AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


RSA reflections: ransomware and (the Internet of) things

I just got back from RSA, and with over 700 sessions during the conference, there was certainly no shortage of thought-provoking material on current and future cybersecurity challenges.

For me, a significant takeaway was that ransomware is now a big problem – and it’s getting worse.  It’s popular with criminals because it’s proven to work, giving them a lucrative business model that doesn’t require much effort.  So far ransomware has attacked ‘softer targets’ such as home users, small businesses, hospitals, transit authorities and local government. And while larger enterprises don’t seem to have been hit hard, it could be that they have been able to contain incidents – or that they are simply not reporting them.

Ransomware and regulation

However, I think this could well change in the near future.  Ransomware that encrypts personal data could present a serious regulatory compliance problem for organizations, following the precedent set by the healthcare sector.  Under guidance from the U.S. Department of Health and Human Services, a ransomware infection that encrypts patient records is presumed to be a breach under the HIPAA Breach Notification Rule, even if the scrambled data never actually leaves the network, unless the organization can demonstrate a low probability that the data was compromised.  If similar measures start to apply to other regulated sectors too, such as banking, financial services and retail, a successful ransomware attack becomes far costlier in both remediation and compliance violations.

Ransomware could potentially also be used to target critical infrastructure, such as water and power utilities, as a security researcher demonstrated during a session at RSA.  The researcher showed how a range of internet-connected industrial programmable logic controllers (PLCs) could be targeted by malware to disrupt or disable processes that affect large numbers of citizens, such as water treatment, for blackmail purposes.  Ransomware can also cause disruption well beyond the encrypted data itself.  An example is the attack on the San Francisco Municipal Transportation Agency (Muni): it didn’t stop trains running, but it took down the ticketing systems, so the agency opened its fare gates and services ran for free over a weekend.  I believe we can expect to see a sharp increase in attacks like this over the next year.

It’s no surprise, then, that a panel of experts from the SANS Institute rated ransomware as the most dangerous attack vector we currently face.  This highlights the urgent need for all organizations, whether large or small, public or private sector, to put in place immediately the straightforward measures that mitigate the risk of a damaging ransomware attack, including robust network segmentation (so that one infected workstation cannot reach every file share) and regular backups that are kept offline and actually tested for restore, as we have blogged previously.

Insecure IoT

The second major takeaway from RSA for me was the current state of IoT security, which can be summarized in one word:  terrible.  Cybercriminals have now realized that smart devices are more than just simple targets:  they can be ‘drafted’ into huge botnet armies and used to launch DDoS attacks of unprecedented scale.

So a vulnerable IoT device, such as a smart thermostat or connected security camera, isn’t just the owner’s problem: it’s everyone’s problem.  How should these devices be secured?  And who should pay for it?  Would consumers be prepared to buy a more expensive IoT device because it has better security, when that added security does not directly benefit the person making the purchase?

This scenario, where the cost of insecurity falls on third parties rather than on the buyer or the vendor, is what economists call a negative externality, a form of “market failure”, and even libertarians like Olaf Kolkman and Bruce Schneier in an RSA session recognized the need for legislative or government regulation of IoT device security in order to protect our increasingly connected, always-on world.

And while this is more of a consumer and public policy issue, the security implications for enterprises are clear. If you plan to deploy smart IoT devices in your offices or on your networks, you need to conduct a proper security assessment of the devices, lock them down (change default credentials, disable unneeded services such as telnet and UPnP, and keep firmware current), segregate them into their own network zone, and restrict access to and from that zone to the specific flows the devices actually need, as we detailed here.  Avoid becoming part of the problem!
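The segregation advice above, and the segmentation point in the ransomware section, come down to a zone-based firewall policy that can be checked rather than assumed. The following is an added example written for this post, not code from AlgoSec or from the original article: a small first-match rule evaluator with a set of segmentation invariants an IoT zone should satisfy (devices may reach NTP, DNS and their vendor cloud over TLS, only the management zone may reach the devices, and nothing from the IoT zone may reach the corporate or management zones). The zone names, subnets, ports and the sample rulesets are all constructed assumptions for illustration.

```python
"""Zone-based firewall policy check for a segregated IoT zone.

Added example, not code from the original post. Zone names, subnets,
ports and the rulesets below are assumptions made for illustration.
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    src_zone: str          # zone name or "any"
    dst_zone: str          # zone name or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


# Assumed, non-overlapping zone definitions; anything unmatched is "internet".
ZONES = {
    "iot": ip_network("10.10.0.0/24"),
    "mgmt": ip_network("10.0.1.0/24"),
    "corp": ip_network("10.1.0.0/16"),
}

# Constructed sample ruleset. First match wins; the last rule is the default deny.
POLICY: List[Rule] = [
    Rule("mgmt", "iot", "tcp", 443, "allow"),      # admins reach device web UIs
    Rule("iot", "internet", "udp", 123, "allow"),  # NTP
    Rule("iot", "internet", "udp", 53, "allow"),   # DNS
    Rule("iot", "internet", "tcp", 443, "allow"),  # vendor cloud over TLS
    Rule("iot", "any", "any", None, "deny"),       # IoT initiates nothing else
    Rule("corp", "internet", "any", None, "allow"),
    Rule("any", "any", "any", None, "deny"),
]

# Constructed "bad" ruleset: a vendor asked for open outbound and someone
# added a broad allow ahead of the IoT deny. Common, and exactly what the
# invariant check should catch.
BAD_POLICY: List[Rule] = [Rule("iot", "any", "any", None, "allow")] + POLICY


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown space is treated as the internet."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return the action of the first rule matching the flow (implicit deny if none)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in policy:
        if r.src_zone not in ("any", src):
            continue
        if r.dst_zone not in ("any", dst):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


# Representative flows a segregated IoT zone must deny / must still allow.
# Addresses are constructed: 203.0.113.7 is documentation space standing in for the internet.
FORBIDDEN_FLOWS = [
    ("10.10.0.5", "10.1.2.3", "tcp", 445, "IoT -> corp SMB (lateral movement path)"),
    ("10.10.0.5", "10.1.2.3", "tcp", 3389, "IoT -> corp RDP"),
    ("10.10.0.5", "10.0.1.9", "tcp", 22, "IoT -> mgmt SSH"),
    ("10.10.0.5", "203.0.113.7", "tcp", 23, "IoT -> internet telnet (Mirai spread over 23/tcp)"),
    ("10.1.2.3", "10.10.0.5", "tcp", 443, "corp user -> IoT admin UI (only mgmt should)"),
    ("203.0.113.7", "10.10.0.5", "tcp", 443, "internet -> IoT inbound"),
]
REQUIRED_FLOWS = [
    ("10.10.0.5", "203.0.113.7", "udp", 123, "IoT -> NTP"),
    ("10.10.0.5", "203.0.113.7", "tcp", 443, "IoT -> vendor cloud"),
    ("10.0.1.9", "10.10.0.5", "tcp", 443, "mgmt -> IoT admin UI"),
]


def segmentation_findings(policy: List[Rule]) -> List[str]:
    """Probe the policy with the flows above; an empty list means the zone is segregated."""
    findings = []
    for src, dst, proto, port, why in FORBIDDEN_FLOWS:
        if evaluate(policy, src, dst, proto, port) != "deny":
            findings.append(f"ALLOWED but must be denied: {why}")
    for src, dst, proto, port, why in REQUIRED_FLOWS:
        if evaluate(policy, src, dst, proto, port) != "allow":
            findings.append(f"DENIED but required: {why}")
    return findings


if __name__ == "__main__":
    for name, pol in (("POLICY", POLICY), ("BAD_POLICY", BAD_POLICY)):
        print(name, segmentation_findings(pol) or "OK: IoT zone is segregated")
```

The point of the probe list is that it encodes the intent ("IoT may never initiate to corp") independently of the rule order, so a later rule change that quietly opens a path shows up as a named finding rather than as a surprise during an incident. The same check can be run against a real ruleset by replacing the evaluator with one that loads the actual firewall configuration.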
