It’s every CIO’s nightmare at the moment: ransomware, the new weapon of choice for hackers, is a real threat for companies of all sizes. But how do hackers manage to encrypt or hijack companies’ data? How can they protect themselves and heighten employee awareness of risks? We found out from Matthieu Bonenfant, an IT security expert.
Matthieu Bonenfant is Product Marketing Director at Stormshield, a subsidiary of Airbus Defence & Space. The result of a merger between Arkoon and Netasq, Stormshield specialises in protection solutions for networks, workstations, servers and data, and employs 250 people.
Bonenfant is also a member of R&D-SSI, a focus group made up of providers (vendors and distributors) and users of technological security solutions. The aim of the group is to identify protection requirements and then launch the projects to address them. R&D-SSI is supported by Euratechnologies’ excellence centre.
“There isn’t a week that goes by without us identifyiNG a new type of ransomware”
What sort of IT security issues are companies faced with?
There are a number of challenges which really depend on the company’s line of business. Some have problems protecting their information assets, i.e. data for which they have to guarantee confidentiality. For others, for example in industry, their main concern is ensuring business continuity and so IT availability. There’s not one single issue.
But one problem we’ve been hearing a lot about lately because it affects companies of all sizes is ransomware, a type of malware that encrypts files or data on computers and demands that the user pay a ransom, often via bitcoin, in order to access the data.
Over the past two years or so, ransomware has been growing exponentially. It’s extremely lucrative for hackers because the ransoms demanded are generally relatively low so that users agree to pay. And the consequences can be disastrous, particularly with hospitals, where access to data is absolutely crucial.
=> Also on our blog: What are the implications of healthcare data security? Interview with Cedric Cartau
At the moment, there isn’t a week that goes by without us identifying a new type of ransomware. Some of them can even encrypt websites. The problem with this type of threat is that a lot of them are polymorphic, meaning they mutate to avoid traditional antiviruses and can reach their target more easily. And it’s becoming increasingly professional: hackers are even starting to offer “ransomware as a service” platforms where you can rent a ransomware by paying the provider a percentage.
“THE EASIEST WAY OF SPREADING VIRUSES IS VIA email”
How do hackers get in?
The most frequent target is workstations. There are various ways of gaining access, but the most common is via email attachment. The emails sent are increasingly convincing-looking, leading users to open them. Once the attachment is opened, hackers can exploit vulnerabilities to take over the computer and install the malware that then encrypts the files.
Some hackers use websites. They may, for example, hack into a popular website and install an exploit kit on it, so that when a user logs on, the ransomware is installed. There are also various techniques for redirecting users to malicious websites. Another media used is USB sticks which, once infected, can be used to take over a computer.
A lot of attacks take advantage of vulnerabilities to access servers and retrieve information such as user account databases, credit card numbers, etc.
The means of access for viruses have increased considerably in recent years, particularly with the mobility boom which requires more and more remote access. The consumerisation of IT, moreover, means that users are working with their personal devices and apps – cloud-based apps which the in-house IT team can’t always master.
“YOU HAVE TO TEACH employees TO BE MORE CAUTIOUS”
What are the best practices organisations should be applying? How can they protect themselves?
France’s national IT security agency (Anssi) has published several guides which are available for free consultation.
Otherwise there are some basic rules:
- Regularly update the components of the IT system – servers, desktops, etc. – with the latest security patches.
- Don’t open ports unless you have to. Companies today need to share information and open up to the outside world, but that shouldn’t stop them from putting restrictions on firewalls.
- Make sure the security systems are correctly deployed everywhere, and that there are regular security reviews and checks of the configurations.
- Regularly analyse security events to monitor any abnormal behaviour.
- Be rigorous with passwords: make sure they are complex and regularly changed.
There are also some best practices in terms of user behaviour. A lot of hackers who target workstations prey on human weakness, so you need to alert employees and make sure they’re careful and look out for any details that can seem abnormal. There are little things that should set off alarm bells: lots of spelling mistakes in an email, unusual turns of phrases, unknown senders or suspicious-looking email addresses, etc. When in doubt, report it to the IT Manager or ask for advice from an outside expert before opening an attachment or looking at the content of a USB stick.
How can organisations increase awareness among employees?
It’s an important issue and there are lots of resources available. The first is by using traditional communication methods, for example using an off-beat poster campaign explaining the basic security rules about passwords or email attachments.
Other solutions involve testing users by putting them real attack situations, for example by sending them fake hacker emails and seeing who opens them, and then teaching them security best practices.
You should also hold information meetings when new employees arrive, to explain the dos and don’ts.
“SECURITY SHOULDN’T BE AN OBSTACLE TO ADOPTING NEW TECHNOLOGIES”
Security is very topical at the moment. A lot of people see it as a drawback and an obstacle to using new technologies. Third-party apps like Office 365 and Dropbox worry security managers because they don’t know how to limit their use and keep control of sensitive information.
But there are ways to control information whilst adopting all these new uses: for example by having a data-centric security approach, as opposed to one that focuses on the IT system, network or workstation. You shouldn’t be afraid of switching to these sorts of solutions, as long as you make sure the transition is smooth by using the right compensatory measures.
Also on our blog: