From cyber-espionage networks, to Conficker, to the threat posed by social media sites and mobile phones — if businesses could just keep their machines patched, hackers wouldn’t be so successful, says Sophos CEO Steve Munford. Here’s an edited version of what he had to tell ITBusiness.ca. You can also watch the video for the full scoop.
VIDEO – Interview with Sophos CEO, Steve Munford
Social engineering seems to be the favoured hacker method today. Security researchers here in Toronto recently unveiled GhostNet, a cyber-espionage network that had put Trojans on some very high-value targets around the world, including in the Dalai Lama’s office. To get this done, they executed very well-targeted spear phishing attacks – for example, sending what looked like a letter supporting the Tibetan resistance movement to the Dalai Lama’s office. What defence is there against such well-planned attacks?
Social engineering really has been part of attacks for quite some time now. If you look at viruses spread over e-mail, a lot of them are “click here to receive an offer” or “click here to receive the latest Britney Spears pictures” or “click here to make lots of money.” We have a saying that people will continue to do stupid things for sex and money.
Social engineering to get payloads into the company is nothing new. But social engineering is getting increasingly sophisticated. The tools these organizations deploy, and the resources they have to build those tools, are quite extensive. It really does point to larger organizations being behind malware creation than we’ve seen historically. Now for a corporation, you boil that down to a couple of different vectors. Unfortunately there’s no one-size-fits-all solution.
On one hand, you have to educate IT users to understand practices out there and be more cautious. That’s the first step, but certainly not the last. It comes down to having a holistic view of security, and that starts with making sure your network and your machines are compliant. I think that’s where organizations are [failing] today. They deploy a lot of products and think by [doing that], they solve a problem.
But our surveys [show] up to 70 per cent of the machines in a corporate network are not patched or configured to the security policies of the corporation. So it’s about having a tool and a process to monitor the status of machines on my network to ensure they are properly compliant.
Lastly, it’s about having systems and processes to mediate that. If something does get attacked, then how do I minimize the impact? That’s where data security comes in, where it’s about encrypting your data and protecting it, so even if someone gets into your network, your data won’t be exposed.
It sounds like you almost need to have the mindset that you will be breached, and take the appropriate precautions.
You always have to assume the worst case scenario. Recently, security news hasn’t been much of a headline topic. It’s been in the IT publications, but you never saw it in the Wall Street Journal, or the Globe and Mail, or the New York Times. But with things like Conficker and the incident that the University of Toronto uncovered, it’s back in the headlines.
So that tells us that corporations can’t assume they’ll never get exposed. But what is their backup plan if they do get exposed? They have to make sure they have one.
Conficker was unique in that it exploited the Windows Server rather than trying to fool end-users. What are the implications of this worm-style of attack, and can we expect to see more of it? What other vectors of attack should businesses be wary of?
I never like to predict the next attack vector. If I could do that, then we would be well ahead of things. Overall, you would just be proven wrong.
What I think we’ll continue to see are sophisticated attack vectors that change rapidly. What made Conficker so difficult was it was a piece of malware that was constantly changing, and very difficult to detect and stop [for that reason].
What Conficker shows us goes back to my first point. Conficker didn’t infect you if you were properly patched. Conficker didn’t hurt you if you had proper password controls, it had a lot of issues with the password side. So if your network was properly maintained, you would’ve been OK. It really attacked some vulnerabilities within the network.
I think we’ll continue to see attacks such as Conficker, but I think we’ll start to see attacks on mobile platforms. People are taking advantage of new technology and technology being used by the Web 2.0 generation.
So do you think we’ll see more viruses attacking mobile phones, or phishing attacks on social networks?
In the past, we heard a lot of talk about viruses attacking mobile phones. The reality is the mobile environment has been a very hard one to write viruses for because of all the different operating systems and complexity. Secondly, all the data that’s been on mobile devices hasn’t really been worthwhile to attack and get at.
It’s safe to assume that as you get more and more common platforms that are extensible and more of these mobility tools get attached to the corporate network, they’re going to become more of an attractive target for attack vectors. Historically, it’s been Windows that is the common platform that’s become the easiest place to attack. We’ve seen people dabbling in the Macintosh platform because it’s a way of getting into the Windows environment. But I think more of these mobile platforms will come into play.
As far as social media sites go, they do provide a way for people to potentially get you to do something that will then bring a payload into the organization.