Every cyber security speaker has a presentation on “Threat Landscape” or “Cyber Crime” that is his or her go-to when talking to non-technical audiences who need to understand the world of cyber criminals and the bad things they can do to them. I’ve been using mine since 2005, and have continually updated it as threats change and new events occur. Back in 2006, I added a slide called Ransomware when the industry was introduced to the Zippo Trojan. This malware encoded (not encrypted) your drive and asked you to send $300 to an e-gold account. It wasn’t very sophisticated, and we could easily find the password on the hard drive. The next summer, someone (or maybe the same group) came out with the Gpcode Trojan, which used real RSA-4096 encryption, but also only charged $300. The next summer it was updated to GPcode.ak, which was more sophisticated, though the ransom price stayed the same. This pattern made me think it was some “summer project” for a Russian hacker or student. The pattern continued for a couple more years until I eventually stopped using the slide because I felt Ransomware had finally become mainstream.
Today we’ve just gone through Cryptolocker, which was the most advanced and effective ransomware tool to date, garnering over $100 million from businesses and consumers worldwide. And we recently saw the first widespread mobile ransomware for Android users, ANDROIDOS_LOCKER.A, eventually catching the guys who did it here.
The point of this history lesson is that even though these Trojans are not stealing data, or passwords, or credit cards, they have an impact on the enterprise and on individuals. This is due to loss of productivity and/or the actual cost of paying the ransom. Imagine if this happened to your personal PC, which stored decades of your family photos, or imagine if the only draft of that critical proposal was on your corporate laptop that was infected by Cryptolocker. The impact would be significant if you did not have a backup.
Security is more than protecting data; it’s also about maintaining access to the data used for the business, and ensuring that data is accurate. As we move to a more mobile enterprise, much of our data is in the cloud, which provides a good opportunity to maintain “business continuity,” as we can access it from anywhere on multiple devices. But we still hold a lot of data on endpoints and mobile devices. We can’t forget that cyber security is really about risk management, and the risks to our enterprise or personal data are not just “unauthorized access” to that data. Security architectures and security processes need to account for the availability and integrity of data, and weigh the prioritization of these factors against the confidentiality of the data being used. One might realize that encrypting data is not always the first step, and that it might actually hamper the speed of access to the data, which might be more critical to the business process. Risk management is tied to the business process, not to the technology. It starts with the business requirements, then finds a way to protect those business processes, and finally determines what technology will help manage those controls.
For more info on the topic, here is a good primer on ransomware.
– Rick Doten, DMI Chief Information Security Officer (CISO)