A Conversation with Omdia’s Curt Franklin

This interview is part of our Cybersecurity Insights Series, where we tap our partners and industry experts for the latest trends, thoughts, and predictions for cybersecurity and beyond.

 

The past year and a half has been illuminating for cybersecurity professionals. From the increase in phishing and ransomware attacks to the supply chain disruptions and incidents like the Colonial Pipeline breach that demonstrate the importance of infrastructure cybersecurity, companies are focused on a broader range of attack vectors than ever before. Meanwhile, the transition to remote work has presented a whole new set of cybersecurity difficulties. 

 

Curt Franklin is a senior analyst at the consulting firm Omdia, and his research is focused on the intersection of people, processes, and technology that determines the cybersecurity function for entire organizations. Curt’s decades of experience in enterprise security management put him in an ideal position to analyze the rapidly emerging developments outlined above, and he was kind enough to share his insights with NINJIO.

 

Matt Lindley: How have ransomware attacks evolved in recent years, and how should companies respond to them? 

 

Curt Franklin: The biggest evolution in ransomware has been the move toward a combination of ransomware and extortionware. This is where threat actors will gain access to the system and exfiltrate sensitive information before they launch the encryption attack and threaten the victim with the release of that information. This means victims are pressured to pay the ransom regardless of whether or not they’re able to decrypt the locked data.

 

In some cases, this sensitive information is confidential company data – or it’s the personally identifiable information of customers or patients – but in either direction, there’s usually a substantial financial or reputational hit to having the data released. This is how attackers cover their bases against decryption algorithms. 

 

We’re beginning to see that the source of the ransom isn’t data being locked, but system functionality. For example, consider an attack on a manufacturing system where if a ransom isn’t paid, assembly lines don’t work or industrial robots won’t function. While we haven’t seen as many of these attacks as with the extortionware, it’s something that has the attention of manufacturers and their vendors around the world. 

 

ML: How has COVID-19 changed supply chain cybersecurity? What are a few of the main attack vectors IT professionals in the sector should be worried about? 

 

CF: In recent years, we’ve seen that companies increasingly recognize the importance of supply chain cybersecurity. This is especially true when it comes to physical supply chains. In cybersecurity, we’ve gotten used to thinking of supply chains in terms of software development – the software libraries, functions, and code snippets we use to build applications within the enterprise. COVID has renewed focus on the physical supply chain – how chips, steel, and wheat are delivered, for instance – so that has raised the level of scrutiny on data flow. 

 

ML: Could you outline the main differences between BEC (business email compromise) and EAC (email account compromise) attacks? What are the warning signs employees should look for in each case? 

 

CF: The big difference is the fact that, with BEC, you’re dealing with some sort of spoofed account where someone has gone in and arranged a server or an email header to pretend to be someone else.

 

EAC is almost always the second step in an attack – when an attacker has used spoofing, phishing, or some other type of social engineering to actually get the credentials and compromise a legitimate account. So in this case, rather than an email coming from a pretend account, it actually comes from a real account. That’s very worrying because these emails bypass many (if not all) of the standard security mechanisms that tend to protect against things like BEC. In sum, BEC uses email – typically a spoofed account – to convince people to do something they shouldn’t. EAC uses an actual account that has been compromised. 

 

BEC attacks can get the credentials to launch an EAC, which tends to be very targeted and damaging. EAC takes a lot more work, so it’s a tactic that tends not to be wasted on small stakes. It’s a high-stakes compromise.

 

ML: What are the cybersecurity implications of the transition to remote work? What are two or three of your top concerns? 

 

CF: We know certain types of attacks became more frequent, such as phishing. But by and large, one of the unappreciated victories of IT over the past year and a half has been the fact that companies could, on very short notice, disperse the entire workforce. Cybersecurity teams had to figure out how to protect this widely dispersed workforce, and in the majority of cases, they succeeded. I think that’s spectacular. 

 

There have been two broad ways of dealing with distributed workforces. You could essentially try to ignore their home networks, along with the use of VPNs and zero-trust infrastructure. Cybersecurity teams could also up the authentication game – everyone is going to MFA and using VPNs while trying to isolate whatever threats exist on employees’ computers. 

 

The other approach is to embrace the employee’s network. I know of companies that are doing things like shipping wireless routers to all their employees. This way, they basically have enterprise and cybersecurity configured – the firewall and router are provided in a box – which protects the entire network. This approach treats the employee network as part of the corporate network and carves off a logical subnet for the employee’s home use.

 

ML: What’s one major cybersecurity issue that companies tend to struggle with? 

 

CF: In some organizations, there can be fuzziness and disconnect about who exactly on the board should have control of the security function. Does it ultimately feed up to the CIO or CFO? Is it part of the COO’s domain? That varies from organization to organization – it’s a very interesting set of questions. Who ultimately owns cybersecurity? Also, what are the solid lines and dotted lines reporting into the cybersecurity function?

 

ML: How will the surging use of IoT devices affect cybersecurity?

 

CF: In many cases, IoT devices are outside the locked door of an office – whether they’re sitting in a warehouse or in a farmer’s field, they’re beyond the normal IT physical control structure. The possibility of physical access to IoT devices exists in a way that tends not to exist in classical IT. There are just an awful lot of these little devices, especially when you start talking about devices like smart building implementations, with some level of intelligence built into every door lock and light fixture. That’s a massive number of devices, each of which can present an opportunity for an enterprising threat actor to gain access to a system. 

 

There are two main ways IoT affects cybersecurity. First, it increases the size and scope of the battlefield. Second, many of these devices were, until very recently, not designed to be touched once they were deployed. This means they have no ready mechanism for things like system updates. In many cases, there’s no opportunity to change passwords or administrative user accounts. People simply used what was built in by default. 

 

ML: How do you expect companies to allocate their cybersecurity budgets next year? I know this will vary depending on industry, size, etc., but what general trends are you seeing?

 

CF: First, we’re seeing companies that are involved in any sort of software development, whether it’s for their own use or for customers, looking closely at third, fourth, and fifth-party dependencies. This is true not only for software development, but also in many cases for their cloud providers and various other cyber-providers. Companies don’t just want to know if the software they’re building and libraries they’re using are safe from vulnerabilities caused by dependencies. They also want to know if the publishers of their log analysis tools, software firewalls, and enterprise software have done the necessary due diligence on all their dependencies. 

 

SolarWinds was a massive wake-up call for companies – it provides lessons up and down the line. You’re seeing a lot more companies paying attention to risk because it puts the state of cybersecurity readiness in terms that the board understands, which means it ultimately translates to dollars. We’re seeing those two things tie together very closely – where companies are spending money tracking down dependencies and evaluating third parties, they’re focusing on risk more broadly.

 

ML: Which industries will be most susceptible to emerging cyberthreats in the coming years? 

 

CF: We ought to be really careful on sectors like agriculture and food supply. We’re witnessing how the impact of difficulty in getting microprocessors can have a downstream effect on things like automobiles. Imagine if what we’re having trouble getting wasn’t computer chips, but wheat or corn or soybeans. That’s the kind of downstream impact that really cannot be ignored. 

 

Most people don’t have a clue just how automated and data-dependent modern agriculture has become. From the time a field is prepped for seed until groceries land on your supermarket shelf, it’s a data-intensive supply chain and industry. I know the government considers agriculture a component of critical infrastructure, but it doesn’t get enough attention on a broad scale. If I were someone who paid attention to risks that could have an outsize impact, I’d be focused on agriculture and food delivery.