Q&A: CBR catches up with security researcher David Emm about the big threats on the horizon.
David Emm, Principal Security Researcher at Kaspersky Lab, has worked in the anti-malware industry since 1990 in a range of roles spanning McAfee and Dr Solomon's Software.
CBR caught up with him to find out what he thinks are the big cyber threats facing the business world right now.
CBR: What do you think is the number one threat vector right now?
Emm: There are several threat vectors. These include the use of social engineering to trick people into clicking on attachments and links in messages, the use of vulnerabilities in applications, the threat from compromised web sites (so-called ‘drive-by downloads’) and the danger of spreading malware via USB devices. Three types of malware that have grown dramatically in the last few years are ransomware, banking threats and mobile malware. In Q2 2016 alone, we saw 9,296 modifications across 28 ransomware families (and this from a total of around 26,000 ransomware modifications in total). In the same period, Kaspersky Lab products blocked mobile banking Trojans on 1,132,031 computers. 3,626,458 malicious mobile installation packages were discovered in this period (83,048 of them were mobile ransomware programmes).
CBR: 2016 has been a big year for ransomware. What do you think are the big threats that we will see in the future?
Emm: I think the three types of threat outlined above, including ransomware, will continue to grow. They are all ways to make easy money and while they prove to be lucrative for cybercriminals, they will continue to invest in them. That’s why we have seen such diversification in ransomware methods (e.g. infecting at a sector level, encrypting data on servers, using scripting languages for flexibility). More aspects of life are becoming connected, offering a wider attack surface than ever before. So we will see attacks on various aspects of the Internet of things – already, researchers have shown how connected ‘things’ as diverse as cars, children’s toys and CCTV cameras can be subverted.
CBR: There have been a range of big breaches recently. Are there any unifying themes and lessons that organisations can learn from them?
Emm: I think it’s vital that organisations work on the basis that their defences will be breached. That isn’t to say that perimeter defence isn’t important – it is. But defence in-depth is vital, so that if a breach does occur, attackers aren’t able to make off with valuable data – including sensitive customer data. This means developing a security strategy based around people and processes, as well as technology. It means limiting the scope of any attack by limiting the rights employees have on computers (i.e. not assigning admin rights by default) and segmenting the network to limit the spread of an attack. It also means investing in education of staff, to make it harder for attackers to trick staff into doing something that jeopardises security. With regard to customer data specifically, it’s important for providers to hash and salt passwords and to provide multi-factor authentication to make it harder for criminals to make use of stolen data.
CBR: Do you see the security world moving towards more unified architecture?
Emm: I see a lot of diversity. Alongside traditional endpoint devices (desktops and laptops) mobile platforms have become an integral part of business and personal life. On top of this, manufacturing and industrial systems use other systems. If we consider the Internet of things, it’s clear that connectivity is implemented differently across the spectrum of devices. The key, moving forward, is for those implementing connectivity in IoT devices to build in security at the design stage – because retro-fitting it after something bad has happened, is a lot harder.
CBR: 2016 has also seen unprecedented attacks on financial systems, such as the SWIFT attacks. Do you expect more of these and what can be done?
Emm: Historically, attempts to make money directly have involved attacking bank customers, rather than bank infrastructure. But the latter have become more common in last few years. Some involve attacks on common infrastructure, such as SWIFT (and also infection of Point-of-Sale devices), but some campaigns are designed to infiltrate bank systems directly and steal money – e.g. Carbanak, Metel and GCMAN. Some of these (Tyupkin and Skimer are notable examples) infect ATM machines in order to steal money this way. I think cyber criminals will certainly continue to look for ways to undermine security in financial institutions.