Forget about ransomware. Businesses are going to have to deal with ransomware-plus, according to Stan Black, chief security officer of Citrix.
In an interview with BizTech at the Citrix Synergy 2016 conference in Las Vegas, Black says that companies of all sizes are going to need to defend against combination cyberattacks that use multiple methods of attack simultaneously.
Black recalled an event in which an attacker tried to use ransomware to hold data hostage, and in parallel the attacker also started a phishing scheme to try to steal information. He says the attacker wanted to “create a fire” with the ransomware attack to distract and scare and thus draw attention away from the phishing attack.
“Multivector attacks like that are becoming more and more common,” he says.
Fifteen to 20 years ago, he says, hackers needed to have “inherent technical knowledge” to attack a company. Today, hackers can specify which kind of personal information they want to harvest and get malware made to order. “Now, you can go online and actually have custom-tailored malware written for you,” Black says. “You don’t have to be technical.”
How can businesses guard against those kinds of attacks? Black notes that Citrix has a “unified incident handling program,” whether the incident is a hurricane or a phishing scam. The trick, he says, is for organizations not to simply fall back on well-worn responses to incidents. “It forces you into a muscle memory that you don’t necessarily want to get into because the attacks are so dynamic,” he says.
Malicious actors are in business too, he says, noting that there are roughly 8.6 million unique security events against private companies every 24 hours, and many more in the public sector.
“They’re in business too, but they’re just not regulated. Seriously,” he says. “They’re in business to make money. Follow the money. The one big challenge is they don’t have a board to report to, or they don’t have regulators to report to. That’s a significant piece of overhead.”
Black says cybersecurity for small businesses is not that different from cybersecurity for large enterprises. The main difference is the scale.
“If you look at a lot of attacks that occur on the enterprise, they’re actually exploiting vulnerable SMB servers, systems and websites, because they’ve been taken over or they’ve been turned into zombie farms or what have you,” he says. “I think it is pure scale.”
There are very few companies, whether small or large global enterprises, that are not regulated somehow, Black says.
“So we are all kind of in this together. It’s just who has deep enough pockets to either take the risk off the table, which is kind of our story, or add enough layers and threat intelligence, layer upon layer of security technologies. It’s a challenge, to say the least.”
One of the big takeaways from Citrix Synergy this year is that Citrix is moving toward a model that will let businesses use desktop and application virtualization products on a Software as a Service basis in the cloud. Black says that in that model, all of the services are being routed through Citrix’s NetScaler cloud gateway platform, so the company can ensure ongoing protection through that. And if applications are virtualized and used in a secure channel, that removes many threat vectors or entry points.
“So, the big difference is, if you’re a small company, you have to manage every single endpoint,” he says. “If you are a small company using Citrix technologies via the cloud, you get to consume something that has a reasonably industry-accepted amount of hygiene.”
Black noted that around 70 percent of all applications used by businesses are provisioned via web browsers. Historically, he says, individuals would launch a browser and connect to an application. “If we use virtualized browsers, and secure browsers for that matter, we essentially reduce potential risk,” he says, especially from tools like screen scrapers, key loggers and credential harvesting technology.
“How are those brought to the endpoint? In a traditional environment, it’s just another app running in memory,” Black says. “If we don’t allow the app to run in memory, then we mitigate that potential risk. Nothing takes all risks off the table. But at this point in time, that does quite a bit.”