22 October 2018

The Russia Problem: What Businesses Can Learn From Cyberwarfare

Stu Sjouwerman

As someone who has built IT security companies from the ground up and dealt with the growing issue of malware for well over 15 years now, the last thing I expected when I started my current company is that I would have to become somewhat of a Kremlinologist. KnowBe4 helps organizations manage the problem of social engineering, and Russia has been one of the major sources of these types of attacks on organizations and governments. To illustrate this problem, we can look at the letter that U.S. Senator Ron Wyden (OR) recently sent to Senate leadership complaining about Russian cyberattacks and his plan to introduce legislation to help combat them. And the U.S. isn't alone in dealing with these attacks.

Maybe these attacks shouldn't come as a surprise seeing as how Russian President Vladimir Putin has commented that he feels the collapse of the Soviet Union “was the greatest geopolitical catastrophe of the century.” In the West, we tend to disagree.

And now, we have more or less been forced to investigate the root cause of Russian cyberattacks, including the forensics of criminal phishing attacks, ransomware campaigns and sometimes state-sponsored credential-harvesting attacks.

Russian Organized Cybercrime

Apart from Russia's three shadowy intelligence agencies (the FSB, SVR and GRU), Putin has another extremely useful resource: the criminal cybermafias that have come to prominence over the past decade. They are highly sophisticated hackers who have made spear phishing an applied art and science. And when needed, the Kremlin pulls them into cyberwar campaigns to degrade the infrastructure of “misbehaving” former Soviet satellites like Ukraine and the Baltic states.

The most egregious example is CryptoLocker’s evil genius, Evgeniy Bogachev, who has made an estimated $100 million with his nefarious Zeus botnet and weapons-grade ransomware. Despite the FBI's $3 million bounty for his capture, the Kremlin claims he never committed a crime on Russian soil, and he has yet to be turned over to any foreign law enforcement.

Business Lessons Learned

Russia has turned to hacking as a go-to strategy to project its power worldwide. One of the country's tactics is going after soft civil targets with sophisticated social engineering attacks. Both for-profits and nonprofits need to protect all their IT layers and pay special attention to their "human firewalls."

Train your troops: The internet was not built for security but resilience. In a nutshell, you would be right to conclude that the internet is basically a beta in its current form, and any organization that relies on it to some degree -- even if that is email only -- needs to be aware of this.

The inherent insecurity of the internet means that an organization's security and defensive measures need to reflect this liability. That means applying a concept called defense in depth: All layers need to be protected, including the layer that the bad guys are going after first -- the human layer.

First Lesson: Not training employees is a legal liability. Recent case law shows you need to provide a "reasonable" response against a known threat like phishing.

Antivirus is dead: The bad guys' time is also money. The last 10 years have shown us that they are going after the low-hanging fruit. Recently, cybercrime groups have grown in power and are apparently well-funded. Perpetrators are able to penetrate spam filters with malicious software all too frequently. Your employees have turned out to be the weak link in your IT security. Without trained employees as that last line of defense, a single ransomware infection could bring down your whole organization.

Second Lesson: Relying on just layers of software protection gives you a false sense of security.

Find the root cause, and fix it like there's no tomorrow: If you look at the vast majority of data breaches, there are really only two root causes: social engineering and unpatched software. Identify the 10 most used applications in your organization, and then patch them religiously -- and fast. Bad guys are trying to exploit weaknesses in these applications the moment they become known. A patching regime that is on the ball can prevent disasters like WannaCry. Last, but not least, put those users through new-school awareness training. Thousands of IT pros will attest it is their best-spent InfoSec budget.

Third Lesson: Effective security awareness training is a must for all employees, from the mailroom to the boardroom. Your staff can be turned into a strong human firewall, which is a very effective last line of defense that may very well keep you off the front page.

The Upshot

Cybercrime is the most serious threat to businesses. The internet is an extremely useful and valuable business tool, but it comes with a liability that all organizations need to understand and mitigate. Creating a culture of security from the top down and nourishing that culture is a must to prevent compromised networks.