I get a semi-regular update from Varonis on what it’s seeing in accounts, and this last briefing was particularly frightening. So much so that I asked to speak to one of the firm’s customers, which had uniquely extended its deployment of Varonis’ tool from IT management and compliance and its email and file servers to every server the company had, in order to assure compliance and catch breaches that other firms were missing.
What I think is particularly concerning is that breaches are now being identified that most companies aren’t even aware are happening. This suggests that a lot of you may be on the verge of a Yahoo-level event that may have actually already occurred. And, like Yahoo, once that kind of a breach is discovered, the whole “ignorance is bliss” thing that most firms seem to be operating on will be proven false.
Let’s talk about some of the discoveries.
Ransomware Is Rampant
Currently, Varonis is estimating 100,000 ransomware attacks worldwide a day. Now, most of those likely would have been unsuccessful, but remember that this is only the clients of Varonis; for those firms that don’t have some kind of aggressive access monitoring and reporting tool in place, these attempts are likely not being captured and reported. Because of the huge revenues involved in these attacks, a lot of work is going into improving the effectiveness of this class of malware. We also know that, often, these things lie dormant for extended periods and then execute at either a predetermined time or on command, and that some companies have been hit by the same attack again after paying the ransom. This suggests that, at some point, continuing to access your files may require a recurring fee to the entity that infected your company.
As this class of malware gains intelligence and, like other malware types, becomes polymorphic, it may become impossible to eradicate it once infected, and every time your firm writes that check, it’ll be a black spot on your CSO’s record.
Employees Are Doing Stupid Things to Get Jobs Done
Varonis is tracking increased bad behavior among employees. Because servers and permissions are hard to get, two unfortunate practices have come to light. One is that employees are having their privileges escalated so they can more easily get to information they occasionally need to use. This means they have excessive access, which means if they or their PCs are compromised, the amount of damage done will be at least an order of magnitude greater due to this policy violation. In addition, they are copying entire repositories in order to be able to search more quickly, and often putting them on thumb drives and taking them home. The U.S. Office of the Comptroller of the Currency just reported a 10,000 document breach from just such an action. The Hillary Clinton email server scandal is another example of someone doing something extremely stupid, allegedly for convenience, and it may yet cost her the election (and certainly made the U.S. government look negligent).
Executives Aren’t Immune
On one Varonis account, the HR director was flagged as suddenly copying massive numbers of company documents; it looked like a Snowden-level breach. What had happened is that the HR director’s PC had been compromised by malware and turned into a zombie; the remote attacker was using the HR director’s access to mine the firm for a vast trove of employee records. The attack was caught and shut down quickly, but it is doubtful that this is the only breach of its type going on. Had the firm been badly damaged or embarrassed, it would likely be looking for a new HR director. And had they not discovered that the PC was compromised, criminal charges could have resulted against this poor employee.
By the way, I should point out that kids aren’t immune to this, either. I got a call the other day from an attorney who was defending a kid who had been expelled after he graduated for sexting a teacher. He lost his degree and was being criminally charged, even though it seemed clear his PC had been taken over remotely. Keeping your kids protected as well as your executives should likely be a higher priority than it is.
My Interview with a Savvy Cybersecurity Pro
I had a fascinating interview with Stuart, who works for a financial firm in the health care industry. Firms like this don’t like to share their identity, which is unfortunate because Stuart appeared to understand the need for total coverage and separation of duties (a fundamental practice to assure against internal breaches and particularly embezzlement). While typically firms only protect their file and email servers, he’d wrapped every server the company had with access monitoring, largely in order to track any escalation of privilege or unusual access in order to prevent the firm’s servers from being taken over.
This has given his firm a level of protection against a broad set of threats, and he even ensured that another senior employee would get alerts if he himself was compromised, something that CSOs often forget. At one point, he shared, he even braced his CEO for not taking security seriously enough. This speaks well for the CEO: Rather than being fired, Stuart got the resources he needed to address the vulnerabilities he had identified. We desperately need more CSOs and more CEOs like these.
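The two things the monitoring described above is there to catch, a user suddenly reading far more files than their own history suggests (the HR director case) and an account being escalated into an administrative group, can be expressed as simple checks over an access log. The following is an added example of such checks, not code from the column or from Varonis; the log events, user names, group names and the 10x threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed audit events: (day, user, action, target). Days 1-5 show each
# user's normal activity; day 6 holds a burst of reads by hr_director and an
# addition of jsmith to an admin group. Names and paths are made up.
EVENTS = [(d, "hr_director", "READ", f"hr/emp_{i}.pdf") for d in range(1, 6) for i in range(3)]
EVENTS += [(d, "jsmith", "READ", f"finance/q{i}.xlsx") for d in range(1, 6) for i in range(2)]
EVENTS += [(6, "hr_director", "READ", f"hr/emp_{i}.pdf") for i in range(120)]
EVENTS += [(6, "jsmith", "READ", "finance/q1.xlsx"),
           (6, "jsmith", "GROUP_ADD", "Domain Admins")]

# Hypothetical list of groups whose membership changes should always alert.
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins"}


def daily_read_counts(events):
    """Return {user: {day: number of READ events on that day}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, action, _target in events:
        if action == "READ":
            counts[user][day] += 1
    return counts


def find_mass_access(events, day, factor=10):
    """Flag users whose READ count on `day` exceeds `factor` times their mean
    daily count over all earlier days. Users with no history are skipped, so
    the check only fires on a change from an established baseline."""
    counts = daily_read_counts(events)
    flagged = {}
    for user, per_day in counts.items():
        history = [n for d, n in per_day.items() if d < day]
        if not history:
            continue
        baseline = sum(history) / len(history)
        today = per_day.get(day, 0)
        if today > factor * baseline:
            flagged[user] = (today, baseline)
    return flagged


def find_privilege_escalation(events):
    """Return (user, group) pairs for every addition to a sensitive group."""
    return [(u, t) for _d, u, a, t in events if a == "GROUP_ADD" and t in ADMIN_GROUPS]


if __name__ == "__main__":
    for user, (today, base) in find_mass_access(EVENTS, day=6).items():
        print(f"ALERT mass access: {user} read {today} files vs baseline {base:.1f}/day")
    for user, group in find_privilege_escalation(EVENTS):
        print(f"ALERT privilege escalation: {user} added to {group}")
```

In a real deployment the events would come from server audit logs rather than an in-memory list, and the escalation alert is the one that should also be routed to a second senior person, as the column recommends.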
This all reminded me why the cybersecurity job sucks. You generally are underfunded and under-resourced. If no one breaches, that is just your job. If someone does breach and you catch it, it may be seen as partially your fault. You constantly worry about what you can’t see, and every coworker is a potential breach source, so you too often are telling people things they don’t want to hear.
Wrapping Up: Things Are Worse Than You Think
Breaches have become a way of life; we have known for some time that perimeter security is dead, and we got a reminder of that with the IoT DNS DDoS last month. So we need to get our hands around access controls and monitoring because bad guys are in our firms (for instance, did you know you could buy compromised servers in major companies now?). In the end, this is all a reminder that if we don’t step up with regard to security, we are likely to be stepped on. I guarantee we won’t enjoy the experience.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+.