Editor: Please tell us about your background.
Karchmer: I am a senior manager with iDiscovery Solutions (iDS). I began my consulting career almost fourteen years ago with a focus on digital forensics. I have now expanded that focus to include data breach response and ESI processing and review management. I have also offered expert testimony on matters surrounding those topics.
Editor: What are some recent trends in cybersecurity threats?
Karchmer: Many of the “new” cybersecurity trends are not very new. There has, in fact, been some uptick in malware-infected Microsoft Office files. That sounds like we are in a time warp, but some of the oldest malware threats from the 1990s were packaged as common Microsoft Office macro payloads and continue to be packaged as malware today. The variance and appearance of the malware may be new, but attackers tend to use very old, yet tried and true, means of exploiting systems. To counteract this, being vigilant, disabling macros, using strong passwords and practices, and following your information security policies can thwart many cyber threats.
Editor: Why are so many recent threats similar to past cyber threats?
Karchmer: Attackers are always looking for new ways to do old things that have worked in the past. Many attackers need to run their malware on a victim system, but in practice there is a limit to the number of ways that can happen. As a result, attackers look for creative ways to package and deliver their malware, whether by inducing victims to click on a link they shouldn’t or by getting them to give away sensitive information over the phone without verifying who the caller is. Email phishing scams also tend to work by tricking the victim or incentivizing the victim into clicking. Today, we see malware developers really paying attention to the software and the services that people are using and capitalizing on that interest – one example is the rise in “free to try” cloud storage services. Companies need to be especially wary of tech offerings that seem to offer time-saving strategies which are, in reality, security risks. Sometimes employees will save documents to the cloud using these “free” services, but in doing so usually end up completely bypassing their organization’s information security procedures. Applications for file sharing and cloud storage are also often preloaded on devices or computers, making their use very attractive to individuals who want to access work documents from their phones, tablets, and other computers.
Editor: It’s preloaded so it should be okay, right?
Karchmer: Well, that’s what most of us would tend to think. However, once a service becomes popular and easy to use, it can become an efficient tool to transmit malware. Within these systems, attackers may embed documents and create links that look more legitimate than the malware of the 90’s. People are more likely to click a link if they believe they are opening a document hosted by a known, popular cloud service with a recognizable name.
Editor: What should companies be learning from these repeat threats, and how can a business adjust its cybersecurity policy to protect itself from future attacks?
Karchmer: The goal is to have good information security practices. Know what your systems are. Know where your data is and where it goes. Know how your data is protected and identify potential weaknesses. It’s also important to remember that identifying vulnerabilities should be an ongoing practice. For example, you should regularly assess traffic to and from your web applications. If your application is suddenly sending huge amounts of data to IP addresses in Eastern Europe, and your system does not normally do that, this should be a red flag. If you are a small organization that outsources some of your information security, you should at least have access to firewall and traffic reports. Think also about how your employees use company information systems. If an employee doesn’t need administrative rights to install software for his job function, then he shouldn’t have it. You might also consider disabling the use of USB devices for employees that do not need to use them.
Editor: What is Cryptolocker?
Karchmer: Cryptolocker is in a class of malware known as ransomware, which, as you might expect, holds your data for ransom. When Cryptolocker attacks a system, it will encrypt documents and display a ransom message on the screen directing the victim to pay a specified sum in a certain amount of time. If that time elapses, the ransom amount might increase and, if too much time passes, your data may be permanently lost. It should be noted your data may be lost already, and paying the ransom is a shot in the dark. There is no guarantee you will get your data back even if you do pay.
Editor: What can a business do to protect itself from ransomware like Cryptolocker?
Karchmer: Regularly patch your systems and applications, use antivirus software, and consider enabling a software policy that prohibits the ability to install or execute software. Businesses should also regularly direct employees not to click on links they are not expecting. User education is important, and it’s worth reminding folks once or twice a year how to be a good digital citizen. To minimize any threats, including ransomware, backup your data and have a disaster recovery plan. Natural disasters can destroy data, but so can malware.
Editor: Are more network threats coming from internal or external sources?
Karchmer: The data we have on this is imperfect because it is limited to those organizations that have reported network security incidents. The Verizon Data Breach Investigations Report has been compiling information for about ten years, and its reporting shows that the majority of threats are still coming from outside the organization. Thirty-five percent of the reported breaches in 2013 were attacks on web-based applications. These are not attacks directed at company networks, but rather the web-facing applications that are used by a growing number of companies. The report also indicated that cyber espionage or attacks from state-sponsored actors made up twenty-two percent of the reported breaches in 2013. Internal threats are somewhat steady since 2011 – insider misuse and physical theft accounted for eight percent of reported breaches over the last few years.
Editor: How can a business identify its vulnerability to internal threats?
Karchmer: Every organization has to consider what employees have access to and whether or not they need that access. In projects dealing with allegations of trade secret theft or intellectual property theft, often a disgruntled or departing employee might try to take data with him by copying data to a USB drive or by logging onto his personal web-based email account and sending files to himself in an effort to circumvent the corporate email system. To protect from potential threats associated with an employee separating from the company, an organization might consider blocking access to web-based email sites or prohibiting the use of USB devices on workstations. It depends on what suits the business and what makes sense from an operational standpoint.
Editor: How has the role of the corporate IT department changed to better prepare for cyber threats?
Karchmer: Managing IT risk and managing IT operations are very different disciplines, and companies are just beginning to see the value in creating separate roles to manage those functions. For organizations that are large enough to do so, creating a devoted chief information security officer (CISO) position and a security department can help to better define responsibilities within the organization. The primary role of the CISO is to protect the enterprise’s information assets – they are responsible for reducing risks to the IT infrastructure, overseeing regulatory compliance and also for creating the company’s standards for incident response. Today, however, it’s common to see responsibilities for information security get lumped in with the CIO or IT department, which is responsible for the organization’s systems and operations.
Organizations that are thinking of creating a CISO position should review their corporate structure to ensure the CISO reports to the appropriate executive and is not just established as a figure-head position. Ideally, a CISO would report to the CEO or executive team. In practice, perhaps because it’s a newer role, the CISO often reports to the head of IT or the CIO.
The impression of what role the CISO should play may need some improvement. There was a recent vendor survey of two hundred C-level executives in U.S. companies with a CISO management position that illustrated the conflicting opinions about in-house information security. Forty-four percent of the executives surveyed said that the CISO should be held responsible for all data breaches and fifty-three percent said the CISO should also be responsible for all cybersecurity-related purchasing; however, a much larger seventy-four percent of them stated that the CISO should not be part of the executive management team. The title may be gaining popularity, but this data also suggests that the CISO may be viewed as a scapegoat. CISO is a specialized position that few people can satisfy, but it’s also one that has very heavy responsibilities, so it should be structured in the organization accordingly.
One noted example where good structure could have made a difference, if it was in place, was Target. Target didn’t have a CISO or a separate IT security team prior to their well-publicized breach last December and those people that were in charge of information security reported to IT management or were themselves IT management. That, of course, has since changed.
With the benefit of hindsight, we can look at any company that has had a breach and speculate as to whether the breach would have occurred if they instead had a devoted information security team, rather than lumping security responsibilities on top of IT operations. For an IT department tasked with managing both operations and security, the security side is sometimes overlooked as long as operations are running normally – especially if IT is overworked. Having a devoted security department, with employees whose role is solely information security, may make a difference. No organization is immune from network attacks or malware, but having a security department to focus on threats might prevent more breaches.