On a hot day in June, the cloud security faithful gathered in London to discuss where security for the cloud is heading. The annual Cloud Security Summit was an excellent opportunity for business leaders and security veterans to explore some of our industry’s most pressing issues—and gain valuable insight from keynote speakers like Graham Cluley.
He is also one of the most respected voices in cybersecurity—with more than 25 years of experience working in and writing about digital security. Graham worked with Dr. Solomon’s—an early pioneer in the antivirus world, which was acquired by McAfee in 1998—and then with Sophos before going solo. His role as an independent security researcher makes him uniquely suited to offer a non-partisan view of the security threats we all need to be aware of.
Graham did an excellent job of framing the issues businesses face when it comes to digital security and the current threat landscape. Graham’s experience helped make the information both more engaging and more relevant, with real-world examples and a healthy dose of common-sense perspective.
Digital criminals – are they geniuses?
The example which seemed to resonate most with the audience revolved around debunking the myth that hackers are evil geniuses or possess superhuman intelligence. Despite the complete disconnect from reality, when people think of digital criminals, they generally picture the romanticized image portrayed in movies of a socially-awkward loner in a hoodie who can sit down at any computer in the world and hack into the Pentagon in under five minutes. That’s ridiculous on a number of levels.
Graham used a story of the Syrian Electronic Army to illustrate the point. Graham detailed how these hackers were foolish enough to have one of their members in Germany sign a contract with a ransom victim—sending across his passport details and email address in the process. This stranger-than-fiction example serves to illuminate a theme which ran through Graham’s presentation—
Digital criminals are not necessarily geniuses, and they are only as successful as they are because we allow them to be.
Reality is more mundane. Far more dangerous than evil-genius super-hackers is the fact that many organizations do a poor job of simply identifying vulnerabilities and keeping servers and applications patched and updated. Graham calls unpatched or outdated software “the world’s most common security vulnerability.” Citing the example of the devastating Equifax data breach in 2017, and the patching policy which allowed the Apache Struts vulnerability to slip through the cracks, Graham suggested that for a company as big and multi-faceted as Equifax to fail to patch—or at least adequately mitigate—this critical vulnerability is unacceptable.
The evolution of ransomware was also touched on by Graham. Digital criminals continue to adapt and develop new, more insidious ways to extort users. He highlighted Popcorn Time, a recent ransomware strain that includes a twisted social experiment: rather than paying the ransom, infected users can choose to infect others as a form of “payment” in order to get their data back for free.
Digital criminals are not necessarily geniuses, but some are smarter than others. Graham provided examples of ingenious exploits and digital criminals as well—most notably, the Ukrainian hacker who hacked into three business newswires, which allowed him access to insider trading information in advance of it going public.
The ever-evolving threat landscape
These examples all served to illustrate the same point: these threats are out there, and the threat surface is constantly expanding. At the end of his talk, Graham apologized to the audience for the lack of good news in his presentation. I guess 25 years on the security front lines can make a security researcher a bit jaded.
Expert help, at your service
If you find all this overwhelming and don’t know where to start in addressing your digital security needs, we can help. Once you are ready to go, we’ll help you get up and running in days, so you don’t have to integrate a bunch of security compliance software tools or hire more people.