Ten years since the first corp ransomware, Mikko Hyppönen sees no end in sight This year is an unfortunate anniversary for information security: We're told it's a decade since ransomware started infecting corporations. Extortionists had been hitting normal folk in the early 2010s with file-scrambling malware. Eventually criminals figured out that there was much more money to be made hitting business …
"There is one bright light on the horizon, for security folks at least: If you work in the industry, and you're good at it, then it looks like you've got a job for life."
It assumes you are given the budget to do the job properly and we increasingly hear of the bean-counters seeing money spent in this direction as non-productive so inadequate resources are made available and there is also a lack of pen testing.
Secondly you've got to be at the top of your game all the time, ensure all patches are applied in a timely manner, staff are properly educated against phishing attempts etc. You've got to block and deal with every attempted intrusion, while the scumbags have only got to succeed once for you to be considered to have failed in your role.
Don't think I'd want the stress - or to deal with any politics, intransigent management and indifferent users.
I agree. I'm surprised that after all these years users still have unfettered access to open random attachments or click random links. A security conscious environment I worked at twenty years ago blocked such access as well as disabling users from plugging in random USB sticks etc. Special permissions had to be approved on a case by case basis by IT security to access potentially hazardous email attachments. Even incoming physical mail and parcels were scanned and searched for anything suspicious.
Unfortunately it still leaves open the risk of gullible users falling for phishing scams by convincing and assertive callers. In mitigation, to a certain extent, the users should be restricted to access only what they need to do their job and nothing more.
I'll just add, that a phished user could disclose enough information to allow the scumbag to move sideways or deeper within the organisation. The more information they have, the more convincing they can sound to their next victim.
Ultimately, I think lots of people could fall for phishing in the right circumstances at the right time. A friend of mine was dealing with Microsoft support regarding an issue they were having within their business and guess who phoned while this was happening? "Hello, this is Microsoft support". They fell hook, line and sinker for the scammer. It was only a few minutes after they had given the scammer full access to their systems that the penny dropped whilst she was talking to a colleague and the plug was literally pulled.
Agreed. As a consultant, I have worked for the past two decades in various environments. Many times, especially in the banking industry, I have been given workstations with which I had no access to either USB ports or network shares. I only had the access I strictly needed to do my job.
I'm thinking that there should be a default security package by now, which locks down Windows to only use whatever IT has installed, only access whatever network is made available, and shuts down those damn USB ports.
That shouldn't be so hard, now should it ?
It isn't that hard. The two hard parts are getting IT to do it in the first place and getting the business set up so that such a mode does not negatively affect productivity. The second issue is often the largest obstacle, because no matter how much IT might demand to do it, if stuff breaks, they'll often be overruled. However, IT not wanting to is part of the problem in some cases and shouldn't be ignored.
I'm thinking that there should be a default security package by now, which locks down Windows to only use whatever IT has installed, only access whatever network is made available, and shuts down those damn USB ports.
How would the 'default security package' know what software the IT has installed? If all USB ports are shut down, connecting local keyboard/mouse/printer could be problematic in today's computers.
You can easily restrict Windows to allow only binaries in the Windows / Program Files folder structures. Or specific hashes of allowed binaries outside those locations. You can also block all USB storage, or only allow whitelisted USB storage hardware ids (which obviously isn't a perfect solution). The security package to configure both setting is called the Group Policy Editor and comes with every Windows Server / Workstation.
If you want to go the 3rd party way, there are security vendors with central management software and locally installed agents which can do the same and more.
How would the 'default security package' know what software the IT has installed?
Er, Windows has this facility built into the OS. In multiple ways, in fact. For that matter, you can achieve it on pretty much any multiuser OS just by limiting end-user privileges.
Regarding the original suggestion, I think a lot of the attack surface can be removed just by denying that stuff by default, and making users raise tickets with justification if they feel they need it. Then those for whom it's enough of a problem will get the bits they need, and those who just wanted to play games or whatever won't make the effort, and the end-user devices are that much more secure in the aggregate.
Someone who picks up a USB thumb drive in the parking lot won't plug it into their work machine if that machine doesn't allow external storage devices without going through hoops. They'll wait and plug it into their personal machine at home, and then at least the infection is their problem, not the company's.
"Anyone who correctly identifies and draws to their mangler's attention a phishing attempt without falling for it will receive an immediate £50 cash bonus and the afternoon off"
Set the incentive appropriately, staff will train themselves.
"Anyone caught creating a fake phishing campaign directed against themselves will be moved to the IT department as punishment"
Don't blame the users. They get anti-phishing training, but they're also bombarded every day by legitimate email messages asking them to click links. I see a steady flow of "is this a phish?" queries to IT in Slack, and that doesn't include the people who just click the "report phish" button (which is what they should do).
The problem is the vast number of businesses who refuse to give upon asking people to click links in email messages. Docusign. Shipping companies. Survey and marketing firms. Financial companies. Medical providers.The list goes on and on.
At a previous employer, the IT department arranged for anti-phishing training from an external firm and then sent an email with a link telling everyone they needed to click on it to start their training. I think every person in the software-security group sent back a reply pointing out whoever did that was an idiot. Didn't change their behavior, though.
MIME is right up there with nullable columns in relational databases and in-band signaling in C strings for the worst ideas in software. We need to shut that crap down.
Nothing is foolproof because fools are so damn ingenious.
A previous employer sent a series of vaguely obvious fake phishing messages to all staff. Clicking the first link took you to a 'oops, silly' web page, the second to a mandatory repeat if the infosec training and the third took you to HR for formal disciplinary action.
A colleague managed to click a link while everyone around was discussing the merits of the campaign in general and the specifics of the latest message. Literally interrupted the conversation to ask why an email about approving invoices had taken her to the corporate training page...
> A previous employer sent a series of vaguely obvious fake phishing messages to all staff. Clicking the first link took you to a 'oops, silly' web page, the second to a mandatory repeat if the infosec training and the third took you to HR for formal disciplinary action.
We got a presentation about not clicking dodgy links and so on, followed by an email containing related advice and a one-click confirmation link which had part of its content blocked due to it not being from a trusted sender.
It left me in two minds as to whether I was meant to click the link or the report button I'd just learnt about...
(I won't name names, but if they wanted their site to be taken seriously they could have chosen better!)
Banks still send out emails saying "Your account statement is ready to view... Click this link to access your account."
Utter stupidity.
Scammers simply need to send identical emails out but with a link that goes to a clone of the bank's website login screen, after that all bets are off.
Yes. All too often, though, the sender will provide an obvious link and then the "go to the site yourself" information in the small print. Docusign do that. They seem to want to make it difficult for anyone to avoid using the link; the instructions and code for using the site directly are buried further down in the message, and the "Access Documents" link on the website isn't prominent either (because most of the site's front page is idiotic marketing, of course).
Shoulbe be interesting as he's going to review those developments in cybercrim and also talk about the expected upcoming role of AI for perpetrators and defenders. One may imagine cybergangsterism unicorns (with all the dough they've raked in) to invest heavily in AI, raising the challenge level for defenders.
The question about insurance (in the interview) was also quite interesting (IMHO) as he suggested insurers may offer related coverage only to outfits with mature cybersecurity environments -- which seems quite reasonable, and may help raise awareness of the importance of adopting well-designed practices, systems, and strategies.
Mikko Hypponen: Open Source Software Will Make the World More Secure (2013)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
