We hear the stories almost daily and see the headlines in the news, but how worried should we be?
The answer really is, it depends. Today I have seen a few headlines including this whopper: “New ransomware could poison your town’s water supply if you don’t pay up“. It sounds very scary, and the idea is, but it is important to understand that this is based on a Proof of Concept (PoC) attack demonstrated at RSA. Is it possible that this can occur? I suppose it is, but the real question is whether it is likely. The answer is, not right now. That makes it FUD, or “Fear, Uncertainty and Doubt”. There is a big difference between showing a PoC and pulling it off in the wild, so you can sleep well tonight.
This is where it gets a bit spooky. It is possible, and if the researchers who did this are thinking about it, you can bet our enemies, and the bad guys just out for a big payout, are too. So research like this is important, but let’s not start stocking up on bottled water just yet.
What is the real threat RIGHT NOW?
The current threats deal more with making fast money and wreaking havoc on organizations by locking them out of the records and data they need to do business. Even that threat is expanding, though, as the attackers work to innovate. Before we see water supplies threatened, expect to see more and more attacks where the bad guys threaten to publicly release, or actually release, sensitive information. Imagine if your organization’s “secret sauce” or proprietary information were made public. How much did it cost you to develop that, and how much of a competitive advantage would be lost if that happened? Take KFC’s “Secret Recipe” for example. Rumor is, it is guarded by eunuch Ninja cyborgs… or something like that.
The other real threat is CEO Fraud (aka Business Email Compromise, or BEC) and W-2 scams that are happening right now. Just yesterday I spoke with an individual who signed up for our training because they sent all of their employees’ W-2s to some scammers. They were surprised to learn that they are not alone. Manatee County, FL (in my own back yard) was a victim, as was Argyle School District in Texas. Even Snapchat got caught in the crosshairs last year. This is real, this is in the wild, and it is happening to organizations of every size in every industry.
So, what do you do about it?
The number 1 way to counter these attacks is user training, because the number 1 attack vector is email phishing. You train your folks and then phish them yourself with non-malicious payloads and links, so they get used to spotting phishing emails before something real hits. Technical controls alone are just not reliable enough to catch and stop these targeted attacks, but making your users a “Human Firewall” is.
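Training is the first line, but technical controls still earn their keep when they catch the obvious tells so a trained user has something to act on. The following is an added example, not code from the original post or from KnowBe4: a small Python check that flags the usual CEO-fraud indicators in a message, namely an executive’s display name on an external address, a sender domain that is one typo away from the real one, a Reply-To pointing somewhere else, and pressure language in the subject and body. The company domain, the executive watch list and both sample emails are constructed for illustration.

```python
"""Flag the common CEO-fraud / W-2 scam tells in an email's headers and text.

Added example, not code from the original post. COMPANY_DOMAIN, EXECUTIVES and
the sample messages below are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage

COMPANY_DOMAIN = "example.com"      # assumed internal domain
EXECUTIVES = {"jane doe"}           # assumed watch list of impersonated names (lowercase)
PRESSURE_PHRASES = ("urgent", "today", "immediately", "wire", "w-2", "don't call")

# Constructed scam sample: executive's name, lookalike domain (1 for l),
# external Reply-To, and the usual urgency.
SAMPLE_SCAM = """\
From: "Jane Doe, CEO" <jane.doe@examp1e.com>
Reply-To: jdoe.ceo@gmail.com
To: payroll@example.com
Subject: Urgent: W-2s for all employees

Can you send me the W-2s for all employees in PDF today? I'm in a meeting, don't call.
"""

# Constructed benign sample from the real internal domain.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: payroll@example.com
Subject: Lunch

Are we still on for Thursday?
"""


def is_lookalike(domain: str, target: str) -> bool:
    """True when domain is exactly one edit (substitution, insertion or deletion) from target."""
    if domain == target or abs(len(domain) - len(target)) > 1:
        return False
    i = j = edits = 0
    while i < len(domain) and j < len(target):
        if domain[i] == target[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(domain) > len(target):
            i += 1                      # extra character in domain
        elif len(domain) < len(target):
            j += 1                      # missing character in domain
        else:
            i, j = i + 1, j + 1         # substitution
    edits += (len(domain) - i) + (len(target) - j)
    return edits == 1


def bec_indicators(raw: str) -> list[str]:
    """Return human-readable reasons the message looks like CEO fraud (empty list if none)."""
    msg: EmailMessage = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]   # sample messages always carry a From header
    from_domain = sender.domain.lower()
    display = sender.display_name.lower()

    # Executive's name on a display line, but the mail comes from outside the company.
    if from_domain != COMPANY_DOMAIN and any(name in display for name in EXECUTIVES):
        findings.append(f"display name '{sender.display_name}' impersonates an executive "
                        f"but sends from {from_domain}")

    # Typosquatted sender domain.
    if is_lookalike(from_domain, COMPANY_DOMAIN):
        findings.append(f"sender domain {from_domain} is a lookalike of {COMPANY_DOMAIN}")

    # Replies silently redirected to a different mailbox.
    if msg["Reply-To"] is not None:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != from_domain:
            findings.append(f"replies go to {reply_domain}, not to the sender's domain {from_domain}")

    # Urgency and "don't verify me" language in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg["Subject"] or "") + " " + (body.get_content() if body else "")
    hits = [p for p in PRESSURE_PHRASES if p in text.lower()]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))

    return findings


if __name__ == "__main__":
    for reason in bec_indicators(SAMPLE_SCAM):
        print("-", reason)
```

Any hit is a reason to apply the policy discussed below and pick up the phone, not a verdict; a legitimate executive mailing from a personal account will trip the Reply-To and display-name checks, which is exactly the situation that should be verified out of band.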
The number 2 thing is to have good backups: copies that are offline or otherwise out of reach of a compromised account, and that you have actually tested restoring from. This really only matters for ransomware, because once you have sent money or W-2 info, backups won’t help. For those cases, number 2 is to have a plan to deal with it. Developing this plan will help you react quickly and will help you develop policies that avoid these attacks in the first place (e.g. ALWAYS talk to the requestor on the phone, at a number you already have, BEFORE sending money or sensitive info). Everyone should agree on this policy, and they will if you have trained them on the threats. Also, know who your local law enforcement contacts are and how to reach them. Having a PR firm and/or lawyer in mind is also a good idea.
So, keep an eye on the new developments, but don’t get dragged into the FUD. Focus on the real, current threats and you will do more to protect yourself than by chasing the possible (but not likely) ghosts of things to come.
Erich Kron, Security Awareness Advocate at KnowBe4, is a veteran information security professional with over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, MCITP and ITIL v3 certifications, among others. Erich has worked with information security professionals around the world to provide the tools, training and educational opportunities to succeed in InfoSec.