Poor endpoint security practices are only helping to propel the great ransomware epidemic of 2016 — and if allowed to fester, this threat will spread to new vulnerable endpoints including IoT devices, cars and ICS and SCADA systems, according to a new report from the Institute for Critical Infrastructure Technology (ICIT).
The report, released last week, recommends adopting holistic endpoint security solutions — including signature-based and behaviour-based anti-malware software, firewalls and intrusion detection and protection systems — as part of a multi-layered approach to IT security. “Of the lines of network defence available to an organisation, endpoint security is uniquely capable of stemming the growing ransomware menace,” the report reads.
ICIT warned that organisations become too easily disillusioned with endpoint solutions whenever they fail to thwart a systems breach within their industry. When this happens, security execs tend to look to bolster defences elsewhere in the network.
In truth, however, endpoint security solutions remain a critical component of good IT fortification, just not by themselves, the report explains. “The biggest misconception of endpoint security is that it is the only solution needed. EPS is but one of the many pieces needed to reduce the potential of a system compromise,” Kevin Chalker, CEO of GRA Quantum, said in the report.
“The endpoint aspect is just a part of a layered security strategy; there's no silver bullet, although every time there's a big breach, charlatans come out of the woodwork selling a silver-bullet solution,” said James Scott, co-founder of and senior fellow at ICIT, in an interview with SCMagazine.com.
Some organisations also eschew endpoint solutions because they falsely believe they don't have data worth stealing on their network, the report continues. But the beauty of ransomware is that the affected data doesn't have to hold value to the cyber-criminal — it need only hold value to the impacted company that desperately needs access to it.
Ryan Brichant, CTO of ICS at FireEye, an ICIT fellow, posited in an interview with SC that endpoint security technology has been around for so long that “it's not the sexy security sell”.
Meanwhile, Malcolm Harkins, global CISO at Cylance and also an ICIT fellow, told SC he thinks that IT execs view older, traditional endpoint solutions as products that “deteriorate the user experience.”
ICIT predicted that ransomware, if left unchecked, will continue to propagate in new ways. For instance, the report says it “seems likely” that by the beginning of the second half of 2016, there will be a notable public case of bad actors using ransomware as a decoy, distracting the victim's IT resources while secretly exfiltrating sensitive data from affected machines.
In such a scenario, the valuable data is the true end game, while the ransom — if ever paid — is essentially a bonus. “A lot of times we're seeing chatter on dark web forums that the most sophisticated [cyber-criminals] don't care about getting the ransom paid” in a case such as this, said Scott.
The report also foresees ransomware locking up industrial control and SCADA systems in the near future. SCADA — or Supervisory Control and Data Acquisition — systems enable the remote monitoring and control of industrial processes. These operations technology (OT) systems are particularly vulnerable, as they are generally antiquated and thus not equipped to thwart cutting-edge threats. The difference between IT systems and OT systems, said Brichant, is that while IT systems are vulnerable to zero-day threats, OT systems are susceptible to “zero-decade threats”.
“The chances of us already having had a [ransomware] attack on these infrastructures are high,” Brichant added. It's just a matter of whether or not the affected industrial organisation is willing to divulge the attack.
“I'm surprised that hasn't happened yet, frankly,” Harkins agreed, also referring to a ransomware attack on an ICS or SCADA system.
The report also predicted future ransomware attacks on IoT devices and Internet-connected cars. “Let's say I've got an electric ignition and… now I can't start my car until I've paid in bitcoin,” he said, envisioning one possible ransomware scenario. “Or let's say I've got traditional keys, but the car uses a passcode or fob or my fingerprint to unlock the door.” A cyber-criminal could theoretically take control of the locking mechanism and forbid entry until the ransom was paid, Harkins added.