.”
The second class of attack is business email compromise (BEC), sometimes referred to as wire transfer fraud or CEO fraud. In this scenario, the cybercriminal spoofs the email identity of someone with authority in an organisation – the chief executive, say – and sends an instruction to someone else within the organisation – asking, for example, a member of the accounts team to release funds. BEC works for a number of reasons, says Holmes. It carries the authority of the CEO or senior executive, it’s highly targeted and it’s highly researched. “The premise of social engineering is information about the victims – which is readily available online – so hackers can impersonate a CEO or any other employee for that matter.”
If those are the threats, what should organisations do by means of mitigation? “There is no silver bullet,” said Holmes. “It’s about people, processes and technology.” To that end, he endorses efforts in the public and private sector to raise awareness of cyber threats. “We should do more of that within our own organisations and to the wider public.”
Another layer of process control – to prevent anomalous transfer of funds or sensitive data – is an important step, too, but neither will eradicate the threat entirely. “The challenge with processes is that until they are baked into technology, they can be circumvented,” said Holmes.
“Technology needs to evolve [so it can] find that highly targeted imposter email and validate that, in fact, it did not come from the CEO – it was in fact someone pretending to be the CEO – and stop it in its tracks, upstream, before it becomes a problem.”
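The kind of upstream check Holmes describes, applied to the BEC pattern above, is illustrated by the following added example. It is not Proofpoint's code and is not from the article; it shows the header-level signals a mail gateway or SIEM rule can use to flag an imposter email that claims to come from an executive: a known executive's display name on an address outside the organisation's domains, a DMARC failure on a message that claims the internal domain, a Reply-To that redirects replies elsewhere, and payment-urgency wording in the subject. The executive list, the internal domain and the three sample messages are constructed for the example; `assess_message` is a hypothetical name.

```python
"""Header-level checks for the executive-impersonation (BEC) pattern.
Added example, not Proofpoint's code. The executive list, the internal
domain and the sample messages are constructed for illustration."""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed: the people a spoofer would most plausibly imitate, and the
# domain(s) their genuine mail comes from.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}

# Words that, in a subject line, match the "release funds" lure.
PAYMENT_WORDS = ("urgent", "wire", "transfer", "payment")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw: str) -> list[str]:
    """Return the reasons a message looks like an imposter email.

    An empty list means none of the checks fired; it does not prove the
    message is genuine, so it is a triage signal, not a verdict."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    name_key = " ".join(name.lower().split())
    from_dom = _domain(addr)

    # 1. Executive's display name on an address outside our domains.
    if name_key in EXECUTIVES and from_dom not in INTERNAL_DOMAINS:
        findings.append(f"display-name impersonation: '{name}' via {addr}")

    # 2. Claims our domain, but the inbound MX recorded a DMARC failure.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_dom in INTERNAL_DOMAINS and "dmarc=fail" in auth:
        findings.append(f"dmarc failure for internal domain {from_dom}")

    # 3. Reply-To sends the response to a different domain than From.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_dom:
        findings.append(f"reply-to mismatch: {reply} vs From {addr}")

    # 4. Payment-urgency wording in the subject, the classic BEC lure.
    subject = str(msg.get("Subject", "")).lower()
    if any(w in subject for w in PAYMENT_WORDS):
        findings.append("payment-urgency wording in subject")

    return findings


# Constructed sample: lookalike sent from an external address with the CEO's name.
IMPOSTER = """\
From: Jane Doe <jane.doe.ceo@mail.example.net>
Reply-To: Jane Doe <jane.doe.ceo@mail.example.net>
To: accounts@example.com
Subject: Urgent wire transfer before close of business
Authentication-Results: mx.example.com; dmarc=none header.from=mail.example.net

Please process the attached invoice today.
"""

# Constructed sample: header From forged to our own domain; DMARC caught it.
FORGED = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe@mail.example.net
To: accounts@example.com
Subject: Payment approval
Authentication-Results: mx.example.com; dmarc=fail header.from=example.com

Approve the transfer.
"""

# Constructed sample: a genuine internal message that should raise nothing.
GENUINE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Board minutes
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

Minutes attached.
"""

if __name__ == "__main__":
    for label, raw in (("imposter", IMPOSTER), ("forged", FORGED), ("genuine", GENUINE)):
        print(label, assess_message(raw) or ["no findings"])
```

The Authentication-Results header is trusted here only because, in a real deployment, the organisation's own inbound MX writes it; a gateway should strip any copy of that header arriving from outside before running checks like these, otherwise a sender can supply a "dmarc=pass" of their own.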