One of the things we've seen, particularly during the Coronavirus pandemic, is how disinformation has become a real problem institutionally – not just here in SA, but also in many countries around the world, where disinformation has had an impact on the ability to respond to the pandemic.
So said Paul McKay, principal analyst at Forrester, during his keynote on “Cyber security in 2022 and beyond”, at the ITWeb Security Summit 2022, being held at the Sandton Convention Centre in Johannesburg this week.
He says the impact of ransomware is growing, both in terms of the number of organisations it hits and in terms of the size of ransoms, with some double or even triple extortion attacks being seen in the wild.
“Security leaders have seen quite an increase in attacks since 2020. The way in which we think about work has completely changed. People are working in their home offices, or in offices, or even when travelling, which has seen the attack surface become so much more complicated.”
Old vulnerabilities
He says the 2021 IBM X-Force Threat Intelligence Report and many other vendor reports say much the same thing.
“Over half of the vulnerabilities that were found in their incident response engagements were the root cause of incidents that they responded to, and 50% of those vulnerabilities were released prior to 2021.”
In many cases, organisations across all parts of the world are falling foul of vulnerabilities that have already been disclosed, in some cases quite a long time ago – more than 12 or 18 months ago, McKay adds.
“The basic hygiene processes of patching and upgrading infrastructure and keeping it up to date are very simple controls that are still at the heart of many things that go wrong.”
Privileged credentials
When it comes to what actually led to the attacks in 2021, he says the picture looks much like what reports have said over the last couple of years: unpatched known vulnerabilities are the root cause of many breaches.
In addition, many bad actors are putting a great deal of effort and attention into trying to obtain privileged credentials, and using them to understand what is within an organisation's infrastructure, to find valuable targets to disrupt or to launch particular operations from, or to find information that is of use to them in some way.
What they do with this obviously depends on the threat actor. It could be an economically focused threat actor, such as an organised criminal gang, or a nation state looking to acquire IP or to disrupt operations, depending on its particular political goals and motivations. "Either way, protecting privileged credentials, and spotting opportunities for misuse is a key thing that we, as an industry, need to place a lot more focus on. This sounds quite easy in practice, but in most organisations this is phenomenally difficult, and very expensive," he says.
Triple extortion
"We're also starting to see, in a few small cases, examples of triple extortion, where having launched the ransomware attack on a company’s infrastructure and taken out said infrastructure, they’ve exfiltrated a bunch of data and threatened to release it publicly unless the victim pays up a large ransom,” McKay adds.
“Some criminal actors (and we've only maybe started seeing this in the last month or two) are also saying, 'Oh, and by the way, we will sell the credentials on the Dark Web that helped us to get in here in the first place'. So the stakes are getting really pretty high and really quite nasty,” he adds.
Phishing and social engineering are still key ways in which criminals get their hands on these credentials. “I think the human risk around cyber security has been overdone somewhat, so I'm not going to emphasise that any more than I should.”
Ukraine conflict
In closing, McKay discussed the impact of the conflict in Ukraine. The key message here is that it hasn't led to the large-scale cyber war that was predicted, but that doesn't mean the threat is not there.
Despite early predictions that Ukraine would be overrun within 72 hours, the kinetic and physical warfare has really not gone to plan for Russia, nor has the cyber warfare, he explains.
“Aside from some operations in the run up to it, most of the activity has actually been contained within the conflict zone. But during the early months of the conflict – and this statistic comes from Microsoft's recently released report on what they've picked up within Ukraine itself, and the work they've done with the Ukrainian national search – they've discovered six nation state actors working with Russia, who have launched 236 unique attacks targeting Ukrainian institutions and critical infrastructure.
"Some of this has spread beyond the conflict zone, but we haven't really seen it yet," he says. "This doesn't mean that it's not being planned or isn't going to happen in future. It's just been a little bit different than what we expected."
Finally, he says, what we haven't really thought about yet is that organisations that have taken sides against Russia are legitimate targets. More than 1 000 firms exited the Russian market in the wake of the invasion. “I think that was absolutely the right moral cause, however, it does potentially make them a target as and when Russia starts to be able to get some headspace to prepare cyber capabilities. When they're thinking who they would go after, I would say that organisations on this list are certainly going to be top of mind.”
Getting on top of cyber hygiene
“Contrary to some of the discussions we've had earlier in the day, talking about the deployment of advanced technical solutions, I’m going to say something that sounds a little bit more boring. It's not exciting, but getting on top of basic cyber hygiene goes quite a long way to fix most of the problems I’ve talked about. It doesn't fix it entirely, and I'm not saying that we should not look at the forefront of what's coming up in the future,” he adds.
However, he advises organisations to make the most of the technology they already have and use it to its full potential. One of the things that frustrates him is when clients acquire new technologies that they don't have the capability to use, when they could achieve many of the same objectives with the tools they already have, by making sure those are used to their full capability and capacity.
“If you have vendors that you work with here in the room, and you're not sure that you're getting the value from them – talk to them, make use of the in-person contact to see if you can get them to help you out, and make you a bit more effective with what you've got at the same time as they try to sell you the next big thing,” he ends.