Check Point chap: Small firms don't invest in infosec then hope they won't get hacked. Spoiler alert: They get hacked
One vendor's security controls aren't enough, says Dan Wiley
Interview "I don't want to have a job any more," said Check Point's Dan Wiley, sitting in a fashionably nondescript London coffee shop. "I don't want to have to do my job. It means that we failed."
Far from being depressed, Wiley was expressing the forlorn hope that infosec as a field would be less dominated by malicious persons trying to make a fast buck by scamming honest folk and businesses out of their hard-earned money.
As Check Point's incident response head honcho, Wiley has full visibility into what the infosec company's operations involve. Increasingly, he said, it's turning into staving off more of the same attacks against Check Point's customers.
"Same attacks as 2019," he said, referring to what he's seen so far this year, "but the volume and the aggressiveness is increasing. Ransomware is still a very hot topic. BEC [business email compromise], equally hot, plus Office 365. Breaches of remote-access solutions. Citrix, RDP, Cisco VPN, Fortinet VPN, all of the remote-access systems are being fairly aggressively targeted."
If the list of attack types and vectors sounds familiar, that's because it is. Far from the olden days when script kiddies would pwn an unsecured server just to digitally graffiti over it, today's crooks are out for one thing only: money. As Wiley told The Register, the range of attack types is decreasing while the number of attacks themselves is up.
I feel like Moses a little bit or Noah. 'Yeah, the flood's coming. Oh we're in the flood, people!'
Check Point handled 2,000 incidents last year and based on January and February's attack volumes, the incident response director expects that to double.
"Especially," he said, "here in Europe for SMEs, it's very clear that management has not invested in security and is hedging their bets, playing the odds or whatever term you want to use, on not getting breached. The reality is they will get breached. They're not investing in the controls or systems or capabilities to be able to defend themselves."
A senior exec at a security company that is stoking security fears to sell more security, who's have thunk it. But he has a point.
Speaking of non-infosec-clued-up SMEs in general, Wiley elaborated: "They didn't have security controls, couldn't see the attack, didn't know how to to respond. The vast majority fall into that camp over and over."
What does he think about the most common attack vector of all? When El Reg asked him this, we didn't quite expect the response.
"Email's been around for 50 years," he said, cheerfully cursing as he continued: "But it's been around 50 years and we're talking about the same attack vectors: phishing; malware; manipulations; and all other delivery mechanisms. Email makes it so easy to deliver. And we still haven't dealt with it."
Don't click on shit
Surely he has some advice on how to get around the ancient problems email poses to security? Wiley reckons he does: "Don't trust one vendor's security controls. Start with that. Especially if you're using Office 365. Turning on Office 365 and turning on E3 or E5 security, that's not enough. You really need at least one or two different vendors to protect against the entire security landscape and we [vendors] have different approaches."
How many vendors should a discerning, security-conscious business have on board? "When you have three vendors that provide security into Office 365," opined Wiley, "you have a good fighting chance."
Talking of bolstering your chances against the bad guys, what about cyber insurance? At this Wiley sat back and started relating a lightly fictionalised scenario:
"A firm buys cyber insurance and pays its premiums. One day they get ransomware. All systems encrypted. Let's say they don't have a backup. They call their insurance company. They say, how much to restore all your systems? Customer says 100 man years. Insurance company says how much is the ransom? They go $1m. Insurance company contacts a third-party provider that negotiates a rate, gets a discount: helluva lot cheaper to pay the ransom than restore, let's just pay the ransom. They pay. Restore all their access, everybody's happy. Insurance company met their obligation, the customer is back up and running. Incident over. Three months later it happens again."
In Wiley's view, not only should the paying of ransoms be outlawed to prevent exactly this scenario from occurring, but a lot more data also needs gathering so the insurance industry can start making realistic actuarial tables to help avoid situations like this from arising.
While this isn't directly relevant to the kind of thing that makes panicky firms pick up the phone and call him, Wiley takes a wider view of the industry and the problems facing it. As plenty of others have told El Reg lately, until the underlying business models that power ransomware in particular are disrupted for good, there's no end in sight any time soon. ®