Gina Vaccarella: Hello and welcome to episode four of our XMA plug in podcast. I’m thrilled to be here today, it’s Halloween and we’re going to be discussing a very very scary topic: cyber security. So today we’re going to be discussing the impacts of cyber threats and how organizations can combat these. Joining me today, I’m very glad to introduce Trung Tang, who is our cyber security sales lead at XMA, and Tony Roberts, U.K. technical director at Panda Security. Welcome guys.
Trung Tang: Hi Gina. Thank you for having us.
Gina Vaccarella: Thank you so much for being here guys we’re excited to discuss this very very interesting topic today. So, what I’m going to do, I’m just going to start by touching on a little stat that I found today from discussing with Trung in advance. So apparently 45 percent of UK organisations experienced one attack in the last year. So, based on that what would you say are the biggest cyber threats of 2019? Trung let’s start with you.
Trung Tang: I think there’s probably the three biggest threats. The first one, which has been around as well for a while, internet of things. So the more we evolve in technology, we’re having smart devices plugged into the network, fridges, everything seems to be connected to the network now, and that poses a big risk when it comes to cybersecurity because firstly how does someone control what is on the network, manage what’s on the network and actually understand what is that item meant to be accessing? So I personally think that’s quite a big risk, it’s been floating about for a little while. Also supply chain attacks: people or attackers tend to attack bigger companies, and because they’ve got a lot of money to spend, generally it’s harder for them to penetrate. So, what people now do in relation to attackers are come the smaller companies who trade with these bigger companies. So, I think that’s a big threat because the smaller companies have a more relaxed security posture. And old-fashioned phishing and malware attacks, that is not getting any better and that is getting worse, more advanced threats. They’re my three predictions this year and next year.
Tony Roberts: Yeah I think to echo what Trung said there, the threats are evolving. What risks there are to business this year are the same as they were last year but they’re broader and longer. The threat actors out there are evolving in their sophistication. Obviously we have technologies that are being implemented all the time to protect the business out there, but things are evolving all the time. We have to consider now what, what our risk assets that we have out there. And we look at ourselves for example, you know we’re not just single entities now, we’re individuals both at home in the workplace. We have multiple digital assets, laptops, mobiles, even in our homes now we’re looking at things like CCTV, doorbells, everything is online. I would just talk about digital assets at that point, what about our virtual assets, our Hotmail, our Gmail, our cloud file storage locations. These are all assets that are available 24/7. I think the more exposure we have out to the wide web, they’re all possible targets. Then the threats out there, like Trung said, they’re ever evolving. There are lots of categories that we fall into that we need to be aware of. Phishing, you know the techniques being used, ransomware has been massive and is going to keep on increasing because there is significant profit to be made in this industry by these threat actors. We’ll have to see how things evolve but it’s going to happen.
Trung Tang: It’s pretty scary out there, I’d definitely say that. One of the attacks which I heard, I mean it was going back a few years, was a company in Saudi Arabia, the largest oil company. They got hacked for malware and it closed the business down literally for ten days and they’d lost a lot of money. So you kind of think how would that affect a small business? How would that affect the school, university, let alone like a multi-billion pound and billion dollar organization? So you know they’re not just targeting big companies, they’re targeting it at every single person, they’re after the same thing: the data. The data and the financials.
Gina Vaccarella: That’s really something that every size company needs to consider and I think touching on what you just said Tony about evolution the fact that cyber threats are constantly evolving with technology just shows that we’re talking about 2019 right now but actually the threats exist now were very very different probably five, ten twenty years ago. I mean could you give me some kind of comparison to what we were thinking about we were talking about security threats 10 years ago versus now?
Tony Roberts: Yeah well if we look back in history, back in the day it was all about infamy. Malware was written to be destructive but in this day and age it’s all about profit. So the intention has evolved massively, stealth is wealth to these actors. They want to get into systems, they want to negate and bypass the security you’ve got in place. They’ll use either traditional types of malware, techniques, living off the land techniques, social engineering techniques. It’s advanced and we need to be aware, we need to have steps in place to counter or prevent this from happening. It’s an interesting topic.
Gina Vaccarella: And a scary one I have to say. I mean I think everyone can probably say they’ve experienced something like that at some point in their lives whether it’s at work or personal use.
Tony Roberts: I think it’s interesting when we look at the statistics about detections, we see in the media every day, every week there is another breach, another detection and another business held to ransom. It happens all around the globe and these are the things that we only hear about. You know there is a lot of other instances that businesses don’t want to share, you know they don’t want people to become aware that they have had a breach of some form or another because of the collateral fallout that can happen as a result of that.
Gina Vaccarella: So what would you say are the biggest impacts on organizations and their end users?
Tony Roberts: Reputation is critical, you know whatever you see a large blue chip company you know a well-known brand appearing in the media.
Trung Tang: I think the biggest one for my point of view was WannaCry, I know that everyone’s kind of ranted and raved about that because it is the NHS and I think that’s probably the scary part. It was the NHS and that affected machines where people had to cancel operations so it moved away from a financial prospect or aspect to more of a I’m just damaging and you know it could put people’s lives at risk instead of financials, and I think you know that’s a bit of an eye opener really to say make sure your systems are up to date make sure you’ve got stuff in there to protect you because you know they’re going after everyone.
Gina Vaccarella: Yeah I mean I think we talk about financial risk a lot when it comes to cyber threats but actually even that can have a knock on effect to the people as well. I mean you know someone’s finances being compromised can have a serious effect on their lives and their families and their businesses.
Trung Tang: Yes, you know, if you do an interview with a lot of UK companies, SMB size companies, if they had a cyber attack into, it’s not a case of how much it costs you to get your systems back. Well first of all, as Tony was saying, reputation. You got to pay for the issue to be resolved, you got to get consultants in there, consultants cost what, a thousand pound a day, ten days, that’s ten thousand pounds minimum for a small business, and then the reputation there afterwards, is some guy trade with them because of the risk of losing their data? Very unlikely, and that’s going to have a massive impact though. What, will they reduce the staff? Will they kind of have to scale back? There’s a lot of things to consider, not just now but in the future.
Gina Vaccarella: In regard to talking about real world examples, so it doesn’t necessarily have to be something in the public eye it could be you know a customer or someone that you’ve dealt with in the past. Could you recommend some dos and don’ts when facing security threats?
Tony Roberts: There’s plenty. I think the first thing business need to be aware of is their IT infrastructure. They need to know what they have in place and how it’s operating. You need to be responsible for the solutions that you have, not just hardware but both software as well. Things that you need to be ensuring that you’re assessing and reviewing actively is patching. One of the biggest factors of risk is vulnerabilities, compromising of applications or services that you’ve got in place. Now we look at just the release of updates this month that Microsoft of release critical updates secretively release critical updates. Oracle have released the same, then the last Oracle update there was over 200 fixes in that last update. Over 100 of which were fixing potential remote exploitation of systems without requiring authentication, and these are services that are everywhere. There are obviously other key things to factor in, probably most important one is education.
Trung Tang: Obviously I would say exactly the same, education.
Tony Roberts: Education for the users, we see we come across organizations all the time that either haven’t invested yet in teaching their staff on what to look out for, be vigilant don’t click on those links and then we see the other extreme scale where people have got regular training for their individuals they bring in third parties for consultation, they’re doing phishing attacks.
Trung Tang: I’ve seen there’s a few solutions out there which are simulated phishing attacks where it’s a case of the IT department send a phishing email out to all their staff, grab the data of what the staff are clicking on and what they’re not clicking on and then by that analytics they can then present a training program to their staff, so that’s a very very good solution purely for education. In addition to education although I think education for our clients because if the clients aren’t aware of what technologies are out there, if we’re not speaking to our clients and if they’re not approaching us then how do they know what’s out there, how do they know what’s available? You know we’re the experts are, I think in a sense from both sides you know we need to educate them and they need to get education from us and what we can do to assist them.
Tony Roberts: I think on the dos and don’ts category of things to be aware of, you know obviously education is key. Other things is the basics: enforcing strong password complexity, multi factor authentication, ensure roles, user roles within the business, they aren’t compromised. Making sure that you are disabling accounts that are no longer in use. Definitely don’t publish your internal services out to the web. One thing that we see quite frequently is RDP brute force attacks where someone’s published their internal server out to the web and we’ve identified the fact that they are under attack, and this usually manifests itself in the form of thousands and thousands of attempted connections coming from the same IP address. Now the fact of the matter is when this is being undergone is only a matter of time. Brute force attacks, they will keep on going and eventually very likely get in. Once they’ve established a beachhead within a business you’re already on the back foot and you have to start identifying how that’s come about, if you can even find out that they’re in, and that’s the big big problem. When we talk about businesses that have had this issue before in the past, we have breaches, that’s when they found out about that breach. They’re bringing in consultants to review that but that could be hundreds of days later after the fact and who knows what’s happened before.
Trung Tang: I think I’ve read statistically I think is that most attacks are found out a month afterwards, it happened. So you got to think how long, what can I do in a month’s time on your system. Can they change their passwords, can they actually stop you from accessing your systems yourself? They probably can.
Tony Roberts: And that’s why you need to make sure you implement security solutions, make sure you have file restrictions in place, security systems event management so you are notified when things are occurring in your estate that are out of the norm, obviously implementing a good EDR and endpoint detection response technology, better still threat hunting. So, this isn’t something that small businesses can adopt very easily, they could subscribe to services that will provide the solution to them, but prevention is part of the cure.
Trung Tang: Resilience as well. Make sure there’s good e-mail filtering solution and then the second part is as you said EDR technology but it is all about resilience making sure that there’s multiple steps for them to gain access to your networks.
Gina Vaccarella: I think we’ve talked about a lot of the dos and don’ts here. Is there any other things you would suggest that organizations can use to combat threats?
Tony Roberts: One thing we need to be aware of is what is the situation out there in the I.T. landscape. When it comes down to cybersecurity, obviously vulnerabilities, patching is one of those key things. When clients are looking for security solutions it’s a fragmented marketplace. There are so many different security vendors out there now, beginning to pick the right one is very difficult because you’ve got such a choice to select from. Also employing the right people, you know you want to have security engineers, threat hunters, people managing your I.T. admins looking after your estate. There’s definitely a skills crisis out there, you know we know there are jobs waiting to be fulfilled by skilled individuals and there are not enough for those individuals out there to populate this demand, and that’s good. That’s going to be increasing year on year as the topic gets broader, the threats become we are wider in their delivery and their techniques. You know we’re gonna need people to combat that.
Trung Tang: From a client’s perspective is if they feel they don’t have the expertise, because IT managers, directors have a lot of responsibilities so they can’t just purely focus on I.T. security. So if they feel they don’t have the knowledge or expertise, lean on their partners, lean on their solutions providers because we’ve got the expertise in-house to assist them. I think that it’s not just a case we could suggest ideas and pen test. I think pen testing is a brilliant solution to understand firstly of their weaknesses. So get regular pen testing, understand not a case of what’s bad what’s good but what can be improved. And it’s not expensive, it’s a good starting point.
Gina Vaccarella: OK so obviously you’re coming towards the end of the year now. So if we were to look ahead to 2020 what do you think are going to be some of the biggest topics that are going to be discussed in the world of cyber security? What are some of the biggest threats that you foresee coming in 2020 and what do you think organizations need to consider when thinking about all those things?
Tony Roberts: I think we’re going to see more of the same, ransomware, you know it’s what we’ve said, it’s a fiscally rewarding technique used by people, and that’s going to be increasing. Clients, customers out there are becoming more aware and they’re implementing technologies to combat this. That will prevent some instances of that occurring but it is not going away. It’s been increasing year on year and it’s profitable, so it’s not going to go away. We also need to start looking at the different approach because these threat actors, they’ve used techniques the same for years but they adapt, and now we’re seeing an increase in living off the land attacks. So having the ability to identify those types of threats occurring in businesses is something that they’re going to have to look into and address. So if you’re not aware, living off the land attacks is basically using legitimate processes to manipulate the system, be it creating user accounts, querying the network for particular information, data, configuration, and using these legitimate processes to perform very similar actions to what you see with malware but used by using applications up part of the bespoke operating system though AV, EDR solutions we look at I think well that’s normal behaviour.
Gina Vaccarella: So I think just to summarize today everything that I’ve learned is that the cybersecurity landscape has heavily evolved over the last five to ten years. And with that technology has evolved as well. However that doesn’t necessarily mean that the threat level is any less than it used to be. It’s quite clear as well that cyber attacks can have a huge impact on organizations and their end users and organizations really need to think about their cybersecurity plan and how they can implement processes to protect themselves from cyber-attacks. Thank you Trung and Tony so much for joining us today. If our listeners would like to reach out to discuss any topics that we’ve touched on today then our contact details are on our podcast page as always. Thank you so much for listening to our XMA plug in podcast, tune in next time.