
A view from the trenches

By Matthew Burbidge
Johannesburg, 18 Nov 2021

As soon as a breach is discovered, it unleashes a chain of events, not least an icy stab of fear in the chests of executives and security professionals. There will be sleepless nights, and there will almost certainly be a number of conversations about money. What follows also depends on what has been stolen, and on what course of action the attacker chooses to follow. Some organisations, say a bank or a telco, have a lot to lose, and the blast radius could be very wide indeed, but others, such as small or medium-sized businesses, may sink beneath the waves forever. If the precaution has been taken, one of the first calls a victim will make is to their insurance company, which will take a look and decide whether it’s worth paying the ransom, or if it’s possible to recover without paying. There will also be calls to vendors, systems integrators or managed security service providers. These are the people at the cold black coalface of security, and, as Jeremy Matthews, CEO at Dax Data, says, a lot of midrange and small companies will ‘still run whatever comes to hand’.

“They’ll run Microsoft Defender, because it’s in their 365 subscription. They may run McAfee and ESET and Symantec, all of which have advanced technologies, but people tend to run standard AV because that’s what they’ve always done and because they had a problem getting budget justification for additional security spend, particularly in the current climate.”

That is, until a breach.

“There are so many people who will not take your call, and then everything changes when they get hit,” he says, adding that which security technology people buy is one matter, and how well the solution is managed is quite another.

He reckons that while organisations spend a lot on things like perimeter security and identity and access management, the endpoint is often neglected, and the working from home phenomenon has exposed this weakness.

“Distributed networks, the user now becoming the perimeter, must really force a rethink around the defence technology we’re putting on endpoints, which are in many cases off the domain. To what extent have we now created a major vulnerability issue and increased the attack surface?”

Matthews also says that although it may be a truism, he’s found that time and time again, people are not doing the basics, such as patch management, which he says is a ‘huge’ problem.

Patch, and patch again

“How many attacks, like EternalBlue, WannaCry, were avoidable if you had the latest Microsoft security patches deployed? This remains an ongoing issue because maintaining a rigorous patching policy, and getting patches deployed to endpoints, is technically and operationally difficult to do.

“When it comes to your endpoints, and no matter what endpoint you have from which vendor, your endpoint security is the last line of defence. You have nothing left after that. Coverage is king. You need to ensure that you have healthy, installed protection that is talking back to the console so you know what is happening.”
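Matthews’ point about coverage, that protection only counts when it is installed on every endpoint and still talking back to the console, can be turned into a routine check. The following is an added example, not code from Dax Data or any vendor’s product: it reconciles a constructed asset inventory against constructed console check-in times (the field names and hosts are assumptions) and sorts each host into healthy, stale (installed but silent), missing (no agent at all) or unknown (reporting in, but not in the inventory).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data: the hosts the business believes it owns, and the
# last check-in the endpoint-protection console recorded per host. Neither
# is a real export; the shape is an assumption, not any vendor's schema.
NOW = datetime(2021, 11, 18, 9, 0, tzinfo=timezone.utc)

INVENTORY = ["ws-0101", "ws-0102", "ws-0103", "lt-0204", "srv-db01", "srv-web01"]

CONSOLE_CHECKINS = {
    "ws-0101": "2021-11-18T08:55:00Z",   # healthy, checked in minutes ago
    "ws-0102": "2021-11-01T17:12:00Z",   # agent installed, but silent for weeks
    "lt-0204": "2021-11-17T22:40:00Z",   # off-domain laptop, still reporting
    "srv-db01": "2021-11-18T08:59:00Z",  # healthy
    "ws-0199": "2021-11-18T08:50:00Z",   # reports in, but nobody inventoried it
    # ws-0103 and srv-web01 never checked in: no agent at all
}

# Anything quiet for longer than this is treated as not protected.
STALE_AFTER = timedelta(days=3)


@dataclass(frozen=True)
class CoverageReport:
    healthy: list   # installed and talking back to the console
    stale: list     # installed, but not heard from within STALE_AFTER
    missing: list   # in the inventory, never seen by the console
    unknown: list   # seen by the console, but not in the inventory


def parse_ts(s):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_coverage(inventory, checkins, now=NOW, stale_after=STALE_AFTER):
    """Reconcile the inventory against console check-ins."""
    healthy, stale, missing = [], [], []
    for host in sorted(inventory):
        last = checkins.get(host)
        if last is None:
            missing.append(host)
        elif now - parse_ts(last) > stale_after:
            stale.append(host)
        else:
            healthy.append(host)
    # Hosts the console knows about that the inventory does not: either the
    # inventory is out of date or something unexpected is on the network.
    unknown = sorted(set(checkins) - set(inventory))
    return CoverageReport(healthy, stale, missing, unknown)


def coverage_ratio(report):
    """Fraction of inventoried hosts with healthy, reporting protection."""
    total = len(report.healthy) + len(report.stale) + len(report.missing)
    return len(report.healthy) / total if total else 0.0


if __name__ == "__main__":
    report = assess_coverage(INVENTORY, CONSOLE_CHECKINS)
    print(f"healthy: {report.healthy}")
    print(f"stale:   {report.stale}")
    print(f"missing: {report.missing}")
    print(f"unknown: {report.unknown}")
    print(f"coverage: {coverage_ratio(report):.0%}")
```

On the constructed data only half the inventory is actually covered: one host has an agent that stopped reporting, two never had one, and one machine the console sees is not in the inventory at all. The stale and missing lists are the ones that turn “we run AV” into a list of machines someone has to go and fix.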

The way Rudie Raath, chief security officer at the systems integrator Datacentrix, puts it, ‘companies are fighting a war’, one they appear to be losing, particularly with ransomware. He says that globally, organisations have paid out more than R650 billion in ransoms in the past 12 months. The way into a company’s infrastructure, in many cases, is through the theft of credentials, and he says that over the last six months, he’s not had one incident that wasn’t related to this. He adds that most of these attacks are of the prosaic variety, and not orchestrated and sophisticated attacks, such as one may see in a film.

Instead, there are basic vulnerabilities being taken advantage of, such as leaving potential clues about your position at a company on social media, which may lead to staff members being phished. Of course, compromised credentials can always be bought quite cheaply. Armed with these credentials, an easy point of access is a machine on a home network, after which malware can be installed through an open port. The antivirus programme can also be sidestepped with a zero-day script. Raath says that personally identifiable data will then be exfiltrated, often using DNS.

Chasing the data

“They’ll go and sniff out who doesn’t have two-factor authentication and target those users,” he says, adding that the credential-pilfering tool Mimikatz, which is used to exploit vulnerabilities in a Microsoft environment, keeps turning up.

“Over the last 18 months, it’s shifted from compromising infrastructure maliciously and trying to take control of infrastructure, to chasing the data that they can encrypt and ransom. It’s all about the data, and that’s why they’re going after soft targets.”

He adds that threat actors are banking on the fear of reputational damage, as well as the fear of penalties from local and EU regulators, ‘and that’s how they get the money’.

“Our user community is not educated enough, and we’re trying really hard to educate them about the importance of identities. One of the things we’re pushing for is to have proper vulnerability and identity management in environments,” he says.

I put it to him that even if a CISO has done all their homework and spent significant amounts of money on sophisticated security technology, it’s almost impossible to keep a determined hacker out.

No guarantees

“It’s like mountain biking. It’s not if you’re going to fall, it’s when you’re going to fall,” says Raath. “I say to all our customers, you’re going to pay me a lot of money, but I can never give you a 100% guarantee.”

What Datacentrix does do rather a lot of, he adds, is run cyber drills and ‘what if’ scenarios to test a company’s cyber readiness.

“Everybody says they’ve got a disaster recovery (DR) plan, but do they have a cyber DR plan?” he asks.

“Do you know how long it will take you (to get back to doing business) if you go completely dark and then have to restore critical infrastructure? Have you done a complete cyber restore, bringing the data back online when there was a full breach?”

Raath mentions the case of Life Healthcare Group, which fell victim to a cyber attack in June 2020. Although the group is not a customer of Datacentrix, Raath says he watched the case with keen interest, and believes its IT systems had been down for three months. The company didn’t pay the ransom, and its backups had also been encrypted. This meant the group had to resort to manual systems.

“It’s quite scary to think that people ignore the impact of what can happen post-breach. Suddenly, the exco wallet just opens up, and they’ll say, ‘do whatever you have to do to make this problem disappear’. That’s the sad part. Post-breach, money isn’t a problem, but why is money a problem pre-breach?”

Absurd decisions

Raath says a breach will send ripples through a business. “Your CISO did not explain the risk properly, or quantify it properly, or they’re just turning a blind eye to it, and actually fooling their customers by saying you’ve got all these controls in place.

“We need to start keeping CIOs and CEOs accountable for making absurd decisions before a breach.”

He thinks PoPI is going to tighten controls.

When he deploys his team into a business that’s been breached, the first person they meet is “the PR person, because they need to manage the PR message that’s going out.

“They say they take security seriously, but when we start the forensic investigation, we find stupid things... passwords are not being updated, or they’re using the most basic freeware to do their security checks. Some of them haven’t even reviewed their active directory logs, and we’re talking about large organisations. It’s quite scary that even though security has been in the press so much over the last 18 months, companies still think it’s okay because they have a backup, or that it won’t happen to them, so why should they spend money there?”
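Raath’s complaint that large organisations don’t even review their Active Directory logs is worth making concrete, because the credential-theft pattern he describes earlier leaves an obvious trace there. The following is an added example, not Datacentrix’s tooling or any real SIEM rule: it parses a constructed, flattened export of Windows Security logon events (event 4625 for a failed logon, 4624 for a successful one; the one-line-per-event layout is an assumption of mine, not Event Viewer’s format) and flags an account whose burst of failures is followed by a success from the same source, the shape a guessed or sprayed password leaves behind.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: "timestamp event_id account source_ip" per line.
# Event IDs 4625 (failed logon) and 4624 (successful logon) are the real
# Windows Security event IDs; the line layout itself is an assumption.
SAMPLE_LOG = """\
2021-11-17T02:10:01 4625 j.smith 203.0.113.7
2021-11-17T02:10:03 4625 j.smith 203.0.113.7
2021-11-17T02:10:05 4625 j.smith 203.0.113.7
2021-11-17T02:10:07 4625 j.smith 203.0.113.7
2021-11-17T02:10:09 4625 j.smith 203.0.113.7
2021-11-17T02:10:12 4624 j.smith 203.0.113.7
2021-11-17T08:30:00 4625 a.naidoo 10.0.5.21
2021-11-17T08:31:10 4624 a.naidoo 10.0.5.21
2021-11-17T09:00:00 4624 svc-backup 10.0.5.2
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) (\S+) (\S+)$")


def parse_events(text):
    """Turn the constructed export into (timestamp, event_id, account, ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash mid-review
        ts, eid, account, ip = m.groups()
        events.append((datetime.fromisoformat(ts), int(eid), account, ip))
    return events


def find_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Alert on accounts with at least `threshold` failed logons (4625) inside
    `window`, followed by a successful logon (4624) from the same source IP
    while those failures are still inside the window."""
    failures = defaultdict(list)   # (account, ip) -> recent failure timestamps
    alerts = []
    for ts, eid, account, ip in sorted(events):
        key = (account, ip)
        if eid == 4625:
            failures[key].append(ts)
            # Keep only failures that are still inside the sliding window.
            failures[key] = [t for t in failures[key] if ts - t <= window]
        elif eid == 4624:
            recent = [t for t in failures.get(key, []) if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "account": account,
                    "source_ip": ip,
                    "failures": len(recent),
                    "success_at": ts.isoformat(),
                })
            # A success resets the counter for that account/source pair.
            failures.pop(key, None)
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce_then_success(parse_events(SAMPLE_LOG)):
        print(f"{alert['account']} from {alert['source_ip']}: "
              f"{alert['failures']} failures then success at {alert['success_at']}")
```

On the sample, the single alert is the account that failed five times in eleven seconds at two in the morning and then got in; the user who mistyped a password once at half past eight is left alone. The threshold and window are the knobs to tune against a real environment’s baseline, and the same shape of rule is what an unreviewed log would never trigger.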

Raath thinks the lockdowns have swelled the ranks of cyber threat actors, and there are courses that can be taken in 45 minutes on the dark web. “They can learn exactly how to run a Linux server that does various built-in exploits, and it will take them two or three days to build themselves a lab, and then they can attack quite large institutions. You can buy those exploits online for a couple of dollars. That’s the scary part.”

It’s important to foster a culture of cyber awareness at a company, otherwise it’s an ‘uphill battle’.

“Some companies will try to find the cheapest way (for cybersecurity training) and get people to watch some videos. Excuse my language, but that’s absolute bullshit and is money thrown down the tubes.”

He advocates a tough approach to staff members shown to have lax attitudes towards cybersecurity, such as notifying their line manager.

“This is not just teaching them to look at the road signs, this is living, breathing and thinking about cybersecurity.”
