“We have had a train wreck coming” – evolve or die

“WE HAVE HAD A TRAIN WRECK COMING”

Thank you to the New York Times for a particularly good take on the problems that Shadow Brokers and Vault 7 have caused globally, not least at the National Security Agency. The fact that the NSA (and the Central Intelligence Agency) has not been able to keep its house in order has proven calamitous for the world.

WHO DO YOU TRUST WITH YOUR BUSINESS?

They are not alone in being porous. AV security vendors have been continually embarrassed by Google’s Project Zero team, as Tavis Ormandy repeatedly ‘outs’ one company after another as more vulnerabilities are discovered. The irony that someone you pay to make your network safe is giving the bad guys a backdoor never ceases to make me cringe.

Microsoft had its source code (including their latest security innovations) for Windows 10 and Server 2016 dumped on the web, so all the bad guys could suck up the data.

More recently there was the spat between DirectDefense (and possibly Cylance, in the background) and Carbon Black, which exposed the fact that PII is being sold on the ‘net because of the threat-intelligence sharing model used by almost all the next-gen AV security vendors. Not only was this illegal, it was glaringly bad security.

It must cause organisations to question whether, knowingly or unknowingly, their AV security vendor’s business model enables data leakage. The potential for incurring massive fines comes into force with GDPR in May 2018.

Former NSA Director and National Intelligence Director Mike McConnell said that “We have had a train wreck coming. We should have ratcheted up the defense parts significantly”.

Those pearls of wisdom are valid for all, not just the NSA.

A recent survey sponsored by Varonis found that IT decision makers’ cyber security confidence is misplaced, and that 40% of organisations are not at all properly securing their data. That was an average. If you dive deeper into the stats you see that only 66% of US businesses restrict access to sensitive information, and only 51% in Europe.

The German firms are the biggest offenders with only 38% fully restricting access. No surprise then that it is the Germans who have been hit hardest by ransomware over the last two years.

Over a third had been hit. The German malaise is of epic proportions, as both State and DAX businesses have their vulnerabilities exposed over and over.

Germany really exemplifies the necessity of culture change throughout business. Not engaging ‘proper’ IT security, on the argument that employees may ‘push back’ against restrictions on their access to Angry Birds et al., is nonsensical when multi-billion businesses are facing business failure. Workers’ Councils need to be afforded more respect than senior management presupposing that they would see good cyber security practices as an infringement on workers’ rights!

“The reality is that businesses are consistently failing to restrict access to sensitive information and are regularly experiencing issues such as data loss, data theft and extortion in the form of ransomware.”

John Carlin – former Assistant Attorney General for the US Department of Justice’s National Security Division.

ARMS RACE TO NOWHERE

Cyber security is expected to be worth $170 billion p.a. by 2020, up from $75 billion in 2015. There is a veritable arms race going on, but to what effect? Spending cash is not the solution. While the VCs are pumping in money and a host of new companies are all offering the holy grail, nothing alters. $170 billion should be funding a cyber-revolution. Organisations have been spending big sums of money buying new solutions. Every time, the bad guys find a way through or round with seeming ease, adding disruption and massive hidden cost to the mix.

Shareholder pressure, the European Union’s GDPR and threats of further legislation in the USA may bring about evolution.

And if not? Business that does not change and invest in different technologies will go the way of the dinosaurs. Charles Darwin said, “It is not the strongest of the species that survives, nor the most intelligent, but the ones most responsive to change”.

Let’s hope it’s not “auf Wiedersehen, Deutschland”.

If he wants to avoid his own Kodak-Psion-Nokia moment, the CEO needs to be asking the question “Who in my organisation right now will provide me with REAL assurance that I will NOT be meeting the press in the corporate car park, while my business burns down around me?”

PREVENTION IS BETTER THAN THE CURE

Malware costs money, destroys shareholder value and ruins careers. Business needs to adopt a new cyber security strategy and look beyond the tried, tested and failing old technologies of signature-based anti-virus, white-listing and behavioural analysis tools. Prevalent practice is failing to protect against the real nasties.

The costs of accepting the status quo are horrendous, as evidenced by the $300 million lost by each of Federal Express, Maersk and others. Both are big enough to survive the NotPetya attack. Conversely, while Equifax’s (revenue $3.1 billion) infamous data breach was down to very poor security management rather than a zero-day first strike, they are facing a $70 billion lawsuit and may not last. Smaller companies die.

Surely it is practical and desirable to adopt a proactive stance and prevent the malware infection before the damage is done?

Disclaimer: Alexander Rogan is CEO of Zero Day Plus Anti-Malware Limited.

Zero Day Plus is the global licensed reseller of the HDF endpoint security technology, a kernel-level filter driver of less than 100 KB that uses the fundamental characteristic of malware and the ring-based architecture of the OS to block new binaries, including all persistent malware, knowns and unknowns, including WannaCry and NotPetya as zero-day first strikes.

It works with all cyber tools, enabling multiple layers of security. It stops memory-resident attacks gaining persistence and secures IT from Windows NT4 to the present day (after support and extended support ends).

HDF stops ZERO DAY first-strike attacks in the first seconds. We have no false positives (actual events) and there is no performance impairment.

You are welcome to contact me for an in-confidence discussion about why evolution is preferable to extinction.