Your questions from the Year of the Defender webinar answered

From tips on how to help business executives better understand risk acceptance to defining supply chain attacks to insight on how to overcome the security talent shortage, Cybereason CSO Sam Curry fielded several participant questions following our webinar on security trends for 2018.

In this blog, Sam answers some of the questions that he wasn’t able to get to following the webinar. Listen to a recording of the webinar or check out the slides to learn how security leaders can mitigate threats including fileless malware attacks, supply chain attacks and destructive attacks and why, despite ever-evolving enemies, 2018 has the potential to be the year of the defender.

Extending the concept of risk management beyond the CISO and CIO is great. But how does management handle the concept of risk acceptance?

This varies greatly by company. However formalized or not, risk conversations are happening. If your company is smaller and less formal, you may have a chance to lead it.

If it's larger and more formal, this is your shot to get involved. Go find that conversation and build relationships, listen a lot and adapt to that conversation. It's not the job of the business to learn security. It's our job to learn the business and plug in.

Could you provide a few more examples of supply chain attacks?

Think of this as the literal supply chain as in a manufacturing case but also in the ecosystem of partners and suppliers of products and services, from recruiting to HVAC to legal to development and even consulting. There are many trust relationships that can become vectors into the organization from outside the corporate footprint.

The data stolen in attacks is selling for less on the black market. Will this lead to an increase in attacks on critical infrastructure and IoT platforms?

Yes. It means knowledge-based authentication is dead. It means better mapping of trust pathways. It means better abilities to blackmail, spear phish and bribe, which generally means an increase in effectiveness and attack diversity. But not direct IoT yet. I don't think there's a correlation here with IoT, but both are independently too easy, so expect both to be exploited in parallel. Why not? Low-hanging fruit to grow sophisticated actors’ asset base is job number one.

Since finding talent is very hard, should the security community be open to candidates from other technology areas like application development, infrastructure and tech management?

Absolutely. We would be fools not to welcome folks with transferable skills, affinities and the right attitude. My new year’s resolution is along these lines. Let's welcome everyone here and look to make it easier, deeper and clearer as a career path!

How likely is cyberwar and what form might it take?

We need to stop thinking of war here as a binary. It's a continuum. It's not just about all-out war. So I don't think all-out war is imminently likely. One day, sure. Not yet. But a gradually heating Cold War is already happening: unlike the historical Cold War, it's multipolar and there is not enough detente yet!

Did Cybereason coin the term destruction ware or is it an industry term? If the latter, what’s the difference between destruction ware and other attacks that destroy something?

Yes, that's all me. I use it to differentiate financially motivated blackmail and destructive malware from purely destructive malware where there's no bribe in the world that will save your data. NotPetya used techniques that were similar to ransomware. But no payment was going to save your data if your machine was infected. The guise of NotPetya being ransomware was, at best, a distraction and might have made the damage worse by leading defenders to think a payment could resolve things.

About the Author

Fred O'Connor

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.