We sat down with James Lyne, global head of research at Sophos, to find out about the world of professional cybercriminal services and why security isn’t about the latest shiny box anymore.
What security issues are you focusing on at the moment?
There are a great number of trends that I’m focused on at the moment. 2015 is a weird year. Every year there is always something really big and new, but this year there isn’t.
This year it’s more of the same, but done more effectively. The details down below are changing rather than the high-level items.
There’s a resurgence in document-based malware. It was a big thing ten years ago, and the last four or five years of malware prevention has been about dealing with web-based exploitation. Over the last few months, document-based malware has become really popular again.
Sadly a lot of people are falling for it because they haven’t come across this stuff before and the company awareness policy doesn’t talk about it.
Last year I announced the complete professionalisation of cyber criminals. You can go online and you can buy products and services to generate malware. This year, we’ve seen not just innovation in their technical model, but also with their business model. One of the exploit kits I’ve been tracking now offers a cloud cybercrime service. So not even cyber criminals want to buy on-premise software anymore.
So you go to these guys and you pay them $450 a month and they set up a cloud service, even offering a money-back guarantee in case your server gets taken down.
The problem is now we have a whole spectrum of attackers, from the script kids to the mainstream cybercriminal going after credit card details from consumers, up to nation-state higher end threats – all using a set of tools commercially produced by competent cyber criminals.
What that means is the cyber criminals have excellent evasion technologies. They are testing their stuff on vendors like us to make sure they can bypass protection.
How can security vendors fight against this?
Single points of protection are failing, will fail, and will fail even more going forwards. We’ve said for a long time that it wasn’t perfect. The answer for me is joining together the components that people have in their environments.
You go to most businesses now and they’ve got a bit of antivirus, maybe some password security, they do some patching, that’s about it. The only way the security industry as a whole can react to this trend of lower profile malware and better evasion coordination is to tie together end-point antivirus, data protection technologies, encryption technologies and the networks. By combining them we can start to do some really clever things.
Maybe the malware gets in, maybe the antivirus fails to detect something, the attacker connects, then the network goes ‘that’s a weird looking connection there’. The hacker starts looking at data, notifying the data protection technology...
You can take all these things and go ‘there’s a problem, lock that system down’, allowing you to investigate the issue.
For me the next five years in security aren’t about more components and buzzwords, but taking all the bits that security companies have built over the past ten years and connecting them together.
What’s your advice to businesses that are trying to overcome these problems?
Three things. Firstly, a lot of breaches occur due to basic failures, not high-end clever malicious code. It’s bad passwords and out-of-date software. Businesses need to get the basics right and educate their staff. It makes a massive difference and eliminates 90 per cent of the threats you’ll run into.
Secondly, don’t just add more and more stuff to your network. It isn’t about the latest shiny box. It’s about the same components we’ve all been talking about over the past five years and making them usable and right for your business. Don’t go sexy, go simple.
Lastly, a lot of traditional security controls that businesses deploy focus on the office still. But more and more employees work from home and on their mobiles. They’re connecting to wireless in Starbucks. So have a good hard look at your security controls and your IT infrastructure in general and figure out how you can protect your users when they access Office 365 in the cloud. There’s a lot that can be done, but many businesses just haven’t got round to it yet.
How will security evolve in the near future?
I think we are at the point of the greatest transformation in technology since we shifted from mainframes to PCs. Cloud applications and virtualisation are now making for more dynamic computing. Half or more of your infrastructure might be hosted in a completely different country on systems you never touch.
We’re in a world of very dynamic computing. Employees are using a whole wealth of new devices and that’s only going to accelerate. The boundaries between mobile and laptop are collapsing.
The office of the future will lack all boundaries and be totally elastic. It will be constantly connected and using other people’s resources. That presents massive challenges in privacy and security in legal and data protection contexts. Encryption has a huge role to play there. It’s not just looking out for dodgy links anymore.