A Q&A with Tom Kellermann of Trend Micro
With a constantly evolving cache of weaponry, cyber criminals always seem to have the edge over their victims. I asked Tom Kellermann, Chief Cybersecurity Officer at Trend Micro for a forecast of the most pressing threats facing organizations in the coming months, and what they can do about them.
Which threats do you see emerging in the immediate future?
A combination of capabilities will create the next generation of threats: We will certainly be seeing more automated attacks specific to mobile devices, and specific to applications. Another concern is the evolution of automatic transfer systems that allow hackers to infiltrate devices and bypass two-factor identification. We’ll be seeing a mainstreaming of watering hole attacks—specific pages and sites that infect visitors with malware. Browser-based attacks are on the rise. Lastly, an important vector to be aware of is island hopping—this is what we saw with the Target breach. The perpetrator went through the supply chain to a vendor to gain access to the retailer’s data.
From a security standpoint…the model should be a supermax prison, with control over the population, data and everything that goes in and out.
What concerns you personally?
From a strategic or higher level we need to respect the fact that geopolitical events and tensions between nations will usher in cyber attacks, and what we’ve seen so far are really just harbingers for what’s to come. We can expect attempts to destroy infrastructure. With capabilities such as automated transfer systems increasing dramatically, it won’t be long before we see our own financial and ecommerce institutions attacked.
What are the risks for an average organization?
First and foremost, it’s reputational risk. We’re all focusing on brand, no matter the size of our business. Enduring a cyber attack will undoubtedly have an impact on your reputation, and solely relying on encryption to protect you is truly foolish, if not negligent. The internet is a hostile environment. It’s not just your own customers—it’s your partners, too. If you’ve advertised them in any way, you’ve allowed the enemy to target them, and you have for all intents and purposes put your business in danger.
What practical steps might an organization take to prevent or mitigate?
As a starting point, we need to be cognizant of these new realities. I’m painting a pretty bleak picture about the threats but there are significant things that can be done from governance to risk management. Every company should have a CISO (Chief Information Security Officer) and they should be reporting outside of the IT department, directly to the CFO. The board should be briefed on cyber posture on a monthly basis at a minimum.
From a security standpoint, organizations should shift away from the idea of building an impenetrable castle, which is literally impossible to defend 100 percent of the time. Instead the model should be a supermax prison, with control over the population, data and everything that goes in and out. Some other recommendations:
- Get away from passwords and use more extensive security measures.
- Don’t just retrofit existing cybersecurity controls for use in the cloud.
- Deploy a breach detection system.
- Deploy integrity monitoring.
- When dealing with vendors, don’t just sign service level agreements without really understanding the security provided. At the minimum, it’s worth going over with general counsel.
- Make sure your developer doesn’t go live with a new mobile app until it’s been vetted for the Top 20 vulnerabilities.
Tom compellingly summarizes the state of cyber threats. Working with the cyber liability insurance industry, we see MANY losses due to the failure of the safeguard controls Tom bulleted—particularly in vendor management. This is a soft spot for organizations of all sizes, many of whom are dealing with third party cloud providers that don’t offer enough security assurances.