Most new articles on high-profile cyberattacks call these attacks sophisticated, but are they really? At the RSA 2015 conference a few days ago, researchers Ira Winkler and Araceli Treu Gomes wrote ‘the Irari rules for declaring a cyberattack sophisticated’. The summary article can be found here, and the conference slide pack here. The main message is that just because the attackers managed a large, successful attack (such as the Sony breach) does not make it sophisticated. Sophisticated means it defeated security defences and was undetected until perhaps too late.
We don’t call a burglar sophisticated for stealing everything valuable out of a building if the doors were left unlocked, the codes for the vault were written on a post-it above it and the security alarms were easily turned off. Therefore, just because a piece of malware was able to wipe out all computers, exfiltrate a huge amount of data, commit fraud and cause all sorts of damage does not mean it did anything clever – it may mean that the victim just had poor security controls.
So really, the Irari rules are a check-list for malware security controls. If all the controls are in place and a piece of malware still manages to get in – only then is it sophisticated. Some examples of the types of malware controls that every business should have, no matter how big or small, are:
- Anti-malware software. This includes things like endpoint protection on employee workstations and servers (anti-virus as a minimum), network protection, malicious email scanning, etc.
- Two-factor authentication and strong password management, especially for the things that are important and that attackers would like to get their hands on
- Proper network segregation and network intrusion software
- Vulnerability and patch management on workstations and servers
- Segregation of duties for staff (i.e. someone cannot change something important and also approve it at the same time) as well as having the minimum privileges that they need to do their job
- User training, e.g. on phishing