Published on the 03/11/2015 | Written by Beverley Head
A new wave of ransomware looms – and this time it could get very “DieHard”, courtesy of the Internet of Things…
Anyone who has sat through a DieHard movie is familiar with the plotline where the bad guys threaten to blow something up unless their demands are met. It’s exactly the same modus operandi for ransomware such as CryptoLocker, where an unsuspecting employee clicks on a link in an email and suddenly the company’s computer system is locked up, with the key being offered in return for a ransom payment.
The Internet of Things (IoT) scenario which Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, envisages is even more worrying.
“IoT ransomware attacks could take control over everything from a point of sale device to something on a truck. The threat is that you pay up or that device will be wrecked or malfunction.
“I don’t think there will be bombs in schools – but the electronic equivalent in businesses,” he warned.
Bocek was in Australia last week to meet with local companies including financial institutions such as Westpac (which has increased its spending on security sevenfold in the last 12 months), to discuss the evolving threat landscape impacting antipodean businesses.
Wasting no opportunity to attempt to scare the living daylights out of enterprises Bocek said that the biggest risk now was for a “cryptopocalypse” where people lost trust in the computer systems and services offered by corporations.
He said that Australia was now in a position that the US had been about three years ago, and moving security from a “tick the box” compliance approach to a more active defence strategy. He said that local sluggishness may have been a biproduct of Australia’s continued lack of mandatory data breach notification.
Venafi also released the Australian cut of a global survey commissioned from the Ponemon Institute. The survey, which asked 336 Australian IT security professionals about the way they managed security keys and certification, found that their processes were flawed to the extent that around two thirds admitted to losing customers because people left a site when they saw a warning that a “digital certificate has expired.”
More than half – 55 percent – said that they did not know where all their keys were.
It is a widespread issue said Bocek, affecting even the largest companies, including Microsoft which had recently endured a 12 hour Azure outage because of an expired SSL certificate.