Cyber Defense: Is your IT team telling you the whole truth?
As a CEO or CTO, you rely on your IT team to keep your systems secure. They always want to do the best job they can for you, but are you certain they are telling you the whole truth?
Imagine a family living in a house where some of the kids knew the dad left the back door unlocked every night. The mum always assumed it was locked, but it never was, and for years nothing happened. Then one night they get burgled and their prized possessions disappear.
Imagine the questions:
Dad: “Well, it was always unlocked, that door.”
Mum: “Why, and why was I never told?”
Kid 1: “I knew but assumed you did, mum!”
Kid 2: “Yeah, I guessed it was unlocked but couldn’t be bothered saying…”
That’s the scenario in firms across the globe.
The mum (say, the COO of a business) doesn't think she needs help, as she has a husband who locks all the doors.
What follows is an illustration of the problem being faced right now in organisations.
We are seeing an increasing trend of attacks on data backups. Backups are seldom targeted, but they become a concern when ransomware is considered. Ransomware is a scary prospect at the best of times: a computer virus is planted on internal systems, leaving the criminals free to extort money from businesses.
The course of action during a ransomware attack could be to lock IT administrators out of systems, steal client data, or even just wreak havoc. If you are already worried about how your organisation is protecting its backups, that is with good cause. But there is worse to come.
Jim from accounts – the silent problem
Imagine a scenario where you, as a business leader, have assurances from your technology team that the live environment and internet-facing perimeter topology are safe. They have passed all the recent tests and the metrics are all green. From a cybersecurity perspective, the recent Red Team exercises with the board went swimmingly and the playbooks are all up to date. It is a position many a C-suite executive finds themselves in, and what a great place to be.
But, without anyone’s knowledge, good old Jim in accounts ordered his girlfriend a lovely pre-summer holiday present from a well-known online retailer yesterday. Today, Jim received an email from that same retailer stating his payment had been declined. When he unsuspectingly clicked on a link to find out why, a new piece of malware, containing an undetectable virus (referred to as a zero-day attack), was downloaded onto his laptop.
This wasn’t a valid email but a well-worded phishing email. An embarrassed Jim deleted the email, carrying on with his day with no intention of reporting the incident for fear of rebuke.
Over at Cybercriminal Towers, an alert was quickly received that the malware was active, and a crack team of experts started work. These are well-organised outfits, with offices, free fruit, and a view – no longer a single young chancer wearing a balaclava punching keys into a keyboard in the hope of landing a big fish.
We need to evolve our appreciation of how cybercriminals operate and act. Given the lucrative nature of the work, they sometimes compete for the same tech talent as those on the right side of the law, strange as it may seem.
This team of criminals, on this occasion, is aiming even more sinister malware at a specific target. They work quickly and undetected, traversing the firm’s network from Jim’s laptop. They very quickly have access to the servers.
And after a short amount of time, there it is, the backup system – in all its glory. Akin to a scene from Lethal Weapon, where Murtaugh and Riggs await instructions for which colour cable to cut, a subtle click here and there and boom – a gnarly set of files containing the most complicated ransomware is planted on the backup system. The fallout? None, nothing. Not yet. Now we wait, as the timer ticks away.
Cybercriminal Towers – The revisit
As time goes on, another risk review occurs and it’s another clean bill of health. Happy days, until…
This time, the team at Cybercriminal Towers has planned its next visit to Jim’s firm as a purposeful one. Into the network they go again. This time the live environment looks too appetising, and with good reason. That is where the crown jewels are. Another server, same effect, boom! Ransomware landed again. Easy pickings.
This time the malware is executed straight away, alerting the technology teams. At the same time, the execs all receive emails holding the firm to ransom, as their website, app, and whole back office grind to a halt. The email states: ‘Pay or lose your data and online presence.’ A compelling and heart-skipping moment for anyone.
As the out-of-body experience subsides, the inevitable playbook emerges and the tech team arrives, chests pumped out ready for action. The prognosis is simple: don’t pay and we will follow the tried-and-tested process. Shut down the affected servers, delete the data, suffer a little downtime, and ignore any demands, and in no time at all the backups will restore the business to where it was. Remediation is then done, and any holes are plugged.
With smiles all around, the action plan is clear and the teams jump into action. However, this time the plan isn’t going as expected. The now very populated office is struck by shock and numbness, one by one, and, like a set of dominoes, everyone quickly realises the problem. The backups aren’t available. They are locked by the very same ransomware message seen minutes earlier on the live server.
Like an enlarged chessboard in many a pub garden, it feels like a very public call of checkmate has just been announced. As a process for paying in bitcoin is hastily written amid the inevitable scramble, it is the start of a very long day and night for everyone at the firm. They have no choice but to pay, but wish to do it quietly, so as not to worry investors, clients, and shareholders.
If you believe your organisation is too big, too protected, and is precluded from such scenarios, then great, I admire that stance. Just be sure you follow the evolution of the risk landscape on a daily basis. Because that is what we are all fighting against. The culture at Cybercriminal Towers isn’t to write papers, or have committees or meetings, but to be hellbent on delivering their projects.
The ability to analyse data, perform security and penetration tests, and have good governance in place, through the likes of management information, policies and procedures, is often viewed as the boring or bureaucratic bit of technology. As demonstrated here, this really is not the case.
Ultimately, your IT team may think they have all your security needs covered, but in reality they probably don’t. As a CEO or CTO, it is wise to get an outside opinion or a third party to assess the security gaps. Should you be asking your IT team more questions about the cover in place and challenging it?
About the author: David Davies, the Chief Executive of Navos Technologies, is an expert at helping financial services firms deal with online threats. As the former chief information officer at Hargreaves Lansdown, where he oversaw a team of 400, he is well placed to understand the importance of a watertight cyber-defence strategy.