Check Point chap: Small firms don't invest in infosec then hope they won't get hacked. Spoiler alert: They get hacked

One vendor's security controls aren't enough, says Dan Wiley


Interview "I don't want to have a job any more," said Check Point's Dan Wiley, sitting in a fashionably nondescript London coffee shop. "I don't want to have to do my job. It means that we failed."

Far from being depressed, Wiley was expressing the forlorn hope that infosec as a field would be less dominated by malicious persons trying to make a fast buck by scamming honest folk and businesses out of their hard-earned money.

As Check Point's incident response head honcho, Wiley has full visibility into what the infosec company's operations involve. Increasingly, he said, it's turning into staving off more of the same attacks against Check Point's customers.

"Same attacks as 2019," he said, referring to what he's seen so far this year, "but the volume and the aggressiveness is increasing. Ransomware is still a very hot topic. BEC [business email compromise], equally hot, plus Office 365. Breaches of remote-access solutions. Citrix, RDP, Cisco VPN, Fortinet VPN, all of the remote-access systems are being fairly aggressively targeted."

If the list of attack types and vectors sounds familiar, that's because it is. Far from the olden days when script kiddies would pwn an unsecured server just to digitally graffiti over it, today's crooks are out for one thing only: money. As Wiley told The Register, the range of attack types is decreasing while the number of attacks themselves is up.

I feel like Moses a little bit or Noah. 'Yeah, the flood's coming. Oh we're in the flood, people!'

Check Point handled 2,000 incidents last year and based on January and February's attack volumes, the incident response director expects that to double.

"Especially," he said, "here in Europe for SMEs, it's very clear that management has not invested in security and is hedging their bets, playing the odds or whatever term you want to use, on not getting breached. The reality is they will get breached. They're not investing in the controls or systems or capabilities to be able to defend themselves."

A senior exec at a security company stoking security fears to sell more security: who'd have thunk it. But he has a point.

Speaking of non-infosec-clued-up SMEs in general, Wiley elaborated: "They didn't have security controls, couldn't see the attack, didn't know how to respond. The vast majority fall into that camp over and over."

What does he think about the most common attack vector of all? When El Reg asked him this, we didn't quite expect the response.

"Email's been around for 50 years," he said, cheerfully cursing as he continued: "But it's been around 50 years and we're talking about the same attack vectors: phishing; malware; manipulations; and all other delivery mechanisms. Email makes it so easy to deliver. And we still haven't dealt with it."

Don't click on shit

Surely he has some advice on how to get around the ancient problems email poses to security? Wiley reckons he does: "Don't trust one vendor's security controls. Start with that. Especially if you're using Office 365. Turning on Office 365 and turning on E3 or E5 security, that's not enough. You really need at least one or two different vendors to protect against the entire security landscape and we [vendors] have different approaches."

How many vendors should a discerning, security-conscious business have on board? "When you have three vendors that provide security into Office 365," opined Wiley, "you have a good fighting chance."

Talking of bolstering your chances against the bad guys, what about cyber insurance? At this Wiley sat back and started relating a lightly fictionalised scenario:

"A firm buys cyber insurance and pays its premiums. One day they get ransomware. All systems encrypted. Let's say they don't have a backup. They call their insurance company. They say, how much to restore all your systems? Customer says 100 man years. Insurance company says how much is the ransom? They go $1m. Insurance company contacts a third-party provider that negotiates a rate, gets a discount: helluva lot cheaper to pay the ransom than restore, let's just pay the ransom. They pay. Restore all their access, everybody's happy. Insurance company met their obligation, the customer is back up and running. Incident over. Three months later it happens again."

In Wiley's view, not only should the paying of ransoms be outlawed to prevent exactly this scenario from occurring, but a lot more data also needs gathering so the insurance industry can start making realistic actuarial tables to help avoid situations like this from arising.

While this isn't directly relevant to the kind of thing that makes panicky firms pick up the phone and call him, Wiley takes a wider view of the industry and the problems facing it. As plenty of others have told El Reg lately, until the underlying business models that power ransomware in particular are disrupted for good, there's no end in sight any time soon. ®

Biting the hand that feeds IT © 1998–2022