January 29, 2021
Malware Is Inevitable — But Beware of IT Fatalism
What should our attitude be toward malware, ransomware and other malevolent cyber threats?
We continually see coverage of cyber threats affecting enterprises, governments and academic institutions. Right now, headlines are focused on the global cyber espionage campaign that hijacked SolarWinds Orion software. A few weeks ago, global cybersecurity firm FireEye was compromised and had hacking tools stolen by attackers. By the time you read this, you’ll likely see a completely different attack in the news.
Different Cyber Security Strategies
Our customers have a wide variety of approaches to the increasingly dangerous and sophisticated threat of malevolent actors within the boundaries of the enterprise IT security perimeter. Regardless of a business’ IT security strategy, passive indifference and IT fatalism are not options.
For example, we are currently working with a customer to implement a comprehensive immutable storage solution to mitigate cyber-attack risks that the client recognizes as likely and eventual.
With another client, we are helping them take proactive steps to close the most common entry points into administrative privileges. Before contracting with us, they had been hyper-focused on significant edge security investments, while no-cost best practices were being neglected.
Prevention Is Only One Part of an Enterprise Cyber Security Strategy
In January of 2020, I attended the Hawaii International Conference of System Sciences (HICSS 2020). At that conference, Michael Fiske presented his paper, “Toward a Mathematical Understanding of the Malware Problem.”
In this article, Fiske succinctly describes the nature of the malware problem:
Malware can exploit a weakness in current computer systems: user authentication does not protect the execution of the user’s intended action. Malware can circumvent strong authentication on a hardware token even when it is tightly integrated with strong cryptographic protocols. As aptly stated by Shamir, “cryptography is typically bypassed, not penetrated.” It seems unlikely that malware detection methods can solely provide an adequate solution to the malware problem.
In short, malware will affect your systems, regardless of how robust your prevention apparatus.
Unfortunately, many people in corporate IT focus solely on detection and prevention instead of investing in remediation. This approach is also evident among companies that are most engaged in the IT security product domain as well as members of enterprise security teams.
But when you consider that companies as sophisticated as FireEye have been victims of supply chain attacks, we must conclude that enterprise IT teams cannot keep every malevolent threat at bay. This especially applies if your organization is considered a “whale” by organized hackers as a target of opportunity: video communication systems, school systems, healthcare, finance, etc.
Enterprises Need to Focus on Remediation for Cyber Attacks
As Fiske demonstrates in his piece, “detection methods are currently up against fundamental limits in theoretical computer science.” Therefore, what cannot be prevented must be mitigated. As enterprise IT professionals, we need to ensure our data recovery strategy includes technologies that make recovery and forensics easier, faster and more predictable. We cannot afford to invest only in defense and prevention and ignore the imperative for data protection.
IT leaders are stewards of our organization’s data. Our customers, employees, patients, providers, suppliers and larger communities depend on us personally and economically. As informed, responsible professionals, we must take the initiative to put cyber recovery capabilities in place, even if the organization is not asking for it.
Because when the inevitable occurs, it is undoubtedly too late.