At a series of recent roundtable events held by CSO Australia and sponsored by Zerto, participants were treated to an opportunity to speak with retired FBI agent Jeff Lanza.
With over two decades' experience investigating white-collar and computer crime, Lanza offered some unique perspectives and advice for representatives of the banking and finance, retail, resources, telecommunications, consulting/auditing and education sectors.
Unsurprisingly, crypto attacks launched by malicious actors employing spear-phishing were of interest to the attendees. One of the event participants said we needed to go back to the basics of people, process, and technology. People are critical but they can often be the weakest link when it comes to security risk. Organisations were advised to take a layered approach using analytics to detect unauthorised activity so it can be shut down.
Lanza said he spent much of his career investigating computer crime. One of the things he learned was, "Normally, when a company or person is victimised, it is always because they didn't do something they should have done. Prevention is not considered. The attitude was often 'It couldn't happen to me'."
One of the challenges event attendees noted was understanding what they held that was of value to hackers.
For example, in higher education, it's not the theft of research that is of primary concern. Universities have large networks that can be used to create powerful botnets. So, exploits that leverage the amount of compute power on the network are far more prevalent than cryptolocker attacks which would stifle the use of a compromised computer in a botnet.
Lanza noted that most companies only became serious about protecting their assets after an attack. This was supported by several attendees who said controls within organisations need to be strengthened. Identity and access management is critical to enforce role-based access to systems so users that move around an organisation don’t accumulate access.
For most companies, said Lanza, organised crime is the most significant threat actor. These gangs can recruit resources and acquire tools quite easily over the Dark Web and parties can virtually meet and conspire, assured that the chance of them being discovered is quite small.
Parties that specialise in developing phishing programs, acting as 'mules' to move money across borders, and those that steal data to harvest email addresses and user credentials now operate in a free market.
This online collaboration makes things challenging for law enforcement.
Lanza said there were a couple of things organisations can do to protect themselves.
"One is to have a hardened environment to protect your business with the best anti-malware, intrusion detection and other systems. The other part is resilience, the ability to recover from an attack."
Attendees agreed with Lanza on this, pointing out that many organisations fail to answer the big question: What's your plan B? By asking this, security professionals are able to drive the business towards a better understanding of what is important to it.
This led the discussion to the challenges of how to effectively communicate the issues with boards and the C-suite. It was agreed security professionals need to become proficient and confident in talking to them in their language with a focus on business risk.
Part of that resilience is practicing recovery and resilience processes. Documentation isn’t enough, so it’s important to practice to ensure mistakes aren’t made through lack of experience.
One attendee cited the movie Sully, about airline pilot Chesley Sullenberger, who made an emergency landing of a commercial aircraft on the Hudson River in New York. Sullenberger had spent many hours in flight simulators practicing different emergency scenarios. His first action was to follow the procedure, but he then skipped the first 16 pages because his experience and practice of the process meant he knew the best way to deal with the disaster.
Lanza discussed the impending changes to the threat surface as IoT devices continue to proliferate. With their ability to connect to networks and their unknown security status, many of these devices are creating new opportunities for criminals. This was clear during last November's Mirai botnet attack, which was used in a DDoS attack against the Dyn network service.