​Want more clout with the CEO? Wait until your first ransomware attack.

IoT threats, business email compromise, and ransomware attacks are kickstarting new security discussions, CSO Perspectives attendees say

Ransomware may have become a scourge for businesses of all sizes, but there’s a silver lining for CSOs: once a business has suffered through one ransomware attack, it becomes much easier to find a receptive audience for discussions about cybersecurity.

The explosion in post-compromise security awareness was the most frequently cited experience amongst the security executives who gathered for CSO’s Perspectives Roadshow 2017 this month. By the time the time the tour passes through Sydney and Wellington this week, attending CSOs will have swapped war stories and learned security strategies from more than 500 of their peers across every kind of industry.

Reports of ransomware attacks were near universal this year – a big step from last year’s roadshow, when many businesses still had yet to experience their first locked systems and lost data. Since then, however, the escalating frequency and severity of ransomware had created some significant problems. They have also built up new skills, as reported by the CSO who said his company’s IT organisation had become experts at quickly wiping computers and restoring from backups – because of the sheer frequency of ransomware attacks.

Peer sharing – through Security Waves roundtable sessions that were moderated by industry leaders and gave every attendee the chance to discuss three chosen topics with their peers – is a key feature of the Perspectives event, which helped stimulate open candid learning and discussion within the secrecy of a Chatham House Rules-based environment.

The event also included an Australian Women in Security panel discussion in which a number of leading female security practitioners shared their experiences and recommendations for increasing the participation of women in a sector that has struggled to assert its appeal with women.

Distinguished keynote speakers also feature heavily in the event’s program, with security expert and former US Federal Bureau of Investigation agent Jeff Lanza weighing in on the range of threats businesses face today.

In outlining three primary types of computer crime – bank account takeovers, business email compromise (BEC), and ransomware – Lanza said the shift toward financial-related crime had become to today’s businesses what gangsters were in the 1930s and Mafia-related crime was in the 1970s.

Both eras saw the FBI ramping up its investigative skills and tactics to clamp down on extortion, racketeering, and more violent crimes. These would often end with dramatic raids and seizures led by the ‘FBI flip’ – the flipping-open of credentials by an FBI agent revealing their identity and arresting a suspect after a long investigation.

“What’s different about today is that there’s nobody to flip,” Lanza said, noting the high profile of hackers from China, Russia, and other countries. “We can’t arrest these people and we can’t solve them ourselves because we’re not going to get access to these people. We need the help of everybody in the room.”

BEC attacks, in particular, were proving to be expensive and problematic because they relied on human factors to intercept and prevent. Although they didn’t serve as the productivity handbrake that ransomware does, Lanza said that BEC attacks – which, recent Proofpoint research suggests, increased by 45 percent quarter-on-quarter in the last three months of 2016 alone and are particularly targeting manufacturing, retail, and technology organisations of all sizes – were proving devastating to companies that lost millions to scammers and had no recourse.

Companies should, for example, establish payment approval processes that include more than one person on different computers; verify wire transfers by phone; and more. “Companies are being victimised because they are not taking simple steps,” Lanza said, recounting the recent receipt of an email that contained the Olympic Vision keylogger. “It’s unlikely that I would ever get an invoice from a domain in Russia. To prevent bank account takeovers, just ask yourself ‘does this make sense?’“

Lanza’s sharing of the authorities’ perspective was balanced by Mark ‘Simple Nomad’ Loveless, a former hacker turned white-hat security consultant who offered perspective gleaned from years spent on the dark side of the Internet.

No stranger to law enforcement, Loveless had previously worked to find vulnerabilities in corporate security defences – but said he was “kind enough to let them know they needed to fix this because it was a real problem… When you’re doing this sort of stuff you’re on the edges of society, and trying new things, and experimenting. There is a different kind of ‘normal’ that is associated with it. But from their perspective they think everyone else are the crazy ones.”

Noting the ‘weaponisation of cyber’ as a major threat for companies today, Loveless said cybercriminals were initially driven by curiosity as they learned their way within and around the systems in the market. “Whether it’s a piece of hardware or a structure that exists within society, it’s all interesting,” he said. “They all have patterns and are fascinating to explore.”

By working on new ways to exploit identified vulnerabilities, hackers often set up proofs of concept exploits that “were just enough to get a vendor’s attention,” Loveless said. “Sometimes they only worked 1 in 5 times – but it was enough to prove the point that there was a vulnerability.”

This had particular implications for the coming Internet of Things (IoT), Loveless said, which had naturally come onto the radars of curiosity-driven hackers for whom the devices represented an unprecedented playground. Yet the harnessing of these devices – as in the now-infamous Mirai attacks perpetrated through exploitation of massive numbers of IoT devices – had created a situation not unlike the ‘Slashdot’ effect. Add in the commercialisation of exploits as criminals began trading exploits on the black market – something that Loveless said he thought “was a horrible idea because it was just going to lead to bad things” – and the market was rapidly hurtling towards the exploit free-for-all that is now threatening IoT and, in fact, every device.

To attract premium prices, Loveless said, “really smart individuals” had focused focusing on improving the viability of their exploits – spending 6 to 8 weeks to develop fully weaponised code that was going on to wreak havoc in a range of ways. Loveless even discussed how his experiments in compromising a Bluetooth-enabled power drill reflected the new vulnerabilities that were being introduced into worksites and other areas where safety was potentially compromised.

Such risks once seemed esoteric but growing connectivity of nearly every kind of device was redrawing the battle lines and forcing businesses to work to minimise new risks. “This is the template for the future,” Loveless said.

“If you work in the construction industry, you’re going to have to deal with this in a very real way because you are going to have these devices that you’re going to have to deal with. But even if you don’t, if you are going to have anyone in your organisation where that is part of the job, that traffic is going to end up on your network.”

“Everything is going to talk to everything – but it could get really bad before it gets really good. It may take a death before people really begin to pay attention to some of this.”