When it comes to the ongoing battle between the ‘bad guys’ and the ‘good guys’, the stakes get higher and the fight more furious each and every year. Justin Richards MBCS recently spoke to several security experts about the ongoing challenges in securing both businesses and nation states and reports back.

Security experts approach the security problem from different angles, depending on what field they’re currently working in, so there will always be some personal bias. That aside, there is general agreement on some factors that are currently affecting the industry, including the explosion in the use of ransomware and the growing importance of threat intelligence.

Crypto ransomware is making a lot of noise at the moment. It encrypts all the files on a person’s machine, delivers a ransom note and demands payment to get the files back. It can also encrypt all the files on a network share. The big difference here is that this malware announces its presence, unlike many other types of malware, which try to remain hidden.

A crypto-crisis

According to Dr Ian Pratt, Co-Founder and CEO, Bromium, ‘There are many businesses which have spent hundreds of millions of dollars on end-point security, which are still getting hit by Crypto-locker.’ He went on to say that: ‘With Crypto-locker it would certainly mean that they’re getting hit by some of the stealthy malware from nation states that are trying to extract their IP or their credit card numbers etc.’

Mark James, a security specialist from Eset, confirmed that ‘from a threat point of view ransomware is a main concern at the moment. Malware is fixable with the right knowledge, the right tools. The only options then are to pay the bad guys, which is funding criminal activity, restore from back-up - if they’ve got a back-up - or hopefully wait for a free decrypt to become available to unencrypt the data. This all means that we need to have high levels of detection and to deliver consistently good products.’

What makes ransomware even more galling to its victims is the fact that even paying the ransom isn’t necessarily going to get your files back. However, from a business model point of view, it’s in the criminals’ interest to decrypt the files, because they still want you to trust that if you pay your money you’ll get your files back.

There is, however, a fly in this particular ointment. Mark James went on to say: ‘If the law authorities or the anti-virus firms bring down the servers, which are actually distributing these decryption files, then you’re never going to get your files returned.’

Your money or your files

Peter Cohen, Strategic Manager, Countercept, followed up by saying that: ‘Ransomware is very efficient at avoiding detection until it’s too late. Because of that there’s more and more variants being released. The latest variants, which have links to nation state bodies, are very challenging indeed. We are also seeing more customer data being lifted with the threat of publishing it in return for ransom money. It’s the same sort of business model, but with a different criminal approach.’

When asked what other major challenges the security industry is struggling to get to grips with, my temporarily tamed experts had a variety of thoughts on the subject. ‘It’s awareness to be honest with you’, says Dave Larson, Corero Network Security. ‘People have recognised that there’s a low level of DDOS attacks within their network and they think that maybe it’s benign and not really something they should worry about.

‘What we’re trying to do is to create a conversation with the IT security personnel about the fact that maybe they should look a little more closely.’ This comes off the back of two highly publicised breaches in the UK, namely Carphone Warehouse and TalkTalk, both of which had DDOS as an accompanying vector in the breach activity.

The skills gap

Javvad Malik, Security Advocate, AlienVault, on the other hand, was more concerned about the skills shortage in the security sector. He said: ‘The industry has grown really rapidly and the adoption of internet connected devices has far outpaced the pace at which professionals can enter the industry. That is definitely a big concern.

‘The second problem that we have, and this has been building for a while, is that companies tend to buy one of everything, so you need someone to manage each one of those point security products and end up having to hire five different people to manage five different products. So that lack of unification in the security products also lends itself to this challenge where if you have 15 products you need 15 people, so you’re always going to be playing catch-up.

‘Trying to consolidate and automate what we have, and getting smarter in how we deploy security technologies, that will be another factor in trying to eliminate the gap in skills.’

And with the skills shortages in mind, Javvad went on to explain why he thought threat intelligence is very important too. ‘Threat intelligence is so important because there’s a lack of skills generally in security, and you can’t expect every company to have a team of researchers - malware engineers etc. - you’re lucky to have one person dedicated to security.’

Javvad went on to say: ‘What threat intelligence does is give leverage to all your security professionals around the world to share information about all sorts of threats, (making each other aware of them). So when a ‘bad guy’ attacks one person, everyone can bolster their defences by sharing that intelligence amongst them.’

The cybercrime arms race

The idea of good guys and bad guys leads naturally to the question of who will win the war. Is cyber crime a nut that will eventually be cracked?

‘It’s a weird one’, said Javvad Malik. ‘It’s kind of like the war on drugs, or the ‘war on terror’ - there is no end in sight - it’s an ongoing sort of battle. I think the mind-shift of people will need to change over the coming months to realise that business models have changed, where they are almost entirely reliant on the data they hold.

‘There’s no real value in the physical stock or in the premises they have, the whole value is in the data. And I don’t think the penny’s quite dropped for a lot of companies yet as to how much things have changed. As soon as that happens, then I think we’ll see a lot more improvements going forward.’

‘It’s become clear that the attackers have huge advantages’, stated Dr Ian Pratt. ‘If the only tools you have to defend yourself with involve detection, the attackers are eventually going to win. But it doesn’t have to be like that.

‘Even areas such as formal methods coming from different areas in computer science can enable us to build far more secure systems. But we haven’t taken advantage of the alternative techniques yet. There’s certainly hope that we can do a much better job in future. We need to make it riskier for attackers, so that there’s increased personal risk to them, to reduce the number of attacks.’

‘It’s not a nut that can be cracked’, said Peter Cohen. ‘It’s an evolutionary arms race. Security products and services are evolving in relation to different challenges. We always think that we’ve plugged one particular problem and then the attackers come up with something else. It’s a case of making sure we can evolve to meet the challenges of today and tomorrow.’