Understanding Cybersecurity Status Quo: Interview with Nick FitzGerald, Senior Research Fellow, ESET Asia Pacific

To learn more about the current cybersecurity landscape we have a chat with Nick FitzGerald.

By Mithun Mohandas | Published: 29 Aug 2016 | Last updated: 09 Sep 2016

Digit: India is ranked pretty high when it comes to the volume of spam emerging from the country. Certain monitoring websites quantify 84% of the entire traffic as spam. Could things get any worse?

Nick: Spam has evolved over the years. In the past, spam was easy to spot as it tended to offer products or services that recipients had no interest in obtaining. Today, the level of sophistication has grown exponentially. Messages appear legitimate, designed to bait clicks by providing authentic and relevant content.

Delivery methods have changed as well. With the increasing adoption of connected devices in Asia-Pacific and the world, spammers are turning to social channels, in addition to the traditional method of email.

On the other hand, digital adoption in India is progressing at a breakneck pace. It has overtaken the US to become the second-largest smartphone market in the world, according to Counterpoint Research. With the growth of attack surfaces and the increasing amount of data being placed online, it seems unlikely that the cybersecurity situation will ease anytime soon.

However, defending yourself against security issues caused by spam does not have to be a difficult job. Consumers should take proactive measures – such as being wary of information demanded by apps and keeping their operating systems updated – which are vital in reducing exposure to such threats.

Digit: Recently, a lot of ISPs came under DDoS attacks in Mumbai wherein Internet speeds were crippled in the city and major ISPs took to blocking certain incoming ports in order to mitigate the attack. Given that such attacks can be performed on any of the commonly used ports, isn’t blocking a temporary solution? Also, what would be the ideal solution?

Nick: In general, withstanding 200 Gbps DDoS attacks requires specialist mitigation technology and extensive network redundancy. For best results for an ISP, I imagine that this should be designed into their infrastructure from the beginning, as adding it during an attack is likely to be problematic.

Digit: Given that over time both software and hardware adapt to combat known attack vectors, what is the next step in the evolution of cyber attacks?

Nick: If we knew that, we’d proactively block it now so it would not work, and thus it would not become the next evolution in cyberattacks!

Seriously though, when security researchers get together over a few drinks, conversation sometimes veers to “nightmare scenario” projections. We generally prefer not to give the bad guys ideas, so these prognostications are not usually discussed further in public.

However, given the increasing damage caused by ransomware recently, several endpoint security solutions developers, including ESET, have developed various essentially proactive defenses against ransomware. To the extent that these succeed, the ransomware threat should abate. If that happens, a number of cybercrime gangs who have been making substantial money from ransomware will no doubt be inspired to look for, develop, deploy and attempt to perfect “the next big thing” in crimeware. One possible direction that this may lead is described in a speculative article about the possible future intersection of ransomware and the Internet of Things, written by ESET Senior Security Researcher Stephen Cobb, where he coins and describes the term “jackware”.

Digit: We know that financial institutions are common targets for cyber attacks. What are the lesser known but equally important institutions that attackers are after?

Nick: Any organisation that handles sensitive data is at risk of cyber attack. This is not limited to financial institutions, where hacks often generate a lot of attention in mainstream media because of the immediacy and scale of the monetary impact on consumers. In fact, IBM’s 2016 Cyber Security Intelligence Index shows that the most-attacked industry in 2015 was actually healthcare.

Institutions or businesses dealing with healthcare often handle a wealth of sensitive information such as personal data (consumer particulars, physical health details etc.) and intellectual property. Technology is also expected to continue to grow in importance to the industry, exposing more attack vectors as more devices and software services are introduced. 

Hackers already have these targets on their radar. In January this year, a pharmaceutical company in India was hit with ransomware, and hackers demanded a bitcoin (about INR 40,000) for every affected computer. These attacks are also getting bigger and bolder. Anthem, a health and medical insurance provider in the US, saw data belonging to 80 million members stolen in 2015. 

And, of course, government and military sites and personnel are also heavily targeted. But really, any site or industry sector that handles sensitive data is likely to be of interest to some foe, be they cybercriminals or foreign government cyber warriors.

Digit: Since most companies have either moved or are in the process of moving their services to the cloud which, generally, come pre-built with enterprise firewalls and load-balancers, would the number of attacks reduce?

Nick: While some enterprise cloud services do come with in-built security features, it is not likely that this would cause the number of attacks to fall. In fact, as systems become increasingly interconnected and a greater number of devices are now online, this actually exposes a greater attack surface for cybercriminals.

Further, network level protections such as these only play a small part in preventing host-level compromises. No matter how effective “next generation” firewalls may be, they do nothing to prevent a “scatter a few ‘bad’ USB drives in the carpark” attack or any other real-world social engineering attack, and a sufficiently motivated attacker will likely find such ways into your organisation if they fail to thwart your network level defenses.

These attacks do not necessarily rely on new, sophisticated technology or advanced malware, but instead exploit an often-neglected aspect of cybersecurity: the end user. This is why at ESET, we emphasise the importance of education, to minimise the risk posed by human error.

Digit: India is a price-conscious market with a budding start-up scene, and quite a lot of the enterprise (antivirus/malware/firewall) solutions are very expensive. How would these cash-strapped enterprises protect themselves? 

Nick: Businesses should select security solutions/vendors according to their own needs, considering the volume and sensitivity of the data they handle among other factors. For smaller enterprises or start-ups with tight budgets, there are more affordable options available on the market.

ESET has a number of different and cost-effective solutions for businesses as well. These are available as disparate products, such as ESET Mail Security or ESET Endpoint Security for Android, or as packages recommended for each company by industry vertical or company size. ESET also offers solutions for small offices and home offices in the form of all-in-one Security Packs, or Business Solutions, which allow enterprises to choose what they need from a mix of ESET technology and react flexibly to growth.

Besides end-to-end solutions, enterprises can also minimise risk of security breaches by regularly educating their employees on cybersecurity best practices. For example, users in India were found to have scored the lowest among Asian nations surveyed in ESET’s recent Cyber-Savviness Report. Stepping up education efforts to help employees stay safe online is a cost-effective and sustainable method of protection that is often overlooked.

Digit: Is there anything peculiar about the types of cyber threats seen in India? How does it compare with the rest of the region and the world?

Nick: Despite recent reports from other vendors that India has a notably high level of exposure to ransomware, our telemetry does not show this. India does have a slightly higher detection rate – just over 8% of our customers in India have reported some kind of detection event this year, compared with 6.2% of all ESET customers – but I do not see any significant “stand out” differences contributing to that. 

The only thing that really does strike me is that the objects we commonly detect that, if not blocked by a security product, typically do lead to ransomware being installed – some specific downloader, dropper and heuristic detections – are noticeably lower among our customers in India.

Digit: While a lot has been said about the implications that could arise as a result of a cyber attack, how many real life instances have there been in India? 

Nick: ESET generally does not share specific details such as absolute attack numbers.

The objective of our software is to detect and prevent events before they reach the level of a full “attack”. 

For example, say you receive an email with a URL leading to a malicious webpage. It is our preference to block that email before it ever reaches your inbox, because it is detected and blocked by an anti-spam component. 

But, maybe it is not sufficiently “spammy” to be blocked at that level and it reaches your inbox. At that point, if you open the message or click on the URL within it, perhaps our product would block you then because the server for that URL has a bad reputation, or the specific URL has already been classified as “bad” by the ESET LiveGrid system.

If an attack attempt gets past those checks, the next step involves preventing the webpage from loading because our scanner sees malicious content within the web page or one of the many scripts it includes.

Even if all that fails and the malicious webpage code gets to run and exploits a vulnerability in your web browser that our vulnerability detector misses, then many of the same kinds of reputation checks are made on the URL from which the next level of payload is downloaded. If they fail, then the download is scanned and various behavioural heuristics tested. The ESET LiveGrid is consulted for details about this application, as it may have already been classified as bad elsewhere and that data may not yet have made it into a detection update shipped to the local scanner installation.

So, our product monitors activity at multiple points along the typical chain of execution involved in being successfully attacked in a typical malware event. If we detect and block at that very last step, we know what kind of malware it was, but if we blocked the email as spam, or we blocked access to the URL, we don’t really know what was prevented in any specific instance of that block, just that based on a heap of data leading up to that point, it was probably not going to be something good!

Digit: Has there been any unique cyber-attack incident in recent history that stood out from the rest?

Nick: In my opinion, the Sony Pictures Entertainment hack that resulted in at least US$35 million of damages to Sony, and untold reputational damage that is possibly still ongoing, is quite a stand-out event.

Also, the very recent suggestions that the Russian government, or at least Russian government sympathizers, may have been behind the reputed hack of the Democratic National Convention (DNC) is quite a development in international affairs if it can ever be shown to a reasonable degree of certainty to be true.

Digit: What are ESET’s offerings that cater to the needs of enterprises?

Nick: While ESET has always been stronger in the SMB and consumer sectors, we have also been developing a number of products to suit enterprise needs. In Japan, for example, where ESET is relatively well known in the enterprise segment, we support customers with up to 300,000 users. 

One such offering is the ESET Remote Administrator (ERA) console, which was designed using data from enterprise customers in countries such as Australia and Japan. It allows for centralized oversight and control of all ESET security solutions deployed on a network, and can support a huge number of users effectively. Our widening portfolio of products also includes DESlock, an encryption application for companies that has been integrated with other products.

In addition, ESET also provides expert support and training to help customers get the most out of their purchases, as we believe that education and technology are equally important in preventing hacks.

These efforts have been instrumental in transforming ESET from simply being an antivirus solution provider into an enterprise security company, and we will continue to do more to grow in this segment.

Mithun Mohandas

While not dishing out lethal doses of sarcasm, this curious creature can often be found tinkering with tech, playing vidya' games or exploring the darkest corners of the Internets. #PCMasterRace