Intelligent CISO Issue 01 | Page 30


Editor's question
NICOLAI SOLLING, CTO AT HELP AG

Cyber-extortion is the use of cyber capabilities to demand payment, as opposed to stealing money outright. That requires the attacker to hold some leverage, which is usually sensitive data or the ability to disrupt services. The most common forms of cyber-extortion are therefore ransomware, Distributed Denial of Service (DDoS) attacks, and demands for payment in exchange for not disclosing data obtained through hacking.
We have had our share of ransomware and DDoS extortion schemes here in the region, though the disclosure of these is less frequent or stays under the radar of the general press. That said, there are some notable companies which have engaged in paying attackers for not disclosing data.
The most discussed in the news is Uber, which paid US$100,000 under its bug bounty programme to a group that had managed to exfiltrate driver data (a 2016 breach that Uber only disclosed in November 2017). As part of the payment, an agreement was made that no data from the leak would be disclosed.
Ransomware is a threat that by all accounts is set to grow in scale through 2018 .
What organisations need to understand is that modern ransomware uses standard, strong encryption and keeps the key under the attacker's control, so recovering the data without that key is in most cases infeasible. The exceptions are families with implementation flaws, for which free decryptors are sometimes published, but no organisation should plan on being that lucky.
It is this key you pay for when you pay the ransom. You should also know that there is no guarantee that once you have made the payment (usually a Bitcoin transaction) the attacker will actually provide the decryption key; they may not even have it. In fact, fewer than 51% of the organisations paying the ransom actually get their data back. Organisations were much more successful in recovering data from a backup, so I advise clients that protection begins with good data management practices.

I think a basic precaution against ransomware, and a good practice in general, is to maintain a backup of sensitive data. This backup could be within the data centre, at a disaster recovery site or even on a cloud platform if you cannot provide the correct infrastructure yourself. A backup that the ransomware can reach over the network will simply be encrypted alongside the primary data, so at least one copy should be offline or otherwise immutable, and restores should be tested regularly rather than assumed to work. There are plenty of solutions that manage and automate this, and a good backup and recovery solution should be part of any large business's IT strategy.
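The backup advice above is only as good as the verification behind it: a backup copy that ransomware could write to may itself have been encrypted in place. The following script is an added example, not code from the article or from Help AG. It records a manifest of file hashes when the backup is taken and, on a later check, reports files that are missing, modified, or modified and now high-entropy (the signature of a file that has been encrypted in place). The entropy threshold, file names and directory layout are assumptions for illustration; the sample backup set is constructed inside the script.

```python
"""Backup verification: confirm a backup set still matches a recorded
manifest and flag files that look as if they have been encrypted in place."""
import hashlib
import math
import os
from collections import Counter

# Bits per byte. Encrypted or compressed data approaches 8.0; plain text is
# typically well under 5.0. Assumed threshold, tune for your own data.
HIGH_ENTROPY = 7.5


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Shannon entropy in bits per byte of the given bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Record relative path -> SHA-256 for every file under root.

    Store the manifest somewhere the backup host cannot overwrite it
    (offline media, write-once storage); otherwise an attacker who can
    rewrite the backup can rewrite the manifest too."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare the backup tree against a previously recorded manifest.

    Returns {relpath: status} with status one of
    'ok', 'missing', 'modified', 'modified-high-entropy'."""
    report = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report[rel] = "missing"
            continue
        if sha256_file(full) == expected:
            report[rel] = "ok"
            continue
        with open(full, "rb") as f:
            sample = f.read(65536)  # the first 64 KiB is enough to judge entropy
        report[rel] = ("modified-high-entropy"
                       if shannon_entropy(sample) >= HIGH_ENTROPY
                       else "modified")
    return report


def demo():
    """Constructed backup set in a temporary directory: one file left intact,
    one overwritten with random bytes (what encryption in place looks like),
    one deleted. Returns the verification report."""
    import tempfile
    root = tempfile.mkdtemp()
    for name in ("payroll.csv", "contracts.txt", "notes.txt"):
        with open(os.path.join(root, name), "w") as f:
            f.write("employee,salary\n" * 200)  # low-entropy plaintext
    manifest = build_manifest(root)           # taken at backup time
    with open(os.path.join(root, "contracts.txt"), "wb") as f:
        f.write(os.urandom(8192))             # simulate ransomware hitting the copy
    os.remove(os.path.join(root, "notes.txt"))
    return verify_backup(root, manifest)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:22} {path}")
```

The hash comparison alone tells you the backup has changed; the entropy check tells you whether the change looks like ordinary editing or like encryption, which decides whether you are looking at a stale copy or at a copy that is no longer usable for recovery.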
Then there is the categorisation and management of data, which helps ensure sensitive information does not get into the wrong hands. Even without ransomware, data that is exfiltrated from the organisation can be used for cyber-extortion. At Help AG, our Cyber Security Consultancy division assists organisations in establishing frameworks that govern information throughout its creation, storage, use, sharing, archival and destruction, and that protect the confidentiality, integrity and availability of those data assets throughout their lifecycle. Encryption keys come into play again here, but this time the question is how you manage them, not how the attacker does.
I believe that too many organisations do not have a proper strategy for how they encrypt data at rest or in motion, or for how they manage the lifecycle of their encryption keys.
Employee awareness and vigilance are also key to combating cyber-extortion. Your workforce needs to be mindful of the kinds of emails and attachments they open and of downloads from questionable sources. With ransomware having successfully added mobile devices to its list of targets, users should also be mindful of the apps they install and take precautions such as avoiding third-party app stores.
I still believe the old saying 'it all starts with an e-mail', and a lot of malware does start there. So please try to ensure that your technical controls are effective and that your users are alert and educated.
Of course, cybersecurity is still an IT function and a large share of the responsibility lies with the IT team. Ransomware is being propagated in new and often highly innovative ways. Both WannaCry and Petya (the June 2017 variant widely referred to as NotPetya) spread using the EternalBlue exploit against SMBv1, for which Microsoft had already issued a patch (MS17-010) in March 2017; it was the unpatched systems that let the malware spread. So in addition to best practices such as regularly applying patches and limiting user privileges, IT teams need to track and implement the technical advisories put out by vendors once vulnerabilities and new attacks have been discovered.
Finally, when all else fails, services such as Managed Security Services, which deliver 24x7 security monitoring, enable organisations to identify an attack at its earliest stages and stop it from spreading. It is important to understand that your applications, networks and firewalls are talking to you in the form of logs and events; if you are not listening or looking, the business impact may be large. And if looking at these events is not your core business, maybe you should let someone whose core business it is do it for you?
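As a concrete illustration of what "listening to your firewall logs" means for the two worms named above, here is an added example, not code from the article or from Help AG. WannaCry and NotPetya spread by probing neighbouring hosts on TCP/445, so a single internal source reaching many distinct internal hosts on port 445 within a minute is a strong signal that the infection is under way, well before the ransom notes appear. The log format, field names, IP addresses, the 60-second window and the threshold of 10 targets are all assumptions for illustration; the sample log lines are constructed inside the script and include a deliberately malformed line to show it being ignored.

```python
"""Detect worm-like SMB sweeps from firewall connection logs: one source
reaching many distinct hosts on TCP/445 inside a short time window."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed key=value log format; adapt the pattern to your own firewall.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"].lower(),
            "action": m["action"]}


def detect_smb_sweeps(lines, window=timedelta(seconds=60), threshold=10):
    """Return one alert per source that reached at least `threshold` distinct
    hosts on TCP/445 within any `window`. Denied connections count too: a
    worm probing dead addresses produces mostly denies, and that is the point."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] == 445 and ev["proto"] == "tcp":
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    alerts = []
    for src, evs in by_src.items():
        evs.sort()                       # sliding window needs time order
        in_window = Counter()            # dst -> hits currently inside the window
        start, peak, first_hit = 0, 0, None
        for ts, dst in evs:
            in_window[dst] += 1
            while ts - evs[start][0] > window:   # expire events older than window
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            distinct = len(in_window)
            peak = max(peak, distinct)
            if distinct >= threshold and first_hit is None:
                first_hit = evs[start][0]
        if peak >= threshold:
            alerts.append({"src": src, "window_start": first_hit,
                           "distinct_targets": peak})
    return alerts


# Constructed sample: a normal workstation talking to one file server, and an
# infected host sweeping 10.0.2.1-15 on port 445 within fifteen seconds.
SAMPLE_LOG = [
    "2017-05-12T10:00:01 src=10.0.1.20 dst=10.0.0.5 dport=445 proto=tcp action=allow",
    "2017-05-12T10:00:05 src=10.0.1.20 dst=93.184.216.34 dport=443 proto=tcp action=allow",
    "2017-05-12T10:00:40 src=10.0.1.20 dst=10.0.0.5 dport=445 proto=tcp action=allow",
    "this line is malformed and must be skipped",
] + [
    f"2017-05-12T10:01:{s:02d} src=10.0.1.5 dst=10.0.2.{i} dport=445 proto=tcp "
    f"action={'allow' if i % 3 else 'deny'}"
    for s, i in enumerate(range(1, 16), start=1)
]


if __name__ == "__main__":
    for a in detect_smb_sweeps(SAMPLE_LOG):
        print(f"ALERT {a['src']} hit {a['distinct_targets']} hosts on 445 "
              f"starting {a['window_start'].isoformat()}")
```

The normal workstation talks to the same server twice and never trips the rule; the infected host trips it on its tenth target. Whether ten is the right threshold depends on how chatty legitimate SMB traffic is on your network; run the rule over a week of normal logs first and set the threshold above the noise you find.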