The aim of a hacker used to be to steal or destroy information, yet today what they try to do above all is profit financially from that information. We can see how attacks are becoming more professional and how businesses are being built around them. Some years ago, it wasn’t so easy to buy ransomware or rent a bot to launch attacks. Xavier Mertens, an independent cybersecurity consultant and renowned IT security blogger, insists on the importance of traditional security to combat these highly effective new threats. Mertens’ voluntary participation in the SANS Internet Storm Center, the global cooperative system for warning against cyberthreats, gives him great insight into the very latest attacks.
PS: How can IT security professionals adapt to these new needs?
XM: The usual protection measures are still important. If employees can stick to following typical security measures: implementing appropriate network segmentation, using secure passwords, configuring devices correctly and not exposing sensitive information or tools on the Web, I believe they could be protected against any modern threat.
Most security problems occur because people need to carry out everyday tasks, and are unaware of the basic measures required to protect them. Recently I tried to scan a document and, after checking the login credentials and firewall and ensuring that the printer worked correctly, I realized that it wouldn’t work because the Server Message Block version 1 (SMBv1) protocol was configured, something that has already been widely disapproved of. As such, it is something you need to decide whether or not to enable. Users normally keep the default settings as they don’t know how to change them or they simply don’t have time to do so and just want to get on with their day-to-day routine. But for industry experts it is not so complicated to resolve these basic problems and protect the security of tools that are as common in companies as printers.
PS: What is the Internet Storm Center? What is your role as an ISC Handler?
XM: The Internet Storm Center is an organization whose aim is to monitor the Internet and ensure it operates properly. Using automated tools, we collect information for professionals in the sector, generate useful content in the form of a cybersecurity journal and try to increase awareness of the problem. For example, with the ‘dshield’ project, people can send their firewall records to build up our database and create a detection system based on repetition. We were able to detect the Mirai botnet because we have tools that showed activity peaks on specific ports. We are the ‘Internet’s firemen’.
PS: How can we avoid recent attacks such as those that are aimed at mining crypto-currencies?
XM: The protection remains the same as for other types of malware, because crypto-currency mining is carried out with malicious code that runs on your computer. The standard advice still stands: have a cybersecurity solution that protects you completely and don’t click or download unknown files. Nevertheless, I think that crypto-jacking is one of the most brilliant attacks I’ve seen. Criminals are moving from ransomware to mining because it is much less intrusive and you don’t need so many resources to evade detection. With ransomware, you don’t know if victims will pay the ransom because they may have backed up their files. With crypto-currency mining however, you are sure to recover your investment, and it is much less invasive. You can run mining on any type of device, unlike ransomware which is restricted to Windows, Mac or Linux, and the victim’s system will still operate despite the attack.
A colleague at the ISC analyzed the power of his computer while mining crypto-currencies. The fans and the CPU of the computer were always busy and running at full strength. So imagine the consequences that mining could have in a company with numerous computers: energy consumption increases, it has a significant impact on data center traffic and can even increase the office temperature.
PS: You have GIAC certification in reverse engineering malware. Should companies be investing in this type of analysis?
XM: I don’t think you should invest in reverse engineering unless you have a big budget and a lot of time. The aim of companies is not to understand the behavior of malware, but to resume normal activity as soon as possible. When analyzing malicious files, we want to know why they behave as they do in order to generate a list of ‘Indicators of Compromise’ to share with other researchers in the sector and provide this intelligence to customers.
PS: How do you draw up an effective incident response plan?
XM: Incident response plans are not easy to address, particularly if they are for companies that don’t have the resources or the right personnel. In my opinion, you can always start with the small things. The first step is to be prepared, increase awareness and involve all employees, and this is something that can be done by any company.
PS: As the deadline draws closer, how can companies prepare themselves for GDPR compliance?
XM: The GDPR is designed to protect the privacy of users. So bearing this in mind, if you have implemented a comprehensive security strategy, if you know where the data is and how it is protected, and if you only have collected the information that is strictly necessary for your business, the GDPR should not represent a problem for you. This regulation takes us back to basics, to some simple guidelines: encrypt your information, don’t store passwords in public files, make sure databases are not exposed on the Internet, etc. Possibly the biggest challenge will be for small companies that don’t have an inventory of all the information they possess, not just internal data, but also what they share with suppliers and users. Companies are now in the process of reviewing all the information they possess and we hope that they are taking the necessary measures to adapt to the GDPR.