Cyber extortion — What is it and what can we do about it?

SUITS THE C-SUITE By Carlo Kristle G. Dimarucut

Business World (08/21/2017 – p.S1/2)

With “Wanna Cry” and “Petya” recently being added to the list of cybersecurity issues getting the attention of mainstream media, ransomware as a form of cyber extortion is now a leading conversation topic among cybersecurity professionals worldwide.

What is cyber extortion? It is a situation where malicious entities gain access to your computer and encrypt your files, documents, photos, and anything of potential value, making your data inaccessible until a ransom is paid, usually, in some form of crypto currency such as bitcoin. This leaves you the choice of paying up or losing your data forever.

How do these attackers get access to your system? Unfortunately, a foothold into a user’s computer or a company’s network can be as simple as one user visiting a web site, or opening an innocuous looking attachment. A study of published cyberattacks from 2015-2016 conducted by PhishMe, an organization providing phishing threat management, revealed that 91% of all cyberattacks are initiated with some variation of a targeted phishing attack. If a victim, whether an individual or a large organization, refuses to pay the ransom, the attacker will figuratively throw away the key to the victim’s files, making the files effectively inaccessible. As an added danger, attackers typically maintain access to their victims’ machines for days, weeks, or even months, making them vulnerable to further cyberattacks because of the nature of the information that was accessed by these malicious individuals.

Be forewarned that as the public becomes more aware and knowledgeable about the threat of attack, the attackers are improving their game as well. Malware and malvertising, which are infectious ads in disguise, are penetrating an astonishing amount of desktops and mobile devices — and the practice is escalating. The popular search engine, Yahoo, was compromised recently due to malvertising. With a reach of approximately six billion visits per month, this incident was heralded as the biggest attack in online advertising history.

What does this mean for us? Organizations need to reexamine the fundamentals of their information security programs to ensure they are adapting to the realities of the evolving threat landscape and related risks.

Unfortunately, the solution to this is something we have all heard of in the past — patching and user awareness. User awareness minimizes the risks of the attackers getting in the door, while patching, or regularly updating systems to fix security vulnerabilities and other bugs, makes it more difficult for cyberattackers to get a foothold once they are inside.

DECREASE TIME BETWEEN PATCHING CYCLES

We can no longer rely on the typical quarterly patching cycles. The game has changed. Exploits are being weaponized at an alarming rate. The amount of time it now takes to weaponize known vulnerabilities has dramatically decreased. What this means is that, from the day a vendor like Microsoft releases a patch, it takes an average of two weeks before an attacker is able to deconstruct and exploit the vulnerability. This is why security managers need to push for decreased time intervals between patching cycles.

While this seems to be a straightforward solution, it is not that plain and simple. Patching a system typically creates a dilemma between prioritizing security over potentially disrupting business operations. This happens every patching cycle. A system needs to be patched, but IT cannot do it without business signoff for the potential business interruption. However, we now have to recalibrate our understanding of the impact of cybersecurity attacks and their frequency. With the unfortunate advances in malware technology, particularly in the artificial intelligence capabilities of current malware strains, IT needs to reinforce the message that security just cannot wait “another quarter.”

Wanna Cry and Petya were not the first instances of Ransomware attacking companies. Malicious actors are thought to have generated around $325 million over the past three years by using the CryptoWall code, according to research by the Cyber Threat Alliance, while the Cryptolocker gang made over $30 million in 2015 using relatively simple ransomware. Wanna Cry, however,became the most publicized because it attacked British hospitals, thus making cybersecurity literally a life-threatening security concern. Some cybersecurity professionals have predicted that this will be the trend in 2017. Clearly, security vulnerabilities should no longer be considered as small operational risks but as paramount safety issues.

TRANSITION FROM LEARNING TO MENTAL CONDITIONING OF USERS

With the focus on targeted user attacks, traditional security awareness practices of newsletters, web learning, and classroom training have to evolve. Theoretically, everyone has been trained not to open malicious e-mails or random links. And yet users seem to always fall for the same tricks to get them to compromise corporate networks. Awareness programs have to shift their focus from learning to mental conditioning. Users have to be programmed to always be on the lookout for potential targeted attacks; and be constantly suspicious of each and every e-mail, link, or file that has been sent to them. This only happens through live exercises. Awareness programs need to incorporate live attack exercises with real consequences for the cyber-vigilant behavior to take hold.

INCREASING RISK VISIBILITY

Top level management have in the past been limited to annual or bi-annual reports on the state of information security within their organization. As the number and extent of breaches escalate among all industry sectors, cybersecurity has become an important business risk. One that demands to be incorporated into business strategies and new product offerings.

There needs to be increased awareness of cybersecurity risks based on threat intelligence, media coverage of cyberattacks, and ongoing cyberattacks. All organizations are in danger of falling victim and, in turn, their ecosystem of customers, suppliers, employees, and stakeholders. Business leaders must be able to recognize the true level of cybersecurity risk in which their business is entrenched.

Cyber risk management must also be taken up by stakeholders who go beyond IT. C-Suites, business leaders and boards need to play an active role in cybersecurity risk management and data breach preparedness. Senior leaders should be constantly involved in developing a cybersecurity risk program. All companies must also document formal breach management playbooks to prepare for future risks and attacks.

Cyber extortion may be the hot cybersecurity topic now. But in a year’s time, these attacks will continue to evolve and become even more insidious, hard to detect, and destructive.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of EY or SGV & Co.

Carlo Kristle G. Dimarucut is an Advisory Senior Director of SGV & Co.