At this point, it’s pretty much assumed that hackers are going to break into corporate computer networks. Global Finance talked with Michael Morris, chief Technology Officer of root9B, which offers cybersecurity services to corporate and government entities, about the war on digital attackers—and how businesses can retake some ground.
Global Finance: How would you rate the current state of corporate network security?
Michael Morris: Corporations are spending a lot of money on cybersecurity, but their strategy is obviously not working. Hackers are probably two steps ahead of the security industry as a whole. What makes it hard for this business is that organizations feel that if they train people [in digital security], they are going to leave. So we, as an industry, deploy automated solutions. But automated solutions are very predictive. From the attacker’s perspective, what you have to do is see how to bypass each of these automated solutions.
On average, it takes 200 days to find that an incident has occurred. Then, depending on the size of the network, it takes anywhere between 30 days to 18 months to be able to remove the intruder from the network. In the worst-case scenario we are talking about up to two-and-a-half years of an attacker living inside your environment. Think how much damage can occur.
GF: Can you use the information you get from one customer to alert another one about a possible attack?
Morris: Absolutely. I do not have to tell what clients I receive that information from. I can say they are using these tactics, this specific server, let’s go and set up the security products you have already purchased to block that server and those tactics. While working on a client’s network, we realized that attackers had pre-positioned themselves to launch an attack. We saw the attackers setting up a false domain as a bank in the UAE. In that case we were able to uncover their plans and informed the financial institutions that were potential targets. We provided details to each of the organizations, including Bank of America, Commerzbank and TD. We published a report to bring awareness to the entire security community. The report included specific malware signatures and defensive countermeasures to thwart the event.
But often there is not enough collaboration among private sectors and international communities. In June 2015, an independent researcher released a report documenting an exploit event against the German Parliament, including the same signatures reported
by root9B.
GF: What are different industries doing to fend off cyberattacks?
Morris: A 2014 study published by PwC says the median maximum amount spent by banking and finance organizations on cybersecurity was $2,500 per employee, versus $400 per employee spent by retailers and the consumer products business. We mentioned retailers and finance because those are the industries in the news. But those industries are more mature [in their security technology] than others. What we do not hear about are those organizations that do not know they’ve been exploited. The FBI said that in 2013 there have been 3,000 organizations exploited and unaware of it.
GF: Is that owing to limited resources?
Morris: For small firms, often the budget is not there—and even if they have a sophisticated security software they might not have the staff to see what is going on. But this is going to change because cybersecurity is becoming one of the top priorities that CEOs, CFOs and board directors are thinking of.
