Security+ Web Version 2016 | Page 3

By Raimond Genes, CTO at Trend Micro
We have seen online extortion manifest in the ransomware epidemic, which has seen those behind CryptoWall net hundreds of millions. Why exactly will we see more and more hackers demanding money from firms not to release customer data they've stolen? After all, it's always been the case that a major breach can lead to prohibitive clean-up and remediation costs, industry fines, possible legal fees and reputation damage. Well, the hackers are getting cleverer and the tools to launch such attacks are increasingly widespread on the cybercrime underground. But more than that, it's becoming less and less financially rewarding to target individuals.
If you're running Windows 10, for example, you'll have to click through several warnings to download most ransomware. Even Windows 7 has safeguards built in, so fewer users end up installing it. Then we've got to think about the multiplicity of operating systems out there. If an attacker sends out a piece of ransomware, no matter how neatly crafted it is, there is now a growing percentage of the population who won't open it on the Windows PC it was designed for but on a tablet or a smartphone. In short, the addressable market is waning.
That's not to say ransomware and other online extortion isn't still happening. Of course it is. But the prospect of hacking a major corporation and obtaining thousands or millions of customer records becomes that much more attractive.
And the more TalkTalk-type stories there are in the headlines, the more hackers prick up their ears. There'll be many out there right now inspired, thinking that if it were them, they'd have done it better.
Snooper's Charter: Danger Ahead
While we're on the subject of extortion, several reports have suggested recently that internet users' browsing history could be the next major source of online blackmail for hackers in the wake of the Ashley Madison attack. Rest easy, netizens: there's not much chance a cybercriminal is likely to go to the effort of targeting an individual, working out their name and circumstances and then crafting an online extortion plot. But there is danger ahead.
If the proposed Investigatory Powers Bill is passed in its current form then I fear the worst. It requires ISPs to retain the web history of everyone in the UK for 12 months. These massive data stores would be an incredibly attractive target for online extortionists. Home Secretary Theresa May has claimed that these records will not include the individual pages of a site a user visits, but a site address alone could be enough for a blackmailer. The government must make sure, if this law is passed, that it mandates the highest data security standards for the ISPs tasked with following it. However, as we see with each passing breach of customer data by a big-name organisation (JPMorgan, anyone?), even those firms which spend millions on security can be hacked by a determined adversary. Someone will almost certainly try to hack these records, and eventually someone will succeed.
Bring in the DPOs
So what can these firms do to minimise the risk of a damaging breach? Well, follow the basics for sure. Enforce strong two-factor authentication, reduce the number of privileged users to the bare minimum and operate an access policy of least privilege. You also need good visibility into what's going on inside your network. If it was breached via a simple SQL injection (SQLi), TalkTalk should have been able to spot and block the huge number of customer records flowing out to an individual IP address. Systems also need to be patched and up-to-date to minimise the chances of any software flaws being exploited. And remember to regularly pen test systems to ensure they're as secure as they can be.
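The "spot the records flowing out to one IP" point above is the kind of check a SOC can actually script. The following is an added example, not code from the article or from Trend Micro, and it works on a constructed application access log whose format (timestamp, client IP, method, URL, status, bytes, number of customer records returned) is an assumption of this example. It does two things: flags requests whose query string carries textbook SQL-injection markers, and, independently of how the data was pulled, flags any client IP that received more customer records in a sliding window than any legitimate user plausibly should.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed (constructed) access-log format, one request per line:
#   <iso-timestamp> <client_ip> <method> <path?query> <status> <bytes> <records>
# "records" is the number of customer rows the API call returned.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<records>\d+)$"
)

# Crude SQL-injection markers in a query string (quote + OR/AND, UNION SELECT,
# comment sequences), with or without %20/+ encoding of spaces. This is a
# triage heuristic for log review, not a WAF: it will miss cleverer encodings.
SQLI_RE = re.compile(
    r"union(?:\s|%20|\+)+(?:all(?:\s|%20|\+)+)?select"
    r"|(?:'|%27)(?:\s|%20|\+)*(?:or|and)(?:\s|%20|\+)+"
    r"|--|%2d%2d|/\*|%2f%2a",
    re.IGNORECASE,
)

# Constructed sample log: RFC 5737 test addresses, invented paths and times.
# 203.0.113.7 pulls the customer table in bulk through an injected parameter.
SAMPLE_LOG = """\
2015-10-21T20:00:01Z 198.51.100.10 GET /api/customers/4411 200 812 1
2015-10-21T20:00:02Z 198.51.100.23 GET /api/customers/9021 200 799 1
2015-10-21T20:00:04Z 203.0.113.7 GET /api/customers?id=1'%20OR%201=1-- 200 48000 500
2015-10-21T20:00:05Z 198.51.100.10 GET /api/customers/4411/orders 200 2310 3
2015-10-21T20:00:09Z 203.0.113.7 GET /api/customers?id=1'%20UNION%20SELECT%20*%20FROM%20customers-- 200 480000 5000
2015-10-21T20:00:14Z 203.0.113.7 GET /api/customers?id=1'%20UNION%20SELECT%20*%20FROM%20customers%20LIMIT%205000%20OFFSET%205000-- 200 480000 5000
2015-10-21T20:00:20Z 198.51.100.44 GET /api/customers/1203 200 805 1
2015-10-21T20:03:30Z 203.0.113.7 GET /api/customers?id=1'%20UNION%20SELECT%20*%20FROM%20customers%20LIMIT%205000%20OFFSET%2010000-- 200 480000 5000
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        for k in ("status", "bytes", "records"):
            e[k] = int(e[k])
        events.append(e)
    return events


def sqli_suspects(events):
    """Return (client_ip, url) for every request whose query string matches SQLI_RE."""
    hits = []
    for e in events:
        if "?" not in e["url"]:
            continue
        query = e["url"].split("?", 1)[1]
        if SQLI_RE.search(query):
            hits.append((e["ip"], e["url"]))
    return hits


def bulk_egress(events, window=timedelta(minutes=5), max_records=1000):
    """For each client IP, find the peak number of customer records served in any
    `window`-long interval (sliding window over that IP's requests, sorted by
    time) and return {ip: peak} for IPs whose peak exceeds `max_records`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start, total, peak = 0, 0, 0
        for end in range(len(evs)):
            total += evs[end]["records"]
            # Drop the oldest requests until the window fits.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["records"]
                start += 1
            peak = max(peak, total)
        if peak > max_records:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, url in sqli_suspects(evs):
        print(f"SQLi marker from {ip}: {url}")
    for ip, peak in bulk_egress(evs).items():
        print(f"bulk egress: {ip} received {peak} customer records in 5 min")
```

The two signals are deliberately independent. The SQLi regex is cheap but easy to evade, whereas the per-IP record count catches bulk extraction regardless of the vector, including an attacker who has already obtained valid credentials. In production the threshold would be set from a baseline of normal per-client volumes and the alert would feed a block on the client IP or API key rather than just a print statement.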
But perhaps the most important step from an organisational perspective is to appoint a Data Protection Officer (DPO). We predict that by the end of next year less than 50% of organisations will have one, despite it being a requirement of the forthcoming European General Data Protection Regulation. Unlike a CISO, the DPO has a role specifically focused on protecting the organisation's most important resource: its data. And even better, they are independent of the IT department and can't be fired as easily by the CEO.
In short, they occupy as objective, dispassionate and critical a role in improving data security within an organisation as you can get. The sooner more firms realise this, the more secure all of our data will be.
www.securityplusonline.co.uk/trend