
Interview Series - David Emm Snr Researcher at Kaspersky Lab

The next instalment in the interview series sees a great interview with David Emm, Senior Security Researcher at Kaspersky Lab.

Ed:  Hi David, thanks for your time today with Infosec Professional.  How has information security changed in the last three years?
David:  I believe there have been several key changes.

First, the traditional ‘work place’ is disappearing. So the task of securing data has become harder for businesses, as staff increasingly conduct business ‘on the go’: at home, at the airport, in the hotel – or anywhere else they can get a wireless signal. It’s not so much that the traditional network perimeter has disappeared. Rather it has become fragmented – and moves around as employees do. This has increased the points of exposure to malware and hackers. Second, we’re seeing a related development – the growing use of smartphones at work. IT departments now have to manage a heterogeneous mix of endpoint devices. This problem is compounded because many people use the same smartphone for business and personal use. So loss of data may be bad news not just for an individual, but for the business too.

The nature of the threat from malware is changing too. For the last eight years, the threat landscape has been dominated by speculative attacks designed to steal financial data that gives access to victims’ bank accounts. During the last two years we’ve seen a growing amount of targeted attacks. Cybercriminals are selecting a specific target and are focusing on compromising this victim – to steal corporate information, to discredit an organisation or to make a political point. Paradoxically, in tandem with this targeting, we’ve seen a trend towards ‘steal everything’, not just bank data. Cybercriminals are trawling through the vast amount of data individuals post online and are sifting through it for information that can help them set up a targeted attack on a business or other organisation.

The growing volume and sophistication of threats in the last few years means that it’s no longer viable to rely solely on signature-based defences. Kaspersky Lab processes more than 70,000 unique malware samples daily. This onslaught can be dealt with effectively only by using a blend of proactive technologies – including heuristics, sandboxing, whitelisting, behavioural analysis and cloud-based systems that can respond to new threats in real-time.

Ed: What do you think are the main threats facing organisations in 2012?
David:  I don’t believe the speculative attacks outlined above will disappear any time soon. They represent the low-hanging fruit for cyber-criminals – like the activities of pickpockets in city centres around the world. However, it’s clear that, in relative terms, the weight of targeted attacks is growing. And the well-publicised attacks of the last 12 months or so have demonstrated that no organisation – or type of organisation – is immune to attack. For eight years illegal profits have dominated the scene. But it’s abundantly clear that cyber-crime now has a variety of motives. This should hardly be a surprise, given that the Internet is simply a reflection of life in general. And the more that we do online, the bigger the target for all types of cyber-criminal.

Ed:  Are organizations ready to deal with those threats and what can they do to protect themselves?
David:  In a general sense, security remains the same. The starting-point for securing any system is to consider the potential risks and develop a strategy for mitigating those risks. But for a security policy to be effective it must be measurable and must be reviewed regularly to ensure that it is still fit for purpose. With regard to the trends outlined above, there are clearly two distinct areas of security. The first is to secure corporate systems from outside attack – to prevent intrusions, Denial of Service attacks, misuse of systems, etc. The second is to secure the data held on the system. Given today’s working practices, this can only mean ‘follow-me’ security, i.e. protecting the data held on all endpoints, including mobile devices. After all, it’s one thing for an intruder to break in, but you also need to ensure that if this happens, they don’t escape with valuable data [e.g. third-party data, customer passwords, etc.]. This means not just defending against malware, but encrypting data and securing against data leakage from the inside.

I think one thing that is sadly often neglected is the human factor in security. Social engineering, or the manipulation of human behaviour, is the starting-point for most attacks. So it’s essential to put in place a security education programme designed to foster a security mindset among staff. It’s not about *training* marketers, sales people, etc. to become security professionals. Rather it’s about helping them to realise the potential dangers to themselves and the organisation. Unfortunately, where such education exists, it’s often placed in the hands of security personnel [the obvious choice, of course], whereas we need to also engage HR, marketing and legal teams.

Ed:  Mobile phone use is increasing and smart phones are becoming more sophisticated – virtually mobile laptops in your pocket. Will we see mobiles becoming the main anti-virus attack vector and what can businesses and individuals do to protect their mobile data?
David:  It will take some time for mobile phones to become as big a target as desktop and laptop computers. Right now the volume of malware aimed at smart-phones is a trickle compared to the torrent of malware targeting people who use Windows. However, it’s growing fast – already there exist more than 9,000 mobile malware modifications. Mobile malware has been around for several years now. However, it’s only in the last 18 months that it has become a serious tool in the hands of cybercriminals. There are several reasons for this.

  1. The use of smart-phones has increased.
  2. Internet access from a smartphone is cheaper than ever before.
  3. They now hold valuable personal data, e.g. bank data, social network logins, etc.
  4. The same devices are often used at work too, so they also hold corporate data.

We see a mix of mobile malware. This includes SMS Trojans that silently send messages to premium-rate or international numbers. It also includes banking Trojans and Trojans that steal social network logins and other data. However, the problem of data loss from lost or stolen devices is also important.

Part of the problem is perception. While smartphones are really powerful computers, they are perceived by most people as *phones*. This isn’t surprising. After all, historically this is what they were. And we still refer to them as phones, albeit using the prefix ‘smart’. As a result, it’s not immediately apparent that there’s a security dimension to using a smartphone, unlike traditional computers.

It’s important that we all make use of security apps to protect the ‘computer in your pocket’. This includes anti-malware protection, but also encryption, blocking of unwanted numbers and remote wiping of lost/stolen devices.

For businesses specifically, the key problem lies in managing security on smart-phones alongside other endpoint devices used in the enterprise. This feature should be considered a key component when evaluating security solutions for corporate smart-phones.

Ed:  If you were a newly appointed CISO in a large corporation, what would be the first item you would want to complete ASAP?

David:  That’s a difficult question, since the security of any organisation really needs to be looked at as a whole. However, going back to something I discussed above, I think I would want to review the organisation’s approach to its human assets. The focus of IT security is, understandably, on securing computer systems and digital assets. Consider, for example, the attention paid to applying security patches to software. However, given the attention paid by cybercriminals to exploiting human vulnerabilities, I believe we ignore our human resources at our peril. ‘Patching’ humans is much less straightforward than patching computer systems [though even this can be a serious challenge]. But it’s essential. There are several aspects to address. First, remember that we’re dealing with humans. They learn in different ways, respond to different stimuli, etc. So a ‘binary’ approach may not work – we should consider all the techniques we use to engage with customers when dealing with staff. Second, there’s no quick fix. It’s an ongoing process and, like creosote on a garden fence, it must be re-applied to be effective. Third, we’re much more likely to succeed, and get staff buy-in to corporate security, if we tap into people’s self-interest.

Ed:  Thanks David, for some fantastic explanations and insights into some complex questions.


Popular posts from this blog

2020: Machine Learning, Post Quantum Crypto & Zero Trust

Welcome to a digital identity project in 2020! You'll be expected to have a plan for post-quantum cryptography.  Your network will be littered with "zero trust" buzz words, that will make you suspect everyone, everything and every transaction.  Add to that, “machines” will be learning everything, from how you like your coffee, through to every network, authentication and authorisation decision. OK, are you ready?

Machine Learning I'm not going to do an entire blog on machine learning (ML) and artificial intelligence (AI).  Firstly I'm not qualified enough on the topic and secondly I want to focus on the security implications.  Needless to say, within 3 years, most organisations will have relatively experienced teams who are handling big data capture from an and identity, access management and network perspective.

That data will be being fed into ML platforms, either on-premise, or via cloud services.  Leveraging either structured or unstructured learning, data fr…

Customer Data: Convenience versus Security

Organisations in both the public and private sector are initiating programmes of work to convert previously physical or offline services, into more digital, on line and automated offerings.  This could include things like automated car tax purchase, through to insurance policy management and electricity meter reading submission and reporting.

Digitization versus Security

This move towards a more on line user experience, brings together several differing forces.  Firstly the driver for end user convenience and service improvement, against the requirements of data security and privacy.  Which should win?  There clearly needs to be a balance of security against service improvement.  Excessive and prohibitive security controls would result in a complex and often poor user experience, ultimately resulting in fewer users.  On the other hand, poorly defined security architectures, lead to data loss, with the impact for personal exposure and brand damage.

Top 5 Security Predictions for 2016

It's that time of year again, when the retrospective and predictive blogs come out of the closet, just before the Christmas festivities begin.  This time last year, the 2015 predictions were an interesting selection of both consumer and enterprise challenges, with a focus on:

Customer Identity ManagementThe start of IoT security awarenessReduced Passwords on MobileConsumer PrivacyCloud Single Sign On
In retrospect, a pretty accurate and ongoing list.  Consumer related identity (cIAM) is hot on most organisation's lips, and whilst the password hasn't died (and probably never will) there are more people using things like swipe login and finger print authentication than ever before.

But what will 2016 bring?

Mobile Payments to be Default for Consumers

2015 has seen the rise in things like Apple Pay and Samsung Pay hitting the consumer high street with venom.  Many retail outlets now provide the ability to "tap and pay" using a mobile device, with many banks also offer…