Security Pros vs Ransomware: Should CISOs Be the Negotiators?

Calling someone’s bluff isn’t just a poker thing, it’s also potentially a cybersecurity executive’s counter to an extortion ploy, a new report said.

The results of a new AlienVault study show that a good number of security pros are willing to test their nerve against a cyber attacker. In fact, among a field of 963 surveyed attendees at the recent Black Hat 2018 conference, including security pros, 65 percent said they would force a cyber kidnapper to show their cards before complying with a ransom demand, according to AlienVault’s report: Extortion, the Cloud, and the Geopolitical Landscape.

“A few years ago, raising the question as to how an organization would respond to extortion attempts involving stolen data would have been scoffed at,” wrote Javvad Malik, security advocate at AlienVault and the report’s author. “But today, these types of cyber attacks are now top of mind for many companies.”

One respondent, Raj Goel, CEO of Brainlink, said that if the hacker could prove they had his company’s customer database, culled from his CRM system, his “internal threat/risk meter” would climb as high as 50 percent. Worse, if the data came from Brainlink’s Knowledge Wiki, which contains sensitive data, the risk assessment would climb to 80 percent. If it came from the organization’s password manager, the figure would be 100 percent, “and I am at their mercy completely,” Goel said.

How would he deal with the problem after assessing the risk? “I would consult with colleagues and friends in the InfoSec community to determine whether the threat is real or fraudulent.”

Ultimately, who decides how to deal with hackers or extortionists demanding a ransom? Most likely it’s the chief information security officer (CISO), the participants said, but it could also be the head of IT or a board director.

“It’s not surprising to see the CISO at the top of the list. In this role, s/he will usually be best placed to understand the attacker’s demands,” Malik wrote. “The CISO has inside access to tools and resources enabling him or her to not only determine the legitimacy of the claims, but also understand the regulatory and business impact should the claims be legitimate.”

The study also looked at whether the “shiny veneer” of the cloud has begun to fade, and the geopolitical landscape's impact, if any, on the IT and security industry.

Here are some of those findings:

On satisfaction with the cloud:

  • 44 percent of the respondents are thinking about moving certain operations, apps or data from the cloud back to on premise. A greater number, 56 percent, won’t do so or aren’t certain that they will.

“Does that mean that the cloud is not all that it’s cracked up to be?” wrote Malik. “Not really – it more than likely means that full consideration wasn’t given to all the aspects of cloud prior to migration.”

  • 46 percent said security was the reason they’d stalled or halted a project in the cloud.
  • 37 percent blamed it on cost, 25 percent said the risk was too great, 22 percent said the move was unnecessary and 14 percent said it required too much development. Of note, 16 percent favored an in-house solution.

“The cloud remains a good, stable, and cost-effective platform for many companies. The risks are different, as are some of the operating procedures. The architecture needs to be planned differently, and the cost breakdown works differently, as well,” the report read.

On the cloud vs. on-premise security incidents:

  • 52 percent said they didn’t believe that a security incident had occurred in the cloud which wouldn’t have occurred on premise.
  • 22 percent said that such an incident had taken place, while 26 percent were unsure.

On cyber attack readiness:

  • 54 percent believe that the U.S. public infrastructure is unprepared or very unprepared to defend against cyber threats.
  • 33 percent said the country is prepared to withstand a cyber attack.

On the geopolitical landscape:

  • 47 percent said the current geopolitical landscape (the threat of nation-state attacks) had no impact on security within their organization.

However, Raj Samani, chief scientist at McAfee, told AlienVault that the impact of cyber capabilities in today’s landscape should not be underestimated. “There is no question that development of offensive cyber capabilities to support national strategic imperatives are part of today’s infosec landscape,” he said. “Not only are capabilities being invested in, but for smaller states outsourced to even private entities.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.