Read the original text at epravda.com.ua.
Ukraine is losing a cyberwar. For the second consecutive year, unidentified attackers have been conducting systematic attacks against IT infrastructure and major projects in the energy sector, public finance, transport, and communications.
Possibly the attacks are unrelated to each other; or perhaps they are merely probing for "loopholes" in order to deliver a crushing cyber strike across the whole country simultaneously at some point in the future.
We met with one of the leading experts in cyber security at Cisco, Martin Lee. He heads the engineering department of Talos, a division of Cisco that investigates and analyzes threats in the sphere of information security (IS).
Martin, what does Talos do?
It specializes in research and analysis of information security threats. Our team consists of 250 information security researchers and more than 600 software developers. Using telemetry data, we monitor attacks on computer systems and develop methods to counter attacks by blocking them. Our department usually does not work directly with clients, but any company that uses Cisco products for information security indirectly benefits from our work. In Ukraine that is more than 1000 clients of different sizes and forms of ownership, including banks, telecom operators, many government agencies and industrial companies.
How has the pattern of cyber attacks changed over the past decade?
In the last five years there have been changes in the strategy of the intruders. For example, instead of simply stealing data, they block access to it for the purpose of extortion. They install a program that encrypts the data and demand a ransom for decryption.
The heyday of this strategy is helped along by the growing popularity of electronic payments and cryptocurrency. According to the FBI, in 2016 virtual extortion became one of the most profitable kinds of hacker software, with an estimated yield of $1 billion by the end of 2016.
In recent years the volume of malicious code for mobile platforms has been growing like an avalanche. Traditional threats such as DDoS attacks are not giving up their positions either. According to the forecasts of some experts, they should have sunk into oblivion by now. However, in October we witnessed a large-scale DDoS attack. A large number of compromised devices, including cameras and DVRs, were involved in it. It had a significant impact on a large part of the network. The number of threats to such smart devices connected to the network will increase significantly with the growth of the Internet of Things.
Is it true that in 99% of cases users themselves provoke a hacker attack by running infected files received by e-mail?
Yes, cyber criminals have become skilled in methods of manipulating consciousness and social engineering. They can make an e-mail with malicious content look no different from a normal one. The end user only has to lose attention for a second, or confuse a letter sent by an attacker with an expected work message, for malware to land on the computer after a single click on a hyperlink.
For example, attackers can send a letter from a slightly modified address, replacing similar-looking letters, writing an l instead of an i, and so on. Or they can even display the name and address of a trusted sender, using known vulnerabilities of the mail protocols.
On the other hand, attackers can infect a user's computer even when the user does not open any files. An example is the use of ordinary online advertising on completely trustworthy sites.
It works like this: the user visits a web page and does not notice that an advertisement in the browser, whether placed fraudulently or legitimately, performs a redirection. Having landed on a malicious site, the device becomes infected without any further user interaction.
It is important that users are aware of the possible methods of attack and can reasonably foresee and confront them. For example, to train users within Cisco we use a third-party service that sends phishing messages. When our employees open these letters, they get a warning that they have become a victim of phishing. This helps them to be more careful in the future.
How would you recommend forming the cybersecurity budget of a private enterprise or a government agency?
Any organization should analyze its risks and business challenges: think carefully about what might go wrong and what can follow from it. If you manage a manufacturing company and are planning to introduce new IT technologies for industrial automation, you need hardware and software that create a reliable level of security for your processes. If you manage an organization with a large staff, for example a government agency, you need to pay special attention to training personnel. If your company has been set the task of entering European markets and being certified under international ISO standards, you need to budget for the additional consulting and audit.
However, we understand that 100% protection does not exist. No less important is behavior during the attack and after it. It is necessary to invest in solutions that can reduce the time to detection and reduce the effects of the attack.
Do you agree that the successful attacks against Ukrainian power companies in December 2015 were possible because of negligence by the power companies' employees?
I cannot discuss this specific attack. I suggest instead understanding the anatomy of such attacks in the industry as a whole. Blaming only the end users greatly oversimplifies the causes of such breaches and the technology behind them. Such targeted attacks are carried out by organized groups that can find vulnerabilities in almost any organization. Criminals are well aware that the weakest link in any organization is the end users. On this basis they acquire the skills needed to build an attack in a way that lulls users.
Using social engineering, among other things, attackers can get a user interested enough to open a malicious letter. Then the shortcomings of the organization's IT and information security come into play: lack of separation of privileges, physical connection of critical systems to the Internet, lack of information security monitoring, vulnerable outdated software, weak password practices and so on. One of the key reasons for the success of such attacks is no longer technical but organizational: the lack of attention from the company's management and owners to information security before an incident has happened, and the absence of a security policy at company level.
How can such attacks be detected and countered?
The information security structure should be multi-tiered. The first tier is perimeter protection. You must discover and confront the greatest possible number of attacks, while being aware that it is impossible to deal with all of them without exception.
The next question is: how soon can we find out that a breach of the perimeter has actually happened? Have attackers implanted malware in our organization's network?
Suppose we could not detect that the criminals had installed their programs on a computer inside the network. However, all these programs have a common weakness. In order to function, they need to exchange information with a host on the Internet and receive commands from the attackers. Therefore, the first line of protection against targeted attacks is information security monitoring and the necessary network segmentation, which isolates critical systems from the Internet.
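The two controls named in the answer above, watching outbound traffic for command-and-control activity and segmenting so that critical systems have no path to the Internet, can both be expressed as checks over a proxy log. The following is an added worked example written for this page, not code from the interview or from Talos. The log format, the IP addresses and the "isolated segment" range are all constructed; in particular, the 10.0.5.17 lines are written to look like a malware implant polling its controller every five minutes.

```python
"""Two checks on outbound proxy logs: (1) any connection at all from a segment
that is supposed to be isolated from the Internet, and (2) a host calling the
same external address at suspiciously regular intervals, as a command-and-
control beacon does. Log format, addresses and segment ranges are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption for the example: the control-system segment has no business on the Internet.
ISOLATED_SEGMENTS = [ipaddress.ip_network("10.0.9.0/24")]

# Constructed proxy log: "<ISO timestamp> <src ip> <dst ip> <bytes>".
# 10.0.5.17 polls 203.0.113.9 every ~300 s; 10.0.5.20 is ordinary browsing.
SAMPLE_LOG = """\
2016-12-01T02:00:03 10.0.5.17 203.0.113.9 412
2016-12-01T02:01:10 10.0.5.20 198.51.100.7 15320
2016-12-01T02:01:12 10.0.5.20 198.51.100.7 8810
2016-12-01T02:05:02 10.0.5.17 203.0.113.9 415
2016-12-01T02:07:45 10.0.5.20 198.51.100.7 1201
2016-12-01T02:10:05 10.0.5.17 203.0.113.9 410
2016-12-01T02:12:30 10.0.9.3 203.0.113.50 77
2016-12-01T02:15:04 10.0.5.17 203.0.113.9 413
2016-12-01T02:20:03 10.0.5.17 203.0.113.9 416
2016-12-01T02:25:06 10.0.5.17 203.0.113.9 411
2016-12-01T02:30:00 10.0.5.20 198.51.100.7 22019
2016-12-01T02:31:15 10.0.5.20 198.51.100.7 640
2016-12-01T02:52:07 10.0.5.20 198.51.100.7 9908
2016-12-01T02:40:00 10.0.5.21 192.0.2.44 300
2016-12-01T02:41:00 10.0.5.21 192.0.2.44 300
"""

def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events

def isolated_segment_egress(events):
    """Segmentation check: an isolated segment reaching out is a finding by itself."""
    hits = []
    for _, src, dst, _ in events:
        if any(ipaddress.ip_address(src) in net for net in ISOLATED_SEGMENTS):
            hits.append((src, dst, "egress from isolated segment"))
    return hits

def periodic_beacons(events, min_events=6, max_cv=0.2):
    """Monitoring check: flag (src, dst) pairs whose inter-connection intervals
    are nearly constant. cv = stdev/mean of the gaps; real implants add jitter,
    so max_cv is a tuning knob, and min_events keeps one-off traffic out."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            hits.append((src, dst, f"beacon every ~{m:.0f}s over {len(stamps)} connections"))
    return hits

def analyze(text):
    """Run both checks and return a list of (src, dst, reason) findings."""
    events = parse_log(text)
    return isolated_segment_egress(events) + periodic_beacons(events)

if __name__ == "__main__":
    for src, dst, reason in analyze(SAMPLE_LOG):
        print(f"{src} -> {dst}: {reason}")
```

The segmentation check needs no statistics at all, which is the point of the interview's remark: if critical systems have no route to the Internet, any outbound connection from them is an alert. The beacon check is the fallback for the rest of the network, where some outbound traffic is normal and only its regularity gives the implant away; the time it takes from first beacon to alert is the detection-time figure Martin Lee recommends measuring.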
Can you tell us about the organizational structure of a criminal group capable of launching an attack of this scale?
The range of criminal organizations is extremely wide: from not very well-trained individuals to large structured organizations that may act with the support of one state or another. In such organizations there is specialization in one cybercriminal direction or another, division of responsibilities and strict secrecy.
In some cases we manage to make an educated guess about whom we are dealing with, or to find traces of their criminal activity. One thing is clear: a serious organization of this kind is similar in scale to a business. It has developers of malicious software, social engineers, system administrators, analysts, managers of individual projects, and a boss.
What traces and evidence do criminals leave after an attack?
All activity leaves traces in log files. If an attacker tries to make further changes to the logs to hide their actions, these changes in turn also leave traces. Searching for such traces is the job of specialists in so-called computer forensics.
It must be taken into account that cybercriminals try in every way to conceal, disguise or destroy the traces of their presence. For this they use chains of intermediate servers in different countries, cryptography and anonymous information exchange systems.
Does anti-virus software play a critical role in protecting against cyber attacks?
Anti-virus is certainly a basic element of security, but it is only one of the building blocks of a comprehensive protection system. Unfortunately, targeted hacker attacks easily bypass anti-virus protection.
Anti-virus programs in most cases detect an attack according to certain rules and behavior. But for sophisticated attacks, hackers develop new malware or modify old programs so that, at the time of the attack, they are not detected by the overwhelming majority of antivirus products. The effectiveness of traditional antivirus is falling today.
Can you name the most common errors made by government agencies, including Ukrainian ones, in the field of information security?
Government agencies around the world have the same information security weaknesses as many private organizations. That weakness is the lack of a comprehensive organizational and technical approach to security that covers the key information systems and reflects current threats.
Unfortunately, state structures around the world are rather inert and do not always manage to react and implement relevant security recommendations in time. Perhaps this is due to budget constraints and a lack of qualified information security experts within public administration.
I can identify five aspects of information security that require the utmost attention.
First: the threat landscape is constantly changing, so you need to regularly assess the information security risks that exist in the organization and implement processes on that basis.
Second: perfect your "network hygiene": test for vulnerabilities in a timely manner; deploy patches and updates on time; segment your network; protect network boundaries, including e-mail and Internet connections; deploy firewalls and intrusion prevention systems in accordance with your information security policy.
Third: monitor your security 24x7. Remember that attackers work at any time, and many attacks deliberately begin at night or before the weekend, making them harder to identify. Measure the time it takes you to detect an attack.
Fourth: provide protection and training for end users wherever they are located, inside or outside the corporate network. Remember that many serious break-ins start with banal phishing.
Fifth: make backups of critical data, and regularly review them, assessing how susceptible the copies themselves are to attack.