Cybercrime is a business, and the rising number and severity of attacks are not a result of criminals getting smarter and more skilled – a lot of businesses are just maintaining poor ‘cyber hygiene’.
That’s the opinion of SolarWinds MSP VP of security Tim Brown, who has over 20 years of experience in cybersecurity including roles at Dell, Symantec and CA Technologies.
“The threat landscape is always changing and that’s the constant we have. Since it’s a business, people are always looking for new methods to infiltrate systems and gain controls. When considering whether it’s better or worse, we see some signs that it could be becoming a little less benign and less angry, but still extremely active,” says Brown.
“Take crypto mining; this has evolved because the bad guys don’t necessarily want to be so bad—it’s easier to not inflict harm. They see crypto mining as an alternative as long as they’re getting their pay-out. One positive is that our ability to be able to stop threats is getting stronger, and we have an increased level of awareness (due in part to the media) that enables us to implement faster and smarter detection and response plans.”
Brown says that when you look at cybercriminals, there is organised crime and then there is the unorganised group that is just looking for a quick dollar.
“The criminal marketplace is pretty segmented. Some people are in place to create a botnet, some to discover a botnet, and some are using that to do a DDoS attack. The main avenue of attack is still the basic one—bad cyber-hygiene—and criminals are always searching for weak points,” says Brown.
“They will do a broad scan and look for systems that are vulnerable and then move sideways to attack. It can be broad-based or specialised, like we see in certain verticals. Take education for example with pre-credit youth data. Every type of data has a value on the dark net.”
Brown says while there are some cases where cybercriminals have become smarter and more skilled, the majority of attacks are still a result of poor hygiene.
“So when you look at organisations who do well on their hygiene, and you look at others who don’t, you can see a spike in attacks. It’s one of the reasons we are seeing a shift to the bad guys targeting more and more small-medium sized businesses who don’t necessarily have the same levels of sophistication or resources to protect themselves as larger organisations do,” says Brown.
“The cybercriminals use them as an entry point to get to the bigger organisations. That’s what we saw with the Target attack and the HVAC vendor that ‘let them in’ unknowingly. This is becoming a bigger and bigger problem for SMBs, which is why outsourced security services make a lot of sense for them.”
Brown says increasingly service people around the world are being trained to have cyber skills because there is no question that cyber is one of the largest battlefields of the future.
“The thing about most nation states is that they’re playing by rules they’ve played by for a long time; they’re just changing the attack method,” says Brown.
“But what they want to achieve is the same as it’s always been such as competitive intelligence gathering, governmental and political influencing, compromising assets such as critical infrastructure, election tampering, etc. It’s not that it’s so different now; they just have different tools to play with, and those tools happen to be cyber.”
SolarWinds MSP recently conducted a survey that analysed more than 200 UK and US IT security leaders on their awareness of and ability to defend against major cyberattacks.
“Looking at attacks like WannaCry, Petya, and the Vault 7 leaks, we found that a majority of businesses across all sizes don’t have the right resources to be able to overcome these types of threats. According to the survey, there is a continued increase in IT skills shortages which plays a large factor,” says Brown.
“In addition, less than half of respondents believe their organisations’ enabling security technologies and budget are sufficient to prevent, detect, and contain risk. Taken together, these findings support earlier results that show a low rating by security leaders about their organisation’s ability to curtail cyberthreats, such as ransomware or Vault 7-type attacks.”
As for which type of attack businesses need to be more aware of, Brown says that while vertical and geography may play a role, it comes down to one thing.
“The bigger and more important factor is, what is the organisation’s crown jewels? In other words, what are they worth to the bad guys and how can the bad guys use them to infiltrate theirs and other connected systems? Our recent cyberthreat survey interestingly showed that about 30 percent across the board don’t feel these factors are that critical. And to a large degree, they’re right,” says Brown.
“An organisation needs to be sure it has a good incident response plan in place that gives it the ability to act swiftly across people, process, and technology, to lessen the probability of an attack and its impact, if one occurs.”