A panel Tuesday at SC Congress Atlanta turned into a debate over how serious the threat posed by ransomware really is.
“It's all about money,” said panelist Phil Lambert, director, telecommunications and information security, Granite Services International. “Attackers are looking for revenue.”
But, panelist Winn Schwartau, CEO of The Security Company, was dismissive of vendors' claims as to the seriousness of ransomware. “I dispute all statistics provided by vendors,” he stated. “Is it real and will it increase? Certainly. But is it that important?” he posited.
Regardless, organisations have to have preparations in place. With ransomware, it's just another vector to be ready for, he said, emphasising the necessity of forensic capabilities. Entities have to understand the terrain – situational awareness – and include this new vector, he said.
A mature company would start with a security awareness programme, said Lambert. As for technical resources, he said, patch and vulnerability management are too often overlooked.
Backup is mission-critical, added Schwartau, explaining that, owing to paranoia, for his company he's set up three separate backup systems.
The discussion came down to the role workers play in clicking on malicious links. The solution, Lambert said, was to look around at the amount of information users have and discern whether they can get along without escalated levels of access.
Schwartau added that security pros need to look at human resources policies to know what the ramifications are if someone is a serial abuser or makes “stupid” mistakes that put the company's security posture in danger. The hiring office needs the ability to fire an employee who continually “screws up,” Schwartau said.
But, Lambert was more conciliatory. “We do have policies, but people forget because security is not the first thing on their mind,” he said. In the healthcare sector, for example, it's hard to justify budget for security when your priority is the patients.
He stressed the importance of presenting security awareness programmes to employees on a regular basis to bring it to the forefront. As well, he advocated for policies that restrict credentials.
CEOs just want an iPad and the ability to use it without any security precautions, Schwartau pointed out. Lambert responded that in that case it was necessary to get policies and technology in place before these execs were handed the devices.
Returning to the heightened media attention ransomware has been receiving, Schwartau claimed it was just another FUD (fear, uncertainty, doubt) exploited by vendors to make their offerings seem more essential. “There are no stats to back up its reputation as so prominent,” he said. There were only a handful of known instances, he added. “The media is grabbing on to it because it's sexy,” he said. “It's just another buzzword attacking your mind, as good marketing should.”
But, the fact is, technology controls are not available to deal with the scourge of ransomware, the panelists agreed. “We can require a digital cert but there are still people involved,” said Schwartau.
Plus, once you've been hit, there is the danger of the malware delivering further payloads that could siphon out your data, said Lambert. “The attackers could still be in your network.”
Both agreed that whitelisting was essential. However, there was disagreement over how difficult this is to achieve, particularly in large environments.
Despite that, a lot of organisations do not segregate departments internally, said Lambert. Infosec pros need to focus on who needs access to data.
No one solution is the answer, was the consensus. Schwartau proposed a new paradigm, which he is preparing for publication, called detection-in-depth.
For his part, Lambert said the roadmap to security must be flexible.