Taking the bite out of the non-malware threat

Another round of viral attacks apparently masquerading as ransomware brought operations across industries to a halt last week. And the targets were anyone from multinational shipping corporations to even Chernobyl, of all places.

Following WannaCry and what appears to be the wiper mimicking the 2016 ransomware Petya, three things have become reliably predictable:

  1. In conversations with enterprises large and small, I get asked how to stop a ransomware or malware attack 42 times a day;
  2. No matter how many layers of defense you’ve deployed and how responsible users at your company are, you may still get hit;
  3. Everyone now offers an infallible product to protect all the things against everything. The problem is gone for as low as free, averaging somewhere around $20. So that’s easy: click, sign up, done.

Oh wait… After getting a new anti-virus and upon further reading, you now must ensure that:

  • All your employees do regular backups;
  • All your employees disable macros;
  • All your employees religiously update their devices to ensure their OS, AV, Flash, Java and browsers are solid;
  • All your employees enable “show file extensions” (assuming you have figured out how to make sure your team understands the meaning of “file extension”);
  • We all click on and open the right things only;
  • All corporate systems are patched… (I mean remain patched just as they have always been, right?);
  • Train — retrain — train — retrain — train;
  • Use strong passwords that can’t be brute-forced;
  • Block Tor.

There are also suggestions that we could use artificial intelligence at extended end points that (of course) cannot be beaten because there is no reliance on heuristics or signatures, which is to say it’s not just antivirus anymore.

As always, the response to a security event of a global magnitude is stamping “anti the thing in the news” on a product and chasing flashing lights. We are now 17 years removed from the I LOVE YOU worm luring unassuming users with promises of Anna Kournikova’s photos, and yet we have another piece of malware knocking off nuclear power plants and multinational oil and shipping companies.

While not a new challenge, one would think the sheer scale of these attacks should inspire behavior change and generate more new solutions. Yet, we get the same recipe as we’ve heard over the past 20 years — deploy tools in the network to catch suspicious events, train your employees, back up your data, segment your networks and use the best anti-virus.

So first of all, anti-virus is dead.

Okay, dying. Every week my team talks to companies that have liberated themselves from this shell game. However scary that may be, it is bad tech that only feeds the underlying problem.

Deploying network security tools.

Yes, you probably have to do some of this while keeping in mind that these are merely speed bumps that do have certain value. What’s important is to stay nimble and ready to switch providers on the fly understanding that you can/should only jam so much on your endpoints.

Training your team to only open and click on the things that are not harmful.

Take it from someone with 20 years of information security experience — not practical advice. Flip that script and operate knowing that your employees will and should click on and open things that are bad. Why? Because the current state of phishing is juvenile and, inevitably, the sophistication of attacks will increase in direct proportion to the efficacy of any training program. Build processes that enable your team to do their work and make mistakes.

Backing up data is not a new thing nor is the challenge of protecting these backups.

It used to be that storage was so deep in the network onion that most organizations treated storage security like hardware security — if someone has access to my storage array, they already have access to everything. But things have changed with cloud backups, which is why more thought needs to be given to what actually is worth storing and protecting. With almost 70 percent of stored corporate data having no or negligible business or regulatory value, attempting to protect these massive amounts of data makes no practical or security sense.

Of course, the big data economy encourages companies — big and small — to save and protect everything even though the math tells a different story. Perhaps the real important debate is whether liability will transfer to a cloud provider that encourages its customers to store and make available for search all of their communications and knowledge.

When in response to a malware attack global enterprises with great resources end up shutting down their systems, including critical communications, and move to employees’ personal devices for texts and emails, it is time to rethink the game of storing everything, which is making us more vulnerable and exposed.

Anyone knows that you cannot lose what you don’t have. By the same token, if you are in control of your data that is not stored server-side and expires when it’s no longer needed, a task of protecting less information that does need to be recorded becomes increasingly more manageable. When you build reliably ephemeral operations that are not dependent upon the hope that storing everything may someday prove useful, the notice that “the files expiring in a week are encrypted and will be deleted unless…” just doesn’t have the same teeth.

The bottom line is that the recent wave of viral malware attacks is nothing than more of the same. Email is vulnerable, network security is difficult, anti-virus is nowhere near being effective and everyone has a best product that will fix all of the things on the network or your endpoints. There will almost certainly be the next “NotPetya,” probably sooner than we expect. Why not flip the equation?

Use math to your advantage. Encrypt your communications and data proactively. Deploy tools to verify participants in critical communications.

Perhaps most importantly, understand that just because recorded communications have been the norm in the past 10 years, it doesn’t mean that we have to work in the paradigm that is no longer justified by current security environment. Ephemeral communication tools provide you the opportunity to rely on math to take control over your communications, how long it lives and how long it is accessible to intended recipients only. So you no longer have to protect all the things. Your move now.