Cyber 3-2-1: 8th July 2022

Plain English Cyber in 3 articles, 2 numbers and 1 action.

This week: 80% of Irish firms hit by ransomware pay the ransom, the US Department of Defense wants to be hacked, but their rewards are peanuts compared to the jackpot of zero days.

This week’s action: Use a safe phone book.

If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.

THREE ARTICLES

1: Zero Days are on the up.

In the cyber world, a ‘zero day’ means a security gap has just been revealed in a piece of software, and the company that makes the software did not know about it until now, so it has not yet been able to plug the gap. Serious ‘zero days’ could expose the users of the software to cyber-attack, and this exposure remains until the software vendor releases an update (a ‘patch’) that fixes the problem and the users of the software have installed that patch.

As reported by CSO Online this week, Google’s Project Zero team has counted almost 20 zero-days in the last 6 months alone, with most targeting operating systems and browsers. In 2021, Google counted 58, while Mandiant (a cyber specialist) counted 80.

This is only the number of zero days that we are aware of. If you read ‘This is how they tell me the world ends’ (which is an interesting / frightening read), we know that there are many nations (including the US and the UK) that know about other security gaps but have not told the software vendor, as they are valuable cyber weapons. The CSO article mentions that some governments pay up to $2 million for exclusive rights to one zero day.

The increasing prevalence of zero-days is why you have to have multiple layers of security, so a weakness in one layer does not immediately cause the organisation to be exposed. Multi-layer security could include things like

  • Rigorous and responsive software update procedures, so you install any updates that fix these security gaps
  • Firewalls
  • Anti-virus & endpoint protection software
  • Vulnerability scanners (which will alert you to known security gaps – aka vulnerabilities).
  • And don’t forget the humans – Many of these zero day attacks still rely on a human being fooled by an email.

Read more: https://www.csoonline.com/article/3665131/why-more-zero-day-vulnerabilities-are-being-found-in-the-wild.html

2: US Department of Defense wants to be hacked

Following on from the previous article about zero days, The Record reports that the US Department of Defense is offering hackers monetary rewards if they discover significant gaps in the Department’s security defences.

The concept is simple. Why wait until the bad guys find a way in? Pay some good guys to try to find a way in first, so you can improve your security.

The initial pilot phase will pay hackers the princely sum of $1,000 for each flaw they find. If they find a real whopper, they could earn as much as $5,000.

According to some reports, certain government agencies in the US will pay hackers $100k to $1m (or more) for exclusive rights to certain hacks. How can the US Department of Defense compete with that?

Read more: https://therecord.media/dod-issues-call-for-hackers-to-dig-into-networks/

3: Cyber Insurance Cover is becoming commonplace

Hiscox is a provider of cyber insurance. According to their “Cyber Readiness Report 2022”, almost two-thirds of respondents to their survey now have cyber insurance (either as a standalone policy, or as part of another policy). This is up from 58% last year.

Hiscox provides cyber insurance cover, so perhaps there is a bias in the numbers and the percentage across all businesses (not just respondents to an insurance company’s survey) is different. But given the benefits associated with the better policies (especially in relation to on-call incident response expertise), it does not surprise me that more firms are seeing the value in proper cyber cover. It also does not surprise me to see policy application forms increasingly asking very specific questions about the applicant’s security defences. Not coincidentally, you would have the right answers to a lot of these questions if you follow my guidance in The Basics.

Read more: https://www.hiscox.co.uk/cyberreadiness

TWO NUMBERS

1: 80%

According to the Hiscox Cyber Readiness Report, 80% of survey respondents in Ireland that had experienced a ransomware attack last year paid the ransom. This compares to 63% of respondents in the UK.

My initial reaction is that I don’t believe the statistic.

But assuming it is true, I am guessing that a large portion of this 80% paid because they did not have reliable and secure backups. I may be wrong, but I believe the primary reason you would pay a ransom is because you can’t restore your data from a backup – Perhaps because the attackers were able to corrupt them, or you didn’t have a backup in the first place.

I know ransomware attackers also now threaten to publish your stolen data if you don’t pay the ransom, but do people seriously believe that you can trust them to keep their word by paying the ransom?

If people are that naïve, it’s no surprise that ransomware victims are likely to get attacked again.

Read more: https://www.hiscox.co.uk/cyberreadiness

2: 22%

According to the same Hiscox Cyber Readiness Report, Irish respondents to the survey spent 22% of their IT budget on cyber security, similar to the 7 other jurisdictions included in the survey.

My next question is whether the organisation has a reasonable IT budget in the first place. 22% of a poorly-funded IT environment may not be enough, but 22% of the IT budget in a tech-led organisation may be excessive.

It’s interesting that we still express cybersecurity as a percentage of IT spend, even though we try to convince people that cybersecurity is as much about people and processes as it is about technology. Wouldn’t the percentage of training budget spent on strengthening the organisation’s human defences be a very meaningful measure? Or perhaps it might reveal that the organisation spends 10 times more showing office workers how to lift a box correctly than they do showing them how to spot a phishing email!

Read more: https://www.hiscox.co.uk/cyberreadiness

ONE ACTION

1: Use a safe phone book

Remember when we each had a phone book at home, where we could flick through the pages to find the address and phone number of any person in town?

Believe it or not, computers have the same phone book. It’s called a DNS service. When you type a web address into your browser (e.g. www.codeinmotion.ie is a great one!), your device has no idea where this site is. It uses a DNS service to find out where to go.

Now, let’s go back to the days of the paper phone book: Imagine if that phone book had a built-in security feature which removed the listing for any dodgy characters that it knew no-one in their right mind would want to contact?

Well, believe it or not, there are exactly these types of phone books online that remove the listings of any dodgy characters in Internet Town.

And best of all, many of these services are free.

By using one of these DNS services, if you get fooled by a dodgy character’s email and you click a link that would bring you to their website, your phone book may stop you getting there. It may not stop every dodgy character, but it certainly makes Internet Town a safer place to live.

What’s the name of one of these magical phone books? Quad9.net.

Instructions on how to get your PC, laptop, or mobile to use it are available at https://www.quad9.net.

PS There are other paid-for solutions available, which offer even more DNS-related protection. For example, Cisco provides some free and low-cost versions for home and small business, as well as an enterprise-grade solution called Cisco Umbrella. You can read more at https://www.opendns.com
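If you want to see the “safe phone book” removing a listing for yourself, here is a small added example (written for this newsletter, not code from Quad9). It sends the same DNS question to Quad9’s filtering address (9.9.9.9) and to Quad9’s unfiltered address (9.9.9.10) and reports what each one answered; a name on the blocklist comes back as “NXDOMAIN” (no such listing) from the first and as an “answer” from the second. The sample reply bytes used in the comments are constructed for illustration.

```python
import socket
import struct

QUAD9_FILTERED = "9.9.9.9"     # Quad9 with its threat blocklist applied
QUAD9_UNFILTERED = "9.9.9.10"  # Quad9 without the blocklist, for comparison


def build_query(domain: str, txn_id: int = 0x1234) -> bytes:
    """Build a minimal DNS query for an A record with 'recursion desired' set."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    labels = domain.strip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(packet: bytes) -> str:
    """Read the 12-byte DNS header of a reply and say what the resolver told us.

    e.g. constructed reply b"\\x12\\x34\\x81\\x83..." (rcode 3) -> "NXDOMAIN"
    """
    if len(packet) < 12:
        return "malformed"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    rcode = flags & 0x000F          # low 4 bits of the flags word
    if rcode == 3:
        return "NXDOMAIN"           # the phone book has no listing for this name
    if rcode != 0:
        return f"error rcode={rcode}"
    return "answer" if ancount > 0 else "no records"


def lookup(domain: str, resolver: str, timeout: float = 3.0) -> str:
    """Ask one resolver over plain UDP/53 and classify its reply."""
    query = build_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        try:
            reply, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout"
    if reply[:2] != query[:2]:      # ignore replies that don't match our transaction id
        return "mismatched id"
    return classify_response(reply)


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "www.codeinmotion.ie"
    for label, ip in (("Quad9 filtered", QUAD9_FILTERED), ("Quad9 unfiltered", QUAD9_UNFILTERED)):
        print(f"{label:16} {ip:9} {name}: {lookup(name, ip)}")
```

Run it with a domain name as the argument; if both addresses answer the same way, the name is not on Quad9’s blocklist (or your network is intercepting port 53).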
