FINAL WORD
“Educating executives is really important – they’re not technical specialists, but they are responsible for the business impact.”
What best practice advice would you offer those looking to improve their approach?
I always say getting the basics right is key. And that might be multi-factor authentication, particularly for remote services, password complexity and segmenting your network, making sure that your critical data is separated from your non-critical data.
I think some organisations probably haven’t even gone through that process of saying, ‘what is our critical data?’ And if you look at our research, but also pretty much all research in this space, most attacks still start with a phishing email. If you get these basics right, you educate your users, you have multi-factor authentication, suddenly that initial hurdle to get into the environment through phishing becomes so much harder.
How much of a role does education and on-going training have to play?
I think it’s key for a couple of reasons. You can always debate whether end-users have responsibility, and we would say they do, but of course they’re not experts, so they can always be tricked and you can’t blame the end-user sometimes for falling for what’s quite a sophisticated attack.
Educating end-users will increase the bar but I think educating executives is really important – they’re not technical specialists, but they are responsible for the business impact.
If you look at public attacks like WannaCry or NotPetya, there were organisations caught up in that where the total bill was over one billion dollars, so we’re talking huge business impact. At the time it hit, executives might not have even been aware what ransomware is or how it works. So education is key, not just for end-users but for executives, who have to invest in and take responsibility for the security of an organisation.
Can you offer insight into what it’s like to be working on the frontline of incident response?
We always have the issue that no one’s ever pleased to see us – we’re always there because they have a problem. It tends to be that we’ll get a call, often on a Thursday or Friday night, from someone in a panic, who has a significant problem. So that’s the start point.
I think we then always have our own education piece because often we’re dealing with, let’s say, the technical team or a CISO, who understands what a cyberattack is but not how it’s going to play out. They’ve got one system that’s behaving oddly and they want us to focus on that system. Quite often when we see APT34, for example, they will have either tens or sometimes hundreds of systems that they’ve compromised.
I think the most difficult part of being on the front lines is you’re constantly giving more bad news to the victim, until they get this full realisation that it’s not likely to be just one system or a few systems, it’s likely to be network-wide, multiple systems and multiple accounts. In the worst cases, we’ve seen attackers have been in an environment for up to five years.
Are there any emerging threats that CISOs should be preparing for?
One would be around a DNS hijacking campaign. I think one of the issues we’ve had getting entities to take this seriously is that it sounds very technical but really, in summary, we’ve got attackers who are managing to divert all traffic for a given organisation, or in some instances a given country.
And then they have access to all of that traffic, including the encrypted portions of it. I think one of the reasons that it hasn’t come to the fore previously is because it also can happen outside of the victim network, so the victim is investing in technology and they think they’re secure, but someone’s managed to compromise their DNS admin panel and they’re diverting traffic outside of the network.
The reason it becomes really important is that, if one of those servers is an email server or VPN server, or remote access, the attacker gets to collect all of the passwords and even the second-factor authentication of everyone that’s logging in to that server while they re-direct the traffic.
There are some really simple steps that you can take to mitigate that in terms of multifactor on your DNS admin panel. So, we’re urging people to look at that as a key theme from the year.
There are also information operations where we’re seeing multiple nation states, but also other politically motivated groups, pushing out misinformation. And sometimes that can also be used to target individuals, so you will see inauthentic social media accounts used to make contact with people. That’s a new methodology of phishing as well. So, broadly, inauthentic media and information operations are areas which haven’t featured prominently to date but I think people need to be aware of.
INTELLIGENTCIO
Alister Shepherd – Director, Middle East and Africa, for Mandiant, the consulting arm of FireEye
www.intelligentcio.com