Alexis is a cyber security researcher and Security Intelligence Team Lead at ESET. You can find out more about his views on the future of malware in the second part of our interview focused on how tech advances will impact the fight against malware.
1) As part of Antimalware Day 2018, we’ve looked back at past threats such as the Michelangelo and Melissa viruses that arose in the 1990s. In your career how have you seen malware develop and change, and what do you think future trends will look like?
If we look at malware threats of the past, one of the major things that has changed is the purpose behind malware - in the old days we mostly saw malware with the sole purpose to break things, or ‘cyber vandalism’. Now, there’s a deeper motivation behind each and every cyber-attack; it could be money, gaining access to sensitive data, disrupting critical systems such as healthcare systems or power grids, or operations to influence geopolitical events. I think the motives behind cyber-attacks will evolve as society evolves, and malware and cyber-crime in general will adapt to these changes.
2) What do you think will be the most dangerous malware threats to businesses in the future and what steps can businesses take to protect themselves?
I don’t think anyone can be guaranteed completely foolproof protection in a complex enterprise network. Some of the most dangerous malware threats for businesses are those with immediate destructive powers, such as ransomware or ‘wipers’, whose purpose is to render specific systems unusable. Some businesses can absorb the attack, but for many even one day of lost operations can be devastating. We’ve seen companies like Maersk hit by the NotPetya ransomware, and although they have deep pockets and managed to recover, they disclosed a loss of USD $300 million just to deal with that incident alone. In terms of what businesses can do to prevent or reduce the risk of such an attack, there is no silver bullet, but we can say that businesses should have a cyber security team in place that’s well-resourced and has access to all the relevant tools they need to keep an eye on their IT infrastructure, and to monitor attacks that are occurring elsewhere so they can prepare to defend their own network against similar attacks.
3) Many people expect threats to critical national infrastructure to intensify in the near future, something that could have devastating effects for individuals, businesses and governments around the world. What are security companies working on to mitigate this risk and what are businesses’ best chances for protection?
That’s a complex question to answer. For security companies like ESET, we track different types of threats including threats against critical infrastructure. When we find a new cyber threat that is targeting infrastructure we share our analysis and research of the threat with all the entities that could potentially be targeted and could benefit from being protected against that threat. I think security companies have a social responsibility that goes beyond their commercial goals; if we learn about something that’s attacking civil society we need to help people be protected against it. Private companies have a huge weight on their shoulders to prevent unauthorised access and to protect their equipment and infrastructure from attackers. Fortunately, in many countries there are public entities that will help these private companies to be informed about new potential attacks and also to help them to put in place different safety mechanisms. It’s encouraging that they’re not alone in protection and they do have access to resources that can improve their security.
4) Which sectors do you think might be most at risk from malware attacks in the future? Healthcare is an area that continually receives a lot of attention. Are there other types of businesses that will be most at risk in the future and what kind of targeted approach could they take to better protect themselves?
Technically any sector that has either money, large computing resources, or that is managing critical infrastructure or hosting sensitive information is a potential target - so that covers quite a lot of businesses. Healthcare is a particularly sensitive topic for me as the sensitive information they hold isn’t related to commercial top secret strategies or business acquisitions, it’s information about normal people. Knowing that such private and sensitive information is being stolen and put up for sale on the dark web worries me. There are no specific guidelines for different sectors; the first thing every sector needs to realise is that they are a target, that they face a risk, and that they need to address it properly. The way to address a cyber-attack whether you are a bank or a healthcare organisation is fairly similar, from a high-level perspective – identify risks and put in place a plan and countermeasures.
5) How do you think cybersecurity awareness and cyber security practice in different regions around the world could affect the future of malware? For example in countries where there is a lack of awareness and focus on cyber regulations.
From the target perspective, there is a focus on the US and Europe, but that follows the high population in these regions. It is interesting to see it from the other perspective, in regions where the legal system is not yet ready to deal with cyber attackers; cyber-crime is not really a priority. They have more serious issues to deal with than catching cyber criminals, so overall it’s not exactly fair to expect that all countries or all regions evolve at the same rate in terms of awareness or regulations. Overall things are moving in the right direction; we’ll always have some regions behind others, but things are moving forward.
6) Finally, what would be your number one rule when advising businesses on how to balance current security challenges while planning for the possible future risks they will face?
Businesses face so many different risks, and cyber-attacks are just one more category of risk that needs to be assessed and dealt with. It’s easy to determine what would happen if a company’s main factory exploded and couldn’t deliver its output for 6 months - it would be reconstructed. But what would happen if a business website went offline for an hour, a day, or a week? Businesses need to ask themselves, what are the critical systems within the business infrastructure and what would be the business impact if one of these systems were breached or made unusable. They need to identify the implications to the business, and have a proper strategy in place in order to be protected and recover from a potential attack.
Find out more from Alexis on the future of malware in the second part of our interview focused on how tech advances will impact the fight against malware.