CS Jan-Feb 2024
Ransomware

WE SHALL NOT BE MOVED!

SEVERAL COUNTRIES HAVE TAKEN A STAND AGAINST RANSOMWARE ATTACKS BY AGREEING NOT TO MAKE PAYMENTS TO HACKERS
shoplifting. Ransomware is an epoch event in information security: CISOs who have promised to 'protect the business, if only I have enough people and budget' are just doing performance art," adds Gladwell.
The US government and dozens of its international allies have pledged never to pay ransom demands, in a bid to discourage financially motivated hackers and ransomware gangs profiteering from the current onslaught of cyber-attacks.

The joint pledge is aimed at enhancing international cooperation to combat the growth of ransomware. It embraces 48 countries, as well as the European Union and Interpol, making it the largest cyber partnership in the world. (Anne Neuberger, the White House's deputy national security advisor for cyber and emerging technologies, recently reported that another country has joined the Counter Ransomware Initiative (CRI) since the meeting, bringing the total number of countries to 49.)
The European Union and INTERPOL have also signed the pledge, which stops short of actually banning companies from making ransom payments, something the US government has long warned could inadvertently create opportunities for further extortion by ransomware gangs. However, Neuberger says that the initiative will aim to "counter the illicit finance that underpins the ransomware ecosystem".

Her argument is that ransom payments not only fuel future attacks, but also don't guarantee the safe return of stolen data, or that all copies have been erased. Data provided to the US government by ransomware negotiators shows that companies with good backups are able to recover "far more quickly" than companies that pay a ransom. "Paying a ransom not only encourages ongoing ransomware attacks, it also is not necessarily the fastest way to recover," she insists. "Do those backups and do the basic cybersecurity practices that we know make a difference."
RAD-ICAL THINKING

While the 'don't pay, won't pay' mantra serves as a laudable goal for reducing the motivation of attackers, organisations need to have the resilience to withstand attacks before they are forced to take this position, states James Blake, EMEA CISO at Cohesity. "Best-selling author Malcolm Gladwell nailed it in his closing keynote at Mandiant's MWise conference…when he talked about 'Radical Asymmetric Distribution' (RAD): organisations are better off investing in the ability to recover quickly and withstand attacks than invest in the illusion that we can stop all attacks."
CISOs have to start having adult conversations with the business and stop suggesting that "cyber risk is unlike any other risk. It needs to be brought into the realm of every other operational risk that is a cost of doing business, such as pandemics, hurricanes and

"Only focusing on likelihood mitigations when you're facing the inevitable is an act of insanity. Impact must be reduced and ideally resilience achieved. We starve the adversary of funds by organisations being able to withstand attacks, not by legislation. That will only criminalise the victims. Fundamentally changing the perspective on the balance of Protection/Detection to Response/Recovery is where value will really be delivered. Legislation like the EU's DORA that promotes digital operational resilience will deliver far better pragmatic cyber risk management than simply locking up executives."
BREACHED, BIT BY BIT

Satnam Narang, senior staff research engineer at Tenable, highlights how LockBit is breaching some of the world's largest organisations, many of which have incredibly large security budgets.

He also points to how threat researcher Kevin Beaumont found that attackers have been targeting a vulnerability in Citrix NetScaler, called CitrixBleed, after tracking attacks against various companies, including the Industrial and Commercial Bank of China (ICBC), DP World AU, Allen & Overy and Boeing.

Narang believes ransomware attacks are a threat to civil society for as long as organisations keep paying. Therefore, large-scale enterprises need to be able to patch vulnerabilities like CitrixBleed quickly. "Mass exploitation of CVE-2023-4966, a critical sensitive information disclosure vulnerability in Citrix's NetScaler ADC and Gateway products, has been ongoing since October 30 [2023]. Dubbed 'CitrixBleed' by researchers, at the time there were estimates of 30,000 internet-facing assets that were vulnerable to this flaw. Recent analysis suggests that the number has
computing security Jan/Feb 2024 @CSMagAndAwards www.computingsecurity.co.uk