In the Infosecurity Europe keynote discussion about risks, threats and adversaries, Rik Ferguson, VP Security Research at Trend Micro and advisor to Europol, and James Lyne, head of security research at Sophos, talked about the latest cyber-risks.
“The last year has been the year of ransomware,” Ferguson said, noting that there has been an exponential 748% increase on the previous year, resulting in $1bn of losses in 2016. Lyne called ransomware “a deviation from what people would expect. Cyber-criminals are producing high-quality, convincing malicious code with ransomware.”
Lyne referenced the “continued professionalization of ransomware as a service,” which he called “sublime to ridiculous.” He described a dark web market with a rating system for malware, where criminals “earn stars for stealth, evil, value for price.” The cyber-criminals compete for business, and many of them link to product marketing videos.
Ferguson doesn’t expect ransomware to continue growing at the same pace, however. Instead, he predicts a plateau, advising that best practice for protecting against ransomware is back-up and restoration, access control, patching and employee awareness. “If we stop paying the ransoms, the cyber-criminals will move on to different things,” he said, adding that cyber-criminals are very practical: “If they don’t create an income, they’ll walk away and find something else that does.”
‘Something else’ could be business email compromise, including CEO fraud and invoice scams, which FBI figures suggest cost $5bn in three years.
Ferguson declared that “IoT is not the future, it’s the present. It is deeply embedded in many industries, including medical and agricultural. To date, who has been responsible for IoT devices? Mostly you, the consumer,” he said, answering his own question. However, as IoT moves into smart infrastructure and smart cities, “you lose control…the choices are taken away from you.”
Gartner has reported that by 2018 smart cities will use 3.3bn connected things. “It’s our future, and we owe it to ourselves to make sure that future is a secure one,” said Ferguson.
“With Internet of Things, wouldn’t we rather fix these problems whilst the devices are just silly toys?” asked Lyne. “We need to make these fixes before we have an enormous ecosystem of IoT. We need to take it seriously.”
Lyne concluded by urging against negligence. “When we look at some of these cyber-attacks, we’re talking about failures verging on negligence. We can’t rely on continued tools to help us decrypt ransomware—WannaCry is a wake-up, but it could be worse.”