lolloj - Fotolia
There really is no endgame when it comes to cyber security, according to security industry veteran and chief research officer at F-Secure Mikko Hypponen.
“We will always have cyber security problems because we will always have bad people, which means job security in security is likely to continue for ever,” he told the Wired Security conference in London.
Cyber attackers are continually evolving their techniques and capabilities to steal and monetise data in new ways, which means the goalposts are continually moving, he told Computer Weekly.
“If we were still fighting the enemy of 10 years ago, we would be in great shape,” he said, alluding to the security tools that have been developed since then, as well as the security improvements in software.
“Attackers will always have the upper hand because they have the luxury of time to study our defences, while defenders do not have that luxury, so it is an unfair contest – a never-ending race.”
Reflecting on lessons learned over his 25-year career in information security, Hypponen said the most important thing is to understand the adversary.
However, he said the days of being able to do that easily are long gone, with most organisations finding themselves faced with a whole range of attackers.
Mikko Hypponen, F-Secure
They are all looking to gain something, said Hypponen, whether they are hacktivists supporting a cause, nation state actors or criminals.
“But for most organisations, criminals are the most likely to be attacking them,” he said, noting that of the 350,000 to 450,000 new malware samples that F-Secure sees on a daily basis, 95% comes from organised cyber crime groups.
“It is different when you get targeted by foreign intelligence agencies, because they are really bad, but most organisations are not targeted by foreign spies because most organisations are of no interest to them,” he said.
Although these cyber criminals like to portray themselves as Mafiosi, Hypponen said most are just “geeks” looking to make money from selling things such as hacked PayPal accounts and credit card details along with step-by-step guides on how to use them to make money.
Ransomware most popular
Ransomware that encrypts victims’ data and demands payment in return for restoring it is fast becoming the most popular way for cyber criminals to make money.
“This is a simple business model based on the principle of selling data to the highest bidder, which is often the person or organisation that owns the data in the first place,” said Hypponen.
F-Security is currently tracking more than 110 different ransomware groups operating around the world and competing for market share.
“Ransomware has become very competitive, with the result of some groups seeking to expand into new markets by translating ransomware campaigns into 26 different languages,” said Hypponen.
Another evolution of ransomware attacks is the shift away from consumers to target enterprises.
“As soon as an infected computer is connected to the corporate network, the attackers enumerate and mount all the file shares the user can access and dynamically set the ransom based on how many files they manage to encrypt on the network,” said Hypponen.
The biggest concern about ransomware for enterprises is that it will stop business operations. With continuity in mind, some enterprises are even setting up bitcoin wallets to be able to pay ransoms quickly and minimise the impact on business continuity.
“This idea of continuity is really backwards, because it does not address the problem,” said Hypponen. “The more enterprises pay these ransoms, the greater and more entrenched this problem will become.”
Read more about ransomware
- UK organisations are still not taking ransomware seriously enough, and continue to fall prey to this method of low-cost, low-risk cyber extortion, according to security experts.
- Next wave of ransomware expected to be more pervasive, resilient and capable of spreading quickly and effectively throughout networks by capitalising on vulnerabilities.
- Businesses still get caught by ransomware, even though straightforward avoidance methods exist.
- The Cryptolocker ransomware caught many enterprises off guard, but there is a defence strategy that works.
Another factor promoting the popularity of ransomware among attackers, he said, is that unlike many other forms of malware, ransomware does not require any special user rights.
“If your system gets infected by a keylogger, it has to escalate privileges to become an administrator on the system so it can survive a reboot, but all ransomware needs is access to the files the infected user can access,” said Hypponen. “This makes them a unique problem because you can’t fight ransomware by locking down systems, restricting user access or removing administrator privileges from users.
“I fully support this approach to security. Only give users access to what they need, take away admin privileges, but none of these things will protect against ransomware,” he told Computer Weekly.
The most effective way to counter ransomware, said Hypponen, is to backup all critical data, but many organisations are failing in this.
“They may be backing up data, but they are typically not doing it often enough. They are not backing up all the information they really need because files are not being saved to the right folders, and they are not testing their backups regularly. Even if they have backed up the information, they are often unable to restore it to a usable form,” he said.
“In addition to regularly tested backups, organisations should also ensure they would be able to detect and respond to a live ransomware Trojan on their network before it has succeeded in locking up all the data,” said Hypponen.
One way of approaching this is to plant dummy “canary” files throughout the network. These should never be touched by legitimate users and act as alarms. If these files are touched, it points to malicious activity on the network.
Ransomware is also popular, he said, because its developers are able to outsource the risk to partners whose role is infect computers in return for a share in the money extorted from victims.
In addition to ransomware, another new business model for cyber criminals is circumventing the fingerprint locks on iPhones.
“Once fingerprint readers were added to iPhones, users were able to lock and unlock them quickly and easily. This meant that if the phone was stolen, it was useless and could be only sold for spares, which did not yield very much,” said Hypponen.
But researchers are now starting to see criminal organisations that are able to trick victims of mobile phone theft into revealing their iCloud credentials.
“Victims typically receive an email message a few days after their phone is stolen to say it has been located using the ‘track my iPhone’ facility, telling them to click the link embedded in the message,” said Hypponen. “But the link takes them to a phishing site that asks them to log into their iCloud account, and once they have done that, the criminals have the information to reset the stolen phone and sell it as a fully working device.”
This has opened up a whole new business of buying stolen iPhones at low prices, resetting them with the stolen credentials, and selling them at a profit.
The second lesson learned in 25 years of cyber security, said Hypponen, is that people will never learn, and that user education is a waste of time.
“It doesn’t matter how many times you tell them, they will always double-click on every executable. They will always follow every link, they will always type their password and credit card number into any online form that asks for that information, and they will always post their credit card picture and even CVV numbers on Twitter,” he said.
Admitting this may be overly pessimistic, Hypponen said that instead of trying to “patch” people by educating them, the responsibility should be shifted to those better equipped to handle it.
“We should be thinking about where we really want the responsibility to be,” he added. “Do we really want people to be responsible for security when most of them can’t handle it, or should we be thinking about taking the responsibility away from the user and giving it to operating system developers, security companies, and internet service providers and mobile operating firms that provide the connectivity that causes the problems in the first place?”